c4dd9a6b5b0dd93906e7336b1a9a1f3a2e437080fa184a944bcd1071c54d6e28

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ace7b17fde1bbc4793699ce122536a1c_JaffaCakes118.exe
Size

1.3MB
MD5

ace7b17fde1bbc4793699ce122536a1c
SHA1

4ad092beef72e98a759e3c2cca6b63afff644afb
SHA256

c4dd9a6b5b0dd93906e7336b1a9a1f3a2e437080fa184a944bcd1071c54d6e28
SHA512

d2f615cb0d5cfeb76da0128a6c7600f699824187a7375bad4610db163879b058c2ddbd778c5f2466cff19358318303553061f9c10288d7c9e5856a1533ab6e99
SSDEEP

24576:eKfcBFJHSok2vRYiwrf+G2Cq7iJy26QwFdZJLBEUjZDo:eNXgKu7Py2IFdHLSUjq

Score

10^/10

discovery persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\WINDOWS\\Config\\csrss.exe"	983PAC~1.EXE

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000a00000002343d-63.dat	acprotect

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ace7b17fde1bbc4793699ce122536a1c_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	983PAC~1.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	983PAC~1.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ace7b17fde1bbc4793699ce122536a1c_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3740	983PAC~1.EXE
4732	XRHOST~1.EXE

Loads dropped DLL 5 IoCs

pid	Process
3740	983PAC~1.EXE
3740	983PAC~1.EXE
4732	XRHOST~1.EXE
4732	XRHOST~1.EXE
4732	XRHOST~1.EXE

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00040000000230ad-23.dat	upx
behavioral2/memory/3740-26-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral2/memory/3740-38-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral2/memory/3740-39-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral2/memory/3740-50-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral2/memory/3740-56-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral2/files/0x000a00000002343d-63.dat	upx
behavioral2/memory/4732-64-0x0000000027580000-0x00000000276B5000-memory.dmp	upx
behavioral2/memory/4732-66-0x0000000027580000-0x00000000276B5000-memory.dmp	upx
behavioral2/memory/4732-69-0x0000000027580000-0x00000000276B5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ace7b17fde1bbc4793699ce122536a1c_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\MSWINSCK.OCX	983PAC~1.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\Config\csrss.exe	983PAC~1.EXE
File created	C:\WINDOWS\Config\csrss.exe	983PAC~1.EXE

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	983PAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XRHOST~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ace7b17fde1bbc4793699ce122536a1c_JaffaCakes118.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}	XRHOST~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B4-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	XRHOST~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B7-8589-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	XRHOST~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	XRHOST~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE5-8583-11D1-B16A-00C0F0283628}\ = "IToolbarEvents"	XRHOST~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA665-8594-11D1-B16A-00C0F0283628}\ = "DImageComboEvents"	XRHOST~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\Control	XRHOST~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6594-857C-11D1-B16A-00C0F0283628}	XRHOST~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\nlMyDikec = "\x7f`jHg`_qplvO`]\\"	983PAC~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\InprocServer32	XRHOST~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageComboCtl\CurVer	XRHOST~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C247F26-8591-11D1-B16A-00C0F0283628}	XRHOST~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageListCtrl.2\ = "Microsoft ImageList Control 6.0 (SP6)"	XRHOST~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0	983PAC~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A1-8586-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	XRHOST~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F050-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	XRHOST~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F21-8591-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	XRHOST~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE35-8596-11D1-B16A-00C0F0283628}	XRHOST~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FE9-8583-11D1-B16A-00C0F0283628}\ProxyStubClsid32	XRHOST~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F050-858B-11D1-B16A-00C0F0283628}\ = "IColumnHeaders"	XRHOST~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C247F22-8591-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	XRHOST~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	983PAC~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\ToolboxBitmap32	XRHOST~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Slider	XRHOST~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\Version	XRHOST~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\VersionIndependentProgID\ = "MSComctlLib.TreeCtrl"	XRHOST~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\ = "Microsoft Slider Control 6.0 (SP6)"	XRHOST~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FEB-8583-11D1-B16A-00C0F0283628}\TypeLib	XRHOST~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F055-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32	XRHOST~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\Version	XRHOST~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE39-8596-11D1-B16A-00C0F0283628}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\mscomctl.ocx"	XRHOST~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE5-8583-11D1-B16A-00C0F0283628}\ProxyStubClsid32	XRHOST~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B8-8589-11D1-B16A-00C0F0283628}\ = "INode"	XRHOST~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FE7-8583-11D1-B16A-00C0F0283628}\ProxyStubClsid32	XRHOST~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A1-8586-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	XRHOST~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\MiscStatus	XRHOST~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE40-8596-11D1-B16A-00C0F0283628}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\mscomctl.ocx"	XRHOST~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6594-857C-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	XRHOST~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EFB6599-857C-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	XRHOST~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	XRHOST~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	XRHOST~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B5-8589-11D1-B16A-00C0F0283628}\ = "ITreeViewEvents"	XRHOST~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F08DF952-8592-11D1-B16A-00C0F0283628}\TypeLib	XRHOST~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\auYrbBoe = "nt_KOsiSYsKjAV{STKhEULIBv"	983PAC~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	983PAC~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	XRHOST~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\ = "Microsoft ImageList Control 6.0 (SP6)"	XRHOST~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C247F26-8591-11D1-B16A-00C0F0283628}\ProxyStubClsid32	XRHOST~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	XRHOST~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35053A21-8589-11D1-B16A-00C0F0283628}	XRHOST~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04A-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	XRHOST~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04E-858B-11D1-B16A-00C0F0283628}\TypeLib	XRHOST~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FE4-8583-11D1-B16A-00C0F0283628}	XRHOST~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08DF952-8592-11D1-B16A-00C0F0283628}\ProxyStubClsid32	XRHOST~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE3C-8596-11D1-B16A-00C0F0283628}	XRHOST~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE3F-8596-11D1-B16A-00C0F0283628}\ = "ListView Sort Property Page Object"	XRHOST~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EFB6595-857C-11D1-B16A-00C0F0283628}	XRHOST~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EFB6597-857C-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	XRHOST~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\VersionIndependentProgID\ = "MSComctlLib.TabStrip"	XRHOST~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Toolbar.2	XRHOST~1.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\InprocServer32	XRHOST~1.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE39-8596-11D1-B16A-00C0F0283628}	XRHOST~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867AA-8586-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	XRHOST~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F049-858B-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	XRHOST~1.EXE

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\ProgramData\TEMP:C980DA7D	983PAC~1.EXE
File opened for modification	C:\ProgramData\TEMP:C980DA7D	983PAC~1.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1584	ace7b17fde1bbc4793699ce122536a1c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1584	ace7b17fde1bbc4793699ce122536a1c_JaffaCakes118.exe
Token: 33	3740	983PAC~1.EXE
Token: SeIncBasePriorityPrivilege	3740	983PAC~1.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3740	983PAC~1.EXE
4732	XRHOST~1.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 3740	1584	ace7b17fde1bbc4793699ce122536a1c_JaffaCakes118.exe	88
PID 1584 wrote to memory of 3740	1584	ace7b17fde1bbc4793699ce122536a1c_JaffaCakes118.exe	88
PID 1584 wrote to memory of 3740	1584	ace7b17fde1bbc4793699ce122536a1c_JaffaCakes118.exe	88
PID 1584 wrote to memory of 4732	1584	ace7b17fde1bbc4793699ce122536a1c_JaffaCakes118.exe	96
PID 1584 wrote to memory of 4732	1584	ace7b17fde1bbc4793699ce122536a1c_JaffaCakes118.exe	96
PID 1584 wrote to memory of 4732	1584	ace7b17fde1bbc4793699ce122536a1c_JaffaCakes118.exe	96

C:\Users\Admin\AppData\Local\Temp\ace7b17fde1bbc4793699ce122536a1c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ace7b17fde1bbc4793699ce122536a1c_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\983PAC~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\983PAC~1.EXE
  2⤵
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3740
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XRHOST~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XRHOST~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\983PAC~1.EXE

Filesize
572KB

MD5
faf56ac537610cd6b4b494b4e61c3f31

SHA1
43059a670721137b7de4731e6657b1cfef632fef

SHA256
036c91fea0b2284bb16322a33006645b5f6e67a72225f18ed1aa7eba4f2ba265

SHA512
20877f964b4d8224a5870824c6e1b8d35e5423384ed136077d9321f34bfe71f88d81977f4120391838dc2b3999c4733a10d4e927a2f606b105cbc10ddc9edab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSCOMCTL.OCX

Filesize
514KB

MD5
4a40bb8e7e658c766241978bc5412097

SHA1
3ae83d20749f796d2934c2c6f4cbbb3cd595749b

SHA256
3a1e1b50bc63f803d891f2dd8da32d87b7552c344bdabc17506c9f4b8163ae6e

SHA512
5ae6f6caeb6c7e49ce7fc3b3192cd158364fbe00b7d19fb6bae5ee16d0decae98722ad5d7fd5f4b183a55020206027ba09e376e6af4cd52ea3f0d891b27890eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSWINSCK.OCX

Filesize
106KB

MD5
3d8fd62d17a44221e07d5c535950449b

SHA1
6c9d2ecdd7c2d1b9660d342e2b95a82229486d27

SHA256
eba048e3a9cb11671d0e3c5a0b243b304d421762361fe24fd5ea08cb66704b09

SHA512
501e22a0f99e18f6405356184506bc5849adc2c1df3bdee71f2b4514ab0e3e36673b4aecbd615d24ebb4be5a28570b2a6f80bd52331edb658f7a5f5a9d686d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XRHOST~1.EXE

Filesize
188KB

MD5
4bf978d87341d9b87aac82e3add08a1b

SHA1
eeacdb767c566ea0065d27c8da8ad820d40a2b1d

SHA256
a283b0bc66d85470ec0a9a55005674bc0d0919d7c962247694a1000e041655a2

SHA512
bf43746423632590ccf6c182b41337991cec9846b7fc0a28b5198c2c2c404196fdcc9f83bb2dcc4d1409be4210e7be759c15f0ffd9649fbc1aa121d088d9ee2b

Download Submit
memory/1584-8-0x0000000001000000-0x0000000001249000-memory.dmp

Filesize
2.3MB

Download
memory/1584-11-0x0000000000160000-0x00000000001AD000-memory.dmp

Filesize
308KB

Download
memory/1584-10-0x0000000001000000-0x0000000001249000-memory.dmp

Filesize
2.3MB

Download
memory/1584-9-0x0000000001000000-0x0000000001249000-memory.dmp

Filesize
2.3MB

Download
memory/1584-7-0x0000000001000000-0x0000000001249000-memory.dmp

Filesize
2.3MB

Download
memory/1584-2-0x0000000000160000-0x00000000001AD000-memory.dmp

Filesize
308KB

Download
memory/1584-27-0x0000000000160000-0x00000000001AD000-memory.dmp

Filesize
308KB

Download
memory/1584-35-0x0000000001000000-0x0000000001249000-memory.dmp

Filesize
2.3MB

Download
memory/1584-0-0x0000000001000000-0x0000000001249000-memory.dmp

Filesize
2.3MB

Download
memory/3740-38-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3740-40-0x00000000005E0000-0x000000000062D000-memory.dmp

Filesize
308KB

Download
memory/3740-39-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3740-42-0x000000000040B000-0x000000000040E000-memory.dmp

Filesize
12KB

Download
memory/3740-49-0x00000000005E0000-0x000000000062D000-memory.dmp

Filesize
308KB

Download
memory/3740-50-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3740-54-0x00000000005E0000-0x000000000062D000-memory.dmp

Filesize
308KB

Download
memory/3740-29-0x00000000005E0000-0x000000000062D000-memory.dmp

Filesize
308KB

Download
memory/3740-56-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3740-26-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4732-64-0x0000000027580000-0x00000000276B5000-memory.dmp

Filesize
1.2MB

Download
memory/4732-66-0x0000000027580000-0x00000000276B5000-memory.dmp

Filesize
1.2MB

Download
memory/4732-69-0x0000000027580000-0x00000000276B5000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads