Analysis
max time kernel: 27s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/08/2024, 03:45
Static task: static1
Behavioral task: behavioral1
Sample: 88dea4b3191736270f9057dee7f8e7b0_JaffaCakes118.exe
Resource: win7-20240705-en
Note: the task list names the win7-20240705-en resource for behavioral1, but the yara matches and memory dumps in this report are labelled behavioral2 and the analysis platform is windows10-2004_x64, so the behaviour recorded below was observed on the Windows 10 image.
General
Target: 88dea4b3191736270f9057dee7f8e7b0_JaffaCakes118.exe
Size: 1.2MB
MD5: 88dea4b3191736270f9057dee7f8e7b0
SHA1: 4544dedbd265e62c88958d5f8fd9e61e0dff9ee6
SHA256: 194c4c8e422b39853379ce0de407713320da2bdcbf40be3203fea3520e3f3a14
SHA512: bfca91a51c0a73fa77acde31935339065b64ae715f9670979da0d38974078de905ad2d43342c331452dbdb3739c4d24c68805ae18aec803e83bda1e5677cfe64
SSDEEP: 24576:CzCtx5NqOtj35jCPLw1lgGQwC3lulTiyFv4ZWC7+Ep8rNTfmvNvCX:CE5N3JjC2lCTluh3XCKa8rNCvwX
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | File Binde.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | File Binde.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | File Binde.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | FileJoiner.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | FileJoiner.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | FileJoiner.exe

UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | File Binde.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | FileJoiner.exe

Windows security bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | File Binde.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | File Binde.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | File Binde.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | File Binde.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | FileJoiner.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | FileJoiner.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | File Binde.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | File Binde.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | FileJoiner.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | FileJoiner.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | FileJoiner.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | FileJoiner.exe
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource | yara_rule
behavioral2/files/0x00070000000234b2-13.dat | acprotect

Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | 88dea4b3191736270f9057dee7f8e7b0_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | file binder.exe

Deletes itself 1 IoCs
pid | Process
1288 | File Binde.exe

Executes dropped EXE 3 IoCs
pid | Process
3516 | file binder.exe
1288 | File Binde.exe
2260 | FileJoiner.exe

Loads dropped DLL 8 IoCs
pid | Process
3516 | file binder.exe
3516 | file binder.exe
1288 | File Binde.exe
1288 | File Binde.exe
3516 | file binder.exe
3516 | file binder.exe
2260 | FileJoiner.exe
2260 | FileJoiner.exe
UPX packed file (yara rule: upx) 32 IoCs
resource | yara_rule
behavioral2/files/0x00070000000234b5-37.dat | upx
behavioral2/memory/1288-63-0x00000000026A0000-0x000000000372E000-memory.dmp | upx
behavioral2/memory/1288-62-0x00000000026A0000-0x000000000372E000-memory.dmp | upx
behavioral2/memory/1288-69-0x00000000026A0000-0x000000000372E000-memory.dmp | upx
behavioral2/memory/1288-50-0x00000000026A0000-0x000000000372E000-memory.dmp | upx
behavioral2/memory/1288-96-0x00000000026A0000-0x000000000372E000-memory.dmp | upx
behavioral2/memory/1288-97-0x00000000026A0000-0x000000000372E000-memory.dmp | upx
behavioral2/memory/1288-95-0x00000000026A0000-0x000000000372E000-memory.dmp | upx
behavioral2/memory/1288-64-0x00000000026A0000-0x000000000372E000-memory.dmp | upx
behavioral2/memory/1288-41-0x00000000026A0000-0x000000000372E000-memory.dmp | upx
behavioral2/memory/1288-51-0x00000000026A0000-0x000000000372E000-memory.dmp | upx
behavioral2/memory/1288-239-0x00000000026A0000-0x000000000372E000-memory.dmp | upx
behavioral2/memory/1288-238-0x00000000026A0000-0x000000000372E000-memory.dmp | upx
behavioral2/memory/1288-240-0x00000000026A0000-0x000000000372E000-memory.dmp | upx
behavioral2/memory/1288-247-0x00000000026A0000-0x000000000372E000-memory.dmp | upx
behavioral2/memory/2260-261-0x00000000062E0000-0x000000000736E000-memory.dmp | upx
behavioral2/memory/2260-265-0x00000000062E0000-0x000000000736E000-memory.dmp | upx
behavioral2/memory/2260-263-0x00000000062E0000-0x000000000736E000-memory.dmp | upx
behavioral2/memory/2260-269-0x00000000062E0000-0x000000000736E000-memory.dmp | upx
behavioral2/memory/2260-266-0x00000000062E0000-0x000000000736E000-memory.dmp | upx
behavioral2/memory/2260-264-0x00000000062E0000-0x000000000736E000-memory.dmp | upx
behavioral2/memory/2260-268-0x00000000062E0000-0x000000000736E000-memory.dmp | upx
behavioral2/memory/2260-267-0x00000000062E0000-0x000000000736E000-memory.dmp | upx
behavioral2/memory/2260-270-0x00000000062E0000-0x000000000736E000-memory.dmp | upx
behavioral2/memory/2260-271-0x00000000062E0000-0x000000000736E000-memory.dmp | upx
behavioral2/memory/2260-272-0x00000000062E0000-0x000000000736E000-memory.dmp | upx
behavioral2/memory/2260-273-0x00000000062E0000-0x000000000736E000-memory.dmp | upx
behavioral2/memory/2260-275-0x00000000062E0000-0x000000000736E000-memory.dmp | upx
behavioral2/memory/2260-274-0x00000000062E0000-0x000000000736E000-memory.dmp | upx
behavioral2/memory/2260-278-0x00000000062E0000-0x000000000736E000-memory.dmp | upx
behavioral2/memory/2260-279-0x00000000062E0000-0x000000000736E000-memory.dmp | upx
behavioral2/memory/2260-280-0x00000000062E0000-0x000000000736E000-memory.dmp | upx

Windows security modification 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | FileJoiner.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | FileJoiner.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | File Binde.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | File Binde.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | File Binde.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | File Binde.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | FileJoiner.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | FileJoiner.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | File Binde.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | File Binde.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | File Binde.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | FileJoiner.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | FileJoiner.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | FileJoiner.exe

Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | File Binde.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | FileJoiner.exe
Enumerates connected drives 3 TTPs 9 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | FileJoiner.exe
File opened (read-only) | \??\J: | FileJoiner.exe
File opened (read-only) | \??\K: | FileJoiner.exe
File opened (read-only) | \??\L: | FileJoiner.exe
File opened (read-only) | \??\M: | FileJoiner.exe
File opened (read-only) | \??\N: | FileJoiner.exe
File opened (read-only) | \??\E: | FileJoiner.exe
File opened (read-only) | \??\I: | FileJoiner.exe
File opened (read-only) | \??\H: | FileJoiner.exe

Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | File Binde.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 88dea4b3191736270f9057dee7f8e7b0_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | file binder.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | File Binde.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FileJoiner.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid | Process
1288 | File Binde.exe (6 occurrences)
2260 | FileJoiner.exe (4 occurrences)

Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1288 | File Binde.exe (64 occurrences)

Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
3516 | file binder.exe
1288 | File Binde.exe

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1624 wrote to memory of 3516 | 1624 | 88dea4b3191736270f9057dee7f8e7b0_JaffaCakes118.exe | 84 (3 occurrences)
PID 3516 wrote to memory of 1288 | 3516 | file binder.exe | 86 (3 occurrences)
PID 3516 wrote to memory of 2260 | 3516 | file binder.exe | 88 (3 occurrences)
PID 1288 wrote to memory of 772 | 1288 | File Binde.exe | 8
PID 1288 wrote to memory of 780 | 1288 | File Binde.exe | 9
PID 1288 wrote to memory of 336 | 1288 | File Binde.exe | 13
PID 1288 wrote to memory of 2888 | 1288 | File Binde.exe | 49
PID 1288 wrote to memory of 3020 | 1288 | File Binde.exe | 51
PID 1288 wrote to memory of 3144 | 1288 | File Binde.exe | 52
PID 1288 wrote to memory of 3452 | 1288 | File Binde.exe | 56
PID 1288 wrote to memory of 3620 | 1288 | File Binde.exe | 57
PID 1288 wrote to memory of 3816 | 1288 | File Binde.exe | 58
PID 1288 wrote to memory of 3908 | 1288 | File Binde.exe | 59
PID 1288 wrote to memory of 3972 | 1288 | File Binde.exe | 60
PID 1288 wrote to memory of 4052 | 1288 | File Binde.exe | 61
PID 1288 wrote to memory of 3944 | 1288 | File Binde.exe | 62
PID 1288 wrote to memory of 2120 | 1288 | File Binde.exe | 74
PID 1288 wrote to memory of 2868 | 1288 | File Binde.exe | 76
PID 1288 wrote to memory of 1788 | 1288 | File Binde.exe | 81
PID 1288 wrote to memory of 2684 | 1288 | File Binde.exe | 82
PID 1288 wrote to memory of 3516 | 1288 | File Binde.exe | 84
PID 1288 wrote to memory of 1448 | 1288 | File Binde.exe | 85
PID 1288 wrote to memory of 1432 | 1288 | File Binde.exe | 87
PID 1288 wrote to memory of 2260 | 1288 | File Binde.exe | 88 (2 occurrences)
PID 1288 wrote to memory of 3452 | 1288 | File Binde.exe | 56 (4 further occurrences)
PID 2260 wrote to memory of 772 | 2260 | FileJoiner.exe | 8
PID 2260 wrote to memory of 780 | 2260 | FileJoiner.exe | 9
PID 2260 wrote to memory of 336 | 2260 | FileJoiner.exe | 13
PID 2260 wrote to memory of 2888 | 2260 | FileJoiner.exe | 49
PID 2260 wrote to memory of 3020 | 2260 | FileJoiner.exe | 51
PID 2260 wrote to memory of 3144 | 2260 | FileJoiner.exe | 52
PID 2260 wrote to memory of 3452 | 2260 | FileJoiner.exe | 56
PID 2260 wrote to memory of 3620 | 2260 | FileJoiner.exe | 57
PID 2260 wrote to memory of 3816 | 2260 | FileJoiner.exe | 58
PID 2260 wrote to memory of 3908 | 2260 | FileJoiner.exe | 59
PID 2260 wrote to memory of 3972 | 2260 | FileJoiner.exe | 60
PID 2260 wrote to memory of 4052 | 2260 | FileJoiner.exe | 61
PID 2260 wrote to memory of 3944 | 2260 | FileJoiner.exe | 62
PID 2260 wrote to memory of 2120 | 2260 | FileJoiner.exe | 74
PID 2260 wrote to memory of 2868 | 2260 | FileJoiner.exe | 76
PID 2260 wrote to memory of 1788 | 2260 | FileJoiner.exe | 81
PID 2260 wrote to memory of 1432 | 2260 | FileJoiner.exe | 87
PID 2260 wrote to memory of 1944 | 2260 | FileJoiner.exe | 89
PID 2260 wrote to memory of 772 | 2260 | FileJoiner.exe | 8
PID 2260 wrote to memory of 780 | 2260 | FileJoiner.exe | 9
PID 2260 wrote to memory of 336 | 2260 | FileJoiner.exe | 13
PID 2260 wrote to memory of 2888 | 2260 | FileJoiner.exe | 49
PID 2260 wrote to memory of 3020 | 2260 | FileJoiner.exe | 51
PID 2260 wrote to memory of 3144 | 2260 | FileJoiner.exe | 52
PID 2260 wrote to memory of 3452 | 2260 | FileJoiner.exe | 56
PID 2260 wrote to memory of 3620 | 2260 | FileJoiner.exe | 57
PID 2260 wrote to memory of 3816 | 2260 | FileJoiner.exe | 58
PID 2260 wrote to memory of 3908 | 2260 | FileJoiner.exe | 59
PID 2260 wrote to memory of 3972 | 2260 | FileJoiner.exe | 60
Only the first nine rows (1624 into 3516, 3516 into 1288 and 2260) are a parent writing into a child it has just created. Every other target PID resolves, via the Processes list below, to an unrelated process in the user session (fontdrvhost.exe, dwm.exe, sihost.exe, svchost.exe, taskhostw.exe, Explorer.EXE, RuntimeBroker.exe, backgroundTaskHost.exe, the SystemApps hosts, and even the parent file binder.exe and sibling FileJoiner.exe); combined with the 64 SeDebugPrivilege adjustments above, this is the cross-process injection behaviour of both dropped payloads.

System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | File Binde.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | FileJoiner.exe
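The firewall-policy, EnableLUA and Security Center writes listed in the signatures above are an exact, low-cardinality set of registry value pairs, which makes them cheap to detect from registry value-set telemetry. The following is an added example and is not code from the Triage report or from the Triage platform: a small Python detector that normalises both the report's native key paths (\REGISTRY\MACHINE\...\ControlSet001\...\WOW6432Node\...) and Sysmon Event ID 13 style paths (HKLM\...\CurrentControlSet\...), matches the value pairs the signatures list, and flags any process that trips two or more distinct signatures. The sample events, the image paths on them, the Sysmon field names and the two-signature threshold are constructed assumptions for this demonstration.

```python
import re
from collections import defaultdict

# Report IoC rows use native paths (\REGISTRY\MACHINE\...\ControlSet001\...); Sysmon Event ID 13
# logs HKLM\...\CurrentControlSet\... with Details like "DWORD (0x00000000)". Both are normalised
# to the same lower-case key without hive prefix, control-set number or WOW6432Node redirection.
_HIVE_PREFIXES = ("\\registry\\machine\\", "hklm\\", "hkey_local_machine\\")

FIREWALL = "system\\controlset\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile"
POLICIES = "software\\microsoft\\windows\\currentversion\\policies\\system"
SECCENTER = "software\\microsoft\\security center"

# (normalised key, value name, value meaning "protection off") -> signature label used in the report.
INDICATORS = {
    (FIREWALL, "enablefirewall", 0): "Modifies firewall policy service",
    (FIREWALL, "donotallowexceptions", 0): "Modifies firewall policy service",
    (FIREWALL, "disablenotifications", 1): "Modifies firewall policy service",
    (POLICIES, "enablelua", 0): "UAC bypass",
    (SECCENTER, "antivirusoverride", 1): "Windows security bypass",
    (SECCENTER, "antivirusdisablenotify", 1): "Windows security bypass",
    (SECCENTER, "firewalloverride", 1): "Windows security bypass",
    (SECCENTER, "firewalldisablenotify", 1): "Windows security bypass",
    (SECCENTER, "updatesdisablenotify", 1): "Windows security bypass",
    (SECCENTER, "uacdisablenotify", 1): "Windows security bypass",
}


def normalise_key(key):
    """Lower-case, strip the hive prefix, fold ControlSetNNN/CurrentControlSet, drop WOW6432Node."""
    k = key.lower()
    for prefix in _HIVE_PREFIXES:
        if k.startswith(prefix):
            k = k[len(prefix):]
            break
    k = re.sub(r"controlset\d{3}|currentcontrolset", "controlset", k)
    return k.replace("wow6432node\\", "")


def parse_value(details):
    """Accept Sysmon 'DWORD (0x00000001)', the report's '"1"', or a bare integer."""
    m = re.search(r"0x([0-9a-f]+)", details, re.IGNORECASE)
    if m:
        return int(m.group(1), 16)
    m = re.search(r"-?\d+", details)
    return int(m.group()) if m else None


def classify(target_object, details):
    """Return the signature label for one value-set event, or None if it is not an indicator."""
    if "\\" not in target_object:
        return None
    key, name = target_object.rsplit("\\", 1)
    return INDICATORS.get((normalise_key(key), name.lower(), parse_value(details)))


def scan(events):
    """Group indicator hits per image; a process tripping two or more distinct signatures
    matches the cluster both dropped payloads show in this report."""
    hits = defaultdict(set)
    for ev in events:
        label = classify(ev["target"], ev["details"])
        if label:
            hits[ev["image"]].add(label)
    return {img: sorted(labels) for img, labels in hits.items() if len(labels) >= 2}


# Constructed sample events (assumed, not taken from the sandbox log): two in Sysmon form,
# two in the report's native-path form, plus two that must not match
# (EnableLUA left at 1, and an unrelated Explorer setting).
SAMPLE_EVENTS = [
    {"image": r"C:\Users\Admin\AppData\Local\Temp\File Binde.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
     "details": "DWORD (0x00000000)"},
    {"image": r"C:\Users\Admin\AppData\Local\Temp\File Binde.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "details": "DWORD (0x00000000)"},
    {"image": r"C:\Users\Admin\AppData\Local\Temp\FileJoiner.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride",
     "details": '"1"'},
    {"image": r"C:\Users\Admin\AppData\Local\Temp\FileJoiner.exe",
     "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications",
     "details": '"1"'},
    {"image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "details": "DWORD (0x00000001)"},
    {"image": r"C:\Windows\explorer.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for image, labels in scan(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(labels)}")
```

The value check matters as much as the path: EnableLUA being written to 1, or EnableFirewall to 1, is a hardening change and must not fire, which is why the indicator key includes the expected value rather than only the value name.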
Processes (indentation shows parent/child nesting; the signatures each process triggered follow it)
PID 772    C:\Windows\system32\fontdrvhost.exe    cmd: "fontdrvhost.exe"
PID 780    C:\Windows\system32\fontdrvhost.exe    cmd: "fontdrvhost.exe"
PID 336    C:\Windows\system32\dwm.exe    cmd: "dwm.exe"
PID 2888   C:\Windows\system32\sihost.exe    cmd: sihost.exe
PID 3020   C:\Windows\system32\svchost.exe    cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 3144   C:\Windows\system32\taskhostw.exe    cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 3452   C:\Windows\Explorer.EXE    cmd: C:\Windows\Explorer.EXE
    PID 1624   C:\Users\Admin\AppData\Local\Temp\88dea4b3191736270f9057dee7f8e7b0_JaffaCakes118.exe    cmd: "C:\Users\Admin\AppData\Local\Temp\88dea4b3191736270f9057dee7f8e7b0_JaffaCakes118.exe"
        signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        PID 3516   C:\Users\Admin\AppData\Local\Temp\file binder.exe    cmd: "C:\Users\Admin\AppData\Local\Temp\file binder.exe"
            signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
            PID 1288   C:\Users\Admin\AppData\Local\Temp\File Binde.exe    cmd: "C:\Users\Admin\AppData\Local\Temp\File Binde.exe"
                signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Deletes itself; Executes dropped EXE; Loads dropped DLL; Windows security modification; Checks whether UAC is enabled; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
            PID 2260   C:\Users\Admin\AppData\Local\Temp\FileJoiner.exe    cmd: "C:\Users\Admin\AppData\Local\Temp\FileJoiner.exe"
                signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Loads dropped DLL; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
PID 3620   C:\Windows\system32\svchost.exe    cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3816   C:\Windows\system32\DllHost.exe    cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3908   C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe    cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 3972   C:\Windows\System32\RuntimeBroker.exe    cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4052   C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe    cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 3944   C:\Windows\System32\RuntimeBroker.exe    cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 2120   C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe    cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
PID 2868   C:\Windows\System32\RuntimeBroker.exe    cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 1788   C:\Windows\system32\backgroundTaskHost.exe    cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
PID 2684   C:\Windows\system32\backgroundTaskHost.exe    cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
PID 1448   C:\Windows\system32\BackgroundTaskHost.exe    cmd: "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
PID 1432   C:\Windows\System32\RuntimeBroker.exe    cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 1944   C:\Windows\System32\RuntimeBroker.exe    cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
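Read together, the WriteProcessMemory rows and the process tree separate ordinary parent writes (1624 into 3516, 3516 into 1288 and 2260, which happen when a parent creates a child) from writes into processes the writer never spawned. The following is an added example and is not code from the Triage report: Python that parses rows in the report's "PID X wrote to memory of Y" format, uses a parent/child table built from the tree's nesting, and reports writers that hit three or more processes they did not create, resolving each target PID to its image. The subset of rows, the PROCESSES table (parent PIDs taken from the tree's indentation, with 0 standing in for processes whose parent the tree does not show) and the threshold of three targets are assumptions for this demonstration.

```python
import re
from collections import defaultdict

# One report row: "PID <src> wrote to memory of <dst> <src> <image> <procid_target>".
# The backreference \1 pins the repeated source PID so the image name can contain spaces.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (.+?) (\d+)$")


def parse_rows(lines):
    """Parse rows in the report's WriteProcessMemory format into
    (source_pid, target_pid, source_image) tuples; lines that do not match are skipped."""
    writes = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            writes.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return writes


def foreign_writes(writes, processes):
    """Keep only writes whose target is not a direct child of the writer. A parent writing
    into a process it just created is normal loader behaviour; anything else is injection."""
    children = defaultdict(set)
    for pid, (ppid, _image) in processes.items():
        children[ppid].add(pid)
    result = defaultdict(set)
    for src, dst, _img in writes:
        if dst not in children[src]:
            result[src].add(dst)
    return result


def injectors(writes, processes, min_targets=3):
    """Return {source_pid: [(target_pid, target_image), ...]} for writers that hit at
    least min_targets processes they did not spawn."""
    out = {}
    for src, targets in foreign_writes(writes, processes).items():
        if len(targets) >= min_targets:
            out[src] = [(t, processes.get(t, (None, "<unknown>"))[1]) for t in sorted(targets)]
    return out


# Constructed process table (assumed): pid -> (parent pid, image). Parents follow the tree's
# nesting; 0 marks session processes whose parent the tree does not show.
PROCESSES = {
    772: (0, "fontdrvhost.exe"), 780: (0, "fontdrvhost.exe"), 336: (0, "dwm.exe"),
    2888: (0, "sihost.exe"), 3452: (0, "Explorer.EXE"), 1944: (0, "RuntimeBroker.exe"),
    1624: (3452, "88dea4b3191736270f9057dee7f8e7b0_JaffaCakes118.exe"),
    3516: (1624, "file binder.exe"),
    1288: (3516, "File Binde.exe"),
    2260: (3516, "FileJoiner.exe"),
}

# Constructed subset of rows in the report's format (assumed input for the demonstration).
SAMPLE_ROWS = [
    "PID 1624 wrote to memory of 3516 1624 88dea4b3191736270f9057dee7f8e7b0_JaffaCakes118.exe 84",
    "PID 1624 wrote to memory of 3516 1624 88dea4b3191736270f9057dee7f8e7b0_JaffaCakes118.exe 84",
    "PID 3516 wrote to memory of 1288 3516 file binder.exe 86",
    "PID 3516 wrote to memory of 2260 3516 file binder.exe 88",
    "PID 1288 wrote to memory of 772 1288 File Binde.exe 8",
    "PID 1288 wrote to memory of 780 1288 File Binde.exe 9",
    "PID 1288 wrote to memory of 336 1288 File Binde.exe 13",
    "PID 1288 wrote to memory of 2888 1288 File Binde.exe 49",
    "PID 1288 wrote to memory of 3452 1288 File Binde.exe 56",
    "PID 1288 wrote to memory of 3516 1288 File Binde.exe 84",
    "PID 1288 wrote to memory of 2260 1288 File Binde.exe 88",
    "PID 2260 wrote to memory of 772 2260 FileJoiner.exe 8",
    "PID 2260 wrote to memory of 780 2260 FileJoiner.exe 9",
    "PID 2260 wrote to memory of 336 2260 FileJoiner.exe 13",
    "PID 2260 wrote to memory of 1944 2260 FileJoiner.exe 89",
]

if __name__ == "__main__":
    for src, targets in injectors(parse_rows(SAMPLE_ROWS), PROCESSES).items():
        names = ", ".join(f"{pid} ({img})" for pid, img in targets)
        print(f"{src} {PROCESSES[src][1]} injected into: {names}")
```

On the full row set the two payload PIDs (1288 and 2260) are the only writers left after the parent/child filter, which is the property to alert on: the number of foreign targets, not the WriteProcessMemory call itself, which every process creator performs.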
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
  Modify Registry (5)
Downloads (dropped files; names are not included in this extract)

Filesize: 298KB
MD5: 32d687da2eb634d1c6a56c8e595bee83
SHA1: fd700d996a704415931a4c3bdd2eb1baab4b1dc0
SHA256: 5feb3a995c070dfa8a6668edbc76b6921abb8ccb2507634f8d68cdd111f0ff6a
SHA512: 12986142e3b8082ff1c9d06a7e52d6232a02034fb8e0a6b0223af238551e01eaab480ba8168a63027190d233bb79d2844db99363f03e41f5f648e2d4d7fdcd25

Filesize: 752KB
MD5: 0ab9151c47b0f6e8175978586cfcc4a0
SHA1: 60a2e196d1008e3c7206340a5dd1c2e1b995b475
SHA256: 0c751133da9edd7d97bc952f746bb1f90ad1e926885c9a0ef4dc4928da7f1698
SHA512: 3fb1ced73acde0a7eb19beb7d675b9f82b1214b21d7185a010e87416298655dfe396600a3f927e78f2eb708cfbc512db57ce7690cff9557e79b7cd087cd4856c

Filesize: 1.2MB
MD5: 077462b150aaa177c2944c59dbff5a15
SHA1: f90095ed49bfd5b32af8702aa2a1e74596fe2273
SHA256: 2e6cf16d8321a8471299e76a23e0178570bc6dcccac4b71de21abb306e22dd9c
SHA512: 4f70cbcffb1d82489bc5617aeb89cf94352aea52dd125bd7c8a2b6556388dc39e5625a71df28cae3b189bd1899f6b7ebc05bc030080ad085d3efc24d3ddc3cca

Filesize: 3KB
MD5: 10f593c565d903d77d2c2f3937d871bc
SHA1: 792dcecc1df125fe3fb306153fe55eb0ed1fcde8
SHA256: 1aa66378f94786ab1fb09e49678d68e4db0f627f88987645a100bd1278a5646e
SHA512: 0d9588a3dc6e946fb0f72a63d1efa73e72d8536d24cd00b93b87ce939c82883ec70e11dd65942be268af0334464aee0fb6db4d9b2ae43d3011c6de659bafe518

Filesize: 3KB
MD5: e6ef70517d846723327491c49ac40a53
SHA1: 72e559d9da02c6cc77da0f0b0242cd874dbff38b
SHA256: a2d87c0f15b38351059846f376a8083b7df89b2ad82ca495c919a7626a117c3d
SHA512: 25f0db16b910c8b2b780fcd3182de8c140b2bf90b18da49999d9e64e3e69ba3d73a02b8dc17014c8981d7cbd95ef38a9f578ea54339f05f44b7aa47c82a79fc9

Filesize: 3KB
MD5: 2e36c1b78bc3f83b6e95f59f1282a075
SHA1: 927c840a214d0a5143c07c20f093233ac761dc3e
SHA256: 5f30ddcde1ab8e11a13b1fad1c3ea02d9049dfbc76facaa400b8785b0cd1364f
SHA512: 06aa72d38e0f75d50cdf27a7123fdd0479dcfb8a91d4afb0789527b72580a2f8b9817ad380849d1fd2cf2ae960564c958ee340d8e4719be6465fea552fffeaa3

Filesize: 3KB
MD5: 4979252354ca1b2d5c5e44c0e5485a6c
SHA1: 31c5e39044a5be2b7e5c441cc9621b95eb90f679
SHA256: 1491b2624b425f190c1cac65ba369f01d4dc105fa2319918c22567101fe3f9a7
SHA512: cc4535d3f93f2bd8dc2ab863f5bd9306357f40407d082d1adad7f5304e80c3ea4f1011bdc8041c2c0485859e4f596d2e2d487ecae7d40df9da17baebabfc720c

Filesize: 3KB
MD5: bc4a99c867092521255e7f5feaf64ac4
SHA1: baf9c05ff667cee9d38d352d21bc2fa2c005dfc3
SHA256: 5c0b91194e47e3d027d9f82fcc78da53a52b7c3ef4db202600291ba2d5c73a40
SHA512: 726f6354f79065ebb36ab1ddb8cb8144a22ac8defabad5feb54b5ba18ba977fd9f705133341cdcaf1c0afbf90192391b6e3ebe15fab466e36120feef02ddce7e

Filesize: 3KB
MD5: 5c949e1fb6892bc52b6126308b7a69ae
SHA1: 2e662e3bc392d887372a7c8d38805632ad28028d
SHA256: 179fc477de56b62e6da89a0266768c8b49ddb7b4be56f1070b4b32ad21b4b263
SHA512: b57d0572e0a53790524212ca7da58a83d8c14d7d5df7bcf840270fe30134a442d7945890bf257d7b5d46ff3725201d548eb957a2865e0f0a608d48bc6aa8d8a3

Filesize: 3KB
MD5: 0c166eb92417af53e9df390c2a30a6cb
SHA1: 45c4349d3bd2edc42c5d95b0fd5793377beb3858
SHA256: 121f4ffad2f323e907cd5c7355c4a29e9f1b50bffe420a6b228f62a50503826f
SHA512: f5e89ce070c595c1acf32fb8818c9d59cbeed615370cfc5b4b86a257909d031e7d7dfca962b831a31c37325b6c3626e43528a4fac3690e4e05ebd23b84d73b84

Filesize: 3KB
MD5: 5cd6da6e05901e3d30914f3fc6d6c790
SHA1: a054ad7e7c0efb5b6c17cef6a1f0c0ffe151c9bd
SHA256: effd0482c7ce5beb4e5620e9e5fe96f09b4412294b4e85c638e9a4d26545b024
SHA512: 16f9256e3b99ebcc0d941685b904143830a3d0f8b1883d26d260863577bbe080925c4c171ee5ac6d37e87c97b0b9db5ddbc57c0598898881a12e82c90a5d1e80

Filesize: 3KB
MD5: e768f678a8453882ccdfd44ce6deb9fe
SHA1: b7b99029fee6962b4c475d746009ea8f516234a5
SHA256: a80de28205b3b15beedbdf86923ab009b2a7761a5d8b96fdde240b10299ea29d
SHA512: 089a66ee5104ff89d480d35dc5c9e7d13a5442d408586d4fe928e95a89b16222b1db5c9e43ac7198ed8ca3ec0aa65a1c31c6b973ba3fdf8364e7c2d9a6a0cc81

Filesize: 3KB
MD5: 120237b6f8a17e1990f1e731741c4044
SHA1: 89347688431f58bd35d50ac4e9ba836a31fa6aba
SHA256: ae24ccf28ae397519bee9452110719e360249660c21df3d53279499ade89f198
SHA512: f6d72c1a5cef72da958feaf102bbe2d78c4f142433a5f64aecd95778aeba48659435ee7c3bc7b32b0cd30dff6d6ce60393f0b6dca75c8e424bc848d030840bac

Filesize: 3KB
MD5: e7a6f968626084a7c5a72aedbf5bd315
SHA1: 007891ea6a4b64d851f167f9e6a2afef1ed5a52c
SHA256: 39d6b865ef7bfb315d5b96e1f6ee6e12dc612f8b0aefa4392e17e0192ffe8de7
SHA512: 5e9af9b112a183be4b9976533a0f900b46614e804ee292868dc2d83d9d17cec82dba195dd0a785509c72a73c0d2137975d11db7d716de6b3cd07188b46870d9e

Filesize: 3KB
MD5: a4064df61dc9b9485213b2947f79e662
SHA1: 8499bbba69d6ad960ddc1ad58b2d68cd2904e207
SHA256: 2ecb83a57e5898aa275b4ad07d06ab5f6844c3bf424b01702000ad6dc9ad9736
SHA512: fb70b56b21a1af3c6a3173701920d8e6e44fa69148ba18801c72f8d0e69e39bb3614b56dda03e7016b503837f5c7dcda0ea329dab57a15e20b9d77fb66f64eb0

Filesize: 3KB
MD5: 19243603f8bb07b2847e9dfc095fdfca
SHA1: c4e33d7d767f284ff82ed8dd72b957cd7e8db7b1
SHA256: fcb0a4bacf0895d183f088383cb55ae297a7ceb61a97b1d08d494bfd6ea572e5
SHA512: 41dd1b2c512d3a5fee1d735345bdddc2a4c4e036f73d396d8394071e4b3982532c52a870ba5a4920cb4fdafdc88218f12e5b1893becda0ff73035992b60877d7

Filesize: 3KB
MD5: 063275ac89c44dcd99242e7be6846930
SHA1: c1e47fa8b70326f9a228843b2fcb23447657d5db
SHA256: 387dcedc1bfaab5822c4b111a75e2997b51667ca09d29d591732f5a27bff661e
SHA512: 395f3b682f3609744bd7c86e685dfd761750f6679de04911520a318c5ec7090b57e8ed965b0b1778e9d52b7f506bc22a62598c726fd913789252edd5f97f59ce

Filesize: 3KB
MD5: 15e9fb689e49a973e13382fe5a3e1622
SHA1: a83227a3c6f2659bc17a39f86968f57582268407
SHA256: d94747ec3fbeaa6ab494e3250b17de741d95a1dbeba9c713b297e75a992f3085
SHA512: 28bbd2c4834c5006e19a5d03a6803fcef6986e7b46cd487a8a6b9ab0cde2c7848391749deb00242a6025d6d8ac073462272d60b1cd3544bc56fe798a79b1c982

Filesize: 3KB
MD5: 88b4d7849de2b7a9afa656f98684be82
SHA1: 0547c87737f471370b4ed5d0447ed3481d244685
SHA256: 26123f378441ec10b634d83bce84f6c31a91923606ab058a5dfb08e0ad82a293
SHA512: af1f3d13f15655f033cf42281c83c7508ab583d01a8eeea818cb775a447ceb3fc7a1c719229b854b1e2955b72a2b24a4f2872d41cad1aaab0e5ac6af8b3b01e0

Filesize: 3KB
MD5: 1139f9d1ec6cc1e2b4821e265c7f2b0a
SHA1: 4088e2933e2371e262a9df5bf611fddb1a438a9f
SHA256: eb3ae04a48c0a3173975a3b877924dc9115569ed353a65d0c85818aa3140f2c2
SHA512: fd05fcce50ea548e99ff1f1956fba90d1fe31ff08c215d18bd36ed5238ab9b9aca9bce558e60c1a71d6d97d0e5adf790750343b95976477560aad4e625452aba

Filesize: 3KB
MD5: 40913e5fab8c231d87ae9ed82ddc48a6
SHA1: 2717d8b0833a13b2e8902da04437518c5092e1a9
SHA256: c99cecff6b1543819ba333c12918a2ac99023ccc0c5b29b75c82e8d92d72b679
SHA512: 8ce3e46bfe00e16da243679334de20fc3c11e496cd40caf44e85af9866dfe070b1bfad1f16cdffb693ef46302e3c270556db7420416ad156062a0f5a6e0f8ba8

Filesize: 3KB
MD5: 23de7235b4676c9c53c5cad7267abd62
SHA1: 7c7eac55d44f13852222097f20a92bc1851027c9
SHA256: 468a650a28af530f1283f0ed9713baaa2b8305df07c4b61de1b387eacc303e4a
SHA512: 22af58af70392f7b629d69270db842eca71d4f094e9fe3d039ba3abf05f3225645d3eb8c762edd373be20eeec0bdd40fd34239f4d89442fe4ac9e1fa0ff8ca8d

Filesize: 3KB
MD5: 1d8a70dff325f5dab7305db3e3fec39b
SHA1: 218a21620d789da24d4ef26e1682a85f8b93467d
SHA256: 05d69813b6188f8ca3234aee0844c2ae8292030877123d4eb400765f05906063
SHA512: 24d0af7eb954c2e549e0f0cf5b4e71dcd1279367f44f33fa3bc850db755ea1bc178be65f9ef17e6ca36295c1eed4ec7c2bc56aa58dedd9f4c5c28b3ad122bb4a

Filesize: 3KB
MD5: fe99c4fd792f89afe753aca126c44c9e
SHA1: e84703397d01c2bb811cc016aa37881bf9003838
SHA256: cf37071e2b083931abaf1034f7cfb5750039e212c06d5263720820f1fdced698
SHA512: e3d058e529f65e7cab56587c9b0a8a8fb80fcb53cbbeb86ef70c4c8b6fc06d62afcd18e1473f67e275d45786e6bf0b5aa9fd4827d9b5764ce092bf4959ac973f

Filesize: 3KB
MD5: 9f7723220e334b22df66e70bd110f238
SHA1: f7e89ebe46d67c6ac2f2a93efd698b189a2d11d5
SHA256: 4da8695f82e607f1d9af8444d37d08df970efa6cb9e910926b8060cecdbca11e
SHA512: 339cfa1f1f31cefb6a68f24e0be6a25af5ad696708cc1bc99ae4f8514a3a3c7b67bb1aaebfc65418e2d1ac8e670c8ff225d91e94d02f2d8f7cb40a17e774d6bb

Filesize: 3KB
MD5: db0efda90892b46443dc7fbcced6d195
SHA1: 89b61a9b1a6901e64c150d8db1a801194e121a49
SHA256: 78fbf29a8009950a388869b696fea6bf6f197d52a0bb23736eaae53fa14b2b1a
SHA512: 1ddcdd83051d0caa0a34c57c76f4491c444c7f75488c9820c1c63b03c0d0c3eb02d1730605ab24275f768ad108b2ec4075a3a44306351632c322c0aab4f203a0

Filesize: 172KB
MD5: 685f1cbd4af30a1d0c25f252d399a666
SHA1: 6a1b978f5e6150b88c8634146f1406ed97d2f134
SHA256: 0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
SHA512: 6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Filesize: 257B
MD5: 92350dc76083b061f8e575aff0e9b2fe
SHA1: 4f6e66f09416c5959f74b9dce571185862226c44
SHA256: 7e6295c7b4efceb0d1b80df6335803eeba8b8f2674693a006e7696b9100ecac7
SHA512: e97752fa8c333095af7a54370b68eac66e81767639066ed9952da5c45c22b847d18d73b3fdf7492d5eb2c9f62d19663a18cf5e606653346b33ed406888e8ea3f

Filesize: 100KB
MD5: f05a5e0fdcc19195692891f7ebdd58af
SHA1: 9f981c8ce795dd30d3211e52af9bdbb570e27746
SHA256: 7a65519f06e51ffd0aaf0483d8c3570d75d8424b9ab65d0c47b396124fd86a00
SHA512: 0d511f422de800abaadbd635b165adb6c25492c684bd5533aa74a0c566956b5f1978eef6cd2686005471ba055441da2cb45b178e23b0647b5734f8d99e31a40f