d3d1f9bb9c14e22d9b2ef3be231007f410712151df0b20d778a68b747131bd06

Analysis

max time kernel
150s
max time network
135s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11-08-2024 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
Size

3.4MB
MD5

8b4b919616fe2147d682bf72be22702a
SHA1

73f7d942ae6816b24e150573a0a707869296a01d
SHA256

d3d1f9bb9c14e22d9b2ef3be231007f410712151df0b20d778a68b747131bd06
SHA512

268bb299838d4a40f760206a30458db9c131b5489cf454ab48ef36e817cfa82f8a4be5d173e7193e55d1b9717027eb404dbbb4a93ce9d13042903fc0610e7597
SSDEEP

49152:ND2dnYR2i7zAJDbai+0zq7xEVSDWcesbzCw/Qa1/AM/aD2dnYR2i7zAJDbaO:52i7zu+/bzCfcA6g2i7zy

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2636	ninstall.exe
1656	gsender.exe
1516	ninstall.exe
2792	gsender.exe
1492	ninstall.exe
1144	gsender.exe
1568	ninstall.exe
892	gsender.exe
1880	ninstall.exe
1636	gsender.exe
2516	ninstall.exe
2712	gsender.exe
2644	ninstall.exe
3060	ninstall.exe
1496	gsender.exe
1912	gsender.exe
820	ninstall.exe
3048	gsender.exe
2496	ninstall.exe
1852	gsender.exe
2596	ninstall.exe
1556	gsender.exe
2776	ninstall.exe
2852	gsender.exe
2204	ninstall.exe
2488	gsender.exe

Loads dropped DLL 64 IoCs

pid	Process
1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
2636	ninstall.exe
2636	ninstall.exe
2636	ninstall.exe
1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
1656	gsender.exe
1516	ninstall.exe
1516	ninstall.exe
1516	ninstall.exe
1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
1492	ninstall.exe
1492	ninstall.exe
1492	ninstall.exe
1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
2636	ninstall.exe
1568	ninstall.exe
1568	ninstall.exe
1568	ninstall.exe
2636	ninstall.exe
2636	ninstall.exe
892	gsender.exe
892	gsender.exe
892	gsender.exe
1656	gsender.exe
1880	ninstall.exe
1880	ninstall.exe
1880	ninstall.exe
1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
2516	ninstall.exe
2516	ninstall.exe
2516	ninstall.exe
1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
2636	ninstall.exe
1656	gsender.exe
2644	ninstall.exe
2644	ninstall.exe
2644	ninstall.exe
3060	ninstall.exe
3060	ninstall.exe
3060	ninstall.exe
2636	ninstall.exe
2636	ninstall.exe
1912	gsender.exe
1912	gsender.exe
1912	gsender.exe
1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
820	ninstall.exe
820	ninstall.exe
820	ninstall.exe
1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
1656	gsender.exe
2496	ninstall.exe
2496	ninstall.exe
2496	ninstall.exe
1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
2596	ninstall.exe
2596	ninstall.exe
2596	ninstall.exe
1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
2636	ninstall.exe
2776	ninstall.exe
2776	ninstall.exe
2776	ninstall.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ninstall = "C:\\Program Files\\7-Zip\\ninstall.exe"	ninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ninstall = "C:\\Program Files\\7-Zip\\ninstall.exe"	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
File opened (read-only)	\??\K:	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
File opened (read-only)	\??\O:	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
File opened (read-only)	\??\Q:	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
File opened (read-only)	\??\X:	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
File opened (read-only)	\??\B:	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
File opened (read-only)	\??\G:	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
File opened (read-only)	\??\H:	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
File opened (read-only)	\??\I:	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
File opened (read-only)	\??\L:	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
File opened (read-only)	\??\M:	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
File opened (read-only)	\??\P:	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
File opened (read-only)	\??\R:	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
File opened (read-only)	\??\A:	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
File opened (read-only)	\??\E:	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
File opened (read-only)	\??\Z:	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
File opened (read-only)	\??\S:	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
File opened (read-only)	\??\V:	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
File opened (read-only)	\??\U:	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
File opened (read-only)	\??\W:	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
File opened (read-only)	\??\Y:	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
File opened (read-only)	\??\N:	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
File opened (read-only)	\??\T:	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\ninstall.exe	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\ninstall.exe	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\gsender.exe	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\ninstall.exe	ninstall.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gsender.exe	ninstall.exe
File opened for modification	C:\Program Files\7-Zip\ninstall.exe	gsender.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gsender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gsender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gsender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gsender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gsender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gsender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gsender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gsender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gsender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gsender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gsender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gsender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gsender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ninstall.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	ninstall.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	gsender.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
2636	ninstall.exe
2636	ninstall.exe
2636	ninstall.exe
1656	gsender.exe
1656	gsender.exe
1656	gsender.exe
1516	ninstall.exe
1516	ninstall.exe
1516	ninstall.exe
2792	gsender.exe
2792	gsender.exe
2792	gsender.exe
1492	ninstall.exe
1492	ninstall.exe
1492	ninstall.exe
1144	gsender.exe
1144	gsender.exe
1144	gsender.exe
1568	ninstall.exe
1568	ninstall.exe
1568	ninstall.exe
892	gsender.exe
892	gsender.exe
892	gsender.exe
1636	gsender.exe
1636	gsender.exe
1636	gsender.exe
2516	ninstall.exe
2516	ninstall.exe
2516	ninstall.exe
2712	gsender.exe
2712	gsender.exe
2712	gsender.exe
2644	ninstall.exe
3060	ninstall.exe
3060	ninstall.exe
3060	ninstall.exe
2644	ninstall.exe
2644	ninstall.exe
1496	gsender.exe
1496	gsender.exe
1496	gsender.exe
1912	gsender.exe
1912	gsender.exe
1912	gsender.exe
820	ninstall.exe
820	ninstall.exe
820	ninstall.exe
3048	gsender.exe
3048	gsender.exe
3048	gsender.exe
2496	ninstall.exe
2496	ninstall.exe
2496	ninstall.exe
1852	gsender.exe
1852	gsender.exe
1852	gsender.exe
2596	ninstall.exe
2596	ninstall.exe
2596	ninstall.exe
1556	gsender.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2636	1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe	31
PID 1740 wrote to memory of 2636	1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe	31
PID 1740 wrote to memory of 2636	1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe	31
PID 1740 wrote to memory of 2636	1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe	31
PID 1740 wrote to memory of 2636	1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe	31
PID 1740 wrote to memory of 2636	1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe	31
PID 1740 wrote to memory of 2636	1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe	31
PID 1740 wrote to memory of 1656	1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe	32
PID 1740 wrote to memory of 1656	1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe	32
PID 1740 wrote to memory of 1656	1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe	32
PID 1740 wrote to memory of 1656	1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe	32
PID 1656 wrote to memory of 1516	1656	gsender.exe	33
PID 1656 wrote to memory of 1516	1656	gsender.exe	33
PID 1656 wrote to memory of 1516	1656	gsender.exe	33
PID 1656 wrote to memory of 1516	1656	gsender.exe	33
PID 1656 wrote to memory of 1516	1656	gsender.exe	33
PID 1656 wrote to memory of 1516	1656	gsender.exe	33
PID 1656 wrote to memory of 1516	1656	gsender.exe	33
PID 1656 wrote to memory of 2792	1656	gsender.exe	34
PID 1656 wrote to memory of 2792	1656	gsender.exe	34
PID 1656 wrote to memory of 2792	1656	gsender.exe	34
PID 1656 wrote to memory of 2792	1656	gsender.exe	34
PID 1740 wrote to memory of 1492	1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe	35
PID 1740 wrote to memory of 1492	1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe	35
PID 1740 wrote to memory of 1492	1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe	35
PID 1740 wrote to memory of 1492	1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe	35
PID 1740 wrote to memory of 1492	1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe	35
PID 1740 wrote to memory of 1492	1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe	35
PID 1740 wrote to memory of 1492	1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe	35
PID 1740 wrote to memory of 1144	1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe	36
PID 1740 wrote to memory of 1144	1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe	36
PID 1740 wrote to memory of 1144	1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe	36
PID 1740 wrote to memory of 1144	1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe	36
PID 2636 wrote to memory of 1568	2636	ninstall.exe	38
PID 2636 wrote to memory of 1568	2636	ninstall.exe	38
PID 2636 wrote to memory of 1568	2636	ninstall.exe	38
PID 2636 wrote to memory of 1568	2636	ninstall.exe	38
PID 2636 wrote to memory of 1568	2636	ninstall.exe	38
PID 2636 wrote to memory of 1568	2636	ninstall.exe	38
PID 2636 wrote to memory of 1568	2636	ninstall.exe	38
PID 2636 wrote to memory of 892	2636	ninstall.exe	39
PID 2636 wrote to memory of 892	2636	ninstall.exe	39
PID 2636 wrote to memory of 892	2636	ninstall.exe	39
PID 2636 wrote to memory of 892	2636	ninstall.exe	39
PID 2636 wrote to memory of 892	2636	ninstall.exe	39
PID 2636 wrote to memory of 892	2636	ninstall.exe	39
PID 2636 wrote to memory of 892	2636	ninstall.exe	39
PID 1656 wrote to memory of 1880	1656	gsender.exe	40
PID 1656 wrote to memory of 1880	1656	gsender.exe	40
PID 1656 wrote to memory of 1880	1656	gsender.exe	40
PID 1656 wrote to memory of 1880	1656	gsender.exe	40
PID 1656 wrote to memory of 1880	1656	gsender.exe	40
PID 1656 wrote to memory of 1880	1656	gsender.exe	40
PID 1656 wrote to memory of 1880	1656	gsender.exe	40
PID 1656 wrote to memory of 1636	1656	gsender.exe	41
PID 1656 wrote to memory of 1636	1656	gsender.exe	41
PID 1656 wrote to memory of 1636	1656	gsender.exe	41
PID 1656 wrote to memory of 1636	1656	gsender.exe	41
PID 1740 wrote to memory of 2516	1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe	42
PID 1740 wrote to memory of 2516	1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe	42
PID 1740 wrote to memory of 2516	1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe	42
PID 1740 wrote to memory of 2516	1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe	42
PID 1740 wrote to memory of 2516	1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe	42
PID 1740 wrote to memory of 2516	1740	8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe	42

C:\Users\Admin\AppData\Local\Temp\8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8b4b919616fe2147d682bf72be22702a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Program Files\7-Zip\ninstall.exe
  "C:\Program Files\7-Zip\ninstall.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Program Files\7-Zip\ninstall.exe
    "C:\Program Files\7-Zip\ninstall.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1568
- - C:\Program Files\Mozilla Firefox\gsender.exe
    "C:\Program Files\Mozilla Firefox\gsender.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:892
- - C:\Program Files\7-Zip\ninstall.exe
    "C:\Program Files\7-Zip\ninstall.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2644
- - C:\Program Files\Mozilla Firefox\gsender.exe
    "C:\Program Files\Mozilla Firefox\gsender.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1912
- - C:\Program Files\7-Zip\ninstall.exe
    "C:\Program Files\7-Zip\ninstall.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2776
- - C:\Program Files\Mozilla Firefox\gsender.exe
    "C:\Program Files\Mozilla Firefox\gsender.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2852
- C:\Program Files\Mozilla Firefox\gsender.exe
  "C:\Program Files\Mozilla Firefox\gsender.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Program Files\7-Zip\ninstall.exe
    "C:\Program Files\7-Zip\ninstall.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1516
- - C:\Program Files\Mozilla Firefox\gsender.exe
    "C:\Program Files\Mozilla Firefox\gsender.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2792
- - C:\Program Files\7-Zip\ninstall.exe
    "C:\Program Files\7-Zip\ninstall.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1880
- - C:\Program Files\Mozilla Firefox\gsender.exe
    "C:\Program Files\Mozilla Firefox\gsender.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1636
- - C:\Program Files\7-Zip\ninstall.exe
    "C:\Program Files\7-Zip\ninstall.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3060
- - C:\Program Files\Mozilla Firefox\gsender.exe
    "C:\Program Files\Mozilla Firefox\gsender.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1496
- - C:\Program Files\7-Zip\ninstall.exe
    "C:\Program Files\7-Zip\ninstall.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2496
- - C:\Program Files\Mozilla Firefox\gsender.exe
    "C:\Program Files\Mozilla Firefox\gsender.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1852
- - C:\Program Files\7-Zip\ninstall.exe
    "C:\Program Files\7-Zip\ninstall.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2204
- - C:\Program Files\Mozilla Firefox\gsender.exe
    "C:\Program Files\Mozilla Firefox\gsender.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2488
- C:\Program Files\7-Zip\ninstall.exe
  "C:\Program Files\7-Zip\ninstall.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1492
- C:\Program Files\Mozilla Firefox\gsender.exe
  "C:\Program Files\Mozilla Firefox\gsender.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1144
- C:\Program Files\7-Zip\ninstall.exe
  "C:\Program Files\7-Zip\ninstall.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2516
- C:\Program Files\Mozilla Firefox\gsender.exe
  "C:\Program Files\Mozilla Firefox\gsender.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2712
- C:\Program Files\7-Zip\ninstall.exe
  "C:\Program Files\7-Zip\ninstall.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:820
- C:\Program Files\Mozilla Firefox\gsender.exe
  "C:\Program Files\Mozilla Firefox\gsender.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3048
- C:\Program Files\7-Zip\ninstall.exe
  "C:\Program Files\7-Zip\ninstall.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2596
- C:\Program Files\Mozilla Firefox\gsender.exe
  "C:\Program Files\Mozilla Firefox\gsender.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4MP1SLKR\ErrorPageTemplate[1]

Filesize
2KB

MD5
f4fe1cb77e758e1ba56b8a8ec20417c5

SHA1
f4eda06901edb98633a686b11d02f4925f827bf0

SHA256
8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f

SHA512
62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4MP1SLKR\background_gradient[2]

Filesize
453B

MD5
20f0110ed5e4e0d5384a496e4880139b

SHA1
51f5fc61d8bf19100df0f8aadaa57fcd9c086255

SHA256
1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b

SHA512
5f52c117e346111d99d3b642926139178a80b9ec03147c00e27f07aab47fe38e9319fe983444f3e0e36def1e86dd7c56c25e44b14efdc3f13b45ededa064db5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4MP1SLKR\bullet[1]

Filesize
447B

MD5
26f971d87ca00e23bd2d064524aef838

SHA1
7440beff2f4f8fabc9315608a13bf26cabad27d9

SHA256
1d8e5fd3c1fd384c0a7507e7283c7fe8f65015e521b84569132a7eabedc9d41d

SHA512
c62eb51be301bb96c80539d66a73cd17ca2021d5d816233853a37db72e04050271e581cc99652f3d8469b390003ca6c62dad2a9d57164c620b7777ae99aa1b15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4MP1SLKR\dnserrordiagoff[1]

Filesize
1KB

MD5
47f581b112d58eda23ea8b2e08cf0ff0

SHA1
6ec1df5eaec1439573aef0fb96dabfc953305e5b

SHA256
b1c947d00db5fce43314c56c663dbeae0ffa13407c9c16225c17ccefc3afa928

SHA512
187383eef3d646091e9f68eff680a11c7947b3d9b54a78cc6de4a04629d7037e9c97673ac054a6f1cf591235c110ca181a6b69ecba0e5032168f56f4486fff92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4MP1SLKR\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4MP1SLKR\info_48[2]

Filesize
4KB

MD5
5565250fcc163aa3a79f0b746416ce69

SHA1
b97cc66471fcdee07d0ee36c7fb03f342c231f8f

SHA256
51129c6c98a82ea491f89857c31146ecec14c4af184517450a7a20c699c84859

SHA512
e60ea153b0fece4d311769391d3b763b14b9a140105a36a13dad23c2906735eaab9092236deb8c68ef078e8864d6e288bef7ef1731c1e9f1ad9b0170b95ac134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4UQ4J2DQ\NewErrorPageTemplate[1]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4UQ4J2DQ\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4UQ4J2DQ\navcancl[1]

Filesize
2KB

MD5
4bcfe9f8db04948cddb5e31fe6a7f984

SHA1
42464c70fc16f3f361c2419751acd57d51613cdf

SHA256
bee0439fcf31de76d6e2d7fd377a24a34ac8763d5bf4114da5e1663009e24228

SHA512
bb0ef3d32310644285f4062ad5f27f30649c04c5a442361a5dbe3672bd8cb585160187070872a31d9f30b70397d81449623510365a371e73bda580e00eef0e4e

Download Submit
C:\g91gy2.txt

Filesize
15KB

MD5
73809e9887b6aecc738c79a8968d6e61

SHA1
7150238161cf6acdfc4c402d6352c725098840fd

SHA256
df0ab06e2a5980b5725b99dcd14e308712e5ddf5bfa397343cf2aec21ef7cb79

SHA512
d14cc420079aaadf197abd668059db6a25de7a806e0eae468dae7e7dfba8dfbb9f6e17d481c0bdec3ee156c75ac7e95563e0184cbaaa262a1bd6161591fd2e74

Download Submit
\Program Files\7-Zip\ninstall.exe

Filesize
3.4MB

MD5
8b4b919616fe2147d682bf72be22702a

SHA1
73f7d942ae6816b24e150573a0a707869296a01d

SHA256
d3d1f9bb9c14e22d9b2ef3be231007f410712151df0b20d778a68b747131bd06

SHA512
268bb299838d4a40f760206a30458db9c131b5489cf454ab48ef36e817cfa82f8a4be5d173e7193e55d1b9717027eb404dbbb4a93ce9d13042903fc0610e7597

Download Submit
memory/1656-157-0x00000000048E0000-0x0000000005942000-memory.dmp

Filesize
16.4MB

Download
memory/1656-185-0x0000000006140000-0x0000000006552000-memory.dmp

Filesize
4.1MB

Download
memory/1740-15-0x0000000006110000-0x0000000006522000-memory.dmp

Filesize
4.1MB

Download
memory/1740-2-0x00000000044E0000-0x0000000005542000-memory.dmp

Filesize
16.4MB

Download
memory/2636-60-0x0000000004A10000-0x0000000005A72000-memory.dmp

Filesize
16.4MB

Download
memory/2636-81-0x0000000006230000-0x0000000006642000-memory.dmp

Filesize
4.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads