0336c4297134931c333b65f3874aa86283d33a93a5638925ef7721e6e9829522

Analysis

max time kernel
139s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe
Size

284KB
MD5

a7be1355d86fadca5ad8aaa6da05b22a
SHA1

7b70f184f03de7e5d94d1e1a2613450f32aedf2c
SHA256

0336c4297134931c333b65f3874aa86283d33a93a5638925ef7721e6e9829522
SHA512

b2c230633481f8e7c93031e3f4095c912de6ea2903194a2c49bc721d9fa0ea05ae745d79f539a9da548b403ff5eaad291a75d23e5e0238c6504bde4e5de32f26
SSDEEP

6144:5xe34O3Y75+ZPPfnE2Qyn20Uq2iwIfkfJx2HdG0A5Nrau75+ZPPfnE2Qyn20UI:8IF+ZPPfnEUnvgUkfqIb5NrauF+ZPPf9

Score

7^/10

adware discovery persistence stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00090000000234d0-54.dat	acprotect
behavioral2/memory/3532-55-0x00000000748C0000-0x00000000748C9000-memory.dmp	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
720	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
4568	WTool.exe

Loads dropped DLL 12 IoCs

pid	Process
3532	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe
3532	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe
3532	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe
3532	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe
3532	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe
3824	regsvr32.exe
3532	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe
3532	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe
3532	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe
3532	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe
2348	regsvr32.exe
3532	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00090000000234d0-54.dat	upx
behavioral2/memory/3532-55-0x00000000748C0000-0x00000000748C9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WTool = "C:\\Program Files (x86)\\WTool\\WTool.exe"	WTool.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84395E42-9FF9-4B85-9264-B1762D069593}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{84395E42-9FF9-4B85-9264-B1762D069593}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84395E42-9FF9-4B85-9264-B1762D069593}	regsvr32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3532 set thread context of 720	3532	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe	91

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WTool\Uninstall.exe	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe
File created	C:\Program Files (x86)\WTool\WTool.dll	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe
File created	C:\Program Files (x86)\WTool\WTool.exe	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\TabProcGrowth = "0"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\TabProcGrowth = "0"	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WTool.BandHelper\ = "BandHelper Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84395E42-9FF9-4B85-9264-B1762D069593}\InprocServer32\ = "C:\\Program Files (x86)\\WTool\\WTool.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3AB09FD-1644-4CE2-A25E-CEB617F335A0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84395E42-9FF9-4B85-9264-B1762D069593}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD1884F6-1D50-42BC-AF79-31E85C47FC90}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84395E42-9FF9-4B85-9264-B1762D069593}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3AB09FD-1644-4CE2-A25E-CEB617F335A0}\TypeLib\ = "{1E677998-EB26-466A-B87C-85DFCB38FAE0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25D89E97-EEC7-4EE8-B6A5-42132E215251}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84395E42-9FF9-4B85-9264-B1762D069593}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E677998-EB26-466A-B87C-85DFCB38FAE0}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3AB09FD-1644-4CE2-A25E-CEB617F335A0}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84395E42-9FF9-4B85-9264-B1762D069593}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84395E42-9FF9-4B85-9264-B1762D069593}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84395E42-9FF9-4B85-9264-B1762D069593}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84395E42-9FF9-4B85-9264-B1762D069593}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD1884F6-1D50-42BC-AF79-31E85C47FC90}\ProgID\ = "WTool.SideBand.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WTool.SideBand	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A3AB09FD-1644-4CE2-A25E-CEB617F335A0}\TypeLib\ = "{1E677998-EB26-466A-B87C-85DFCB38FAE0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{25D89E97-EEC7-4EE8-B6A5-42132E215251}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WTool.BandHelper\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84395E42-9FF9-4B85-9264-B1762D069593}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WTool.SideBand.1\ = "SideBand Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E677998-EB26-466A-B87C-85DFCB38FAE0}\1.0\0\win32\ = "C:\\Program Files (x86)\\WTool\\WTool.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD1884F6-1D50-42BC-AF79-31E85C47FC90}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD1884F6-1D50-42BC-AF79-31E85C47FC90}\InprocServer32\ = "C:\\Program Files (x86)\\WTool\\WTool.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25D89E97-EEC7-4EE8-B6A5-42132E215251}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25D89E97-EEC7-4EE8-B6A5-42132E215251}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84395E42-9FF9-4B85-9264-B1762D069593}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84395E42-9FF9-4B85-9264-B1762D069593}\ProgID\ = "WTool.BandHelper.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD1884F6-1D50-42BC-AF79-31E85C47FC90}\ = "WTool"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD1884F6-1D50-42BC-AF79-31E85C47FC90}\ProgID\ = "WTool.SideBand.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E677998-EB26-466A-B87C-85DFCB38FAE0}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A3AB09FD-1644-4CE2-A25E-CEB617F335A0}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WTool.BandHelper\ = "BandHelper Class"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD1884F6-1D50-42BC-AF79-31E85C47FC90}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD1884F6-1D50-42BC-AF79-31E85C47FC90}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD1884F6-1D50-42BC-AF79-31E85C47FC90}\VersionIndependentProgID\ = "WTool.SideBand"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A3AB09FD-1644-4CE2-A25E-CEB617F335A0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{25D89E97-EEC7-4EE8-B6A5-42132E215251}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WTool.BandHelper\CurVer\ = "WTool.BandHelper.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WTool.SideBand.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD1884F6-1D50-42BC-AF79-31E85C47FC90}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3AB09FD-1644-4CE2-A25E-CEB617F335A0}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25D89E97-EEC7-4EE8-B6A5-42132E215251}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WTool.SideBand\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84395E42-9FF9-4B85-9264-B1762D069593}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD1884F6-1D50-42BC-AF79-31E85C47FC90}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WTool.BandHelper.1\CLSID\ = "{84395E42-9FF9-4B85-9264-B1762D069593}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WTool.SideBand.1\CLSID\ = "{CD1884F6-1D50-42BC-AF79-31E85C47FC90}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WTool.SideBand\CurVer	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD1884F6-1D50-42BC-AF79-31E85C47FC90}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD1884F6-1D50-42BC-AF79-31E85C47FC90}\Implemented Categories\{00021493-0000-0000-C000-000000000046}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD1884F6-1D50-42BC-AF79-31E85C47FC90}\InprocServer32\ = "C:\\Program Files (x86)\\WTool\\WTool.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{25D89E97-EEC7-4EE8-B6A5-42132E215251}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84395E42-9FF9-4B85-9264-B1762D069593}\InprocServer32\ = "C:\\Program Files (x86)\\WTool\\WTool.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WTool.BandHelper.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD1884F6-1D50-42BC-AF79-31E85C47FC90}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WTool.SideBand\ = "SideBand Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84395E42-9FF9-4B85-9264-B1762D069593}\TypeLib\ = "{1E677998-EB26-466A-B87C-85DFCB38FAE0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WTool.BandHelper.1\ = "BandHelper Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84395E42-9FF9-4B85-9264-B1762D069593}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84395E42-9FF9-4B85-9264-B1762D069593}\TypeLib\ = "{1E677998-EB26-466A-B87C-85DFCB38FAE0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84395E42-9FF9-4B85-9264-B1762D069593}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WTool.BandHelper.1\CLSID\ = "{84395E42-9FF9-4B85-9264-B1762D069593}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3532	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe
3532	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe
3532	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe
3532	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4568	WTool.exe
4568	WTool.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 3824	3532	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe	84
PID 3532 wrote to memory of 3824	3532	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe	84
PID 3532 wrote to memory of 3824	3532	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe	84
PID 3532 wrote to memory of 4568	3532	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe	85
PID 3532 wrote to memory of 4568	3532	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe	85
PID 3532 wrote to memory of 4568	3532	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe	85
PID 4568 wrote to memory of 2348	4568	WTool.exe	90
PID 4568 wrote to memory of 2348	4568	WTool.exe	90
PID 4568 wrote to memory of 2348	4568	WTool.exe	90
PID 3532 wrote to memory of 720	3532	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe	91
PID 3532 wrote to memory of 720	3532	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe	91
PID 3532 wrote to memory of 720	3532	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe	91
PID 3532 wrote to memory of 720	3532	a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a7be1355d86fadca5ad8aaa6da05b22a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\WTool\WTool.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:3824
- C:\Program Files (x86)\WTool\WTool.exe
  "C:\Program Files (x86)\WTool\WTool.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Program Files (x86)\WTool\WTool.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2348
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\system32\explorer.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WTool\WTool.dll

Filesize
174KB

MD5
7cd05c15ed6cfcba4fef8de891386adc

SHA1
8e878dae8bd501c311a50dfe2afd78e507ed86df

SHA256
493ded4890f015651d04440696706f8f1513bd67005be49f8cf7a5419cd2300a

SHA512
62ecdddc96e61b5c3b22038e0dd4bf68ab800a36a135c1039bd649b22a75b97a2748463995dc34db9abc9af2311e6e482a29f1ee76dc7f2c8889f22d2b7259fb

Download Submit
C:\Program Files (x86)\WTool\WTool.exe

Filesize
38KB

MD5
ea57e34ddb40bd684ca12710768f87c0

SHA1
4443ea2fee00d943aaece9b7c3e37498f75a25ed

SHA256
76a6f2ec41f7793b3a1ceb1ac83bbd530c23885227e54555728cd18430fe8549

SHA512
7b00718aa699d865e556e55b055dfab360b08b53c69c6e2b3f1d427a65e44cf7b03d15de5a357e48822b1287c6a457348598000b7163a77caea909a006724382

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslAEEE.tmp\IpConfig.dll

Filesize
114KB

MD5
a3ed6f7ea493b9644125d494fbf9a1e6

SHA1
ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8

SHA256
ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08

SHA512
7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslAEEE.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslAEEE.tmp\SelfDel.dll

Filesize
4KB

MD5
7cff7fe2caea5184d98c147e7e263132

SHA1
21f39d3d0dd5f7198d67ef30e95d10ae3460093e

SHA256
281c39b733579e031c62bdd247b41543ece1fe3bd6eda26fc8ad474b10f33101

SHA512
fb1161b8571d1d0c67e2df0d571b08f5e7a73f81409aed847344154d02406910629181bcce4e18e998ec472f51a6a1b40d956a010abdd10e850413aafa87808a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslAEEE.tmp\UAC.dll

Filesize
13KB

MD5
29858669d7da388d1e62b4fd5337af12

SHA1
756b94898429a9025a04ae227f060952f1149a5f

SHA256
c24c005daa7f5578c4372b38d1be6be5e27ef3ba2cdb9b67fee15cac406eba62

SHA512
6f4d538f2fe0681f357bab73f633943c539ddc1451efa1d1bb76d70bb47aa68a05849e36ae405cc4664598a8194227fa7053de6dbce7d6c52a20301293b3c85f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslAEEE.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslAEEE.tmp\time.dll

Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit
memory/3532-39-0x0000000002F60000-0x0000000002F86000-memory.dmp

Filesize
152KB

Download
memory/3532-55-0x00000000748C0000-0x00000000748C9000-memory.dmp

Filesize
36KB

Download