28d29e9f4e98c3f5a9def1e806b74efa0d09cfc9929b45e25ae2d70c332eb645

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe
Size

430KB
MD5

b90eb15e39d81bafa3f73487906f5bb2
SHA1

43d988989d6923c228eef55977a44d131742adc1
SHA256

28d29e9f4e98c3f5a9def1e806b74efa0d09cfc9929b45e25ae2d70c332eb645
SHA512

1295c5158347f13589ceea1cfd20db2678366816aabdbee55832ce361d574448e718d9f98f10e7916cb85cb25f9b06f292bea3f67b60d0a75e9244f4e410408e
SSDEEP

12288:6EizaAaNcSZJvSIO9aKH5xrtzVFiAyTAA+j:6bjbS/vSIO9aKZxrtzVFVD

Score

10^/10

discovery evasion execution persistence trojan upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	6ufv.exe

Executes dropped EXE 9 IoCs

pid	Process
476	ic7.exe
2128	1EuroP.exe
2668	2IC.exe
2724	3E4U - Bucks.exe
2716	6tbp.exe
1824	IR.exe
1764	6ufv.exe
2400	6ufv.exe
1804	6ufv.exe

Loads dropped DLL 60 IoCs

pid	Process
2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe
2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe
476	ic7.exe
476	ic7.exe
476	ic7.exe
2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe
2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe
2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe
2128	1EuroP.exe
2128	1EuroP.exe
2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe
2668	2IC.exe
2668	2IC.exe
2668	2IC.exe
2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe
2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe
2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe
2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe
2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe
2724	3E4U - Bucks.exe
2724	3E4U - Bucks.exe
2724	3E4U - Bucks.exe
2716	6tbp.exe
2716	6tbp.exe
2716	6tbp.exe
1824	IR.exe
1824	IR.exe
1824	IR.exe
2520	WerFault.exe
2520	WerFault.exe
2520	WerFault.exe
2520	WerFault.exe
2520	WerFault.exe
2520	WerFault.exe
1628	WerFault.exe
1628	WerFault.exe
1628	WerFault.exe
1996	rundll32.exe
1996	rundll32.exe
1996	rundll32.exe
1996	rundll32.exe
2520	WerFault.exe
1628	WerFault.exe
1824	IR.exe
1824	IR.exe
1764	6ufv.exe
1764	6ufv.exe
1764	6ufv.exe
1764	6ufv.exe
2400	6ufv.exe
2400	6ufv.exe
2400	6ufv.exe
236	rundll32.exe
236	rundll32.exe
236	rundll32.exe
236	rundll32.exe
1764	6ufv.exe
1804	6ufv.exe
1804	6ufv.exe
1804	6ufv.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1824-70-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/files/0x00080000000164be-69.dat	upx
behavioral1/memory/1764-117-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/1824-133-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/1764-143-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/2400-144-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/2724-145-0x0000000000CC0000-0x0000000000CF0000-memory.dmp	upx
behavioral1/memory/2400-150-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/2400-178-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/1764-183-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/1804-216-0x0000000000400000-0x0000000000430000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jxiquqeboqutun = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\wonpt40.dll\",Startup"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\eksaz = "C:\\Users\\Admin\\AppData\\Roaming\\6ufv.exe"	IR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	Rundll32.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IR.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	Rundll32.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1872	sc.exe
1936	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2520	2724	WerFault.exe
1628	2668	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ic7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runonce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ufv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1EuroP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2IC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6tbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ufv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3E4U - Bucks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ufv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	IR.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	6ufv.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	6ufv.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	6ufv.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1996	rundll32.exe
1996	rundll32.exe
1996	rundll32.exe
1996	rundll32.exe
1996	rundll32.exe
1996	rundll32.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2200	Rundll32.exe
Token: SeRestorePrivilege	2200	Rundll32.exe
Token: SeRestorePrivilege	2200	Rundll32.exe
Token: SeRestorePrivilege	2200	Rundll32.exe
Token: SeRestorePrivilege	2200	Rundll32.exe
Token: SeRestorePrivilege	2200	Rundll32.exe
Token: SeRestorePrivilege	2200	Rundll32.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2716	6tbp.exe
1824	IR.exe
1824	IR.exe
1824	IR.exe
1996	rundll32.exe
1764	6ufv.exe
1764	6ufv.exe
1764	6ufv.exe
2400	6ufv.exe
2400	6ufv.exe
2400	6ufv.exe
236	rundll32.exe
1804	6ufv.exe
1804	6ufv.exe
1804	6ufv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 476	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	31
PID 2792 wrote to memory of 476	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	31
PID 2792 wrote to memory of 476	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	31
PID 2792 wrote to memory of 476	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	31
PID 2792 wrote to memory of 476	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	31
PID 2792 wrote to memory of 476	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	31
PID 2792 wrote to memory of 476	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	31
PID 2792 wrote to memory of 2128	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	32
PID 2792 wrote to memory of 2128	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	32
PID 2792 wrote to memory of 2128	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	32
PID 2792 wrote to memory of 2128	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	32
PID 2792 wrote to memory of 2128	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	32
PID 2792 wrote to memory of 2128	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	32
PID 2792 wrote to memory of 2128	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	32
PID 2792 wrote to memory of 2668	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	33
PID 2792 wrote to memory of 2668	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	33
PID 2792 wrote to memory of 2668	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	33
PID 2792 wrote to memory of 2668	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	33
PID 2792 wrote to memory of 2668	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	33
PID 2792 wrote to memory of 2668	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	33
PID 2792 wrote to memory of 2668	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	33
PID 2792 wrote to memory of 2724	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	34
PID 2792 wrote to memory of 2724	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	34
PID 2792 wrote to memory of 2724	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	34
PID 2792 wrote to memory of 2724	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	34
PID 2792 wrote to memory of 2724	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	34
PID 2792 wrote to memory of 2724	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	34
PID 2792 wrote to memory of 2724	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	34
PID 2792 wrote to memory of 2716	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	35
PID 2792 wrote to memory of 2716	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	35
PID 2792 wrote to memory of 2716	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	35
PID 2792 wrote to memory of 2716	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	35
PID 2792 wrote to memory of 2716	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	35
PID 2792 wrote to memory of 2716	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	35
PID 2792 wrote to memory of 2716	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	35
PID 2792 wrote to memory of 1824	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	36
PID 2792 wrote to memory of 1824	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	36
PID 2792 wrote to memory of 1824	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	36
PID 2792 wrote to memory of 1824	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	36
PID 2792 wrote to memory of 1824	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	36
PID 2792 wrote to memory of 1824	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	36
PID 2792 wrote to memory of 1824	2792	b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe	36
PID 2724 wrote to memory of 2520	2724	3E4U - Bucks.exe	37
PID 2724 wrote to memory of 2520	2724	3E4U - Bucks.exe	37
PID 2724 wrote to memory of 2520	2724	3E4U - Bucks.exe	37
PID 2724 wrote to memory of 2520	2724	3E4U - Bucks.exe	37
PID 2724 wrote to memory of 2520	2724	3E4U - Bucks.exe	37
PID 2724 wrote to memory of 2520	2724	3E4U - Bucks.exe	37
PID 2724 wrote to memory of 2520	2724	3E4U - Bucks.exe	37
PID 2716 wrote to memory of 1996	2716	6tbp.exe	38
PID 2716 wrote to memory of 1996	2716	6tbp.exe	38
PID 2716 wrote to memory of 1996	2716	6tbp.exe	38
PID 2716 wrote to memory of 1996	2716	6tbp.exe	38
PID 2716 wrote to memory of 1996	2716	6tbp.exe	38
PID 2716 wrote to memory of 1996	2716	6tbp.exe	38
PID 2716 wrote to memory of 1996	2716	6tbp.exe	38
PID 2668 wrote to memory of 1628	2668	2IC.exe	39
PID 2668 wrote to memory of 1628	2668	2IC.exe	39
PID 2668 wrote to memory of 1628	2668	2IC.exe	39
PID 2668 wrote to memory of 1628	2668	2IC.exe	39
PID 2668 wrote to memory of 1628	2668	2IC.exe	39
PID 2668 wrote to memory of 1628	2668	2IC.exe	39
PID 2668 wrote to memory of 1628	2668	2IC.exe	39
PID 1824 wrote to memory of 2872	1824	IR.exe	41

C:\Users\Admin\AppData\Local\Temp\b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b90eb15e39d81bafa3f73487906f5bb2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Local\Temp\nstD329.tmp\ic7.exe
  "C:\Users\Admin\AppData\Local\Temp\nstD329.tmp\ic7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:476
- C:\Users\Admin\AppData\Local\Temp\nstD329.tmp\1EuroP.exe
  "C:\Users\Admin\AppData\Local\Temp\nstD329.tmp\1EuroP.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Xvz..bat" > nul 2> nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1008
- C:\Users\Admin\AppData\Local\Temp\nstD329.tmp\2IC.exe
  "C:\Users\Admin\AppData\Local\Temp\nstD329.tmp\2IC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 256
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1628
- C:\Users\Admin\AppData\Local\Temp\nstD329.tmp\3E4U - Bucks.exe
  "C:\Users\Admin\AppData\Local\Temp\nstD329.tmp\3E4U - Bucks.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 284
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2520
- C:\Users\Admin\AppData\Local\Temp\nstD329.tmp\6tbp.exe
  "C:\Users\Admin\AppData\Local\Temp\nstD329.tmp\6tbp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\wonpt40.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1996
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\wonpt40.dll",iep
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:236
- C:\Users\Admin\AppData\Local\Temp\nstD329.tmp\IR.exe
  "C:\Users\Admin\AppData\Local\Temp\nstD329.tmp\IR.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\SysWOW64\net.exe
    net.exe stop "Security Center"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2872
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Security Center"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2868
- - C:\Windows\SysWOW64\sc.exe
    sc config wscsvc start= DISABLED
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1872
- - C:\Windows\SysWOW64\net.exe
    net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2844
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2380
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= DISABLED
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1936
- - C:\Users\Admin\AppData\Roaming\6ufv.exe
    C:\Users\Admin\AppData\Roaming\6ufv.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1764
  - - C:\Users\Admin\AppData\Roaming\6ufv.exe
      C:\Users\Admin\AppData\Roaming\6ufv.exe -d2E3D13F9C90EE9366D9C2A0D4B0F4D48C550D5A56E0CB8714E221F6923F5234BAAD6716C3945F5AB384CFE512F1181A98A495EB647ECD18D1A237905DBA4A2D03871A708F4FCAF434706155219E23339291E6B2765D4A9A9F84AACC4DC28D650F7A05D4FFFE109B9C80EE9BE9E5DA2F7DF624477EEB5D1E63614CF81DBA4A01742547CD5A0E234F32617326194514FCB27CA737347BC1A2461FA3C63CD2C22FFB8DD2C515A3CA08E1146E9B30F91FD50C1AABF0C1431952345488B04E7A3BB6D344BD8CAF4B8FE19730347DD65F4ABE8A81634713B75931CF11296069E580FD8D569272B71C341F07A7BC6572AE09CDF192C1930E192A612B00076FEA65DFC97F71904AE1890972394731D21337A4F899232F7CE6A459D06102784CCF65BA59F367A96616D2674496D5347389688866AD00698227CFE8BBADDEE582FC1B86A18713F483235D18738F3E27C31A76641A6CFC40444FB7EBF43268FCCA67D99ED95C3A6C1DC756BC16A52803569FC2AC3A4CC6385ED0E5DCCFF36CDF9EDE0600EB58BA4EB23730354A0F7842CBF69858B07454BA398172482F89B283747DDC7EEFB6502EF46B210B1F88F0C583203D85C96F75528CBBEF3F219220720E4A99AEE3C2D8A3770F9B588AC076CF476209F3549DE36
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2400
  - - C:\Users\Admin\AppData\Roaming\6ufv.exe
      C:\Users\Admin\AppData\Roaming\6ufv.exe -d9685C62C9D5A994612E38BACE3A74247E1740575046672BBDAB6BCCA39EF0A62ACD0B6AB3C406E307D098F200937361ED112CC24E64D267AAE976D11A1DE6113FDB4C16E1911D93534757F38FF040A003205115DDE6FE8E86ACB334459BA16614420BDADB4A858C3C003BDDA97424B2E5D90C9E00E435417391F94DAD3A7D661796CBE0BD0E6A86CEBA8F1A1E035C64AEA302929D6D84678830E5323C02D8E59D5821A916C09C5DBBED4FEA42C9D872AB4D9A618D7C7DD67F0F077F310236CBED2A36560CB8EEC1081F109850C9DDC9ED17AF4B3F2C9740A6B8944C6F532DC0027E974886CAE9B2DBD4E78EA528A52109DAD0A17493FAA1D1BAA3FB6DF258BE1CF215DF011998E3D3CD4F0DC0D47B609AF341B293C1F5AC26A5D2D6E802D6648025C7490BA83C4F60640562C908D14FDE12C9D546DEDA381023A139BC9449BEB3A6B4F37AA4977CA6564CE806BBABA524CB3457BBC3CE1E4CA78365CEA0C96EE2E79C2E2607B2685E15CBEE56EAF355348E709614A19B083EC171C0855D504BFD9F6E22A9FEF8E7A4330CA59AC4052DE707E1B20794AEF95D16288F8BAA0D2C7721505AC66C4ABE29516D9B375AE1DD79A38F310E8A5BA51230681380B642E3A75DDBFBCF78FBA5520930D8F5AE5E599E20A
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1804
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Roaming\mdinstall.inf
    3⤵
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2200
  - - C:\Windows\SysWOW64\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:1516
    - - C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1892
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Roaming\phvoisznn.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nstD329.tmp\2IC.exe

Filesize
178KB

MD5
2e59f34092ba76af9e08637ce59209e5

SHA1
d5c754b5485fc39161ed38716768c5e2240c0043

SHA256
44344b39c5e233ce3b0136d210103c996e09cb21eebb9e1d2b59a6f1863d511a

SHA512
adaf63fa80ec3c98f58125ea7969839c36324aca7b1e51e2ee3c013fe93dff52a422d8eaea0d7b981e59d9f8d894ee608b85ea39305404fab68c30ce370cbb56

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstD329.tmp\3E4U - Bucks.exe

Filesize
27KB

MD5
5f6c6b5e491ac60e088adba6dd5791c2

SHA1
292f4b81b3eee53877c672faf540aceeb2fc881f

SHA256
b010d2d5cdee46b1b97b88aa48968ffd34f6e3e382b250c98f2e1a89c950e018

SHA512
59c15d1a3f8d14eb441bb6e187cd91eaa13114afa1d8220aa7d08e259ee28af6bab92258b624d9824944b1776f916b6b551f3c3be982262d28b5330c7ba28252

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstD329.tmp\6tbp.exe

Filesize
116KB

MD5
fa45c2c2531e465bf39bcc16230679e7

SHA1
02e8434ff7216972d8a14120606f645205a0606a

SHA256
3ba405082f996b861fd3f6ca5a2a1ba3379ea27fd5395741163702fa6d4bd968

SHA512
7d4c3e75ed10907bd6f1f5880de3dc4142332605a9d10127da6c395c3eed3355498d9bc1d33a1cd50b4b2139e920dc03226183cea58e33a0bb6fa9222c4574f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstD329.tmp\IR.exe

Filesize
61KB

MD5
0e72f6e865433a1ba0bf143a1142b60d

SHA1
0ddb85c493f31c3915d01447ff2ed6b64c8840bf

SHA256
d303490f349958a3f8d077ec45844370994ebabe21e15f54b88c1dc3084742c4

SHA512
fe739de193d399c890d57cc0bcf9166a82b3015affc0e5bac537ebd4ce4fd4c5305b120a89f0084107096b867b552f2514467a3cd6c2a44c94d401985a6bb7b9

Download Submit
C:\Users\Admin\AppData\Local\wonpt40.dll

Filesize
116KB

MD5
d3b5346e588fce3cdb37ddf727a770a5

SHA1
0f684cc33058701398b2c35a7ae059c9eae23145

SHA256
9189ad0411301b3bde79b07274a22de73b6995a89ab9d8ccb04701cbc0352244

SHA512
3419c90aae696bedbf0b7ac4ae6b5e7fafd3ae687645cfe2eab032214680b63dd3591cb19155946b40655036690120d4cdd95166440a38ea752ff8c90e2a535b

Download Submit
C:\Users\Admin\AppData\Roaming\mdinstall.inf

Filesize
410B

MD5
3ccb3b743b0d79505a75476800c90737

SHA1
b5670f123572972883655ef91c69ecc2be987a63

SHA256
5d96bec9bc06fd8d7abc11efbb3cb263844ee0416910f63581dd7848b4e1d8dd

SHA512
09b1cdd4393f515f7569fbccc3f63051823ed7292b6e572bc9a34e4389b727b2914b22118e874864ccb32ef63016b2abd6d84510fd46fdee712fd84be59c114e

Download Submit
C:\Users\Admin\AppData\Roaming\phvoisznn.bat

Filesize
154B

MD5
ab1d5b9e8db99a515b1c70e50f8bfd0f

SHA1
2eb7e952dc8f885077db8fba0ae34156e8791bfb

SHA256
87a40d67ed790b8bebe8de262d98727fc1a25c3c7d90b8531dcb5d303828c489

SHA512
8b18b4fddb41636692db09a94635a9b48f8c7f694a6b508fb2f382fd1d848acfab36fb383036c4e00f7fdf6d0cae6245d6bac550e8e78ffcfe23f7513d8412cc

Download Submit
\Users\Admin\AppData\Local\Temp\nstD329.tmp\1EuroP.exe

Filesize
89KB

MD5
05ae3a409bc4183ef689aeb360093719

SHA1
9ed7015d2de57c9dfba13bdfcff06f91e1dafede

SHA256
29a8352ac45d00b8cac4909363072c784a5ab9a756564c3909af2b6da408b636

SHA512
359c102af7dd1b0e89aaa1ca50323c75fd2350a0521daa19fff59fb8106eb120c7fa53ddd6b171bbf839062d150a402668cf82cf807006607068b075ae7651c0

Download Submit
\Users\Admin\AppData\Local\Temp\nstD329.tmp\ic7.exe

Filesize
3KB

MD5
46e07fd3a40760fda18cf6b4fc691742

SHA1
53ee1a754bf5e94fa88a6ab8bb6120b4011afcfa

SHA256
bd7ca609d2fb63e14d08acab1091579c23e298b4fa2ac1e8d2daaff94fc107be

SHA512
ce13f6527cbd13002dca00b71ab38ab12e3f3f7138ada0780ad3f40e7c49946c018a00782ec957b1fd123fb439aabc0d9b3660829dabf10ddcebba08d6e2fbbd

Download Submit
memory/236-164-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/1764-143-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1764-135-0x0000000003150000-0x0000000003180000-memory.dmp

Filesize
192KB

Download
memory/1764-148-0x0000000003150000-0x0000000003180000-memory.dmp

Filesize
192KB

Download
memory/1764-183-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1764-117-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1764-120-0x00000000009A0000-0x0000000000A36000-memory.dmp

Filesize
600KB

Download
memory/1804-207-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/1804-211-0x00000000026C0000-0x0000000002756000-memory.dmp

Filesize
600KB

Download
memory/1804-206-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/1804-208-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/1804-218-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/1804-217-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/1804-216-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1824-111-0x0000000002EB0000-0x0000000002EE0000-memory.dmp

Filesize
192KB

Download
memory/1824-83-0x0000000000260000-0x0000000000290000-memory.dmp

Filesize
192KB

Download
memory/1824-103-0x0000000002DF0000-0x0000000002E86000-memory.dmp

Filesize
600KB

Download
memory/1824-82-0x0000000000260000-0x0000000000290000-memory.dmp

Filesize
192KB

Download
memory/1824-133-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1824-70-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1996-100-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/1996-147-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/1996-159-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/1996-163-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2128-142-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2400-138-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/2400-178-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2400-150-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2400-144-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2400-140-0x0000000002E80000-0x0000000002F16000-memory.dmp

Filesize
600KB

Download
memory/2400-139-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/2716-146-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2716-75-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2724-145-0x0000000000CC0000-0x0000000000CF0000-memory.dmp

Filesize
192KB

Download