Analysis
-
max time kernel
143s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
27-08-2024 01:58
Static task
static1
Behavioral task
behavioral1
Sample
c42e511e79fa6c3b2931080364522dfc_JaffaCakes118.vbs
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
c42e511e79fa6c3b2931080364522dfc_JaffaCakes118.vbs
Resource
win10v2004-20240802-en
General
-
Target
c42e511e79fa6c3b2931080364522dfc_JaffaCakes118.vbs
-
Size
1.8MB
-
MD5
c42e511e79fa6c3b2931080364522dfc
-
SHA1
413fa44b48570a07420aa1511276bb4c72374cd7
-
SHA256
b293691f6cf941d9841b65a58f8b75b97e37da6752531bdcfba449ec7fe3128b
-
SHA512
d114ffc76a5c9de6bb02228fe84f76e78ebcfcbf28be9f3dd02cfb2f00dfbc38579cee379cfb7adb580b6a5eb54c7d6e37b4fa346fcfea3ab9dd9abecf2b0295
-
SSDEEP
49152:lP3fgyBTbzDjvjwSBLoZFVf4d6enfWoKFxCZqOoFBvQC6bztk2KSZxE2i:s
Malware Config
Extracted
qakbot
323.79
spx01
1567608215
72.16.212.107:995
107.12.140.181:443
69.70.37.246:465
66.51.231.183:443
108.160.123.244:443
65.30.12.240:443
47.49.7.42:443
73.202.121.222:443
47.153.115.154:995
47.153.115.154:443
72.29.181.77:2083
104.3.91.20:995
190.144.81.158:995
186.7.117.189:443
50.247.230.33:443
216.221.88.160:443
67.246.16.250:995
107.180.70.163:443
70.169.2.228:21
72.36.14.160:443
67.214.8.102:443
186.47.208.238:50000
166.62.129.86:443
23.240.185.215:443
159.118.173.115:443
98.165.206.64:443
162.244.224.166:443
75.157.194.173:995
207.179.194.91:443
68.238.144.55:443
47.54.254.139:2222
24.111.196.195:443
74.15.32.205:2222
189.236.234.173:995
187.156.135.153:2222
70.50.221.166:2222
65.94.90.23:1194
173.172.205.216:443
71.30.56.170:443
69.4.106.254:443
189.163.217.29:443
64.19.74.29:995
72.47.115.182:443
172.78.85.20:443
96.20.238.2:2083
96.22.239.27:2222
47.23.101.26:993
50.78.93.74:995
73.226.220.56:443
75.177.172.209:6881
192.24.181.185:443
72.255.200.129:443
206.51.202.106:50002
76.184.141.236:443
108.184.57.213:443
67.10.18.112:993
162.244.225.30:443
189.155.56.173:443
47.180.66.10:995
189.141.181.204:443
47.136.226.219:443
75.90.245.144:995
69.57.123.150:443
189.140.48.14:443
72.213.98.233:443
209.182.122.217:443
189.166.110.255:443
47.23.101.26:990
184.191.62.78:443
98.236.87.243:443
217.162.149.212:443
68.238.56.27:443
96.64.191.13:443
75.131.239.76:443
104.34.122.18:443
181.126.80.118:443
24.184.6.58:2222
68.83.59.107:443
173.22.120.11:2222
76.85.30.25:995
70.183.177.71:443
181.143.141.226:995
76.116.128.81:443
50.100.214.10:2222
96.20.238.2:2078
67.10.18.112:995
75.71.201.170:443
76.71.76.131:32101
89.138.118.87:995
68.174.15.223:443
99.228.242.183:995
71.182.142.63:443
70.188.98.97:443
148.163.2.101:443
166.62.180.194:2078
74.102.76.221:443
47.146.173.204:443
108.45.183.59:443
73.137.187.150:443
160.2.198.181:443
184.180.157.203:2222
199.126.92.231:995
2.50.171.216:443
98.186.90.192:995
111.125.70.30:2222
71.77.231.251:443
173.163.24.169:443
70.183.154.250:80
76.64.15.78:2222
67.77.162.13:443
190.120.196.18:443
187.163.101.137:995
24.229.150.54:995
105.246.79.4:995
35.136.74.103:443
71.197.126.250:443
67.41.197.173:2078
76.67.162.70:2222
24.27.82.216:2222
173.178.129.3:443
65.116.179.83:443
67.71.130.80:2222
68.59.209.183:995
184.163.89.150:3389
83.76.50.72:2222
72.142.106.198:990
64.20.68.35:2222
64.20.68.35:2083
116.58.100.130:995
184.74.101.234:995
189.160.191.239:443
174.48.72.160:443
64.229.194.70:995
70.166.97.7:465
70.164.39.91:443
75.131.72.82:443
76.6.64.52:443
98.224.57.108:443
47.214.144.253:443
70.24.218.99:995
138.122.5.214:2222
206.51.202.106:50003
108.14.239.97:443
174.19.109.195:993
98.236.87.243:995
73.133.46.105:995
Signatures
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Processes:
reg.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud = "0" reg.exe -
Executes dropped EXE 7 IoCs
Processes:
itUsiSHOi.exeitUsiSHOi.exeayoeiizp.exeayoeiizp.exeitUsiSHOi.exeayoeiizp.exeayoeiizp.exepid process 1748 itUsiSHOi.exe 3628 itUsiSHOi.exe 4236 ayoeiizp.exe 4436 ayoeiizp.exe 1712 itUsiSHOi.exe 2388 ayoeiizp.exe 4696 ayoeiizp.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ljbwtveh = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Qcyggyscuud\\ayoeiizp.exe\"" explorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
itUsiSHOi.exeschtasks.exeayoeiizp.exeexplorer.exeitUsiSHOi.exeayoeiizp.exeayoeiizp.exeitUsiSHOi.exeayoeiizp.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language itUsiSHOi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ayoeiizp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language itUsiSHOi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ayoeiizp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ayoeiizp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language itUsiSHOi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ayoeiizp.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
cmd.exePING.EXEpid process 4884 cmd.exe 2204 PING.EXE -
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
itUsiSHOi.exeayoeiizp.exeayoeiizp.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 itUsiSHOi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 ayoeiizp.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc ayoeiizp.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc itUsiSHOi.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service itUsiSHOi.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service ayoeiizp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 ayoeiizp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 ayoeiizp.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc ayoeiizp.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service itUsiSHOi.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service ayoeiizp.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc ayoeiizp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 ayoeiizp.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service ayoeiizp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 itUsiSHOi.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc itUsiSHOi.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc ayoeiizp.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service ayoeiizp.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
itUsiSHOi.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ itUsiSHOi.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" itUsiSHOi.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" itUsiSHOi.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" itUsiSHOi.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" itUsiSHOi.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
itUsiSHOi.exeitUsiSHOi.exeayoeiizp.exeayoeiizp.exeexplorer.exeitUsiSHOi.exeayoeiizp.exeayoeiizp.exepid process 1748 itUsiSHOi.exe 1748 itUsiSHOi.exe 3628 itUsiSHOi.exe 3628 itUsiSHOi.exe 3628 itUsiSHOi.exe 3628 itUsiSHOi.exe 4236 ayoeiizp.exe 4236 ayoeiizp.exe 4436 ayoeiizp.exe 4436 ayoeiizp.exe 4436 ayoeiizp.exe 4436 ayoeiizp.exe 3620 explorer.exe 3620 explorer.exe 3620 explorer.exe 3620 explorer.exe 1712 itUsiSHOi.exe 1712 itUsiSHOi.exe 2388 ayoeiizp.exe 2388 ayoeiizp.exe 4696 ayoeiizp.exe 4696 ayoeiizp.exe 4696 ayoeiizp.exe 4696 ayoeiizp.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
ayoeiizp.exepid process 4236 ayoeiizp.exe -
Suspicious use of WriteProcessMemory 46 IoCs
Processes:
itUsiSHOi.exeayoeiizp.exeitUsiSHOi.execmd.exeayoeiizp.exedescription pid process target process PID 1748 wrote to memory of 3628 1748 itUsiSHOi.exe itUsiSHOi.exe PID 1748 wrote to memory of 3628 1748 itUsiSHOi.exe itUsiSHOi.exe PID 1748 wrote to memory of 3628 1748 itUsiSHOi.exe itUsiSHOi.exe PID 1748 wrote to memory of 4236 1748 itUsiSHOi.exe ayoeiizp.exe PID 1748 wrote to memory of 4236 1748 itUsiSHOi.exe ayoeiizp.exe PID 1748 wrote to memory of 4236 1748 itUsiSHOi.exe ayoeiizp.exe PID 1748 wrote to memory of 3772 1748 itUsiSHOi.exe schtasks.exe PID 1748 wrote to memory of 3772 1748 itUsiSHOi.exe schtasks.exe PID 1748 wrote to memory of 3772 1748 itUsiSHOi.exe schtasks.exe PID 4236 wrote to memory of 4436 4236 ayoeiizp.exe ayoeiizp.exe PID 4236 wrote to memory of 4436 4236 ayoeiizp.exe ayoeiizp.exe PID 4236 wrote to memory of 4436 4236 ayoeiizp.exe ayoeiizp.exe PID 4236 wrote to memory of 3620 4236 ayoeiizp.exe explorer.exe PID 4236 wrote to memory of 3620 4236 ayoeiizp.exe explorer.exe PID 4236 wrote to memory of 3620 4236 ayoeiizp.exe explorer.exe PID 4236 wrote to memory of 3620 4236 ayoeiizp.exe explorer.exe PID 1712 wrote to memory of 3784 1712 itUsiSHOi.exe reg.exe PID 1712 wrote to memory of 3784 1712 itUsiSHOi.exe reg.exe PID 1712 wrote to memory of 760 1712 itUsiSHOi.exe reg.exe PID 1712 wrote to memory of 760 1712 itUsiSHOi.exe reg.exe PID 1712 wrote to memory of 4956 1712 itUsiSHOi.exe reg.exe PID 1712 wrote to memory of 4956 1712 itUsiSHOi.exe reg.exe PID 1712 wrote to memory of 1720 1712 itUsiSHOi.exe reg.exe PID 1712 wrote to memory of 1720 1712 itUsiSHOi.exe reg.exe PID 1712 wrote to memory of 4152 1712 itUsiSHOi.exe reg.exe PID 1712 wrote to memory of 4152 1712 itUsiSHOi.exe reg.exe PID 1712 wrote to memory of 748 1712 itUsiSHOi.exe reg.exe PID 1712 wrote to memory of 748 1712 itUsiSHOi.exe reg.exe PID 1712 wrote to memory of 4424 1712 itUsiSHOi.exe reg.exe PID 1712 wrote to memory of 4424 1712 itUsiSHOi.exe reg.exe PID 1712 wrote to memory of 3408 1712 itUsiSHOi.exe reg.exe PID 1712 wrote to memory of 3408 1712 itUsiSHOi.exe reg.exe PID 1712 wrote to memory of 3108 1712 itUsiSHOi.exe reg.exe PID 1712 wrote to memory of 3108 1712 itUsiSHOi.exe reg.exe PID 1712 wrote to memory of 2388 1712 itUsiSHOi.exe ayoeiizp.exe PID 1712 wrote to memory of 2388 1712 itUsiSHOi.exe ayoeiizp.exe PID 1712 wrote to memory of 2388 1712 itUsiSHOi.exe ayoeiizp.exe PID 1712 wrote to memory of 4884 1712 itUsiSHOi.exe cmd.exe PID 1712 wrote to memory of 4884 1712 itUsiSHOi.exe cmd.exe PID 1712 wrote to memory of 708 1712 itUsiSHOi.exe schtasks.exe PID 1712 wrote to memory of 708 1712 itUsiSHOi.exe schtasks.exe PID 4884 wrote to memory of 2204 4884 cmd.exe PING.EXE PID 4884 wrote to memory of 2204 4884 cmd.exe PING.EXE PID 2388 wrote to memory of 4696 2388 ayoeiizp.exe ayoeiizp.exe PID 2388 wrote to memory of 4696 2388 ayoeiizp.exe ayoeiizp.exe PID 2388 wrote to memory of 4696 2388 ayoeiizp.exe ayoeiizp.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c42e511e79fa6c3b2931080364522dfc_JaffaCakes118.vbs"1⤵PID:4360
-
C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exeC:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exeC:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe /C2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:3628 -
C:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud\ayoeiizp.exeC:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud\ayoeiizp.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4236 -
C:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud\ayoeiizp.exeC:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud\ayoeiizp.exe /C3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:4436 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3620 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn xswbenfjc /tr "\"C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe\" /I xswbenfjc" /SC ONCE /Z /ST 02:01 /ET 02:132⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3772
-
C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exeC:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe /I xswbenfjc1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"2⤵PID:3784
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"2⤵PID:760
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"2⤵PID:4956
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"2⤵PID:1720
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"2⤵PID:4152
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"2⤵PID:748
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"2⤵PID:4424
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"2⤵PID:3408
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud" /d "0"2⤵
- Windows security bypass
PID:3108 -
C:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud\ayoeiizp.exeC:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud\ayoeiizp.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud\ayoeiizp.exeC:\Users\Admin\AppData\Roaming\Microsoft\Qcyggyscuud\ayoeiizp.exe /C3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:4696 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\itUsiSHOi.exe"2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\system32\PING.EXEping.exe -n 6 127.0.0.13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2204 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /DELETE /F /TN xswbenfjc2⤵PID:708
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
644KB
MD5e372d668d9e1d734b76655f5b0ebd0e6
SHA1b6fc1da195130a16f15e471835041ed05473c795
SHA25607ee7be992525cfa1a66ca03ee127f2df8041e88bf6c12a1fffcb206660606e7
SHA51206b4be1d2ebb82860e6d8396ab963707840dcd35678c512cf18f085ba2c0d75c4f5341f2189685e65a8dc611317c93012bb8b3944758172377aa23bae1469496
-
Filesize
63B
MD53293bed115d40541731b160527d6ff11
SHA1c4aae3b347d81be32acb12f6d6b2785f00379ab8
SHA256d9ce80e3d62e331b532a941289aa21f128eeb28980cd14d1dc65de1db8992774
SHA512bc029a7e0ef0a5e4193ebdd67836a3d78ade05cbed80802ea8f02d9a44dab68aa1b8f5264ed46fa9ddc7661be3d04b19b889d6d654f86f5fcc9e48999973ec27