hawkeye | ad90872dfd4b64dfbff9c38d36bd8b1fdb4173a14e84ad9d151d56d36dc87d08

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12-08-2024 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9066bf885cd72e46771654d0d8be15d3_JaffaCakes118.exe
Size

201KB
MD5

9066bf885cd72e46771654d0d8be15d3
SHA1

13afce866b59c99fa0319b7f204e6b6828d4b22c
SHA256

ad90872dfd4b64dfbff9c38d36bd8b1fdb4173a14e84ad9d151d56d36dc87d08
SHA512

ed55f1e9567c5076172f9037a6487fe406b0a87ecb7f8cc892a2e2d1cd9a2d832f7286d286dc90b85de34ecc0216309e5fe658c9c14cbaf07d4e1a4df42861ec
SSDEEP

6144:Cz+glrx25snmJr/TqRd4y/Nns9ImK+BqIbsJHo57:Cz+glrxcsnor/mRGmsCt+BqFxod

Score

10^/10

hawkeye discovery evasion keylogger persistence spyware stealer trojan upx

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Modifies firewall policy service 3 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\A7K5E8K1BX.exe = "C:\\Users\\Admin\\AppData\\Roaming\\A7K5E8K1BX.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\SiaPort.exe:*:Enabled:Windows Messanger"	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SiaPort.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	SiaPort.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\windws.exe = "C:\\Users\\Admin\\AppData\\Roaming\\A7K5E8K1BX.exe"	SiaPort.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

SiaPort.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A11B4B0-04BD-C31C-DD5B-1F1EBA8BD1A3}	SiaPort.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A11B4B0-04BD-C31C-DD5B-1F1EBA8BD1A3}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\A7K5E8K1BX.exe"	SiaPort.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{7A11B4B0-04BD-C31C-DD5B-1F1EBA8BD1A3}	SiaPort.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Active Setup\Installed Components\{7A11B4B0-04BD-C31C-DD5B-1F1EBA8BD1A3}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\A7K5E8K1BX.exe"	SiaPort.exe

Deletes itself 1 IoCs

Processes:

explorer.exe

pid	Process
2832	explorer.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exemvscavAP.exeSiaPort.exeSiaPort.exe

pid	Process
2832	explorer.exe
2612	mvscavAP.exe
2260	SiaPort.exe
1172	SiaPort.exe

Loads dropped DLL 7 IoCs

Processes:

9066bf885cd72e46771654d0d8be15d3_JaffaCakes118.exeexplorer.exemvscavAP.exeSiaPort.exe

pid	Process
2828	9066bf885cd72e46771654d0d8be15d3_JaffaCakes118.exe
2828	9066bf885cd72e46771654d0d8be15d3_JaffaCakes118.exe
2832	explorer.exe
2832	explorer.exe
2612	mvscavAP.exe
2612	mvscavAP.exe
2260	SiaPort.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1172-44-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/1172-41-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/1172-39-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/1172-38-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/1172-46-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/1172-45-0x0000000000400000-0x0000000000473000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SiaPort.exemvscavAP.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windws.exe = "C:\\Users\\Admin\\AppData\\Roaming\\A7K5E8K1BX.exe"	SiaPort.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\windws.exe = "C:\\Users\\Admin\\AppData\\Roaming\\A7K5E8K1BX.exe"	SiaPort.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\mvscavAP.exe"	mvscavAP.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SiaPort.exe

description	pid	Process	procid_target
PID 2260 set thread context of 1172	2260	SiaPort.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exereg.execmd.exereg.execmd.exe9066bf885cd72e46771654d0d8be15d3_JaffaCakes118.exeexplorer.exeSiaPort.exeSiaPort.exereg.exemvscavAP.execmd.exereg.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9066bf885cd72e46771654d0d8be15d3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SiaPort.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SiaPort.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mvscavAP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exe

pid	Process
3044	reg.exe
2912	reg.exe
1704	reg.exe
3048	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exemvscavAP.exeSiaPort.exe

pid	Process
2832	explorer.exe
2612	mvscavAP.exe
2260	SiaPort.exe
2832	explorer.exe
2612	mvscavAP.exe
2260	SiaPort.exe
2832	explorer.exe
2612	mvscavAP.exe
2260	SiaPort.exe
2832	explorer.exe
2612	mvscavAP.exe
2260	SiaPort.exe
2832	explorer.exe
2612	mvscavAP.exe
2260	SiaPort.exe
2832	explorer.exe
2612	mvscavAP.exe
2260	SiaPort.exe
2832	explorer.exe
2612	mvscavAP.exe
2260	SiaPort.exe
2832	explorer.exe
2612	mvscavAP.exe
2260	SiaPort.exe
2832	explorer.exe
2612	mvscavAP.exe
2260	SiaPort.exe
2832	explorer.exe
2612	mvscavAP.exe
2260	SiaPort.exe
2832	explorer.exe
2612	mvscavAP.exe
2260	SiaPort.exe
2832	explorer.exe
2612	mvscavAP.exe
2260	SiaPort.exe
2832	explorer.exe
2612	mvscavAP.exe
2260	SiaPort.exe
2832	explorer.exe
2612	mvscavAP.exe
2260	SiaPort.exe
2832	explorer.exe
2612	mvscavAP.exe
2260	SiaPort.exe
2832	explorer.exe
2612	mvscavAP.exe
2260	SiaPort.exe
2832	explorer.exe
2612	mvscavAP.exe
2260	SiaPort.exe
2832	explorer.exe
2612	mvscavAP.exe
2260	SiaPort.exe
2832	explorer.exe
2612	mvscavAP.exe
2260	SiaPort.exe
2832	explorer.exe
2612	mvscavAP.exe
2260	SiaPort.exe
2832	explorer.exe
2612	mvscavAP.exe
2260	SiaPort.exe
2832	explorer.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

9066bf885cd72e46771654d0d8be15d3_JaffaCakes118.exeexplorer.exemvscavAP.exeSiaPort.exeSiaPort.exe

description	pid	Process
Token: SeDebugPrivilege	2828	9066bf885cd72e46771654d0d8be15d3_JaffaCakes118.exe
Token: SeDebugPrivilege	2832	explorer.exe
Token: SeDebugPrivilege	2612	mvscavAP.exe
Token: SeDebugPrivilege	2260	SiaPort.exe
Token: 1	1172	SiaPort.exe
Token: SeCreateTokenPrivilege	1172	SiaPort.exe
Token: SeAssignPrimaryTokenPrivilege	1172	SiaPort.exe
Token: SeLockMemoryPrivilege	1172	SiaPort.exe
Token: SeIncreaseQuotaPrivilege	1172	SiaPort.exe
Token: SeMachineAccountPrivilege	1172	SiaPort.exe
Token: SeTcbPrivilege	1172	SiaPort.exe
Token: SeSecurityPrivilege	1172	SiaPort.exe
Token: SeTakeOwnershipPrivilege	1172	SiaPort.exe
Token: SeLoadDriverPrivilege	1172	SiaPort.exe
Token: SeSystemProfilePrivilege	1172	SiaPort.exe
Token: SeSystemtimePrivilege	1172	SiaPort.exe
Token: SeProfSingleProcessPrivilege	1172	SiaPort.exe
Token: SeIncBasePriorityPrivilege	1172	SiaPort.exe
Token: SeCreatePagefilePrivilege	1172	SiaPort.exe
Token: SeCreatePermanentPrivilege	1172	SiaPort.exe
Token: SeBackupPrivilege	1172	SiaPort.exe
Token: SeRestorePrivilege	1172	SiaPort.exe
Token: SeShutdownPrivilege	1172	SiaPort.exe
Token: SeDebugPrivilege	1172	SiaPort.exe
Token: SeAuditPrivilege	1172	SiaPort.exe
Token: SeSystemEnvironmentPrivilege	1172	SiaPort.exe
Token: SeChangeNotifyPrivilege	1172	SiaPort.exe
Token: SeRemoteShutdownPrivilege	1172	SiaPort.exe
Token: SeUndockPrivilege	1172	SiaPort.exe
Token: SeSyncAgentPrivilege	1172	SiaPort.exe
Token: SeEnableDelegationPrivilege	1172	SiaPort.exe
Token: SeManageVolumePrivilege	1172	SiaPort.exe
Token: SeImpersonatePrivilege	1172	SiaPort.exe
Token: SeCreateGlobalPrivilege	1172	SiaPort.exe
Token: 31	1172	SiaPort.exe
Token: 32	1172	SiaPort.exe
Token: 33	1172	SiaPort.exe
Token: 34	1172	SiaPort.exe
Token: 35	1172	SiaPort.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

SiaPort.exe

pid	Process
1172	SiaPort.exe
1172	SiaPort.exe
1172	SiaPort.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

9066bf885cd72e46771654d0d8be15d3_JaffaCakes118.exeexplorer.exemvscavAP.exeSiaPort.exeSiaPort.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2828 wrote to memory of 2832	2828	9066bf885cd72e46771654d0d8be15d3_JaffaCakes118.exe	30
PID 2828 wrote to memory of 2832	2828	9066bf885cd72e46771654d0d8be15d3_JaffaCakes118.exe	30
PID 2828 wrote to memory of 2832	2828	9066bf885cd72e46771654d0d8be15d3_JaffaCakes118.exe	30
PID 2828 wrote to memory of 2832	2828	9066bf885cd72e46771654d0d8be15d3_JaffaCakes118.exe	30
PID 2832 wrote to memory of 2036	2832	explorer.exe	31
PID 2832 wrote to memory of 2036	2832	explorer.exe	31
PID 2832 wrote to memory of 2036	2832	explorer.exe	31
PID 2832 wrote to memory of 2036	2832	explorer.exe	31
PID 2832 wrote to memory of 2612	2832	explorer.exe	32
PID 2832 wrote to memory of 2612	2832	explorer.exe	32
PID 2832 wrote to memory of 2612	2832	explorer.exe	32
PID 2832 wrote to memory of 2612	2832	explorer.exe	32
PID 2612 wrote to memory of 2260	2612	mvscavAP.exe	33
PID 2612 wrote to memory of 2260	2612	mvscavAP.exe	33
PID 2612 wrote to memory of 2260	2612	mvscavAP.exe	33
PID 2612 wrote to memory of 2260	2612	mvscavAP.exe	33
PID 2260 wrote to memory of 1172	2260	SiaPort.exe	34
PID 2260 wrote to memory of 1172	2260	SiaPort.exe	34
PID 2260 wrote to memory of 1172	2260	SiaPort.exe	34
PID 2260 wrote to memory of 1172	2260	SiaPort.exe	34
PID 2260 wrote to memory of 1172	2260	SiaPort.exe	34
PID 2260 wrote to memory of 1172	2260	SiaPort.exe	34
PID 2260 wrote to memory of 1172	2260	SiaPort.exe	34
PID 2260 wrote to memory of 1172	2260	SiaPort.exe	34
PID 1172 wrote to memory of 1588	1172	SiaPort.exe	35
PID 1172 wrote to memory of 1588	1172	SiaPort.exe	35
PID 1172 wrote to memory of 1588	1172	SiaPort.exe	35
PID 1172 wrote to memory of 1588	1172	SiaPort.exe	35
PID 1172 wrote to memory of 2256	1172	SiaPort.exe	36
PID 1172 wrote to memory of 2256	1172	SiaPort.exe	36
PID 1172 wrote to memory of 2256	1172	SiaPort.exe	36
PID 1172 wrote to memory of 2256	1172	SiaPort.exe	36
PID 1172 wrote to memory of 2468	1172	SiaPort.exe	37
PID 1172 wrote to memory of 2468	1172	SiaPort.exe	37
PID 1172 wrote to memory of 2468	1172	SiaPort.exe	37
PID 1172 wrote to memory of 2468	1172	SiaPort.exe	37
PID 1172 wrote to memory of 2512	1172	SiaPort.exe	41
PID 1172 wrote to memory of 2512	1172	SiaPort.exe	41
PID 1172 wrote to memory of 2512	1172	SiaPort.exe	41
PID 1172 wrote to memory of 2512	1172	SiaPort.exe	41
PID 1588 wrote to memory of 1704	1588	cmd.exe	42
PID 1588 wrote to memory of 1704	1588	cmd.exe	42
PID 1588 wrote to memory of 1704	1588	cmd.exe	42
PID 1588 wrote to memory of 1704	1588	cmd.exe	42
PID 2468 wrote to memory of 3048	2468	cmd.exe	44
PID 2468 wrote to memory of 3048	2468	cmd.exe	44
PID 2468 wrote to memory of 3048	2468	cmd.exe	44
PID 2468 wrote to memory of 3048	2468	cmd.exe	44
PID 2256 wrote to memory of 3044	2256	cmd.exe	45
PID 2256 wrote to memory of 3044	2256	cmd.exe	45
PID 2256 wrote to memory of 3044	2256	cmd.exe	45
PID 2256 wrote to memory of 3044	2256	cmd.exe	45
PID 2512 wrote to memory of 2912	2512	cmd.exe	46
PID 2512 wrote to memory of 2912	2512	cmd.exe	46
PID 2512 wrote to memory of 2912	2512	cmd.exe	46
PID 2512 wrote to memory of 2912	2512	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\9066bf885cd72e46771654d0d8be15d3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9066bf885cd72e46771654d0d8be15d3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    3⤵
    PID:2036
- - C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe
    "C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
      "C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2260
    - - C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
        
        C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1172
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        7⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1704
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe:*:Enabled:Windows Messanger" /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe:*:Enabled:Windows Messanger" /f
        7⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3044
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        7⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3048
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\A7K5E8K1BX.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\A7K5E8K1BX.exe:*:Enabled:Windows Messanger" /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\A7K5E8K1BX.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\A7K5E8K1BX.exe:*:Enabled:Windows Messanger" /f
        7⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
84B

MD5
717371b9b665ead5e4e2f052a98c7eba

SHA1
fea748fcab2e473ac5eeeac378b19e1bb296a868

SHA256
dca6b5d9d19a3449a2d314e73513c2ee387bbcbc9c660e83e54621280975da0e

SHA512
8d37c813e3526ec3839c982c4267ec1fe6f537fed336225299738a654799e5cd953897cf4c4c1319e7215cbee4e336d4d7163e7aa821930eca44692ca3f06fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe

Filesize
6KB

MD5
c203e138f460101f8af1314c0e817892

SHA1
13c2bc33e42e86e066d303b8596211d92a1a814e

SHA256
1d06c0e123142e3d119f5d865cba651d10c1b96a6fb44b68782b5f762ee16454

SHA512
ed9890756d06e0418223bda173c054839c407687c4f4cc0de63f7ef77a8872c146157c85be215b45f60636c7dfc2c815660d979b2f581408bbdae336428e045c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
201KB

MD5
9066bf885cd72e46771654d0d8be15d3

SHA1
13afce866b59c99fa0319b7f204e6b6828d4b22c

SHA256
ad90872dfd4b64dfbff9c38d36bd8b1fdb4173a14e84ad9d151d56d36dc87d08

SHA512
ed55f1e9567c5076172f9037a6487fe406b0a87ecb7f8cc892a2e2d1cd9a2d832f7286d286dc90b85de34ecc0216309e5fe658c9c14cbaf07d4e1a4df42861ec

Download Submit
memory/1172-40-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1172-39-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1172-45-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1172-46-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1172-38-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1172-41-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1172-37-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1172-44-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2828-1-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/2828-0-0x0000000074A31000-0x0000000074A32000-memory.dmp

Filesize
4KB

Download
memory/2828-2-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/2828-14-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/2832-16-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/2832-15-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/2832-52-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download