93739acd40217d985062c5ac8a028e2bf20a806be0bb4298a1dd29ad99d38052

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2024 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81c7a4d1078b344f7b9e99cd3f88c984_JaffaCakes118.exe
Size

214KB
MD5

81c7a4d1078b344f7b9e99cd3f88c984
SHA1

3355c6d6bd4fd34fb23c5ed998daaa54ba55a651
SHA256

93739acd40217d985062c5ac8a028e2bf20a806be0bb4298a1dd29ad99d38052
SHA512

b1daceccc11da91a3f47135fcdaddd06f1c25a1f571bd913ef3462a758808bd993e8a2ecf506bb5ef3a7371b3933cf765ee44a18c06c9746be5905f921d74502
SSDEEP

3072:uahAcUn4vObQA/SukvOtL7QJlsmo990S+P5tPR3Trw7R7MR1Cd/Tu:uaacVGbQMSukvOyJlsaS+xRR3/w9AyS

Score

9^/10

collection discovery spyware stealer

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Executes dropped EXE 1 IoCs

pid	Process
2528	wmimgmt.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-807826884-2440573969-3755798217-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	reg.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	wmimgmt.exe

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2952	ARP.EXE

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
3972	tasklist.exe

Domain Trust Discovery 1 TTPs
Attempt gathering information on domain trust relationships.
discovery

Domain Trust Discovery
T1482
Permission Groups Discovery: Domain Groups 1 TTPs
Attempt to find domain-level groups and permission settings.
discovery

Domain Groups
T1069.002
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81c7a4d1078b344f7b9e99cd3f88c984_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmimgmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
2484	NETSTAT.EXE

Discovers systems in the same network 1 TTPs 1 IoCs

discovery

Remote System Discovery

T1018

pid	Process
5112	net.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2820	ipconfig.exe
2484	NETSTAT.EXE
2788	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
432	systeminfo.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeBackupPrivilege	3840	81c7a4d1078b344f7b9e99cd3f88c984_JaffaCakes118.exe
Token: SeBackupPrivilege	3840	81c7a4d1078b344f7b9e99cd3f88c984_JaffaCakes118.exe
Token: SeBackupPrivilege	3840	81c7a4d1078b344f7b9e99cd3f88c984_JaffaCakes118.exe
Token: SeBackupPrivilege	3840	81c7a4d1078b344f7b9e99cd3f88c984_JaffaCakes118.exe
Token: SeBackupPrivilege	3840	81c7a4d1078b344f7b9e99cd3f88c984_JaffaCakes118.exe
Token: SeBackupPrivilege	3840	81c7a4d1078b344f7b9e99cd3f88c984_JaffaCakes118.exe
Token: SeBackupPrivilege	3840	81c7a4d1078b344f7b9e99cd3f88c984_JaffaCakes118.exe
Token: SeBackupPrivilege	3840	81c7a4d1078b344f7b9e99cd3f88c984_JaffaCakes118.exe
Token: SeBackupPrivilege	3840	81c7a4d1078b344f7b9e99cd3f88c984_JaffaCakes118.exe
Token: SeBackupPrivilege	3840	81c7a4d1078b344f7b9e99cd3f88c984_JaffaCakes118.exe
Token: SeRestorePrivilege	3840	81c7a4d1078b344f7b9e99cd3f88c984_JaffaCakes118.exe
Token: SeBackupPrivilege	3840	81c7a4d1078b344f7b9e99cd3f88c984_JaffaCakes118.exe
Token: SeRestorePrivilege	3840	81c7a4d1078b344f7b9e99cd3f88c984_JaffaCakes118.exe
Token: SeBackupPrivilege	3840	81c7a4d1078b344f7b9e99cd3f88c984_JaffaCakes118.exe
Token: SeRestorePrivilege	3840	81c7a4d1078b344f7b9e99cd3f88c984_JaffaCakes118.exe
Token: SeBackupPrivilege	2528	wmimgmt.exe
Token: SeBackupPrivilege	2528	wmimgmt.exe
Token: SeBackupPrivilege	2528	wmimgmt.exe
Token: SeBackupPrivilege	2528	wmimgmt.exe
Token: SeBackupPrivilege	2528	wmimgmt.exe
Token: SeBackupPrivilege	2528	wmimgmt.exe
Token: SeBackupPrivilege	2528	wmimgmt.exe
Token: SeBackupPrivilege	2528	wmimgmt.exe
Token: SeDebugPrivilege	3972	tasklist.exe
Token: SeDebugPrivilege	2484	NETSTAT.EXE
Token: SeBackupPrivilege	2528	wmimgmt.exe
Token: SeBackupPrivilege	2528	wmimgmt.exe
Token: SeBackupPrivilege	2528	wmimgmt.exe
Token: SeBackupPrivilege	2528	wmimgmt.exe
Token: SeBackupPrivilege	2528	wmimgmt.exe
Token: SeBackupPrivilege	2528	wmimgmt.exe
Token: SeRestorePrivilege	2528	wmimgmt.exe
Token: SeBackupPrivilege	2528	wmimgmt.exe
Token: SeBackupPrivilege	2528	wmimgmt.exe
Token: SeBackupPrivilege	2528	wmimgmt.exe
Token: SeBackupPrivilege	2528	wmimgmt.exe
Token: SeBackupPrivilege	2528	wmimgmt.exe
Token: SeBackupPrivilege	2528	wmimgmt.exe
Token: SeBackupPrivilege	2528	wmimgmt.exe
Token: SeBackupPrivilege	2528	wmimgmt.exe
Token: SeBackupPrivilege	2528	wmimgmt.exe
Token: SeBackupPrivilege	2528	wmimgmt.exe
Token: SeBackupPrivilege	2528	wmimgmt.exe
Token: SeBackupPrivilege	2528	wmimgmt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3840 wrote to memory of 2528	3840	81c7a4d1078b344f7b9e99cd3f88c984_JaffaCakes118.exe	87
PID 3840 wrote to memory of 2528	3840	81c7a4d1078b344f7b9e99cd3f88c984_JaffaCakes118.exe	87
PID 3840 wrote to memory of 2528	3840	81c7a4d1078b344f7b9e99cd3f88c984_JaffaCakes118.exe	87
PID 2528 wrote to memory of 1604	2528	wmimgmt.exe	91
PID 2528 wrote to memory of 1604	2528	wmimgmt.exe	91
PID 2528 wrote to memory of 1604	2528	wmimgmt.exe	91
PID 1604 wrote to memory of 4852	1604	cmd.exe	93
PID 1604 wrote to memory of 4852	1604	cmd.exe	93
PID 1604 wrote to memory of 4852	1604	cmd.exe	93
PID 1604 wrote to memory of 2556	1604	cmd.exe	94
PID 1604 wrote to memory of 2556	1604	cmd.exe	94
PID 1604 wrote to memory of 2556	1604	cmd.exe	94
PID 1604 wrote to memory of 3544	1604	cmd.exe	95
PID 1604 wrote to memory of 3544	1604	cmd.exe	95
PID 1604 wrote to memory of 3544	1604	cmd.exe	95
PID 3544 wrote to memory of 1500	3544	net.exe	96
PID 3544 wrote to memory of 1500	3544	net.exe	96
PID 3544 wrote to memory of 1500	3544	net.exe	96
PID 1604 wrote to memory of 396	1604	cmd.exe	97
PID 1604 wrote to memory of 396	1604	cmd.exe	97
PID 1604 wrote to memory of 396	1604	cmd.exe	97
PID 396 wrote to memory of 4740	396	net.exe	98
PID 396 wrote to memory of 4740	396	net.exe	98
PID 396 wrote to memory of 4740	396	net.exe	98
PID 1604 wrote to memory of 3972	1604	cmd.exe	99
PID 1604 wrote to memory of 3972	1604	cmd.exe	99
PID 1604 wrote to memory of 3972	1604	cmd.exe	99
PID 1604 wrote to memory of 432	1604	cmd.exe	101
PID 1604 wrote to memory of 432	1604	cmd.exe	101
PID 1604 wrote to memory of 432	1604	cmd.exe	101
PID 1604 wrote to memory of 4756	1604	cmd.exe	103
PID 1604 wrote to memory of 4756	1604	cmd.exe	103
PID 1604 wrote to memory of 4756	1604	cmd.exe	103
PID 1604 wrote to memory of 3164	1604	cmd.exe	104
PID 1604 wrote to memory of 3164	1604	cmd.exe	104
PID 1604 wrote to memory of 3164	1604	cmd.exe	104
PID 1604 wrote to memory of 1384	1604	cmd.exe	105
PID 1604 wrote to memory of 1384	1604	cmd.exe	105
PID 1604 wrote to memory of 1384	1604	cmd.exe	105
PID 1604 wrote to memory of 4720	1604	cmd.exe	106
PID 1604 wrote to memory of 4720	1604	cmd.exe	106
PID 1604 wrote to memory of 4720	1604	cmd.exe	106
PID 1604 wrote to memory of 1964	1604	cmd.exe	107
PID 1604 wrote to memory of 1964	1604	cmd.exe	107
PID 1604 wrote to memory of 1964	1604	cmd.exe	107
PID 1604 wrote to memory of 1716	1604	cmd.exe	108
PID 1604 wrote to memory of 1716	1604	cmd.exe	108
PID 1604 wrote to memory of 1716	1604	cmd.exe	108
PID 1604 wrote to memory of 1908	1604	cmd.exe	109
PID 1604 wrote to memory of 1908	1604	cmd.exe	109
PID 1604 wrote to memory of 1908	1604	cmd.exe	109
PID 1604 wrote to memory of 4092	1604	cmd.exe	110
PID 1604 wrote to memory of 4092	1604	cmd.exe	110
PID 1604 wrote to memory of 4092	1604	cmd.exe	110
PID 1604 wrote to memory of 3204	1604	cmd.exe	111
PID 1604 wrote to memory of 3204	1604	cmd.exe	111
PID 1604 wrote to memory of 3204	1604	cmd.exe	111
PID 1604 wrote to memory of 3868	1604	cmd.exe	112
PID 1604 wrote to memory of 3868	1604	cmd.exe	112
PID 1604 wrote to memory of 3868	1604	cmd.exe	112
PID 1604 wrote to memory of 1196	1604	cmd.exe	113
PID 1604 wrote to memory of 1196	1604	cmd.exe	113
PID 1604 wrote to memory of 1196	1604	cmd.exe	113
PID 1604 wrote to memory of 4880	1604	cmd.exe	114

C:\Users\Admin\AppData\Local\Temp\81c7a4d1078b344f7b9e99cd3f88c984_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\81c7a4d1078b344f7b9e99cd3f88c984_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3840
- C:\ProgramData\Application Data\wmimgmt.exe
  "C:\ProgramData\Application Data\wmimgmt.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:4852
  - - C:\Windows\SysWOW64\chcp.com
      chcp
      4⤵
      System Location Discovery: System Language Discovery
      PID:2556
  - - C:\Windows\SysWOW64\net.exe
      net user
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3544
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1500
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:396
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4740
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3972
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      System Location Discovery: System Language Discovery
      Gathers system information
      PID:432
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4756
  - - C:\Windows\SysWOW64\find.exe
      find "REG_"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3164
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office
      4⤵
      System Location Discovery: System Language Discovery
      PID:1384
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:4720
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:1964
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:1716
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:1908
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:4092
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:3204
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts" /s
      4⤵
      PID:3868
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts" /s
      4⤵
      Accesses Microsoft Outlook accounts
      System Location Discovery: System Language Discovery
      PID:1196
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKEY_CURRENT_USER\Software\Mirabilis\ICQ" /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:4880
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger" /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:3336
  - - C:\Windows\SysWOW64\net.exe
      net user Admin
      4⤵
      System Location Discovery: System Language Discovery
      PID:3608
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user Admin
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1404
  - - C:\Windows\SysWOW64\net.exe
      net user Admin /domain
      4⤵
      System Location Discovery: System Language Discovery
      PID:4416
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user Admin /domain
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
  - - C:\Windows\SysWOW64\net.exe
      net group
      4⤵
      System Location Discovery: System Language Discovery
      PID:4312
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4420
  - - C:\Windows\SysWOW64\net.exe
      net group /domain
      4⤵
      System Location Discovery: System Language Discovery
      PID:3352
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group /domain
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
  - - C:\Windows\SysWOW64\net.exe
      net group "domain admins"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4324
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain admins"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2456
  - - C:\Windows\SysWOW64\net.exe
      net group "domain admins" /domain
      4⤵
      System Location Discovery: System Language Discovery
      PID:4228
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain admins" /domain
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1188
  - - C:\Windows\SysWOW64\net.exe
      net group "domain computers"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3048
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain computers"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
  - - C:\Windows\SysWOW64\net.exe
      net group "domain computers" /domain
      4⤵
      System Location Discovery: System Language Discovery
      PID:1400
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain computers" /domain
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5016
  - - C:\Windows\SysWOW64\net.exe
      net group "domain controllers"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3516
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain controllers"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
  - - C:\Windows\SysWOW64\net.exe
      net group "domain controllers" /domain
      4⤵
      System Location Discovery: System Language Discovery
      PID:3892
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain controllers" /domain
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4024
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:2820
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -ano
      4⤵
      System Location Discovery: System Language Discovery
      System Network Connections Discovery
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2484
  - - C:\Windows\SysWOW64\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      System Location Discovery: System Language Discovery
      PID:2952
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -r
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:2788
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
        5⤵
        
        PID:880
      - C:\Windows\SysWOW64\ROUTE.EXE
        
        C:\Windows\system32\route.exe print
        6⤵
        
        PID:2016
  - - C:\Windows\SysWOW64\net.exe
      net start
      4⤵
      System Location Discovery: System Language Discovery
      PID:2992
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3156
  - - C:\Windows\SysWOW64\net.exe
      net use
      4⤵
      PID:4612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo n"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1516
  - - C:\Windows\SysWOW64\net.exe
      net share
      4⤵
      System Location Discovery: System Language Discovery
      PID:1376
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 share
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1372
  - - C:\Windows\SysWOW64\net.exe
      net view /domain
      4⤵
      System Location Discovery: System Language Discovery
      Discovers systems in the same network
      PID:5112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4288
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "------"
      4⤵
      PID:1404
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:8
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "domain"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3568
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "¬A╛╣"
      4⤵
      System Location Discovery: System Language Discovery
      PID:628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4056
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "░⌡ªµª¿"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2316
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "├ⁿ┴ε"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3156
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4952
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "completed successfully"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Privilege Escalation

Account Manipulation

T1098

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Domain Trust Discovery

T1482

Network Service Discovery

T1046

Network Share Discovery

T1135

Password Policy Discovery

T1201

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Domain Groups

T1069.002

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Application Data\wmimgmt.exe

Filesize
214KB

MD5
81c7a4d1078b344f7b9e99cd3f88c984

SHA1
3355c6d6bd4fd34fb23c5ed998daaa54ba55a651

SHA256
93739acd40217d985062c5ac8a028e2bf20a806be0bb4298a1dd29ad99d38052

SHA512
b1daceccc11da91a3f47135fcdaddd06f1c25a1f571bd913ef3462a758808bd993e8a2ecf506bb5ef3a7371b3933cf765ee44a18c06c9746be5905f921d74502

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC#46CE.tmp

Filesize
361B

MD5
ee62b5ac35d874e9e6f8432e37ba45af

SHA1
2d84b4b66ec917504f26025a33975d980af6466e

SHA256
fe052b8fccd7f5dd9439ac7034b7cc1617fe18f9e3b2492506690ac8c0aa258d

SHA512
edf3fe951bb952b53bc92500b978f1273b2dcc57b80abbaf7c39ca98b21a2291ca4e2184097ae7bc85b6f3269f3a39c8d1ce30123219cbb6e1bc20485963f846

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC#B77A.tmp

Filesize
55B

MD5
9da78c06e728a4dd0fb39cc931e13745

SHA1
2b5ef9bccdcb87ced6a53cf8605d9664a8b3e8f6

SHA256
34415dee19e7fff291cf2b0cc7c355447436711ee24b0005e2392cac1758d53a

SHA512
7a7a5a273f50f97250f7d4302411be719d0d3196644e2da9a25e8f73ca682430a0b0411d9fde6153bcd35af50d2f54f9da1efc37314362d003cf3603b6f47e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC#BB18.tmp

Filesize
181B

MD5
49f51bd841a21c00255fdfeaa7d16d3b

SHA1
c8bb61611a6ed4771d06d30fb7f6fcf113e4641e

SHA256
9247284bea9b243dc72f07ca15ef100c03683c4066dc3b8d05898083b9cafa4f

SHA512
11323e1d41267cbd1504859dc4e78c44c0fe9ae4f5c2fcb28b67d10b2f5fd96ec007f151c101fcec60770dd2f0ccbc1df739985b4869a3f98fc8b6625b7a286d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC#DD0F.tmp

Filesize
311B

MD5
5b47bd27ce2ead22bcbd666b891bb753

SHA1
67fb4e825b16735bfc62a08dcc7866327441d976

SHA256
3332f998c77bcb7959e0133d36f2ee4308deb63ba8f66cecd40a1ca156518e58

SHA512
fc7baa4558c8b0475f0420cddfdff90abde7633a0eca45ea813b0f465756f593ba19bb911aacfc23c5e2e67e8b6fcab419583e1c06759d1d48cc4da109661b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\INFO.TXT

Filesize
50B

MD5
6e1ee901af8211bf02f2b57d4c7dead5

SHA1
240c021664ee742874f247832d608c68a7b58b5a

SHA256
ffdca4b0d7e20696fe65f395d0fa65de37f460a799deb48ccc42d5ebd2b0c2e2

SHA512
b679fecadc09fc9e13c306521c1538dad4b40569fbe83d122d7e111d808c9f217813a0fe98c405347c2a62946f25596fab2578ec4a30f86539bb8d23493a5404

Download Submit
C:\Users\Admin\AppData\Local\Temp\INFO.TXT

Filesize
37.5MB

MD5
a0983e216f7148c7673b8e9a4b6b3fe9

SHA1
ece1bd48736d60f56f0c0c26d0a8454f0c1a4e92

SHA256
6be58202d7e9f344a45917a2af9a58d701774fa5d5e5736b429ad90b01e3396b

SHA512
211b6749cb53abb4e7591d79f647b905a689156ecc195ade2199fcae46fa62fdc1eea1bb329024d9e13e9ba9aee4ed0ced81c6d277e031ca620a6518a5d266ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\INFO.TXT

Filesize
12KB

MD5
9d8c8156d75bca19881972f68a7ce824

SHA1
38f671c43deba09378cb4c4b82d4df874926e78b

SHA256
6faf7c4dd60b185e045aae72fdbdf0673b68e2df11396133d66ffdfd7e2bd68a

SHA512
22d00829f94e32d5d1fa4fd35889cddaa26d375a3967aedff14adfa19709350559745f0a5886ac08122b3f6d6279a13bb119bb49270ead6005ebfe1a46c7650d

Download Submit
C:\Users\Admin\AppData\Local\Temp\drivers.p

Filesize
15B

MD5
4ff8e80638f36abd8fb131c19425317b

SHA1
358665afaf5f88dfebcdb7c56e963693c520c136

SHA256
6b8ceb900443f4924efd3187693038965ad7edb488879305489aa72d78f69626

SHA512
d4e6e3d789bc76102c500b46a5aa799c5ebfc432a44117aa0b7c7512439d33a423630b963fb04cda1da17a7f6517b276a3e9298c17cbf795964090f4b9e5d8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghi.bat

Filesize
4KB

MD5
2e55bd8d0078e8fd40c1393e37d23192

SHA1
c54b3dbf5a29fe4cda82f340aae9a91175f049ff

SHA256
9859d9201e0fa3717bff47b0d3740630b92db01fcd753931470bba7247d5047d

SHA512
67e4a1c6ddfe74f55129348c2a1e72889b32ee236704b12955b6448074083b7c388c3c2eeb6f6dcce8cb8f4d3451b8989601312c664a9bc95c06105a7298709c

Download Submit
C:\Users\Public\Documents\Media\212C0DE5.db

Filesize
18KB

MD5
eb58f1db6830bf2c25eeca3b0efcc4cd

SHA1
72ee9bbc39364d1b28107e366b0cd7cc6d33888e

SHA256
24c777b1bfb98c0bf6eaa883cf204f643005e288e1bef42de6fa065b6343a17a

SHA512
11a4a989bad8d6150b690725d97a4c88074a4806fab7966fc6d94f84b2bb85ac8f7e89049c38cf89655f90e01399d4732e471b2686ad982ca97781aed8c6550f

Download Submit
C:\Users\Public\Documents\Media\212C0DE5.db

Filesize
64B

MD5
1498e9f94d64142a4113b07f4fa3db4e

SHA1
87e0662d503e955449de51bc467adcc134e227fe

SHA256
e9fdeb692c469de6fc9e1d8fd2c2f98c339672b43497e6b8cb09e36c37d494e4

SHA512
f1b6b0d51e3d04a5bd06d88553f3e3cf5db0ca3d3d522ba95adc213e4bbebd5db67f9fa5b584afc0145dd49ffb556a8722197d7a28400b49ce2e84f1e855dad2

Download Submit
memory/2528-159-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2528-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3840-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3840-8-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads