Analysis
-
max time kernel: 150s
-
max time network: 114s
-
platform: windows10-2004_x64
-
resource: win10v2004-20240802-en
-
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
-
submitted: 29/08/2024, 17:13
Behavioral task behavioral1
Sample: c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe
Resource: win7-20240705-en
Behavioral task behavioral2
Sample: c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
-
Target: c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe
-
Size: 292KB
-
MD5: c941f52156a23b7d68e472985e7a20c8
-
SHA1: 0abf6219aca6b805778b389a7fd1692a85d00b18
-
SHA256: 97e9d8fedf5738ce3f5ca2e84d3c250cc7e903ba286510fb4ed3a2f30d47813f
-
SHA512: fc26638882acdc5646cbefb43972a9db92e06204a6765488066c9c7af1272683e0d0f346a8ae331b5a52e48c90e358124cfd30f9b1e25d68ab342507e6380ee1
-
SSDEEP: 6144:JYDhB6ActM8FbPt6a15RGkPNJAcb+k2WzoPiML3AYRYAe5mYkl5ehRsGT:S9BvctM85t35JPNJj2WzoRLQYRYzmYO8
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\userinit.exe,C:\\Windows\\SysWOW64\\fdisk.com" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\userinit.exe,C:\\Windows\\SysWOW64\\fdisk.com" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\SysWOW64\\fdisk.com" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\SysWOW64\\fdisk.com" | svchost.com
-
Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "2" | svchost.com
Set value (int) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "2" | svchost.com
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.com
Set value (int) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.com
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | svchost.com
Set value (int) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | svchost.com
-
Disables Task Manager via registry modification
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 48 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBGUARD.EXE | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsgui.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.EXE | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctstray.exe | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashdisp.exe | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBGUARD.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctstray.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctstray.exe | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashdisp.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsgui.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.EXE | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashdisp.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashdisp.exe | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsgui.exe | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBGUARD.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsgui.exe | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctstray.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBGUARD.EXE | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe | svchost.com
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | svchost.com
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | cftmon.exe
-
Drops startup file 2 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe | svchost.com
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe | svchost.com
-
Executes dropped EXE 4 IoCs
pid | Process
1244 | svchost.com
4204 | cftmon.exe
3272 | svchost.com
3788 | cftmon.exe
-
Adds Run key to start application 2 TTPs 8 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\User Agent = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HotKey = "C:\\Users\\Admin\\Templates\\cache\\SFCsrvc.pif" | svchost.com
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HotKey = "C:\\Users\\Admin\\Templates\\cache\\SFCsrvc.pif" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\User Agent = "C:\\Windows\\SysWOW64\\fdisk.com" | svchost.com
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\User Agent = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HotKey = "C:\\Users\\Admin\\Templates\\cache\\SFCsrvc.pif" | svchost.com
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HotKey = "C:\\Users\\Admin\\Templates\\cache\\SFCsrvc.pif" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\User Agent = "C:\\Windows\\SysWOW64\\fdisk.com" | svchost.com
-
Drops desktop.ini file(s) 5 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\desktop.ini | c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\Templates\cache\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\desktop.ini | svchost.com
File opened for modification | C:\Users\Admin\Templates\cache\desktop.ini | svchost.com
File opened for modification | \??\c:\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\desktop.ini | svchost.com
File opened for modification | \??\f:\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\desktop.ini | svchost.com
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\a: | svchost.com
File opened (read-only) | \??\b: | svchost.com
File opened (read-only) | \??\m: | svchost.com
File opened (read-only) | \??\p: | svchost.com
File opened (read-only) | \??\q: | svchost.com
File opened (read-only) | \??\e: | svchost.com
File opened (read-only) | \??\h: | svchost.com
File opened (read-only) | \??\j: | svchost.com
File opened (read-only) | \??\v: | svchost.com
File opened (read-only) | \??\i: | svchost.com
File opened (read-only) | \??\j: | svchost.com
File opened (read-only) | \??\z: | svchost.com
File opened (read-only) | \??\i: | svchost.com
File opened (read-only) | \??\q: | svchost.com
File opened (read-only) | \??\b: | svchost.com
File opened (read-only) | \??\l: | svchost.com
File opened (read-only) | \??\r: | svchost.com
File opened (read-only) | \??\y: | svchost.com
File opened (read-only) | \??\t: | svchost.com
File opened (read-only) | \??\g: | svchost.com
File opened (read-only) | \??\r: | svchost.com
File opened (read-only) | \??\w: | svchost.com
File opened (read-only) | \??\y: | svchost.com
File opened (read-only) | \??\z: | svchost.com
File opened (read-only) | \??\k: | svchost.com
File opened (read-only) | \??\t: | svchost.com
File opened (read-only) | \??\u: | svchost.com
File opened (read-only) | \??\o: | svchost.com
File opened (read-only) | \??\s: | svchost.com
File opened (read-only) | \??\u: | svchost.com
File opened (read-only) | \??\x: | svchost.com
File opened (read-only) | \??\o: | svchost.com
File opened (read-only) | \??\g: | svchost.com
File opened (read-only) | \??\l: | svchost.com
File opened (read-only) | \??\a: | svchost.com
File opened (read-only) | \??\m: | svchost.com
File opened (read-only) | \??\n: | svchost.com
File opened (read-only) | \??\p: | svchost.com
File opened (read-only) | \??\v: | svchost.com
File opened (read-only) | \??\w: | svchost.com
File opened (read-only) | \??\k: | svchost.com
File opened (read-only) | \??\n: | svchost.com
File opened (read-only) | \??\s: | svchost.com
File opened (read-only) | \??\x: | svchost.com
File opened (read-only) | \??\e: | svchost.com
File opened (read-only) | \??\h: | svchost.com
-
Modifies WinLogon 2 TTPs 5 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | svchost.com
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Network_Service = "0" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\KeepRasConnections = "1" | svchost.com
-
AutoIT Executable 37 IoCs
AutoIT scripts compiled to PE executables.
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | \??\f:\autorun.inf | svchost.com
File opened for modification | F:\\autorun.inf | svchost.com
File opened for modification | \??\c:\autorun.inf | svchost.com
File opened for modification | C:\\autorun.inf | svchost.com
-
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\fdisk.com | svchost.com
File opened for modification | C:\Windows\SysWOW64\fdisk.com | svchost.com
-
Hide Artifacts: Hidden Users 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Network_Service = "0" | svchost.com
-
Drops file in Program Files directory 1 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Common Files\System\cftmon.exe | svchost.com
-
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\Help\cliconf.chm | svchost.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cftmon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cftmon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
-
Modifies registry class 15 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Network\SharingHandler | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Network\SharingHandler\ | svchost.com
Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Applications\xnotepad.exe\shell | svchost.com
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Applications\xnotepad.exe\shell\open\command\ = "C:\\Program Files (x86)\\Common Files\\System\\cftmon.exe %1" | svchost.com
Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Applications\xmspaint.exe | svchost.com
Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Applications\xmspaint.exe\shell | svchost.com
Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Applications\xnotepad.exe\shell\open\command | svchost.com
Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Applications | svchost.com
Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Applications\xnotepad.exe | svchost.com
Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Applications\xnotepad.exe\shell\open | svchost.com
Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Applications\xmspaint.exe\shell\open\command | svchost.com
Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Applications\xmspaint.exe\shell\open | svchost.com
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Applications\xmspaint.exe\shell\open\command\ = "C:\\Program Files (x86)\\Common Files\\System\\cftmon.exe %1" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LibraryFolder\ShellEx\SharingHandler\ | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LibraryFolder\shellex\SharingHandler | svchost.com
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 824 c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe 824 c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe 1244 svchost.com 1244 svchost.com 1244 svchost.com 1244 svchost.com 1244 svchost.com 1244 svchost.com 1244 svchost.com 1244 svchost.com 1244 svchost.com 1244 svchost.com 1244 svchost.com 1244 svchost.com 1244 svchost.com 1244 svchost.com 1244 svchost.com 1244 svchost.com 1244 svchost.com 1244 svchost.com 1244 svchost.com 1244 svchost.com 1244 svchost.com 1244 svchost.com 1244 svchost.com 1244 svchost.com 1244 svchost.com 1244 svchost.com 3272 svchost.com 3272 svchost.com 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe 3788 cftmon.exe -
Suspicious use of WriteProcessMemory 48 IoCs
description | pid | Process | procid_target
PID 824 wrote to memory of 1244 | 824 | c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe | 87
PID 824 wrote to memory of 1244 | 824 | c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe | 87
PID 824 wrote to memory of 1244 | 824 | c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe | 87
PID 1244 wrote to memory of 4204 | 1244 | svchost.com | 89
PID 1244 wrote to memory of 4204 | 1244 | svchost.com | 89
PID 1244 wrote to memory of 4204 | 1244 | svchost.com | 89
PID 1244 wrote to memory of 3272 | 1244 | svchost.com | 90
PID 1244 wrote to memory of 3272 | 1244 | svchost.com | 90
PID 1244 wrote to memory of 3272 | 1244 | svchost.com | 90
PID 4204 wrote to memory of 3788 | 4204 | cftmon.exe | 91
PID 4204 wrote to memory of 3788 | 4204 | cftmon.exe | 91
PID 4204 wrote to memory of 3788 | 4204 | cftmon.exe | 91
PID 1244 wrote to memory of 412 | 1244 | svchost.com | 103
PID 1244 wrote to memory of 412 | 1244 | svchost.com | 103
PID 1244 wrote to memory of 412 | 1244 | svchost.com | 103
PID 1244 wrote to memory of 3744 | 1244 | svchost.com | 105
PID 1244 wrote to memory of 3744 | 1244 | svchost.com | 105
PID 1244 wrote to memory of 3744 | 1244 | svchost.com | 105
PID 1244 wrote to memory of 3288 | 1244 | svchost.com | 107
PID 1244 wrote to memory of 3288 | 1244 | svchost.com | 107
PID 1244 wrote to memory of 3288 | 1244 | svchost.com | 107
PID 412 wrote to memory of 3568 | 412 | net.exe | 109
PID 412 wrote to memory of 3568 | 412 | net.exe | 109
PID 412 wrote to memory of 3568 | 412 | net.exe | 109
PID 3744 wrote to memory of 4012 | 3744 | net.exe | 110
PID 3744 wrote to memory of 4012 | 3744 | net.exe | 110
PID 3744 wrote to memory of 4012 | 3744 | net.exe | 110
PID 3288 wrote to memory of 3296 | 3288 | net.exe | 111
PID 3288 wrote to memory of 3296 | 3288 | net.exe | 111
PID 3288 wrote to memory of 3296 | 3288 | net.exe | 111
PID 1244 wrote to memory of 3324 | 1244 | svchost.com | 112
PID 1244 wrote to memory of 3324 | 1244 | svchost.com | 112
PID 1244 wrote to memory of 3324 | 1244 | svchost.com | 112
PID 3324 wrote to memory of 2636 | 3324 | net.exe | 114
PID 3324 wrote to memory of 2636 | 3324 | net.exe | 114
PID 3324 wrote to memory of 2636 | 3324 | net.exe | 114
PID 1244 wrote to memory of 768 | 1244 | svchost.com | 115
PID 1244 wrote to memory of 768 | 1244 | svchost.com | 115
PID 1244 wrote to memory of 768 | 1244 | svchost.com | 115
PID 768 wrote to memory of 1580 | 768 | net.exe | 117
PID 768 wrote to memory of 1580 | 768 | net.exe | 117
PID 768 wrote to memory of 1580 | 768 | net.exe | 117
PID 1244 wrote to memory of 1772 | 1244 | svchost.com | 118
PID 1244 wrote to memory of 1772 | 1244 | svchost.com | 118
PID 1244 wrote to memory of 1772 | 1244 | svchost.com | 118
PID 1772 wrote to memory of 1556 | 1772 | net.exe | 120
PID 1772 wrote to memory of 1556 | 1772 | net.exe | 120
PID 1772 wrote to memory of 1556 | 1772 | net.exe | 120
-
System policy modification 1 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoAdminPage = "1" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network | svchost.com
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network\NoFileSharingControl = "1" | svchost.com
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network\NoFileSharing = "0" | svchost.com
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network\NoPrintSharing = "0" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | svchost.com
Processes
- C:\Users\Admin\AppData\Local\Temp\c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe (depth 1, PID 824)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\svchost.com (depth 2, PID 1244)
    Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.com"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Event Triggered Execution: Image File Execution Options Injection
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Hide Artifacts: Hidden Users
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Program Files (x86)\Common Files\System\cftmon.exe (depth 3, PID 4204)
      Command line: "C:\Program Files (x86)\Common Files\System\cftmon.exe" stay_alive -in
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Common Files\System\cftmon.exe (depth 4, PID 3788)
        Command line: "C:\Program Files (x86)\Common Files\System\cftmon.exe" stay_alive -r
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\AppData\Local\Temp\svchost.com (depth 3, PID 3272)
      Command line: C:\Users\Admin\AppData\Local\Temp\svchost.com keep_fucking
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Disables RegEdit via registry modification
      - Event Triggered Execution: Image File Execution Options Injection
      - Executes dropped EXE
      - Adds Run key to start application
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\net.exe (depth 3, PID 412)
      Command line: "C:\Windows\System32\net.exe" share SYS_c$=c:\
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (depth 4, PID 3568)
        Command line: C:\Windows\system32\net1 share SYS_c$=c:\
        - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\net.exe (depth 3, PID 3744)
      Command line: "C:\Windows\System32\net.exe" share SYS_f$=f:\
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (depth 4, PID 4012)
        Command line: C:\Windows\system32\net1 share SYS_f$=f:\
        - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\net.exe (depth 3, PID 3288)
      Command line: "C:\Windows\System32\net.exe" user guest guest
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (depth 4, PID 3296)
        Command line: C:\Windows\system32\net1 user guest guest
        - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\net.exe (depth 3, PID 3324)
      Command line: "C:\Windows\System32\net.exe" user /add Network_Service
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (depth 4, PID 2636)
        Command line: C:\Windows\system32\net1 user /add Network_Service
        - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\net.exe (depth 3, PID 768)
      Command line: "C:\Windows\System32\net.exe" user Network_Service 1016760
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (depth 4, PID 1580)
        Command line: C:\Windows\system32\net1 user Network_Service 1016760
        - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\net.exe (depth 3, PID 1772)
      Command line: "C:\Windows\System32\net.exe" localgroup administrators Network_Service /add
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (depth 4, PID 1556)
        Command line: C:\Windows\system32\net1 localgroup administrators Network_Service /add
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
- Account Manipulation (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Account Manipulation (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Hide Artifacts (3)
  - Hidden Files and Directories (2)
  - Hidden Users (1)
- Modify Registry (6)
Downloads
- Filesize: 1KB
  MD5: 063f0c3b2d4faa1113b4dc34fa788a19
  SHA1: de2b393170519137499b5593b6a9b8fd71fd983e
  SHA256: a0a0590cfa9663a09eba321d2dbfcf54a24a6906707dd9b8679f5064307050e3
  SHA512: 77d88664adc9169bf2172318d61b8a3b906d0c37e7daff669101f2dc4f458e9c7058253be7668c9ce4c4183201fb593a1ca2cceac3e16de0cb30eefe8b5902c6
- Filesize: 292KB
  MD5: c941f52156a23b7d68e472985e7a20c8
  SHA1: 0abf6219aca6b805778b389a7fd1692a85d00b18
  SHA256: 97e9d8fedf5738ce3f5ca2e84d3c250cc7e903ba286510fb4ed3a2f30d47813f
  SHA512: fc26638882acdc5646cbefb43972a9db92e06204a6765488066c9c7af1272683e0d0f346a8ae331b5a52e48c90e358124cfd30f9b1e25d68ab342507e6380ee1
- Filesize: 129B
  MD5: a526b9e7c716b3489d8cc062fbce4005
  SHA1: 2df502a944ff721241be20a9e449d2acd07e0312
  SHA256: e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
  SHA512: d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88