Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/08/2024, 01:07 UTC

General

  • Target

    bdb667f12e906f4d6e235124f8bc11f0_JaffaCakes118.exe

  • Size

    4.9MB

  • MD5

    bdb667f12e906f4d6e235124f8bc11f0

  • SHA1

    b12cd62e9564236637a2cf0ce02ac192299bc83e

  • SHA256

    f6906e2636e05a8f894282cd4c824d53273aab85d82c3a7e9a8e2543882c4d96

  • SHA512

    bdaa815b813ecdef785a45987f6b9f44ccb1ef87f1ea143be60c83f7aa0f2aaa33a2ed6cc1e8f8d52111bf4cf6f7e6aa2dc55106b96f4ebfa264502d01f33819

  • SSDEEP

    98304:NrQZWrQZlrQZWrQZlrQZWrQZlrQZWrQZlrQZWrQZ8:Nr2Wr2lr2Wr2lr2Wr2lr2Wr2lr2Wr28

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Blocks application from running via registry modification 17 IoCs

    Adds application to list of disallowed applications.

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 20 IoCs
  • Executes dropped EXE 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 39 IoCs
  • Drops file in Windows directory 10 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Time Discovery 1 TTPs 6 IoCs

    Adversary may gather the system time and/or time zone settings from a local or remote system.

  • Runs net.exe
  • Runs regedit.exe 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bdb667f12e906f4d6e235124f8bc11f0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bdb667f12e906f4d6e235124f8bc11f0_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3728
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2112
    • C:\Windows\SysWOW64\net.exe
      net.exe start schedule /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:116
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 start schedule /y
        3⤵
          PID:1540
      • C:\Windows\SysWOW64\At.exe
        At.exe 1:11:01 AM C:\Windows\Help\HelpCat.exe
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2044
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c at 1:10:03 AM C:\Windows\Sysinf.bat
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3996
        • C:\Windows\SysWOW64\at.exe
          at 1:10:03 AM C:\Windows\Sysinf.bat
          3⤵
            PID:3216
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c at 1:13:03 AM C:\Windows\Sysinf.bat
          2⤵
          • System Location Discovery: System Language Discovery
          PID:864
          • C:\Windows\SysWOW64\at.exe
            at 1:13:03 AM C:\Windows\Sysinf.bat
            3⤵
            • System Location Discovery: System Language Discovery
            PID:1844
        • C:\Windows\SysWOW64\net.exe
          net.exe stop wscsvc /y
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3896
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop wscsvc /y
            3⤵
              PID:2736
          • C:\Windows\SysWOW64\net.exe
            net.exe stop sharedaccess /y
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2144
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop sharedaccess /y
              3⤵
              • System Location Discovery: System Language Discovery
              PID:2708
          • C:\Windows\SysWOW64\net.exe
            net.exe stop wuauserv /y
            2⤵
              PID:3096
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop wuauserv /y
                3⤵
                  PID:3944
              • C:\Windows\SysWOW64\net.exe
                net.exe stop srservice /y
                2⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4884
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop srservice /y
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:2024
              • C:\Windows\SysWOW64\net.exe
                net.exe stop 360timeprot /y
                2⤵
                • System Time Discovery
                PID:3380
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop 360timeprot /y
                  3⤵
                  • System Time Discovery
                  PID:4100
              • C:\Windows\SysWOW64\sc.exe
                C:\Windows\system32\sc.exe config srservice start= disabled
                2⤵
                • Launches sc.exe
                • System Location Discovery: System Language Discovery
                PID:1608
              • C:\Windows\SysWOW64\sc.exe
                C:\Windows\system32\sc.exe config SharedAccess start= disabled
                2⤵
                • Launches sc.exe
                • System Location Discovery: System Language Discovery
                PID:1896
              • C:\Windows\SysWOW64\sc.exe
                C:\Windows\system32\sc.exe config wscsvc start= disabled
                2⤵
                • Launches sc.exe
                • System Location Discovery: System Language Discovery
                PID:428
              • C:\Windows\SysWOW64\sc.exe
                C:\Windows\system32\sc.exe config srservice start= disabled
                2⤵
                • Launches sc.exe
                • System Location Discovery: System Language Discovery
                PID:3044
              • C:\Windows\SysWOW64\regedit.exe
                regedit.exe /s C:\Windows\regedt32.sys
                2⤵
                • Modifies visibility of file extensions in Explorer
                • Blocks application from running via registry modification
                • Event Triggered Execution: Image File Execution Options Injection
                • Runs regedit.exe
                PID:3456
              • C:\Windows\SysWOW64\reg.exe
                C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
                2⤵
                • System Location Discovery: System Language Discovery
                PID:1652
              • C:\Windows\SysWOW64\reg.exe
                C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
                2⤵
                • System Location Discovery: System Language Discovery
                PID:4344
              • C:\Windows\system\KavUpda.exe
                C:\Windows\system\KavUpda.exe
                2⤵
                • Executes dropped EXE
                • Drops autorun.inf file
                • Drops file in System32 directory
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2172
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:4832
                • C:\Windows\SysWOW64\net.exe
                  net.exe start schedule /y
                  3⤵
                    PID:1316
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 start schedule /y
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:1560
                  • C:\Windows\SysWOW64\At.exe
                    At.exe 1:11:04 AM C:\Windows\Help\HelpCat.exe
                    3⤵
                      PID:4768
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c at 1:10:06 AM C:\Windows\Sysinf.bat
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:2940
                      • C:\Windows\SysWOW64\at.exe
                        at 1:10:06 AM C:\Windows\Sysinf.bat
                        4⤵
                          PID:4712
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c at 1:13:06 AM C:\Windows\Sysinf.bat
                        3⤵
                        • System Location Discovery: System Language Discovery
                        PID:3040
                        • C:\Windows\SysWOW64\at.exe
                          at 1:13:06 AM C:\Windows\Sysinf.bat
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:4884
                      • C:\Windows\SysWOW64\net.exe
                        net.exe stop wscsvc /y
                        3⤵
                          PID:3432
                          • C:\Windows\SysWOW64\net1.exe
                            C:\Windows\system32\net1 stop wscsvc /y
                            4⤵
                            • System Location Discovery: System Language Discovery
                            PID:4880
                        • C:\Windows\SysWOW64\net.exe
                          net.exe stop sharedaccess /y
                          3⤵
                            PID:2272
                            • C:\Windows\SysWOW64\net1.exe
                              C:\Windows\system32\net1 stop sharedaccess /y
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:4328
                          • C:\Windows\SysWOW64\net.exe
                            net.exe stop wuauserv /y
                            3⤵
                            • System Location Discovery: System Language Discovery
                            PID:2196
                            • C:\Windows\SysWOW64\net1.exe
                              C:\Windows\system32\net1 stop wuauserv /y
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:5068
                          • C:\Windows\SysWOW64\net.exe
                            net.exe stop srservice /y
                            3⤵
                            • System Location Discovery: System Language Discovery
                            PID:2096
                            • C:\Windows\SysWOW64\net1.exe
                              C:\Windows\system32\net1 stop srservice /y
                              4⤵
                                PID:1316
                            • C:\Windows\SysWOW64\net.exe
                              net.exe stop 360timeprot /y
                              3⤵
                              • System Time Discovery
                              PID:4804
                              • C:\Windows\SysWOW64\net1.exe
                                C:\Windows\system32\net1 stop 360timeprot /y
                                4⤵
                                • System Time Discovery
                                PID:1864
                            • C:\Windows\SysWOW64\sc.exe
                              C:\Windows\system32\sc.exe config srservice start= disabled
                              3⤵
                              • Launches sc.exe
                              PID:2464
                            • C:\Windows\SysWOW64\sc.exe
                              C:\Windows\system32\sc.exe config SharedAccess start= disabled
                              3⤵
                              • Launches sc.exe
                              PID:1060
                            • C:\Windows\SysWOW64\sc.exe
                              C:\Windows\system32\sc.exe config wscsvc start= disabled
                              3⤵
                              • Launches sc.exe
                              PID:4484
                            • C:\Windows\SysWOW64\sc.exe
                              C:\Windows\system32\sc.exe config srservice start= disabled
                              3⤵
                              • Launches sc.exe
                              • System Location Discovery: System Language Discovery
                              PID:4164
                            • C:\Windows\SysWOW64\reg.exe
                              C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
                              3⤵
                              • System Location Discovery: System Language Discovery
                              PID:652
                            • C:\Windows\SysWOW64\reg.exe
                              C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
                              3⤵
                              • System Location Discovery: System Language Discovery
                              PID:2896
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
                              3⤵
                                PID:4908
                                • C:\Windows\SysWOW64\attrib.exe
                                  attrib -s -h -r F:\Autorun.inf\*.* /s /d
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  • Views/modifies file attributes
                                  PID:3844
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /c rmdir F:\Autorun.inf /s /q
                                3⤵
                                • System Location Discovery: System Language Discovery
                                PID:1908
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
                                3⤵
                                • System Location Discovery: System Language Discovery
                                PID:4764
                                • C:\Windows\SysWOW64\attrib.exe
                                  attrib -s -h -r C:\Autorun.inf\*.* /s /d
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  • Views/modifies file attributes
                                  PID:1896
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /c rmdir C:\Autorun.inf /s /q
                                3⤵
                                  PID:3504
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
                                  3⤵
                                    PID:4328
                                    • C:\Windows\SysWOW64\attrib.exe
                                      attrib -s -h -r F:\Autorun.inf\*.* /s /d
                                      4⤵
                                      • System Location Discovery: System Language Discovery
                                      • Views/modifies file attributes
                                      PID:3444
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /c rmdir F:\Autorun.inf /s /q
                                    3⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:1864
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
                                    3⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:4704
                                    • C:\Windows\SysWOW64\attrib.exe
                                      attrib -s -h -r C:\Autorun.inf\*.* /s /d
                                      4⤵
                                      • Views/modifies file attributes
                                      PID:2284
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /c rmdir C:\Autorun.inf /s /q
                                    3⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:4740
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
                                    3⤵
                                      PID:3216
                                      • C:\Windows\SysWOW64\attrib.exe
                                        attrib -s -h -r F:\Autorun.inf\*.* /s /d
                                        4⤵
                                        • System Location Discovery: System Language Discovery
                                        • Views/modifies file attributes
                                        PID:3888
                                    • C:\Windows\SysWOW64\cmd.exe
                                      cmd /c rmdir F:\Autorun.inf /s /q
                                      3⤵
                                        PID:4776
                                      • C:\Windows\SysWOW64\cmd.exe
                                        cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
                                        3⤵
                                          PID:4192
                                          • C:\Windows\SysWOW64\attrib.exe
                                            attrib -s -h -r C:\Autorun.inf\*.* /s /d
                                            4⤵
                                            • Views/modifies file attributes
                                            PID:2448
                                        • C:\Windows\SysWOW64\cmd.exe
                                          cmd /c rmdir C:\Autorun.inf /s /q
                                          3⤵
                                            PID:4684
                                          • C:\Windows\SysWOW64\cmd.exe
                                            cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
                                            3⤵
                                              PID:4140
                                              • C:\Windows\SysWOW64\attrib.exe
                                                attrib -s -h -r F:\Autorun.inf\*.* /s /d
                                                4⤵
                                                • Views/modifies file attributes
                                                PID:4704
                                            • C:\Windows\SysWOW64\cmd.exe
                                              cmd /c rmdir F:\Autorun.inf /s /q
                                              3⤵
                                                PID:2432
                                              • C:\Windows\SysWOW64\cmd.exe
                                                cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
                                                3⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:2772
                                                • C:\Windows\SysWOW64\attrib.exe
                                                  attrib -s -h -r C:\Autorun.inf\*.* /s /d
                                                  4⤵
                                                  • System Location Discovery: System Language Discovery
                                                  • Views/modifies file attributes
                                                  PID:1940
                                              • C:\Windows\SysWOW64\cmd.exe
                                                cmd /c rmdir C:\Autorun.inf /s /q
                                                3⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:3760
                                              • C:\Windows\SysWOW64\cmd.exe
                                                cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
                                                3⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:4104
                                                • C:\Windows\SysWOW64\attrib.exe
                                                  attrib -s -h -r F:\Autorun.inf\*.* /s /d
                                                  4⤵
                                                  • Views/modifies file attributes
                                                  PID:3888
                                              • C:\Windows\SysWOW64\cmd.exe
                                                cmd /c rmdir F:\Autorun.inf /s /q
                                                3⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:3044
                                              • C:\Windows\SysWOW64\cmd.exe
                                                cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
                                                3⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:4768
                                                • C:\Windows\SysWOW64\attrib.exe
                                                  attrib -s -h -r C:\Autorun.inf\*.* /s /d
                                                  4⤵
                                                  • System Location Discovery: System Language Discovery
                                                  • Views/modifies file attributes
                                                  PID:2756
                                              • C:\Windows\SysWOW64\cmd.exe
                                                cmd /c rmdir C:\Autorun.inf /s /q
                                                3⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:2932
                                              • C:\Windows\SysWOW64\cmd.exe
                                                cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
                                                3⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:4880
                                                • C:\Windows\SysWOW64\attrib.exe
                                                  attrib -s -h -r F:\Autorun.inf\*.* /s /d
                                                  4⤵
                                                  • System Location Discovery: System Language Discovery
                                                  • Views/modifies file attributes
                                                  PID:1948
                                              • C:\Windows\SysWOW64\cmd.exe
                                                cmd /c rmdir F:\Autorun.inf /s /q
                                                3⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:428
                                              • C:\Windows\SysWOW64\cmd.exe
                                                cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
                                                3⤵
                                                  PID:2516
                                                  • C:\Windows\SysWOW64\attrib.exe
                                                    attrib -s -h -r C:\Autorun.inf\*.* /s /d
                                                    4⤵
                                                    • System Location Discovery: System Language Discovery
                                                    • Views/modifies file attributes
                                                    PID:2276
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  cmd /c rmdir C:\Autorun.inf /s /q
                                                  3⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:4008
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
                                                  3⤵
                                                    PID:544
                                                    • C:\Windows\SysWOW64\attrib.exe
                                                      attrib -s -h -r F:\Autorun.inf\*.* /s /d
                                                      4⤵
                                                      • System Location Discovery: System Language Discovery
                                                      • Views/modifies file attributes
                                                      PID:1008
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    cmd /c rmdir F:\Autorun.inf /s /q
                                                    3⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:1292
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
                                                    3⤵
                                                      PID:4080
                                                      • C:\Windows\SysWOW64\attrib.exe
                                                        attrib -s -h -r C:\Autorun.inf\*.* /s /d
                                                        4⤵
                                                        • System Location Discovery: System Language Discovery
                                                        • Views/modifies file attributes
                                                        PID:1544
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      cmd /c rmdir C:\Autorun.inf /s /q
                                                      3⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:3708
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
                                                      3⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:1612
                                                      • C:\Windows\SysWOW64\attrib.exe
                                                        attrib -s -h -r F:\Autorun.inf\*.* /s /d
                                                        4⤵
                                                        • Views/modifies file attributes
                                                        PID:4000
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      cmd /c rmdir F:\Autorun.inf /s /q
                                                      3⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:2044
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
                                                      3⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:2516
                                                      • C:\Windows\SysWOW64\attrib.exe
                                                        attrib -s -h -r C:\Autorun.inf\*.* /s /d
                                                        4⤵
                                                        • Views/modifies file attributes
                                                        PID:4708
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      cmd /c rmdir C:\Autorun.inf /s /q
                                                      3⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:2908
                                                  • C:\Windows\SysWOW64\net.exe
                                                    net.exe stop wscsvc /y
                                                    2⤵
                                                    PID:5040
                                                    • C:\Windows\SysWOW64\net1.exe
                                                      C:\Windows\system32\net1 stop wscsvc /y
                                                      3⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:2564
                                                  • C:\Windows\SysWOW64\net.exe
                                                    net.exe stop sharedaccess /y
                                                    2⤵
                                                    PID:1952
                                                    • C:\Windows\SysWOW64\net1.exe
                                                      C:\Windows\system32\net1 stop sharedaccess /y
                                                      3⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:864
                                                  • C:\Windows\SysWOW64\net.exe
                                                    net.exe stop wuauserv /y
                                                    2⤵
                                                    PID:2888
                                                    • C:\Windows\SysWOW64\net1.exe
                                                      C:\Windows\system32\net1 stop wuauserv /y
                                                      3⤵
                                                      PID:1416
                                                  • C:\Windows\SysWOW64\net.exe
                                                    net.exe stop srservice /y
                                                    2⤵
                                                    PID:3584
                                                    • C:\Windows\SysWOW64\net1.exe
                                                      C:\Windows\system32\net1 stop srservice /y
                                                      3⤵
                                                      PID:4728
                                                  • C:\Windows\SysWOW64\net.exe
                                                    net.exe stop 360timeprot /y
                                                    2⤵
                                                    • System Location Discovery: System Language Discovery
                                                    • System Time Discovery
                                                    PID:4428
                                                    • C:\Windows\SysWOW64\net1.exe
                                                      C:\Windows\system32\net1 stop 360timeprot /y
                                                      3⤵
                                                      • System Time Discovery
                                                      PID:2840

                                                            Network

                                                            • DNS
                                                              228.249.119.40.in-addr.arpa
                                                              Remote address:
                                                              8.8.8.8:53
                                                              Request
                                                              228.249.119.40.in-addr.arpa
                                                              IN PTR
                                                              Response
                                                            • DNS
                                                              81.144.22.2.in-addr.arpa
                                                              Remote address:
                                                              8.8.8.8:53
                                                              Request
                                                              81.144.22.2.in-addr.arpa
                                                              IN PTR
                                                              Response
                                                              81.144.22.2.in-addr.arpa
                                                              IN PTR
                                                              a2-22-144-81.deploy.static.akamaitechnologies.com
                                                            • DNS
                                                              81.144.22.2.in-addr.arpa
                                                              Remote address:
                                                              8.8.8.8:53
                                                              Request
                                                              81.144.22.2.in-addr.arpa
                                                              IN PTR
                                                            • DNS
                                                              43.58.199.20.in-addr.arpa
                                                              Remote address:
                                                              8.8.8.8:53
                                                              Request
                                                              43.58.199.20.in-addr.arpa
                                                              IN PTR
                                                              Response
                                                            • DNS
                                                              43.58.199.20.in-addr.arpa
                                                              Remote address:
                                                              8.8.8.8:53
                                                              Request
                                                              43.58.199.20.in-addr.arpa
                                                              IN PTR
                                                            • DNS
                                                              183.59.114.20.in-addr.arpa
                                                              Remote address:
                                                              8.8.8.8:53
                                                              Request
                                                              183.59.114.20.in-addr.arpa
                                                              IN PTR
                                                              Response
                                                            • DNS
                                                              18.31.95.13.in-addr.arpa
                                                              Remote address:
                                                              8.8.8.8:53
                                                              Request
                                                              18.31.95.13.in-addr.arpa
                                                              IN PTR
                                                              Response
                                                            • DNS
                                                              172.210.232.199.in-addr.arpa
                                                              Remote address:
                                                              8.8.8.8:53
                                                              Request
                                                              172.210.232.199.in-addr.arpa
                                                              IN PTR
                                                              Response
                                                            • DNS
                                                              196.249.167.52.in-addr.arpa
                                                              Remote address:
                                                              8.8.8.8:53
                                                              Request
                                                              196.249.167.52.in-addr.arpa
                                                              IN PTR
                                                              Response
                                                            • DNS
                                                              58.55.71.13.in-addr.arpa
                                                              Remote address:
                                                              8.8.8.8:53
                                                              Request
                                                              58.55.71.13.in-addr.arpa
                                                              IN PTR
                                                              Response
                                                            • DNS
                                                              19.229.111.52.in-addr.arpa
                                                              Remote address:
                                                              8.8.8.8:53
                                                              Request
                                                              19.229.111.52.in-addr.arpa
                                                              IN PTR
                                                              Response
                                                            • DNS
                                                              tse1.mm.bing.net
                                                              Remote address:
                                                              8.8.8.8:53
                                                              Request
                                                              tse1.mm.bing.net
                                                              IN A
                                                              Response
                                                              tse1.mm.bing.net
                                                              IN CNAME
                                                              mm-mm.bing.net.trafficmanager.net
                                                              mm-mm.bing.net.trafficmanager.net
                                                              IN CNAME
                                                              ax-0001.ax-msedge.net
                                                              ax-0001.ax-msedge.net
                                                              IN A
                                                              150.171.27.10
                                                              ax-0001.ax-msedge.net
                                                              IN A
                                                              150.171.28.10
                                                            • GET
                                                              https://tse1.mm.bing.net/th?id=OADD2.10239317301506_1F0FLOT3FW11VH0B0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
                                                              Remote address:
                                                              150.171.27.10:443
                                                              Request
                                                              GET /th?id=OADD2.10239317301506_1F0FLOT3FW11VH0B0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
                                                              host: tse1.mm.bing.net
                                                              accept: */*
                                                              accept-encoding: gzip, deflate, br
                                                              user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
                                                              Response
                                                              HTTP/2.0 200
                                                              cache-control: public, max-age=2592000
                                                              content-length: 755035
                                                              content-type: image/jpeg
                                                              x-cache: TCP_HIT
                                                              access-control-allow-origin: *
                                                              access-control-allow-headers: *
                                                              access-control-allow-methods: GET, POST, OPTIONS
                                                              timing-allow-origin: *
                                                              report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
                                                              nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                                                              accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                              x-msedge-ref: Ref A: 4AF0C4A58A034BD28FCA1E21DFAC2A25 Ref B: LON04EDGE0609 Ref C: 2024-08-24T01:09:43Z
                                                              date: Sat, 24 Aug 2024 01:09:43 GMT
                                                            • GET
                                                              https://tse1.mm.bing.net/th?id=OADD2.10239340418582_18ZLZW09JZ7BHXRKX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
                                                              Remote address:
                                                              150.171.27.10:443
                                                              Request
                                                              GET /th?id=OADD2.10239340418582_18ZLZW09JZ7BHXRKX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
                                                              host: tse1.mm.bing.net
                                                              accept: */*
                                                              accept-encoding: gzip, deflate, br
                                                              user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
                                                              Response
                                                              HTTP/2.0 200
                                                              cache-control: public, max-age=2592000
                                                              content-length: 241999
                                                              content-type: image/jpeg
                                                              x-cache: TCP_HIT
                                                              access-control-allow-origin: *
                                                              access-control-allow-headers: *
                                                              access-control-allow-methods: GET, POST, OPTIONS
                                                              timing-allow-origin: *
                                                              report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
                                                              nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                                                              accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                              x-msedge-ref: Ref A: A14845DB51C24D7F94F756F772FCFBD5 Ref B: LON04EDGE0609 Ref C: 2024-08-24T01:09:43Z
                                                              date: Sat, 24 Aug 2024 01:09:43 GMT
                                                            • GET
                                                              https://tse1.mm.bing.net/th?id=OADD2.10239317301073_18LC40ETNMF8SEVBD&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
                                                              Remote address:
                                                              150.171.27.10:443
                                                              Request
                                                              GET /th?id=OADD2.10239317301073_18LC40ETNMF8SEVBD&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
                                                              host: tse1.mm.bing.net
                                                              accept: */*
                                                              accept-encoding: gzip, deflate, br
                                                              user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
                                                              Response
                                                              HTTP/2.0 200
                                                              cache-control: public, max-age=2592000
                                                              content-length: 857486
                                                              content-type: image/jpeg
                                                              x-cache: TCP_HIT
                                                              access-control-allow-origin: *
                                                              access-control-allow-headers: *
                                                              access-control-allow-methods: GET, POST, OPTIONS
                                                              timing-allow-origin: *
                                                              report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
                                                              nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                                                              accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                              x-msedge-ref: Ref A: 5564CAF370864E4890F57FB311E9CC53 Ref B: LON04EDGE0609 Ref C: 2024-08-24T01:09:43Z
                                                              date: Sat, 24 Aug 2024 01:09:43 GMT
                                                            • GET
                                                              https://tse1.mm.bing.net/th?id=OADD2.10239340418581_1PW4UWMX6DVDU64ZR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
                                                              Remote address:
                                                              150.171.27.10:443
                                                              Request
                                                              GET /th?id=OADD2.10239340418581_1PW4UWMX6DVDU64ZR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
                                                              host: tse1.mm.bing.net
                                                              accept: */*
                                                              accept-encoding: gzip, deflate, br
                                                              user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
                                                              Response
                                                              HTTP/2.0 200
                                                              cache-control: public, max-age=2592000
                                                              content-length: 315631
                                                              content-type: image/jpeg
                                                              x-cache: TCP_HIT
                                                              access-control-allow-origin: *
                                                              access-control-allow-headers: *
                                                              access-control-allow-methods: GET, POST, OPTIONS
                                                              timing-allow-origin: *
                                                              report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
                                                              nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                                                              accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                              x-msedge-ref: Ref A: B62B678969464F9AA4985DFE745D1892 Ref B: LON04EDGE0609 Ref C: 2024-08-24T01:09:43Z
                                                              date: Sat, 24 Aug 2024 01:09:43 GMT
                                                            • 150.171.27.10:443
                                                              https://tse1.mm.bing.net/th?id=OADD2.10239340418581_1PW4UWMX6DVDU64ZR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
                                                              tls, http2
                                                              81.7kB
                                                              2.3MB
                                                              1643
                                                              1639

                                                              HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239317301506_1F0FLOT3FW11VH0B0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
                                                              HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239340418582_18ZLZW09JZ7BHXRKX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
                                                              HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239317301073_18LC40ETNMF8SEVBD&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
                                                              HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239340418581_1PW4UWMX6DVDU64ZR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
                                                              HTTP Response: 200
                                                              HTTP Response: 200
                                                              HTTP Response: 200
                                                              HTTP Response: 200
                                                            • 150.171.27.10:443
                                                              tse1.mm.bing.net
                                                              tls, http2
                                                              1.2kB
                                                              6.9kB
                                                              15
                                                              13
                                                            • 150.171.27.10:443
                                                              tse1.mm.bing.net
                                                              tls, http2
                                                              1.2kB
                                                              6.9kB
                                                              15
                                                              13
                                                            • 150.171.27.10:443
                                                              tse1.mm.bing.net
                                                              tls, http2
                                                              1.2kB
                                                              6.9kB
                                                              15
                                                              13
                                                            • 8.8.8.8:53
                                                              228.249.119.40.in-addr.arpa
                                                              dns
                                                              73 B
                                                              159 B
                                                              1
                                                              1

                                                              DNS Request: 228.249.119.40.in-addr.arpa
                                                            • 8.8.8.8:53
                                                              81.144.22.2.in-addr.arpa
                                                              dns
                                                              140 B
                                                              133 B
                                                              2
                                                              1

                                                              DNS Request: 81.144.22.2.in-addr.arpa
                                                              DNS Request: 81.144.22.2.in-addr.arpa
                                                            • 8.8.8.8:53
                                                              43.58.199.20.in-addr.arpa
                                                              dns
                                                              142 B
                                                              157 B
                                                              2
                                                              1

                                                              DNS Request: 43.58.199.20.in-addr.arpa
                                                              DNS Request: 43.58.199.20.in-addr.arpa
                                                            • 8.8.8.8:53
                                                              183.59.114.20.in-addr.arpa
                                                              dns
                                                              72 B
                                                              158 B
                                                              1
                                                              1

                                                              DNS Request: 183.59.114.20.in-addr.arpa
                                                            • 8.8.8.8:53
                                                              18.31.95.13.in-addr.arpa
                                                              dns
                                                              70 B
                                                              144 B
                                                              1
                                                              1

                                                              DNS Request: 18.31.95.13.in-addr.arpa
                                                            • 8.8.8.8:53
                                                              172.210.232.199.in-addr.arpa
                                                              dns
                                                              74 B
                                                              128 B
                                                              1
                                                              1

                                                              DNS Request

                                                              172.210.232.199.in-addr.arpa

                                                            • 8.8.8.8:53
                                                              196.249.167.52.in-addr.arpa
                                                              dns
                                                              73 B
                                                              147 B
                                                              1
                                                              1

                                                              DNS Request

                                                              196.249.167.52.in-addr.arpa

                                                            • 8.8.8.8:53
                                                              58.55.71.13.in-addr.arpa
                                                              dns
                                                              70 B
                                                              144 B
                                                              1
                                                              1

                                                              DNS Request

                                                              58.55.71.13.in-addr.arpa

                                                            • 8.8.8.8:53
                                                              19.229.111.52.in-addr.arpa
                                                              dns
                                                              72 B
                                                              158 B
                                                              1
                                                              1

                                                              DNS Request

                                                              19.229.111.52.in-addr.arpa

                                                            • 8.8.8.8:53
                                                              tse1.mm.bing.net
                                                              dns
                                                              62 B
                                                              170 B
                                                              1
                                                              1

                                                              DNS Request

                                                              tse1.mm.bing.net

                                                              DNS Response

                                                              150.171.27.10
                                                              150.171.28.10

                                                            MITRE ATT&CK Enterprise v15


                                                            Downloads

• C:\Windows\SysWOW64\Option.bat
  Filesize: 82B
  MD5: 3f7fbd2eb34892646e93fd5e6e343512
  SHA1: 265ac1061b54f62350fb7a5f57e566454d013a66
  SHA256: e75e8d9bfc7a2876d908305186c3656e9de2a4af7f6927ccc6d8c812645abbc7
  SHA512: 53d40eb2f05a23464fbf06193868e7cb30cf0df3da53586a75123fb2c37b29cdddda287ce134809d16a559d87fb20aee0e8add22d396fcb7a55f9a753739b140

• C:\Windows\Sysinf.bat
  Filesize: 460B
  MD5: 7db3d565d6ddbe65a8b0e093910e7dcd
  SHA1: d4804e6180c6e74ba79d3343f2f2ccb15e502f12
  SHA256: a2778cb87fd88c7508ffd506a8ff8d58d0ffc02156f846956e5e99c6cb3d2f3f
  SHA512: 0b3d1d0f44feba9dd78903ff77fdeaea834d930990a86641fb2e4ce04da280d33f6bee0ae0b1320e4070cbe20824062e45b52e5cad797c5985d8e31dce1ef82b

• C:\Windows\System\KavUpda.exe
  Filesize: 4.9MB
  MD5: bdb667f12e906f4d6e235124f8bc11f0
  SHA1: b12cd62e9564236637a2cf0ce02ac192299bc83e
  SHA256: f6906e2636e05a8f894282cd4c824d53273aab85d82c3a7e9a8e2543882c4d96
  SHA512: bdaa815b813ecdef785a45987f6b9f44ccb1ef87f1ea143be60c83f7aa0f2aaa33a2ed6cc1e8f8d52111bf4cf6f7e6aa2dc55106b96f4ebfa264502d01f33819

• C:\Windows\regedt32.sys
  Filesize: 2KB
  MD5: e7d7ec66bd61fac3843c98650b0c68f6
  SHA1: a15ae06e1be51038863650746368a71024539bac
  SHA256: 6475d5ecc14fea090774be55723d2d52b7ec7670527a7dbd61edf28c77944cb8
  SHA512: ac9e9893f5a0af03957731445f63279085f164e9a968d706a99d13012e4459314a7ccc32dc48f62379d69e21a0953c13543c9ded38b5ad5fbc346aa442af1ae6

• F:\Autorun.inf
  Filesize: 237B
  MD5: 94bcd02c5afd5918b4446345e7a5ded9
  SHA1: 79839238e84be225132e1382fae6333dfc4906a1
  SHA256: 5d9f41e4f886926dae2ed8a57807708110d3c6964ab462be21462bff0088d9a1
  SHA512: 149f6bd49fc3b62fa5f41666bfb3a58060514eec1b61c6aa1ac4c75417c840b028e701eb5533460eb00e2fee8543379564bc47d7477264771d81b99a0caab500

• memory/3728-0-0x0000000000400000-0x0000000000436000-memory.dmp
  Filesize: 216KB
