f4ec69dc9212cbffe2a74bb355f50f99b5442f52b5b70595de0b3f33233dcc4b

Analysis

max time kernel
142s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18-08-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a796327ce2ca78fa734aedf237df55e8_JaffaCakes118.exe
Size

657KB
MD5

a796327ce2ca78fa734aedf237df55e8
SHA1

895ca753640da9b474ff50cfc1e3f14453dd1327
SHA256

f4ec69dc9212cbffe2a74bb355f50f99b5442f52b5b70595de0b3f33233dcc4b
SHA512

6952d2c15a25f35e3c7bd990b420d3f35ce4720d52b6a14e92711b30f551488f797279879f0ba1be9a129952beb5e794832e4fa9b29c701a40cb62323db7c302
SSDEEP

12288:zXg/LFPMdV4Fg88nPnAX2qArDY4LalpBCOjAj5QFYGq6tJdVcbmVHE8FpY/LS:oJkdV4KhPAGqAXY42lpBvAj5kYytJLcs

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 35 IoCs

pid	Process
1872	صورة.exe
612	ÕæÑÉ.exe
1124	cmd.exe
2448	ÕæÑÉ.exe
1224	ÕæÑÉ.exe
1180	PING.EXE
2432	PING.EXE
1892	PING.EXE
2304	PING.EXE
1748	PING.EXE
1140	PING.EXE
612	PING.EXE
2384	PING.EXE
2512	PING.EXE
1576	PING.EXE
1800	PING.EXE
2788	PING.EXE
1956	PING.EXE
2668	PING.EXE
2084	PING.EXE
2688	PING.EXE
2752	PING.EXE
3032	PING.EXE
1128	PING.EXE
2712	PING.EXE
2632	PING.EXE
972	PING.EXE
2392	PING.EXE
300	PING.EXE
1776	PING.EXE
2296	PING.EXE
2764	PING.EXE
2556	PING.EXE
3012	PING.EXE
2680	PING.EXE

Loads dropped DLL 50 IoCs

pid	Process
2784	a796327ce2ca78fa734aedf237df55e8_JaffaCakes118.exe
1872	صورة.exe
1872	صورة.exe
612	ÕæÑÉ.exe
612	ÕæÑÉ.exe
1872	صورة.exe
612	ÕæÑÉ.exe
612	ÕæÑÉ.exe
2448	ÕæÑÉ.exe
2448	ÕæÑÉ.exe
2448	ÕæÑÉ.exe
2448	ÕæÑÉ.exe
1224	ÕæÑÉ.exe
1224	ÕæÑÉ.exe
1224	ÕæÑÉ.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1124	cmd.exe
1808	WerFault.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe
1124	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Windows\\system32\\file.exe"	صورة.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Windows\\system32\\file.exe"	صورة.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 612 set thread context of 2448	612	ÕæÑÉ.exe	34
PID 2448 set thread context of 1224	2448	ÕæÑÉ.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
1808	1224	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a796327ce2ca78fa734aedf237df55e8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ÕæÑÉ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ÕæÑÉ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	صورة.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ÕæÑÉ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 31 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2668	PING.EXE
2764	PING.EXE
1140	PING.EXE
612	PING.EXE
1956	PING.EXE
2556	PING.EXE
1124	cmd.exe
2432	PING.EXE
2304	PING.EXE
1748	PING.EXE
1128	PING.EXE
972	PING.EXE
1180	PING.EXE
1800	PING.EXE
2632	PING.EXE
3012	PING.EXE
2680	PING.EXE
1576	PING.EXE
2788	PING.EXE
2084	PING.EXE
2752	PING.EXE
3032	PING.EXE
300	PING.EXE
2384	PING.EXE
2512	PING.EXE
2688	PING.EXE
2392	PING.EXE
1776	PING.EXE
2296	PING.EXE
1892	PING.EXE
2712	PING.EXE

Runs ping.exe 1 TTPs 30 IoCs

Remote System Discovery

T1018

pid	Process
1748	PING.EXE
2512	PING.EXE
1576	PING.EXE
1956	PING.EXE
2764	PING.EXE
2680	PING.EXE
1180	PING.EXE
2788	PING.EXE
2668	PING.EXE
2752	PING.EXE
2392	PING.EXE
300	PING.EXE
972	PING.EXE
1140	PING.EXE
2632	PING.EXE
2296	PING.EXE
1892	PING.EXE
2384	PING.EXE
2084	PING.EXE
3012	PING.EXE
2432	PING.EXE
612	PING.EXE
2712	PING.EXE
2556	PING.EXE
2688	PING.EXE
3032	PING.EXE
1128	PING.EXE
2304	PING.EXE
1800	PING.EXE
1776	PING.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	2784	a796327ce2ca78fa734aedf237df55e8_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2784	a796327ce2ca78fa734aedf237df55e8_JaffaCakes118.exe
Token: 33	2784	a796327ce2ca78fa734aedf237df55e8_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2784	a796327ce2ca78fa734aedf237df55e8_JaffaCakes118.exe
Token: 33	2784	a796327ce2ca78fa734aedf237df55e8_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2784	a796327ce2ca78fa734aedf237df55e8_JaffaCakes118.exe
Token: 33	1872	صورة.exe
Token: SeIncBasePriorityPrivilege	1872	صورة.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 1872	2784	a796327ce2ca78fa734aedf237df55e8_JaffaCakes118.exe	30
PID 2784 wrote to memory of 1872	2784	a796327ce2ca78fa734aedf237df55e8_JaffaCakes118.exe	30
PID 2784 wrote to memory of 1872	2784	a796327ce2ca78fa734aedf237df55e8_JaffaCakes118.exe	30
PID 2784 wrote to memory of 1872	2784	a796327ce2ca78fa734aedf237df55e8_JaffaCakes118.exe	30
PID 2784 wrote to memory of 1872	2784	a796327ce2ca78fa734aedf237df55e8_JaffaCakes118.exe	30
PID 2784 wrote to memory of 1872	2784	a796327ce2ca78fa734aedf237df55e8_JaffaCakes118.exe	30
PID 2784 wrote to memory of 1872	2784	a796327ce2ca78fa734aedf237df55e8_JaffaCakes118.exe	30
PID 1872 wrote to memory of 612	1872	صورة.exe	31
PID 1872 wrote to memory of 612	1872	صورة.exe	31
PID 1872 wrote to memory of 612	1872	صورة.exe	31
PID 1872 wrote to memory of 612	1872	صورة.exe	31
PID 1872 wrote to memory of 612	1872	صورة.exe	31
PID 1872 wrote to memory of 612	1872	صورة.exe	31
PID 1872 wrote to memory of 612	1872	صورة.exe	31
PID 1872 wrote to memory of 1124	1872	صورة.exe	32
PID 1872 wrote to memory of 1124	1872	صورة.exe	32
PID 1872 wrote to memory of 1124	1872	صورة.exe	32
PID 1872 wrote to memory of 1124	1872	صورة.exe	32
PID 1872 wrote to memory of 1124	1872	صورة.exe	32
PID 1872 wrote to memory of 1124	1872	صورة.exe	32
PID 1872 wrote to memory of 1124	1872	صورة.exe	32
PID 612 wrote to memory of 2448	612	ÕæÑÉ.exe	34
PID 612 wrote to memory of 2448	612	ÕæÑÉ.exe	34
PID 612 wrote to memory of 2448	612	ÕæÑÉ.exe	34
PID 612 wrote to memory of 2448	612	ÕæÑÉ.exe	34
PID 612 wrote to memory of 2448	612	ÕæÑÉ.exe	34
PID 612 wrote to memory of 2448	612	ÕæÑÉ.exe	34
PID 612 wrote to memory of 2448	612	ÕæÑÉ.exe	34
PID 612 wrote to memory of 2448	612	ÕæÑÉ.exe	34
PID 612 wrote to memory of 2448	612	ÕæÑÉ.exe	34
PID 2448 wrote to memory of 1224	2448	ÕæÑÉ.exe	35
PID 2448 wrote to memory of 1224	2448	ÕæÑÉ.exe	35
PID 2448 wrote to memory of 1224	2448	ÕæÑÉ.exe	35
PID 2448 wrote to memory of 1224	2448	ÕæÑÉ.exe	35
PID 2448 wrote to memory of 1224	2448	ÕæÑÉ.exe	35
PID 2448 wrote to memory of 1224	2448	ÕæÑÉ.exe	35
PID 2448 wrote to memory of 1224	2448	ÕæÑÉ.exe	35
PID 2448 wrote to memory of 1224	2448	ÕæÑÉ.exe	35
PID 2448 wrote to memory of 1224	2448	ÕæÑÉ.exe	35
PID 1224 wrote to memory of 1808	1224	ÕæÑÉ.exe	36
PID 1224 wrote to memory of 1808	1224	ÕæÑÉ.exe	36
PID 1224 wrote to memory of 1808	1224	ÕæÑÉ.exe	36
PID 1224 wrote to memory of 1808	1224	ÕæÑÉ.exe	36
PID 1224 wrote to memory of 1808	1224	ÕæÑÉ.exe	36
PID 1224 wrote to memory of 1808	1224	ÕæÑÉ.exe	36
PID 1224 wrote to memory of 1808	1224	ÕæÑÉ.exe	36
PID 1124 wrote to memory of 1180	1124	cmd.exe	37
PID 1124 wrote to memory of 1180	1124	cmd.exe	37
PID 1124 wrote to memory of 1180	1124	cmd.exe	37
PID 1124 wrote to memory of 1180	1124	cmd.exe	37
PID 1124 wrote to memory of 1180	1124	cmd.exe	37
PID 1124 wrote to memory of 1180	1124	cmd.exe	37
PID 1124 wrote to memory of 1180	1124	cmd.exe	37
PID 1124 wrote to memory of 2432	1124	cmd.exe	38
PID 1124 wrote to memory of 2432	1124	cmd.exe	38
PID 1124 wrote to memory of 2432	1124	cmd.exe	38
PID 1124 wrote to memory of 2432	1124	cmd.exe	38
PID 1124 wrote to memory of 2432	1124	cmd.exe	38
PID 1124 wrote to memory of 2432	1124	cmd.exe	38
PID 1124 wrote to memory of 2432	1124	cmd.exe	38
PID 1124 wrote to memory of 1892	1124	cmd.exe	39
PID 1124 wrote to memory of 1892	1124	cmd.exe	39
PID 1124 wrote to memory of 1892	1124	cmd.exe	39
PID 1124 wrote to memory of 1892	1124	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\a796327ce2ca78fa734aedf237df55e8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a796327ce2ca78fa734aedf237df55e8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Virtual\STUBEXE\@APPDATALOCAL@\Temp\صورة.exe
  "C:\Users\Admin\AppData\Local\Temp\صورة.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@APPDATALOCAL@\Temp\ÕæÑÉ.exe
    "C:\Users\Admin\AppData\Local\Temp\ÕæÑÉ.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:612
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@APPDATALOCAL@\Temp\ÕæÑÉ.exe
      "C:\Users\Admin\AppData\Local\Temp\ÕæÑÉ.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2448
    - - C:\Users\Admin\AppData\Local\Temp\ÕæÑÉ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ÕæÑÉ.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1224
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 252
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1808
- - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "for /L %a in (1,1,30) do del "C:\Users\Admin\AppData\Local\Temp\????.exe" && if exist "C:\Users\Admin\AppData\Local\Temp\????.exe" ping -n 2 0.0.0.0"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:1124
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1180
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2432
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1892
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2304
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1748
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1140
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:612
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2384
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2512
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1576
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1800
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2788
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1956
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2668
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2084
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2688
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2752
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3032
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1128
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2712
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2632
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:972
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2392
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:300
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1776
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2296
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2764
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2556
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3012
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE
      ping -n 2 0.0.0.0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ÕæÑÉ.exe

Filesize
162KB

MD5
3728b939ae9e570bdd1e512761c8635e

SHA1
fc4c8639439844f9ed70dbb7d056ab61ef72afcc

SHA256
2d97da5f5a1d69bee4a6786200fc7cbe0e95f8696979726227ec3d0319154912

SHA512
323c75750d93670a9b072a5a7457f080359e06028aa0e7b964c84ae2e22aaf8bce11f86e9eac3e06e6f3879c562922853c0641aadd0aeeccbbde4e71c07b3ada

Download Submit
C:\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\cmd.exe

Filesize
17KB

MD5
a6bb1229030921e98aade90362b8e36b

SHA1
7944ee4dc63d7e1b9be245c2d6f1877c27747788

SHA256
8f2342ddb9d971ae938690ca621e25a74cf82eeb1a6c05eef3159e3092f3d2b0

SHA512
3dc54461117cbb9f2735559a1d823cd72b769956829bccd8e824c9035a84735213b2e68a4269f1604cc4f5f4e59520a9db9be289ffd69fd1b96b916fe7c6dcda

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@APPDATALOCAL@\Temp\ÕæÑÉ.exe

Filesize
17KB

MD5
90a691546ff7e6dadffaf547563bf21c

SHA1
514f11de40096db6715f8efa63daa288f1f1f4fb

SHA256
4d86b32cb8666936217e0abf220788c7a2cfc80b795a1edd3b5311d446080dbf

SHA512
319257461794c5705c6f4423bf8f452f7b98bd0834a208e54929209b0af375ac62dbda33f34d2427ebe14fdc5eaaf8733032814a47c010c10d829421862b6bba

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Native\STUBEXE\@SYSTEM@\PING.EXE

Filesize
17KB

MD5
a3bbd099b395dbe54570a5418e43ad0d

SHA1
0b29a4ebde0404806b1f1330a3a0e6e07732e220

SHA256
c9f18d71ad01f9ece28d4817f7bf15485d65ff7a606020d639306a351a5212f7

SHA512
72253d357852dc3513c73656b725fd4fa3a559157233f444868abaa0ea6bf1b6383ca62cf8f4cfd5281e30e3b750aa8d549ac5779b6659c8eba4a6dae0dcfff5

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\AVG Internet Security System\10, 0, 0, 0\1432.10.29T05.53\Virtual\STUBEXE\@APPDATALOCAL@\Temp\صورة.exe

Filesize
17KB

MD5
cfa6427e9929ca6ec4b85a6bbc788c76

SHA1
533b019240d4f5647fa5eb471dfdfac23be7c1cf

SHA256
a2b5e59257d85a0d77890b7a25d478a0f5b98c6f4ddaa8399a27e378fee38440

SHA512
3d0abd260840ff60bf74e8bee8dd4fe2ead8a21fe2f0e2bbb2db50a1af75bbbe4ec3b471793f182347e3f9ae4c27a92b042f1e20e4fc90b4c532f024f21a40ad

Download Submit
memory/2784-43-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-39-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-7-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-9-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-11-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-13-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-215-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-64-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-63-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-57-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-55-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-53-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-51-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-49-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-45-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-31-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-41-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-5-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-37-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-35-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-33-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-29-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-27-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-25-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-23-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-21-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-19-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-17-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-15-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-3-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-1-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-61-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-940-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-0-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2784-47-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads