520a97331c488c176432b18191957390c3e4961af04fa14d8e39482764bade1c

Analysis

max time kernel
130s
max time network
140s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
24-08-2024 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe
Size

80KB
MD5

bf7b61b7d5984c357907a111480602e8
SHA1

95d79d6f7da79b6487fb19431134ccb09fc027b8
SHA256

520a97331c488c176432b18191957390c3e4961af04fa14d8e39482764bade1c
SHA512

cce9cd58fcb907618f0289ceb4a63bf9ca8df5bb53a6fa559db68c31f8c05e786b5c862218fc49dc68b2a18d7ecf7d81d9c781a3876455f42420ae21e4443b14
SSDEEP

768:qIgxZk/RCEH4QJcWfL3n8z3vpPzXreencxkgbsb3JnPY4f54jKV+JVbZU:QRQJciIDvpLr/nkcr4GVubZU

Score

9^/10

defense_evasion discovery persistence spyware stealer

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Executes dropped EXE 3 IoCs

pid	Process
2384	wmimgmt.exe
2752	avp.exe
2836	ctfmon.exe

Loads dropped DLL 4 IoCs

pid	Process
2240	bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe
2240	bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe
2384	wmimgmt.exe
2384	wmimgmt.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\sysld = "C:\\Windows\\ctfmon.exe"	ctfmon.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	wmimgmt.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
1456	ARP.EXE

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
2568	tasklist.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ctfmon.exe	avp.exe
File opened for modification	C:\Windows\ctfmon.exe	avp.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 56 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmimgmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ROUTE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1220	findstr.exe
1540	PING.EXE

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
752	NETSTAT.EXE

Discovers systems in the same network 1 TTPs 4 IoCs

discovery

Remote System Discovery

T1018

pid	Process
2224	net.exe
748	net.exe
3036	net.exe
1496	net.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1232	NETSTAT.EXE
1836	ipconfig.exe
752	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1748	systeminfo.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1540	PING.EXE

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeBackupPrivilege	2240	bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe
Token: SeBackupPrivilege	2240	bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe
Token: SeRestorePrivilege	2240	bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe
Token: SeBackupPrivilege	2240	bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe
Token: SeRestorePrivilege	2240	bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe
Token: SeBackupPrivilege	2240	bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe
Token: SeRestorePrivilege	2240	bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe
Token: SeBackupPrivilege	2240	bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe
Token: SeRestorePrivilege	2240	bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe
Token: SeBackupPrivilege	2240	bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe
Token: SeRestorePrivilege	2240	bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2752	avp.exe
Token: SeDebugPrivilege	2568	tasklist.exe
Token: SeDebugPrivilege	752	NETSTAT.EXE
Token: SeBackupPrivilege	2384	wmimgmt.exe
Token: SeBackupPrivilege	2384	wmimgmt.exe
Token: SeBackupPrivilege	2384	wmimgmt.exe
Token: SeBackupPrivilege	2384	wmimgmt.exe
Token: SeBackupPrivilege	2384	wmimgmt.exe
Token: SeBackupPrivilege	2384	wmimgmt.exe
Token: SeRestorePrivilege	2384	wmimgmt.exe
Token: SeBackupPrivilege	2384	wmimgmt.exe
Token: SeBackupPrivilege	2384	wmimgmt.exe
Token: SeBackupPrivilege	2384	wmimgmt.exe
Token: SeBackupPrivilege	2384	wmimgmt.exe
Token: SeBackupPrivilege	2384	wmimgmt.exe
Token: SeBackupPrivilege	2384	wmimgmt.exe
Token: SeBackupPrivilege	2384	wmimgmt.exe
Token: SeBackupPrivilege	2384	wmimgmt.exe
Token: SeBackupPrivilege	2384	wmimgmt.exe
Token: SeBackupPrivilege	2384	wmimgmt.exe
Token: SeBackupPrivilege	2384	wmimgmt.exe
Token: SeBackupPrivilege	2384	wmimgmt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2384	2240	bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2384	2240	bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2384	2240	bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2384	2240	bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2752	2384	wmimgmt.exe	31
PID 2384 wrote to memory of 2752	2384	wmimgmt.exe	31
PID 2384 wrote to memory of 2752	2384	wmimgmt.exe	31
PID 2384 wrote to memory of 2752	2384	wmimgmt.exe	31
PID 2752 wrote to memory of 2836	2752	avp.exe	32
PID 2752 wrote to memory of 2836	2752	avp.exe	32
PID 2752 wrote to memory of 2836	2752	avp.exe	32
PID 2752 wrote to memory of 2836	2752	avp.exe	32
PID 2752 wrote to memory of 2704	2752	avp.exe	33
PID 2752 wrote to memory of 2704	2752	avp.exe	33
PID 2752 wrote to memory of 2704	2752	avp.exe	33
PID 2752 wrote to memory of 2704	2752	avp.exe	33
PID 2384 wrote to memory of 2872	2384	wmimgmt.exe	34
PID 2384 wrote to memory of 2872	2384	wmimgmt.exe	34
PID 2384 wrote to memory of 2872	2384	wmimgmt.exe	34
PID 2384 wrote to memory of 2872	2384	wmimgmt.exe	34
PID 2872 wrote to memory of 2600	2872	cmd.exe	36
PID 2872 wrote to memory of 2600	2872	cmd.exe	36
PID 2872 wrote to memory of 2600	2872	cmd.exe	36
PID 2872 wrote to memory of 2600	2872	cmd.exe	36
PID 2872 wrote to memory of 2616	2872	cmd.exe	37
PID 2872 wrote to memory of 2616	2872	cmd.exe	37
PID 2872 wrote to memory of 2616	2872	cmd.exe	37
PID 2872 wrote to memory of 2616	2872	cmd.exe	37
PID 2872 wrote to memory of 2628	2872	cmd.exe	38
PID 2872 wrote to memory of 2628	2872	cmd.exe	38
PID 2872 wrote to memory of 2628	2872	cmd.exe	38
PID 2872 wrote to memory of 2628	2872	cmd.exe	38
PID 2628 wrote to memory of 2664	2628	net.exe	39
PID 2628 wrote to memory of 2664	2628	net.exe	39
PID 2628 wrote to memory of 2664	2628	net.exe	39
PID 2628 wrote to memory of 2664	2628	net.exe	39
PID 2872 wrote to memory of 1144	2872	cmd.exe	40
PID 2872 wrote to memory of 1144	2872	cmd.exe	40
PID 2872 wrote to memory of 1144	2872	cmd.exe	40
PID 2872 wrote to memory of 1144	2872	cmd.exe	40
PID 1144 wrote to memory of 2160	1144	net.exe	41
PID 1144 wrote to memory of 2160	1144	net.exe	41
PID 1144 wrote to memory of 2160	1144	net.exe	41
PID 1144 wrote to memory of 2160	1144	net.exe	41
PID 2872 wrote to memory of 2568	2872	cmd.exe	42
PID 2872 wrote to memory of 2568	2872	cmd.exe	42
PID 2872 wrote to memory of 2568	2872	cmd.exe	42
PID 2872 wrote to memory of 2568	2872	cmd.exe	42
PID 2872 wrote to memory of 1748	2872	cmd.exe	44
PID 2872 wrote to memory of 1748	2872	cmd.exe	44
PID 2872 wrote to memory of 1748	2872	cmd.exe	44
PID 2872 wrote to memory of 1748	2872	cmd.exe	44
PID 2872 wrote to memory of 2120	2872	cmd.exe	46
PID 2872 wrote to memory of 2120	2872	cmd.exe	46
PID 2872 wrote to memory of 2120	2872	cmd.exe	46
PID 2872 wrote to memory of 2120	2872	cmd.exe	46
PID 2872 wrote to memory of 1980	2872	cmd.exe	47
PID 2872 wrote to memory of 1980	2872	cmd.exe	47
PID 2872 wrote to memory of 1980	2872	cmd.exe	47
PID 2872 wrote to memory of 1980	2872	cmd.exe	47
PID 2872 wrote to memory of 2812	2872	cmd.exe	48
PID 2872 wrote to memory of 2812	2872	cmd.exe	48
PID 2872 wrote to memory of 2812	2872	cmd.exe	48
PID 2872 wrote to memory of 2812	2872	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\ProgramData\Application Data\wmimgmt.exe
  "C:\ProgramData\Application Data\wmimgmt.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Users\Admin\AppData\Local\Temp\avp.exe
    C:\Users\Admin\AppData\Local\Temp\avp.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\ctfmon.exe
      C:\Windows\ctfmon.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\avp.exe /a /f /q > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:2600
  - - C:\Windows\SysWOW64\chcp.com
      chcp
      4⤵
      System Location Discovery: System Language Discovery
      PID:2616
  - - C:\Windows\SysWOW64\net.exe
      net user
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1144
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2160
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2568
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      System Location Discovery: System Language Discovery
      Gathers system information
      PID:1748
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2120
  - - C:\Windows\SysWOW64\find.exe
      find "REG_"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1980
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office
      4⤵
      System Location Discovery: System Language Discovery
      PID:2812
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:2952
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:2968
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:2320
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:1156
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:2700
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:2304
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:1836
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -ano
      4⤵
      System Location Discovery: System Language Discovery
      System Network Connections Discovery
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:752
  - - C:\Windows\SysWOW64\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      System Location Discovery: System Language Discovery
      PID:1456
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -r
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:1232
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
      - C:\Windows\SysWOW64\ROUTE.EXE
        
        C:\Windows\system32\route.exe print
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2576
  - - C:\Windows\SysWOW64\net.exe
      net start
      4⤵
      System Location Discovery: System Language Discovery
      PID:380
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1712
  - - C:\Windows\SysWOW64\net.exe
      net use
      4⤵
      System Location Discovery: System Language Discovery
      PID:2376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo n"
      4⤵
      System Location Discovery: System Language Discovery
      PID:284
  - - C:\Windows\SysWOW64\net.exe
      net share
      4⤵
      System Location Discovery: System Language Discovery
      PID:3032
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 share
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
  - - C:\Windows\SysWOW64\net.exe
      net view /domain
      4⤵
      System Location Discovery: System Language Discovery
      Discovers systems in the same network
      PID:2224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2200
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "------"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2188
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "domain"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:960
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "¬A╛╣"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2012
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "░⌡ªµª¿"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2204
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:956
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "├ⁿ┴ε"
      4⤵
      System Location Discovery: System Language Discovery
      PID:316
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2452
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "completed successfully"
      4⤵
      System Location Discovery: System Language Discovery
      PID:820
  - - C:\Windows\SysWOW64\net.exe
      net view /domain:"WORKGROUP"
      4⤵
      System Location Discovery: System Language Discovery
      Discovers systems in the same network
      PID:748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\workgrp.tmp "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2068
  - - C:\Windows\SysWOW64\find.exe
      find "\\"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1548
  - - C:\Windows\SysWOW64\net.exe
      net view \\CTBHAMHL
      4⤵
      System Location Discovery: System Language Discovery
      Discovers systems in the same network
      PID:3036
  - - C:\Windows\SysWOW64\net.exe
      net view \\CTBHAMHL
      4⤵
      System Location Discovery: System Language Discovery
      Discovers systems in the same network
      PID:1496
  - - C:\Windows\SysWOW64\find.exe
      find "Disk"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2236
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 CTBHAMHL
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1540
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "Pinging Reply Request Unknown"
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\INFO.TXT

Filesize
24.9MB

MD5
704c6d14caa1ea628f6533e7cc235602

SHA1
d4f00cb1df2bfcf96b3406d555cf7d554808d59f

SHA256
55ea51d4ce1ee8e0ff4edd59fee3a9375d8a3d7182caa40a19c5bec76eeb614b

SHA512
8a1e08adcb3b62c82c2df9984087f7f2b80652d09d721935a672e868e58c98f839dcf749d2a5f0104b086744e6eb4a142f8efdb48ab29969b89b051df20a663e

Download Submit
C:\Users\Admin\AppData\Local\Temp\INFO.TXT

Filesize
43B

MD5
04c4cb4dd076cac072f427d020699c42

SHA1
4ff2543d8c1279105d191546aab7fe29d3f1bb6c

SHA256
2a22056355efded2a78c32c0b27ed02c6a8e4177e25cf02c83d1de377531f079

SHA512
65ef8e83759fce0b9f5a10acb5dcd7fa8a426ed5f4cf203a248086525737df685a1b00a876c9e1716f8682173698a66c4a6915d8d1ceec2da6f4764e29d82fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\INFO.TXT

Filesize
7KB

MD5
c629b0516137c1a71653e4ac4f890bf5

SHA1
42f2f9a8ff575191d817e800e2b6515b89ead02c

SHA256
c7f68ae51d607e049c3edf129f0dc5fda077a093c57b6a45812d6256f8eeec7c

SHA512
6f5297c86c0b2029469d8ed32cb6798088f91c54eb18832e4a73520d6a3c8a36a7000cef594841bc099fda826ba5d3cb76507c5b28bfe6ee6ba4b25c2185567b

Download Submit
C:\Users\Admin\AppData\Local\Temp\L4SD\E6578CD4.db

Filesize
3.6MB

MD5
000e0ec267d0960d5c89a7880d271ad4

SHA1
0858fd20d40ba52dbcbdb8f577938b78c84b8b4e

SHA256
e5a2104fef1f75296eb0affe83d092d6c7deb127a23c28949991bd8dcd11c4b9

SHA512
30e77ef98661f150d088d902f968ab6536da0162765ca4cbbe897ba1dc65a54a91937d55261a598a0af95b4693dcca6f166b2cda66b2b90644f4a74784d91944

Download Submit
C:\Users\Admin\AppData\Local\Temp\drivers.p

Filesize
15B

MD5
4ff8e80638f36abd8fb131c19425317b

SHA1
358665afaf5f88dfebcdb7c56e963693c520c136

SHA256
6b8ceb900443f4924efd3187693038965ad7edb488879305489aa72d78f69626

SHA512
d4e6e3d789bc76102c500b46a5aa799c5ebfc432a44117aa0b7c7512439d33a423630b963fb04cda1da17a7f6517b276a3e9298c17cbf795964090f4b9e5d8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghi.bat

Filesize
3KB

MD5
5431296029e067a37ab14127c8fbf3f6

SHA1
0e6106b3984b7e48a62d7d439324528ad9948793

SHA256
4a51230e15fd4dee03618c89eb0b2068e19de35660ce24acfc9505de1644d9e6

SHA512
5be870e295ed808f283bf969ca54789572e985fba16cb6fe9c088712381c0e4e44209cf39cebb367060914979d92517d99a1d3cf7d1d5531645b3fa08ae5a149

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.log

Filesize
153B

MD5
b256c8a481b065860c2812e742f50250

SHA1
51ddf02764fb12d88822450e8a27f9deac85fe54

SHA256
b167a692a2ff54cc5625797ddc367ba8736797130b93961d68b9150aef2f0e12

SHA512
f425ae70449d16bdb05fcc7913744fb0a81ab81278735d77ce316007b8298ad3c3991a29af67b336420f7dca94702271e59186174b5b78b5cdab1f8ce0163360

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.log

Filesize
64B

MD5
e29f80bf6f6a756e0bc6d7f5189a9bb2

SHA1
acdd1032b7dc189f8e68b390fe6fd964618acd72

SHA256
8bfe9f81e5c82cbfe69203c993009c22f940f20727fa8cb43773958bf0eba7c7

SHA512
f390fc82bdeb43721aa08f3666a4ed7d9ad4a5c1ff91be6967336417a5a5b7968b945773f68effcbe961072b801c3681455cf98b956cd802eba24190bd54268e

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.log

Filesize
72B

MD5
59f2768506355d8bc50979f6d64ded26

SHA1
b2d315b3857bec8335c526a08d08d6a1b5f5c151

SHA256
7f9f3cbab32b3a5022bed245092835cb12502fa2e79d85c8c45d478918ee6569

SHA512
e9aa231d19cb5f93711cd3ffee4a6bd8764b21249ed7eb06ff34bcb457cd075384a0858ea35a99280bff16c01875a4ed79598a6503fcf5262da6f0849b5b1028

Download Submit
C:\Users\Admin\AppData\Local\Temp\workgrp.tmp

Filesize
234B

MD5
96fc3e91c05308108dff8b3361560d5a

SHA1
86f4b4711339acd3a001c338959cd64b092d51b1

SHA256
304238176f46c9a2632e2ede1528354ef53eca660737dcfe7680697342d98717

SHA512
b25b5bd5f49eed329868e7c70a69ef615e7c53459aaa8cc7fdd7d35e15cc97b5b28dd7263c495113b1507ac137a95235c75688c6797408db14b04c28e9672335

Download Submit
C:\Users\Public\Documents\Media\E6578CD4.db

Filesize
64B

MD5
f5fa9689d3eafaba3c140520f1101601

SHA1
6a4ac04ce1c852d03e806107eb0876726a1b876d

SHA256
d601e19528c9024ec71db5e13828575283c6f49cefa4e4064dce10a618faed9a

SHA512
92ec7c29f92ab17e2d7cfe8ea7f28a54b38643aa24738948ea1a262e920d79d50f7aae41083429ca47e4eeb6026375574214c0609693552c6b04093c9196395c

Download Submit
\ProgramData\wmimgmt.exe

Filesize
80KB

MD5
bf7b61b7d5984c357907a111480602e8

SHA1
95d79d6f7da79b6487fb19431134ccb09fc027b8

SHA256
520a97331c488c176432b18191957390c3e4961af04fa14d8e39482764bade1c

SHA512
cce9cd58fcb907618f0289ceb4a63bf9ca8df5bb53a6fa559db68c31f8c05e786b5c862218fc49dc68b2a18d7ecf7d81d9c781a3876455f42420ae21e4443b14

Download Submit
\Users\Admin\AppData\Local\Temp\avp.exe

Filesize
25KB

MD5
d1c53b02d8e555d4c9d01c50da28ee8d

SHA1
cac0e3ead0758b2f889735e9e01a0d65af8392ab

SHA256
5b199306d8b7c40b38c7f73a47395f7bbbc65da3f474ee2daad83ae4199ba809

SHA512
711d89461ee90874f360fd83db5cf753f2337a2991002983689936814730cfdbf5e54ce8f0164f12aca84252f712cbdcb4563a593a642e8c1dbf6687e4b5cc4f

Download Submit
memory/2240-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2240-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2240-5-0x0000000000460000-0x000000000047B000-memory.dmp

Filesize
108KB

Download
memory/2384-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2384-95-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads