Overview

overview

7

Static

static

3

c7ed2b79eb...18.exe

windows7-x64

7

c7ed2b79eb...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/08/2024, 00:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c7ed2b79eb20054aad14b19a97edbc6e_JaffaCakes118.exe

  • Size

    53KB

  • MD5

    c7ed2b79eb20054aad14b19a97edbc6e

  • SHA1

    33ea5f0c900c6d09451fad76777db2d78b9e5f53

  • SHA256

    52ee8f6b0eea91b810be120d051ae2215fd2a43030f763c9eabdacae86d687cf

  • SHA512

    371f6f92d25df9c2c7a437fc0d05a79169968a23d26832f0e56f2769c0d4918fbe3c1a8f3df98a82ea10d73d87dbe66f1314e38182cb54f017cfcfa5bdd3421e

  • SSDEEP

    768:E4uuCOSHenILlUFhVXpJHtFjqn378sdXzxn81XgX/GPiLu/T7GTmLoVz:EBuChtLEX/Ht03RX4XgX/G90

Score
7/10
defense_evasiondiscovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 64 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 64 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: LoadsDriver 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c7ed2b79eb20054aad14b19a97edbc6e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c7ed2b79eb20054aad14b19a97edbc6e_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3612
    • C:\Windows\SysWOW64\microsoft\serv\service.exe
      "C:\Windows\system32\microsoft\serv\service.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5060
      • C:\Windows\SysWOW64\microsoft\serv\service.exe
        "C:\Windows\system32\microsoft\serv\service.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4844
        • C:\Windows\SysWOW64\microsoft\serv\service.exe
          "C:\Windows\system32\microsoft\serv\service.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2164
          • C:\Windows\SysWOW64\microsoft\serv\service.exe
            "C:\Windows\system32\microsoft\serv\service.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3888
            • C:\Windows\SysWOW64\microsoft\serv\service.exe
              "C:\Windows\system32\microsoft\serv\service.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4700
              • C:\Windows\SysWOW64\microsoft\serv\service.exe
                "C:\Windows\system32\microsoft\serv\service.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2408
                • C:\Windows\SysWOW64\microsoft\serv\service.exe
                  "C:\Windows\system32\microsoft\serv\service.exe"
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of WriteProcessMemory
                  PID:2724
                  • C:\Windows\SysWOW64\microsoft\serv\service.exe
                    "C:\Windows\system32\microsoft\serv\service.exe"
                    9⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:908
                    • C:\Windows\SysWOW64\microsoft\serv\service.exe
                      "C:\Windows\system32\microsoft\serv\service.exe"
                      10⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:2216
                      • C:\Windows\SysWOW64\microsoft\serv\service.exe
                        "C:\Windows\system32\microsoft\serv\service.exe"
                        11⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:4072
                        • C:\Windows\SysWOW64\microsoft\serv\service.exe
                          "C:\Windows\system32\microsoft\serv\service.exe"
                          12⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:912
                          • C:\Windows\SysWOW64\microsoft\serv\service.exe
                            "C:\Windows\system32\microsoft\serv\service.exe"
                            13⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:1888
                            • C:\Windows\SysWOW64\microsoft\serv\service.exe
                              "C:\Windows\system32\microsoft\serv\service.exe"
                              14⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of WriteProcessMemory
                              PID:2372
                              • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                "C:\Windows\system32\microsoft\serv\service.exe"
                                15⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of WriteProcessMemory
                                PID:4520
                                • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                  "C:\Windows\system32\microsoft\serv\service.exe"
                                  16⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of WriteProcessMemory
                                  PID:1608
                                  • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                    "C:\Windows\system32\microsoft\serv\service.exe"
                                    17⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of WriteProcessMemory
                                    PID:4064
                                    • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                      "C:\Windows\system32\microsoft\serv\service.exe"
                                      18⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of WriteProcessMemory
                                      PID:4888
                                      • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                        "C:\Windows\system32\microsoft\serv\service.exe"
                                        19⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious use of WriteProcessMemory
                                        PID:1244
                                        • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                          "C:\Windows\system32\microsoft\serv\service.exe"
                                          20⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious use of WriteProcessMemory
                                          PID:2192
                                          • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                            "C:\Windows\system32\microsoft\serv\service.exe"
                                            21⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of WriteProcessMemory
                                            PID:4748
                                            • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                              "C:\Windows\system32\microsoft\serv\service.exe"
                                              22⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • System Location Discovery: System Language Discovery
                                              PID:1036
                                              • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                "C:\Windows\system32\microsoft\serv\service.exe"
                                                23⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                PID:2996
                                                • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                  "C:\Windows\system32\microsoft\serv\service.exe"
                                                  24⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • System Location Discovery: System Language Discovery
                                                  PID:1528
                                                  • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                    "C:\Windows\system32\microsoft\serv\service.exe"
                                                    25⤵
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Drops file in System32 directory
                                                    • System Location Discovery: System Language Discovery
                                                    PID:3340
                                                    • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                      "C:\Windows\system32\microsoft\serv\service.exe"
                                                      26⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      • System Location Discovery: System Language Discovery
                                                      PID:232
                                                      • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                        "C:\Windows\system32\microsoft\serv\service.exe"
                                                        27⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        PID:5236
                                                        • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                          "C:\Windows\system32\microsoft\serv\service.exe"
                                                          28⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Drops file in System32 directory
                                                          • System Location Discovery: System Language Discovery
                                                          PID:5456
                                                          • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                            "C:\Windows\system32\microsoft\serv\service.exe"
                                                            29⤵
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            • Drops file in System32 directory
                                                            PID:5704
                                                            • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                              "C:\Windows\system32\microsoft\serv\service.exe"
                                                              30⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              • System Location Discovery: System Language Discovery
                                                              PID:5932
                                                              • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                "C:\Windows\system32\microsoft\serv\service.exe"
                                                                31⤵
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • Drops file in System32 directory
                                                                • System Location Discovery: System Language Discovery
                                                                PID:5208
                                                                • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                  "C:\Windows\system32\microsoft\serv\service.exe"
                                                                  32⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Drops file in System32 directory
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:5512
                                                                  • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                    "C:\Windows\system32\microsoft\serv\service.exe"
                                                                    33⤵
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    • Drops file in System32 directory
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:5740
                                                                    • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                      "C:\Windows\system32\microsoft\serv\service.exe"
                                                                      34⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Drops file in System32 directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:5904
                                                                      • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                        "C:\Windows\system32\microsoft\serv\service.exe"
                                                                        35⤵
                                                                        • Checks computer location settings
                                                                        • Executes dropped EXE
                                                                        • Drops file in System32 directory
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:6036
                                                                        • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                          "C:\Windows\system32\microsoft\serv\service.exe"
                                                                          36⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Drops file in System32 directory
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:2072
                                                                          • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                            "C:\Windows\system32\microsoft\serv\service.exe"
                                                                            37⤵
                                                                            • Checks computer location settings
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:5652
                                                                            • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                              "C:\Windows\system32\microsoft\serv\service.exe"
                                                                              38⤵
                                                                              • Executes dropped EXE
                                                                              • Drops file in System32 directory
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:4516
                                                                              • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                39⤵
                                                                                • Checks computer location settings
                                                                                • Executes dropped EXE
                                                                                • Drops file in System32 directory
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:6084
                                                                                • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                  "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                  40⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in System32 directory
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:1372
                                                                                  • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                    "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                    41⤵
                                                                                    • Checks computer location settings
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in System32 directory
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:5896
                                                                                    • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                      "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                      42⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:4780
                                                                                      • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                        "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                        43⤵
                                                                                        • Checks computer location settings
                                                                                        • Executes dropped EXE
                                                                                        • Drops file in System32 directory
                                                                                        PID:6124
                                                                                        • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                          "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                          44⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:2292
                                                                                          • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                            "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                            45⤵
                                                                                            • Checks computer location settings
                                                                                            • Executes dropped EXE
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:5724
                                                                                            • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                              "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                              46⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • Drops file in System32 directory
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:3940
                                                                                              • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                                "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                                47⤵
                                                                                                • Checks computer location settings
                                                                                                • Executes dropped EXE
                                                                                                • Drops file in System32 directory
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:3316
                                                                                                • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                                  "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                                  48⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:832
                                                                                                  • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                                    "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                                    49⤵
                                                                                                    • Checks computer location settings
                                                                                                    • Executes dropped EXE
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:6052
                                                                                                    • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                                      "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                                      50⤵
                                                                                                      • Checks computer location settings
                                                                                                      • Executes dropped EXE
                                                                                                      • Drops file in System32 directory
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:5396
                                                                                                      • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                                        "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                                        51⤵
                                                                                                        • Checks computer location settings
                                                                                                        • Executes dropped EXE
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        PID:4724
                                                                                                        • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                                          "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                                          52⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:1692
                                                                                                          • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                                            "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                                            53⤵
                                                                                                            • Checks computer location settings
                                                                                                            • Executes dropped EXE
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:6152
                                                                                                            • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                                              "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                                              54⤵
                                                                                                              • Checks computer location settings
                                                                                                              • Executes dropped EXE
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              PID:6516
                                                                                                              • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                                                "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                                                55⤵
                                                                                                                • Checks computer location settings
                                                                                                                • Executes dropped EXE
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                PID:6952
                                                                                                                • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                                                  "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                                                  56⤵
                                                                                                                  • Checks computer location settings
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Drops file in System32 directory
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:6440
                                                                                                                  • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                                                    "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                                                    57⤵
                                                                                                                    • Checks computer location settings
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Drops file in System32 directory
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    PID:6696
                                                                                                                    • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                                                      "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                                                      58⤵
                                                                                                                      • Checks computer location settings
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Drops file in System32 directory
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      PID:7104
                                                                                                                      • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                                                        "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                                                        59⤵
                                                                                                                        • Checks computer location settings
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Drops file in System32 directory
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        PID:6552
                                                                                                                        • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                                                          "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                                                          60⤵
                                                                                                                          • Checks computer location settings
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in System32 directory
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          PID:7024
                                                                                                                          • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                                                            "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                                                            61⤵
                                                                                                                            • Checks computer location settings
                                                                                                                            • Executes dropped EXE
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:4364
                                                                                                                            • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                                                              "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                                                              62⤵
                                                                                                                              • Checks computer location settings
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Drops file in System32 directory
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:5816
                                                                                                                              • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                                                                "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                                                                63⤵
                                                                                                                                • Checks computer location settings
                                                                                                                                • Executes dropped EXE
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                PID:6636
                                                                                                                                • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                                                                  "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                                                                  64⤵
                                                                                                                                  • Checks computer location settings
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Drops file in System32 directory
                                                                                                                                  PID:6308
                                                                                                                                  • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                                                                    "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                                                                    65⤵
                                                                                                                                    • Checks computer location settings
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Drops file in System32 directory
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:6864
                                                                                                                                    • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                                                                      "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                                                                      66⤵
                                                                                                                                      • Checks computer location settings
                                                                                                                                      • Drops file in System32 directory
                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                      PID:2260
                                                                                                                                      • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                                                                        "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                                                                        67⤵
                                                                                                                                        • Drops file in System32 directory
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        PID:2652
                                                                                                                                        • C:\Windows\SysWOW64\microsoft\serv\service.exe
                                                                                                                                          "C:\Windows\system32\microsoft\serv\service.exe"
                                                                                                                                          68⤵
                                                                                                                                            PID:6888
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\C7ED2B~1.EXE > nul
        2⤵
        • System Location Discovery: System Language Discovery
        PID:636

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\bloodspike.pbk
      Filesize

      2KB

      MD5

      5eb36d6be7aa9f501d976076d533116c

      SHA1

      c2e16fe3f3e0c5f5ac9e751d7c0d9dcb35d0f4dc

      SHA256

      d475f44ba6c5613d4ed211d2611f0b00e93fc03d40f30d4833ba97d108b4c936

      SHA512

      a3723d12df2b3fb7ebea3446a7d0ae60a78e674afde225f673f7536fd3de23bf25e0bc9f63a22223356ce3680898a9dbe1c3648f6240dde750b362f5aeb34c11

      Download Submit

    • C:\Windows\SysWOW64\bloodspike.pbk
      Filesize

      2KB

      MD5

      c0cd3e00e8fbb434a3680d5d8ff95843

      SHA1

      6bb2e95934f72f92c2f527a7fc499116ca4a205d

      SHA256

      1bc6783acb73953f3cd334bf0139eac0763dd254503528cc49a18acb70bc6aab

      SHA512

      7459fd4ae11a9edd3be7b08ad4216daaa44212598464593f2c7214c07cbe9ac43768812dbde28ef5402558684872eea80136097aa8d8784c794db8bfe89be5ed

      Download Submit

    • C:\Windows\SysWOW64\bloodspike.pbk
      Filesize

      2KB

      MD5

      8d0d6be695ae3939f24849865eba6e32

      SHA1

      75df61c0c6d6ee8ee09bcaba2eb920f361ed8401

      SHA256

      b16a0131d6550dc4379b87a226aa38e94aa2ec54afd37519e944ab6319fb2515

      SHA512

      0ebd24ec16e3c4d9a6bdaf277859db582597e4debece78e58db2e9ea418fa5ee80df7d99bbde062a6529a82ab0f2754ec84485ea38fca4dda065de5bcbb30015

      Download Submit

    • C:\Windows\SysWOW64\bloodspike.pbk
      Filesize

      2KB

      MD5

      ddb12a1ffc3b4e67ae7716313277d448

      SHA1

      99947434b190f2d4c31ad8ed4ed1ae606a892949

      SHA256

      fff36d5f1b97a78f543a3a1f60089985a4a9dd6e751c2e5d28d1228b36179fa4

      SHA512

      dbcd558d8f7cd526d087361d31418da41f747ec10f0e3e4dd3450f60d4a9298bceaef7be50840b0d562c6383eeeb4f71b3fc2da075c58abb3ab67956e180663b

      Download Submit

    • C:\Windows\SysWOW64\bloodspike.pbk
      Filesize

      2KB

      MD5

      f3627c003ebd5b8b0882c8588b55297b

      SHA1

      3b55d7a14ef8ac13a77748937fba7e58ff92ebd6

      SHA256

      465634422a36c6be0829d2940b54bd7bb4ee4b0f7d6063d8796d71f1d7ec8ef8

      SHA512

      b562ea674db95a09a162103edd096bf09c3afbbdcc84b9df22d9bec21548f63f4cf5145efefd38ccbabf078cc2b89b0c801a494ebee59bcff4c377a25abb28a7

      Download Submit

    • C:\Windows\SysWOW64\bloodspike.pbk
      Filesize

      2KB

      MD5

      5e7dcaf7aa1073a4fd8f05e0dc9f2724

      SHA1

      279756784c8b34351b2849bf43b9a631349ae08b

      SHA256

      9ef1539fcaddebf0279d0acf540900a641b3af464918dc853115221b6458532a

      SHA512

      2ff5bf6e5a2cf59a8bfc3e7ef793388395d49224589f11ed3f717ec8dd0ba74d855304970624fe7c69703e2fba666eb3b5a5844a3e23ed282d6af2c94148a057

      Download Submit

    • C:\Windows\SysWOW64\microsoft\serv\service.exe
      Filesize

      53KB

      MD5

      c7ed2b79eb20054aad14b19a97edbc6e

      SHA1

      33ea5f0c900c6d09451fad76777db2d78b9e5f53

      SHA256

      52ee8f6b0eea91b810be120d051ae2215fd2a43030f763c9eabdacae86d687cf

      SHA512

      371f6f92d25df9c2c7a437fc0d05a79169968a23d26832f0e56f2769c0d4918fbe3c1a8f3df98a82ea10d73d87dbe66f1314e38182cb54f017cfcfa5bdd3421e

      Download Submit

    • memory/232-132-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/232-309-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/908-199-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/912-221-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/1036-290-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/1244-273-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/1244-94-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/1372-374-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/1372-228-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/1528-298-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/1528-120-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/1608-76-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/1608-251-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/1692-305-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/1888-59-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/1888-225-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/2072-349-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/2164-161-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/2164-13-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/2192-281-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/2216-206-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/2292-263-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/2372-234-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/2408-184-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/2652-376-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/2724-192-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/2996-294-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/3316-283-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/3340-126-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/3340-304-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/3612-0-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/3612-10-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/3888-18-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/3888-169-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/4064-82-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/4064-261-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/4072-213-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/4072-48-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/4516-364-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/4516-216-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/4520-242-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/4520-70-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/4700-176-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/4700-22-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/4724-300-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/4748-286-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/4844-154-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/4888-265-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/4888-88-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/5060-148-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/5208-164-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/5208-329-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/5236-312-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/5456-143-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/5456-315-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/5512-332-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/5652-357-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/5704-321-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/5740-179-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/5740-339-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/5896-237-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/5896-378-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/5904-187-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/5904-343-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/5932-324-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/6036-345-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/6084-223-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/6084-368-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/6124-256-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/6552-335-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/6636-352-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/6696-327-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/6864-366-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download