Analysis
max time kernel: 150s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/08/2024, 23:57
Behavioral task: behavioral1
Sample: bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
Resource: win7-20240708-en
Note: only the behavioral1 (Windows 7) task header survives here; the signatures, memory dumps and process tree below are all labelled behavioral2, which is the Windows 10 run described under Analysis.
General
Target: bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
Size: 7.4MB
MD5: bfb294177b4bc808140b52f0731189f0
SHA1: 0cd47380795fde1c6fd6b878e70f97503887f49b
SHA256: 1de40371fceb758580032cebfd76f0ed550723d8e9d920ca817cf898fd2c7087
SHA512: c1da21a31dbf7b93a56bc78f08caf262bd49f99c9852ca20c112c8306ebb29f89031d37d2e885977680efaf4061917541c4853efe114b983741e75909dbdd398
SSDEEP: 196608:GGY/dTX+XkwhZqz2NSWgxOfTm6Y4RAu8VAGnD/8PrvL:GGMVXlOZqaNSdOLmUC6UWv
Malware Config
Signatures
-
Drops file in Drivers directory (2 IoCs)
- File created: C:\Windows\system32\drivers\DriverCode_X64.sys (bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe)
- File opened for modification: C:\Windows\system32\drivers\DriverCode_X64.sys (bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe)
Server Software Component: Terminal Services DLL (1 TTP, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\HomePageLockerUpdate\Parameters\ServiceDLL = "C:\\Program Files (x86)\\WinHomeLite\\HomeLockerUpdateServices.dll" (regsvr32.exe)
Sets service image path in registry (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\HomePageLockerUpdate\ImagePath = "%SystemRoot%\\System32\\svchost.exe -k HomePageLockerUpdate" (regsvr32.exe)
Taken together, these two values register HomePageLockerUpdate as an svchost-hosted service: svchost.exe runs in its own -k group and loads the ServiceDLL from Program Files (x86). That is the svchost.exe instance (PID 4284) that appears at the top level of the process tree. The IoC is a ServiceDLL value on this new service key, not on TermService, so read the "Terminal Services DLL" label as the sandbox's generic mapping for a ServiceDLL write rather than as evidence that the Terminal Services service was modified.
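The persistence above is easy to hunt for once the two registry values are read side by side: any service whose ImagePath is svchost.exe -k <group> but whose Parameters\ServiceDll points outside the Windows directory deserves a look. The script below is an added example written for this report, not tooling from the sandbox or the sample. Its input is a constructed list of (key, value name, data) tuples in the shape of a registry export; the HomePageLockerUpdate entries reproduce the two values regsvr32.exe wrote, the Dnscache entries stand in for an ordinary built-in service. The %SystemRoot% expansion to C:\Windows and the single trusted prefix are assumptions; on a live host you would feed it the output of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` or values parsed from an offline SYSTEM hive.

```python
r"""
Hunt for svchost-hosted services whose ServiceDll lives outside the Windows
directory: ImagePath = svchost.exe -k <group> plus Parameters\ServiceDll under
some other directory, the pattern HomePageLockerUpdate shows above.
Added example for this report, not tooling from the sandbox or the sample.
"""
import re
from collections import defaultdict

# Constructed sample data. The first two tuples reproduce the values
# regsvr32.exe wrote in the report; Dnscache stands in for a normal
# built-in svchost-hosted service.
SAMPLE_VALUES = [
    (r"HKLM\SYSTEM\ControlSet001\Services\HomePageLockerUpdate", "ImagePath",
     r"%SystemRoot%\System32\svchost.exe -k HomePageLockerUpdate"),
    (r"HKLM\SYSTEM\ControlSet001\Services\HomePageLockerUpdate\Parameters", "ServiceDLL",
     r"C:\Program Files (x86)\WinHomeLite\HomeLockerUpdateServices.dll"),
    (r"HKLM\SYSTEM\ControlSet001\Services\Dnscache", "ImagePath",
     r"%SystemRoot%\System32\svchost.exe -k NetworkService -p"),
    (r"HKLM\SYSTEM\ControlSet001\Services\Dnscache\Parameters", "ServiceDll",
     r"%SystemRoot%\System32\dnsrslvr.dll"),
]

SERVICE_KEY_RE = re.compile(r"\\Services\\([^\\]+)", re.IGNORECASE)
SVCHOST_RE = re.compile(r"svchost\.exe\b.*?-k\s+(\S+)", re.IGNORECASE)
# Assumption: a service DLL is only expected to live under the Windows directory.
TRUSTED_PREFIXES = ("c:\\windows\\",)


def expand_systemroot(path, systemroot=r"C:\Windows"):
    r"""Expand %SystemRoot% (assumed to be C:\Windows) so paths compare consistently."""
    return re.sub(r"%systemroot%", lambda _m: systemroot, path, flags=re.IGNORECASE)


def collect_services(values):
    r"""Group ImagePath and Parameters\ServiceDll values by service name."""
    services = defaultdict(dict)
    for key, name, data in values:
        m = SERVICE_KEY_RE.search(key)
        if not m:
            continue
        svc = m.group(1)
        if key.lower().endswith("\\parameters") and name.lower() == "servicedll":
            services[svc]["dll"] = expand_systemroot(data)
        elif name.lower() == "imagepath":
            services[svc]["image"] = expand_systemroot(data)
    return services


def find_suspicious_service_dlls(values):
    """Return svchost-hosted services whose DLL is missing or outside the trusted prefixes."""
    findings = []
    for svc, v in collect_services(values).items():
        m = SVCHOST_RE.search(v.get("image", ""))
        if not m:
            continue  # not hosted by svchost.exe, out of scope for this check
        group = m.group(1)
        dll = v.get("dll")
        if dll is None:
            findings.append({"service": svc, "group": group, "dll": None,
                             "reason": "svchost service without a ServiceDll value"})
        elif not dll.lower().startswith(TRUSTED_PREFIXES):
            findings.append({"service": svc, "group": group, "dll": dll,
                             "reason": "ServiceDll outside the Windows directory"})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_service_dlls(SAMPLE_VALUES):
        print(f"{f['service']} (-k {f['group']}): {f['reason']}: {f['dll']}")
```

The check deliberately keys on the ServiceDll location rather than on the group name, because a group name is free text and a malicious service can reuse a legitimate one; a DLL under Program Files loaded into svchost.exe is the part that does not happen in a clean install.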
ACProtect 1.3x - 1.4x DLL software (2 IoCs)
Detects file using ACProtect software.
- behavioral2/files/0x000a0000000233da-222.dat (yara rule: acprotect)
- behavioral2/files/0x000d0000000233dd-311.dat (yara rule: acprotect)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation (bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe)
Executes dropped EXE (4 IoCs)
- PID 4800 HomePageLocker.exe
- PID 3944 HomePageLocker.exe
- PID 5080 locker32.exe
- PID 1644 Locker64.exe
Loads dropped DLL (8 IoCs)
- PID 676 regsvr32.exe
- PID 4284 svchost.exe
- PID 5080 locker32.exe (x2)
- PID 1644 Locker64.exe (x2)
- PID 3380 Process not Found (x2)
Yara rule matches: upx (29 resources)
- behavioral2/memory/3156-0-0x0000000000400000-0x000000000068D000-memory.dmp
- behavioral2/files/0x00090000000233dc-220.dat
- behavioral2/files/0x000a0000000233da-222.dat
- behavioral2/memory/676-224-0x0000000000400000-0x000000000043D000-memory.dmp
- behavioral2/files/0x0007000000023639-290.dat
- behavioral2/memory/3156-298-0x0000000000400000-0x000000000068D000-memory.dmp
- behavioral2/memory/4800-304-0x0000000000400000-0x0000000000C89000-memory.dmp
- behavioral2/memory/3944-306-0x0000000000400000-0x0000000000C89000-memory.dmp
- behavioral2/files/0x000b0000000233e5-307.dat
- behavioral2/files/0x000d0000000233dd-311.dat
- behavioral2/memory/5080-314-0x0000000000AB0000-0x0000000000D64000-memory.dmp
- behavioral2/memory/5080-313-0x0000000000400000-0x00000000006AF000-memory.dmp
- behavioral2/memory/3944-312-0x0000000000400000-0x0000000000C89000-memory.dmp
- behavioral2/files/0x0008000000023635-317.dat
- behavioral2/memory/1644-321-0x0000000000400000-0x0000000000823000-memory.dmp
- behavioral2/files/0x00090000000233e0-320.dat
- behavioral2/memory/4284-323-0x0000000000400000-0x000000000043D000-memory.dmp
- behavioral2/memory/1644-324-0x0000000000B60000-0x0000000000F97000-memory.dmp
- behavioral2/memory/1644-322-0x0000000000B60000-0x0000000000F97000-memory.dmp
- behavioral2/memory/4800-328-0x0000000000400000-0x0000000000C89000-memory.dmp
- behavioral2/memory/4284-329-0x0000000000400000-0x000000000043D000-memory.dmp
- behavioral2/memory/5080-330-0x0000000000400000-0x00000000006AF000-memory.dmp
- behavioral2/memory/5080-331-0x0000000000AB0000-0x0000000000D64000-memory.dmp
- behavioral2/memory/1644-334-0x0000000000400000-0x0000000000823000-memory.dmp
- behavioral2/memory/1644-335-0x0000000000B60000-0x0000000000F97000-memory.dmp
- behavioral2/memory/4284-338-0x0000000000400000-0x000000000043D000-memory.dmp
- behavioral2/memory/5080-339-0x0000000000400000-0x00000000006AF000-memory.dmp
- behavioral2/memory/4284-343-0x0000000000400000-0x000000000043D000-memory.dmp
- behavioral2/memory/4284-348-0x0000000000400000-0x000000000043D000-memory.dmp
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops desktop.ini file(s) (1 IoC)
- File opened for modification: C:\Users\Admin\Desktop\desktop.ini (bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe)
Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
- File opened for modification: \??\PhysicalDrive0 (bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe)
- File opened for modification: \??\PhysicalDrive0 (locker32.exe)
Caveat: what the sandbox recorded is a writable handle to the raw disk device, not the write itself. Licensing and anti-tamper code also opens \\.\PhysicalDrive0 (for example to read the disk signature), and this sample bundles ACProtect-packed components, so confirm an actual MBR change by diffing the first sector before and after detonation rather than trusting the signature name alone.
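To turn the alert above into a verifiable finding you read the first sector of the disk and compare it with a baseline. The following is an added example for this report, not code from the sandbox or the sample: it parses a 512-byte MBR image, validates the 0x55AA signature and the partition table, and hashes the 440-byte bootstrap area so a before/after comparison is a single string compare. The MBR bytes are constructed here (zeroed bootstrap code, one active NTFS partition at LBA 2048, an assumed disk signature); on a Windows host the real bytes come from reading the first 512 bytes of \\.\PhysicalDrive0 as Administrator.

```python
"""
Parse and sanity-check a 512-byte MBR image and hash its bootstrap area for
baseline comparison. Added example for this report; the sample MBR below is
constructed, not read from the sandbox VM.
"""
import hashlib
import struct

SECTOR = 512
PART_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xaa"


def build_sample_mbr():
    """Constructed MBR: zero bootstrap code, one active NTFS (0x07) partition at LBA 2048."""
    boot_code = bytes(440)
    disk_signature = struct.pack("<I", 0x12345678)  # assumed value
    reserved = b"\x00\x00"
    p1 = struct.pack(PART_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = p1 + bytes(16) * 3                      # three empty slots
    return boot_code + disk_signature + reserved + table + BOOT_SIG


def parse_mbr(data):
    """Split an MBR sector into bootstrap hash, disk signature and partition entries."""
    if len(data) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_FMT, data[off:off + 16])
        if ptype == 0 and lba == 0 and count == 0:
            continue  # empty slot
        partitions.append({"index": i, "status": status, "bootable": status == 0x80,
                           "type": ptype, "lba": lba, "sectors": count})
    return {
        "valid_signature": data[510:512] == BOOT_SIG,
        "disk_signature": struct.unpack("<I", data[440:444])[0],
        "bootcode_sha256": hashlib.sha256(data[:440]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(data, baseline_bootcode_sha256=None):
    """Return (parsed info, list of problems). An empty list means nothing looked off."""
    info = parse_mbr(data)
    problems = []
    if not info["valid_signature"]:
        problems.append("missing 0x55AA boot signature")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        problems.append("more than one partition marked active")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            problems.append(f"partition {p['index']} has invalid status byte {p['status']:#x}")
        if p["lba"] == 0 or p["sectors"] == 0:
            problems.append(f"partition {p['index']} has a zero LBA start or length")
    # overlapping entries are a common sign of a hand-edited table
    ordered = sorted(info["partitions"], key=lambda p: p["lba"])
    for a, b in zip(ordered, ordered[1:]):
        if b["lba"] < a["lba"] + a["sectors"]:
            problems.append(f"partitions {a['index']} and {b['index']} overlap")
    if baseline_bootcode_sha256 and info["bootcode_sha256"] != baseline_bootcode_sha256:
        problems.append("bootstrap code differs from baseline")
    return info, problems


if __name__ == "__main__":
    mbr = build_sample_mbr()
    info, problems = check_mbr(mbr)
    print("bootcode sha256:", info["bootcode_sha256"])
    print("partitions:", info["partitions"])
    print("problems:", problems or "none")
```

On a GPT disk the first sector is a protective MBR with a single 0xEE entry and the firmware boots from the EFI system partition instead, so a bootstrap-area hash still tells you whether the sector changed but says nothing about an implant in the ESP; check that separately.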
Drops file in Program Files directory (20 IoCs, all by bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe)
- File opened for modification: C:\Program Files (x86)\WinHomeLite\HPHelper32.dll
- File created: C:\Program Files (x86)\WinHomeLite\HPHelper64.dll
- File opened for modification: C:\Program Files (x86)\WinHomeLite\locker64.exe
- File created: C:\Program Files (x86)\WinHomeLite\uninstall.exe
- File opened for modification: C:\Program Files (x86)\WinHomeLite\DriverCode_X64.sys
- File created: C:\Program Files (x86)\WinHomeLite\HomePageLocker.exe
- File created: C:\Program Files (x86)\WinHomeLite\HPHelper32.dll
- File opened for modification: C:\Program Files (x86)\WinHomeLite\HPHelper64.dll
- File created: C:\Program Files (x86)\WinHomeLite\netError.log
- File created: C:\Program Files (x86)\WinHomeLite\DriverCode_X86.sys
- File created: C:\Program Files (x86)\WinHomeLite\HomeLockerUpdateServices.dll
- File opened for modification: C:\Program Files (x86)\WinHomeLite\HomeLockerUpdateServices.dll
- File opened for modification: C:\Program Files (x86)\WinHomeLite\locker32.exe
- File created: C:\Program Files (x86)\WinHomeLite\locker64.exe
- File created: C:\Program Files (x86)\WinHomeLite\DriverCode_X64.sys
- File opened for modification: C:\Program Files (x86)\WinHomeLite\HomePageLocker.exe
- File created: C:\Program Files (x86)\WinHomeLite\locker32.exe
- File opened for modification: C:\Program Files (x86)\WinHomeLite\uninstall.exe
- File opened for modification: C:\Program Files (x86)\WinHomeLite\DriverCode_X86.sys
- File created: C:\Program Files (x86)\WinHomeLite\files.log
Launches sc.exe (5 IoCs)
sc.exe is a Windows utility to control services on the system.
- PID 4204 sc.exe
- PID 3408 sc.exe
- PID 3944 sc.exe
- PID 2984 sc.exe
- PID 4352 sc.exe
All five are "sc.exe delete HomePageLockerUpdate" (see the process tree). PID 3944 is reused later in the run by HomePageLocker.exe, so match on image name and start time, not on PID alone.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 21 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
All 21 IoCs are "Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", by:
- net.exe (x5)
- net1.exe (x5)
- sc.exe (x5)
- HomePageLocker.exe (x2)
- bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
- locker32.exe
- regsvr32.exe
- svchost.exe
Because the built-in net.exe, net1.exe and sc.exe trigger it just as the dropped binaries do, this signature is low-signal on its own; the Geo\Nation query under "Checks computer location settings" is the more deliberate locale check.
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses (35 IoCs)
- PID 3156 bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe (x2)
- PID 4284 svchost.exe (x29)
- PID 4800 HomePageLocker.exe (x2)
- PID 5080 locker32.exe (x2)
Suspicious behavior: LoadsDriver (1 IoC)
- PID 664 Process not Found
The loading process is not in the tracked tree and the report does not name the driver; DriverCode_X64.sys, which the sample copied into system32\drivers, is the obvious candidate but is not confirmed here.
Suspicious use of AdjustPrivilegeToken (6 IoCs)
- Token: SeCreateGlobalPrivilege, PID 3944 HomePageLocker.exe
- Token: SeCreateGlobalPrivilege, PID 4800 HomePageLocker.exe
- Token: SeCreateGlobalPrivilege, PID 5080 locker32.exe (x2)
- Token: SeCreateGlobalPrivilege, PID 1644 Locker64.exe (x2)
SeCreateGlobalPrivilege is what a process needs to create named objects in the Global\ namespace, for example a section or mutex shared between the service and the user-session lockers; it is not an escalation primitive by itself.
Suspicious use of FindShellTrayWindow (64 IoCs)
- PID 5080 locker32.exe and PID 1644 Locker64.exe, 64 hits between them
Suspicious use of SetWindowsHookEx (4 IoCs)
- PID 5080 locker32.exe (x2)
- PID 1644 Locker64.exe (x2)
Locating the taskbar window and installing Windows hooks are user-mode GUI operations; together with the "locker" naming they point to the two processes controlling the desktop/browser UI rather than to code injection.
Suspicious use of WriteProcessMemory (59 IoCs)
Each entry is "PID <writer> wrote to memory of <target>" with the writer's image and the target's process index in the report; the sandbox logged almost every pair three times, which is how 20 distinct pairs become 59 IoCs. Every writer/target pair is a parent/child pair in the process tree, so these writes line up with process creation by the parent rather than injection into an unrelated process.
- 3156 bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe -> 1376 (net.exe), target 92 (x3)
- 3156 bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe -> 4352 (sc.exe), target 94 (x3)
- 1376 net.exe -> 1436 (net1.exe), target 96 (x3)
- 3156 bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe -> 3484 (net.exe), target 100 (x3)
- 3156 bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe -> 4204 (sc.exe), target 102 (x3)
- 3484 net.exe -> 3480 (net1.exe), target 104 (x3)
- 3156 bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe -> 2276 (net.exe), target 107 (x3)
- 3156 bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe -> 3408 (sc.exe), target 109 (x3)
- 2276 net.exe -> 2476 (net1.exe), target 111 (x3)
- 3156 bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe -> 4524 (net.exe), target 114 (x3)
- 3156 bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe -> 3944 (sc.exe), target 116 (x3)
- 4524 net.exe -> 2340 (net1.exe), target 118 (x3)
- 3156 bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe -> 4332 (net.exe), target 119 (x3)
- 3156 bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe -> 2984 (sc.exe), target 121 (x3)
- 4332 net.exe -> 4816 (net1.exe), target 123 (x3)
- 3156 bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe -> 676 (regsvr32.exe), target 125 (x3)
- 4284 svchost.exe -> 4800 (HomePageLocker.exe), target 128 (x3)
- 4284 svchost.exe -> 3944 (HomePageLocker.exe), target 129 (x3)
- 3944 HomePageLocker.exe -> 5080 (locker32.exe), target 130 (x3)
- 5080 locker32.exe -> 1644 (Locker64.exe), target 132 (x2)
Processes
Depth in brackets is the nesting level from the original tree; a process at depth 1 has no tracked parent. Image paths read C:\Windows\SysWOW64\... while the command lines say System32 because the sample is 32-bit and WOW64 file-system redirection maps its System32 calls to SysWOW64. The sample stops and deletes the HomePageLockerUpdate service five times, then registers HomeLockerUpdateServices.dll with regsvr32 /s, which writes the ImagePath and ServiceDLL values listed under Signatures; the resulting svchost.exe -k HomePageLockerUpdate instance appears at depth 1 because it is started by the service control manager, not by the sample. The /ii: and /cc: arguments handed to HomePageLocker.exe (PID 3944) are the UTF-16LE bytes of a path written out as hex; both decode to c:\program files (x86)\winhomelite\locker32.exe (the /cc value with surrounding double quotes), which is the child that process then starts. PID 3944 is reused within the run: first by sc.exe under the sample, later by HomePageLocker.exe under svchost.exe.

[1] C:\Users\Admin\AppData\Local\Temp\bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe (PID 3156)
    cmd: "C:\Users\Admin\AppData\Local\Temp\bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe"
    - Drops file in Drivers directory
    - Checks computer location settings
    - Drops desktop.ini file(s)
    - Writes to the Master Boot Record (MBR)
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\net.exe (PID 1376)
        cmd: "C:\Windows\System32\net.exe" stop HomePageLockerUpdate
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\net1.exe (PID 1436)
            cmd: C:\Windows\system32\net1 stop HomePageLockerUpdate
            - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\sc.exe (PID 4352)
        cmd: "C:\Windows\System32\sc.exe" delete HomePageLockerUpdate
        - Launches sc.exe
        - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\net.exe (PID 3484)
        cmd: "C:\Windows\System32\net.exe" stop HomePageLockerUpdate
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\net1.exe (PID 3480)
            cmd: C:\Windows\system32\net1 stop HomePageLockerUpdate
            - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\sc.exe (PID 4204)
        cmd: "C:\Windows\System32\sc.exe" delete HomePageLockerUpdate
        - Launches sc.exe
        - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\net.exe (PID 2276)
        cmd: "C:\Windows\System32\net.exe" stop HomePageLockerUpdate
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\net1.exe (PID 2476)
            cmd: C:\Windows\system32\net1 stop HomePageLockerUpdate
            - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\sc.exe (PID 3408)
        cmd: "C:\Windows\System32\sc.exe" delete HomePageLockerUpdate
        - Launches sc.exe
        - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\net.exe (PID 4524)
        cmd: "C:\Windows\System32\net.exe" stop HomePageLockerUpdate
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\net1.exe (PID 2340)
            cmd: C:\Windows\system32\net1 stop HomePageLockerUpdate
            - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\sc.exe (PID 3944)
        cmd: "C:\Windows\System32\sc.exe" delete HomePageLockerUpdate
        - Launches sc.exe
        - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\net.exe (PID 4332)
        cmd: "C:\Windows\System32\net.exe" stop HomePageLockerUpdate
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\net1.exe (PID 4816)
            cmd: C:\Windows\system32\net1 stop HomePageLockerUpdate
            - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\sc.exe (PID 2984)
        cmd: "C:\Windows\System32\sc.exe" delete HomePageLockerUpdate
        - Launches sc.exe
        - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\regsvr32.exe (PID 676)
        cmd: C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\WinHomeLite\HomeLockerUpdateServices.dll"
        - Server Software Component: Terminal Services DLL
        - Sets service image path in registry
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4220)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
    (no signatures; an Edge utility process captured in the trace, not shown as a child of the sample)

[1] C:\Windows\SysWOW64\svchost.exe (PID 4284)
    cmd: C:\Windows\SysWOW64\svchost.exe -k HomePageLockerUpdate -s HomePageLockerUpdate
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] \??\c:\program files (x86)\winhomelite\HomePageLocker.exe (PID 4800)
        cmd: "c:\program files (x86)\winhomelite\HomePageLocker.exe" /update
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [2] \??\c:\program files (x86)\winhomelite\HomePageLocker.exe (PID 3944)
        cmd: "c:\program files (x86)\winhomelite\HomePageLocker.exe" /ii:63003a005c00700072006f006700720061006d002000660069006c00650073002000280078003800360029005c00770069006e0068006f006d0065006c006900740065005c006c006f0063006b0065007200330032002e00650078006500 /cc:220063003a005c00700072006f006700720061006d002000660069006c00650073002000280078003800360029005c00770069006e0068006f006d0065006c006900740065005c006c006f0063006b0065007200330032002e006500780065002200
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] \??\c:\program files (x86)\winhomelite\locker32.exe (PID 5080)
            cmd: "c:\program files (x86)\winhomelite\locker32.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Writes to the Master Boot Record (MBR)
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            [4] \??\c:\program files (x86)\winhomelite\Locker64.exe (PID 1644)
                cmd: "c:\program files (x86)\winhomelite\Locker64.exe"
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SetWindowsHookEx
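The /ii: and /cc: values on the PID 3944 command line are worth decoding rather than eyeballing, because a detection that substring-matches "locker32.exe" on the command line misses them. The script below is an added example for this report, not code from the sandbox or the sample: the two hex strings are copied verbatim from the process tree, the argument names /ii and /cc are just the ones that appear there, and the decoder treats any /name:<hex> token as a candidate hex-encoded UTF-16LE string (two hex digits per byte, four per character), returning None for tokens that do not decode cleanly.

```python
"""
Decode hex-encoded UTF-16LE command-line arguments of the kind
HomePageLocker.exe receives in this report. Added example; the hex strings
are copied from the report's process tree.
"""
import re

# Copied verbatim from the PID 3944 command line in the report.
II_HEX = ("63003a005c00700072006f006700720061006d002000"
          "660069006c00650073002000280078003800360029005c00"
          "770069006e0068006f006d0065006c006900740065005c00"
          "6c006f0063006b0065007200330032002e00650078006500")
CC_HEX = "2200" + II_HEX + "2200"
CMDLINE = (r'"c:\program files (x86)\winhomelite\HomePageLocker.exe" '
           f"/ii:{II_HEX} /cc:{CC_HEX}")

# /name:<hex> tokens; the lookahead stops a partial match inside a longer token.
HEX_ARG_RE = re.compile(r"/([A-Za-z]+):([0-9A-Fa-f]+)(?=\s|$)")


def decode_utf16le_hex(hexstr):
    """Turn a hex-encoded UTF-16LE string back into text."""
    if len(hexstr) % 4:
        raise ValueError("length must be a multiple of 4 (two bytes per UTF-16 code unit)")
    return bytes.fromhex(hexstr).decode("utf-16-le")


def decode_hex_args(cmdline):
    """Map each /name:<hex> argument on a command line to its decoded text, or None."""
    decoded = {}
    for name, hexval in HEX_ARG_RE.findall(cmdline):
        try:
            decoded[name] = decode_utf16le_hex(hexval)
        except (ValueError, UnicodeDecodeError):
            decoded[name] = None  # not a wide string; leave it for manual inspection
    return decoded


if __name__ == "__main__":
    for name, text in decode_hex_args(CMDLINE).items():
        print(f"/{name}: {text!r}")
```

Running it gives /ii as the bare path to locker32.exe and /cc as the same path wrapped in double quotes, which matches the locker32.exe child PID 3944 spawns in the tree. For detection purposes the encoding is trivial to reverse, so a rule that decodes hex-looking arguments before matching on file names costs little and closes the gap.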
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Pre-OS Boot (1): Bootkit (1)
- Server Software Component (1): Terminal Services DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads
-
Filesize: 90KB
MD5: 3b16e45e48d8cbcbd18c6f1fe551d058
SHA1: 5aef17d1d44d60a8011da30d505a1f0c949ca34e
SHA256: b992343d675459048122e84620c0fb04a8a79cbe01be78427cd104e620c4f05e
SHA512: 5ec06f43b285d116e2bf0dd75cef32e386f4147dc02b7e4f16f8b9f37c3dcf707d11eb28484614e395ce3ff18b062ce6abb1fc4dc73ceb6ae1d7b886f8c0ca56
-
Filesize: 711KB
MD5: e71bff2c69d10d14d94f01aa4c10af0a
SHA1: 4592f0ce959f2e9ae06051a670d2bf65325174d0
SHA256: b8d69d9c9bdd7c751bde574a105de88aefbd984748a83bfa31ca71d98dc69bed
SHA512: 52bc3b754c2ca9cc8e293ffcac705894cf2024335d540ccea227e2c025a4273805a453786083894ba43b89178d46bcca7408699dde6a30842e4124e88d3b47ae
-
Filesize: 975KB
MD5: 3a2aeb2f479fe32445fd0d0c2ca53130
SHA1: 71ff4799c359c8d8e2c34ca3b238573f33f324c4
SHA256: 8ed17be3721a0d33f4a2c42452aa3d41e1f4b7f70e232c8620d92c4b266bed75
SHA512: 93f516c0d018fe790cb3683dd569a969558ff2a5b1a0df7e27c0bf2a9226a35b3abe99180bf4412a138e2d1d0daed131b42f188712bbd5666057ec8d123b8930
-
Filesize: 71KB
MD5: 3d5b36708d0d34914df72d1f6f4b7e29
SHA1: c89c346edf19a715c47113d9f45b97ec22bbdf44
SHA256: fe814ef776493a26d9bd7f3e4a90beae4c2548a4ab1ef3d9103cd2cc4fea8519
SHA512: 79f2cf1674f1fe83088b31fc37a3d2b1da8b879a0b07471ea4ade3184a07edb8ff8c2526f1385bfddd795530d268303fd42a6c5ae93d7c3c3a3168f73fd1286a
-
Filesize: 2.1MB
MD5: 36414e180604cf592db3da4949eda839
SHA1: 1391e5fdf0041d6c3de6e11d16369ab4c5ee0c13
SHA256: 4d3f7133cf81028c6d6a766a5beb7258219ece1faa2b769ef9993528421a6d88
SHA512: 8f40143e7926388c7c4ae1bd737c1169e86f35bad6fb53a9e952f5266cbe32f6515d2fb8232899e79fcf8bf9084f5cad3592edfdd7950a1c33d61f395dd310d3
-
Filesize: 1.0MB
MD5: 8d07d1fccb9ae2ed8eee436cd71c83ff
SHA1: e1c2d567bd8f4168e0b79644c4c34bcbbea10f09
SHA256: 82e39e493f33347830ed27057353e0bbd23fbdbea8317c1221895fd7ddd21fa2
SHA512: 91be9628217ed9b0a9af4f35d72e7ce9b39a50976b22f68252b8fc39c44f2b9d9ab91c7150651ab466fc996ca967335337a68a8e5e6fddf198caba29263ab118
-
Filesize: 1.6MB
MD5: 58b7e0b462d0e9ebf480567fdf58312c
SHA1: dde2ad5799cd142d2349d9ef482cc4a8c3fae2b2
SHA256: 6ca24050fa8c872d77f9fa627c56e214c8024387c6f2032d6a252c14ee3d52a7
SHA512: 8c1976ad933b4b44ecfa31807c301f2e5bf4d7159637fa5144f63918f65a2703e6aa16579cff1f186ef5a0e6273068fce82dee9a227cd91085939219054bdec9
-
Filesize: 282B
MD5: 9e36cc3537ee9ee1e3b10fa4e761045b
SHA1: 7726f55012e1e26cc762c9982e7c6c54ca7bb303
SHA256: 4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026
SHA512: 5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790
-
Filesize: 805KB
MD5: 7aed7d1f8caa79926eb0d2b2580e5ca9
SHA1: 5379c909be25fd256de43e18a5cd675fb95c02e0
SHA256: 8487bf18b9a8d2a6aa00d370aa51f99aeb6229f5f0379d4c2b11989c29cee020
SHA512: fc2c171af028b2e08c5d16a90af34fb770f0fa1e92a87b9a9d2cda192a2fa2ddb053799f5d5259bdca7339eaa67d074d25cb783e92506c438d84f5e619aa1c40
-
Filesize: 820B
MD5: b27921e3e9fbe4ddfcda5f0c6e008af7
SHA1: 34c3ab3a138a0a208bf354add976c9095559a976
SHA256: d930b87274b52442c188ffb1e627cff99a8ef9e055f4bdc6de46ae4868e84dd4
SHA512: 8bd7e1cef6516bc40c5adf464bb0b2e1e5d6df3ed6ab2bed2c2347f3e35df51ae644d742ff4b1126e4ae05d1ab5f45c6316ec7506774b3e6eabde1be88e3253e