305d5c8c8f00e7156dfacbf2e49524b6e87e3e7d3d5cca083d6156a82193610f

Analysis

max time kernel
123s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfeefe6f5b066de38fef45786b34e82a_JaffaCakes118.exe
Size

78KB
MD5

cfeefe6f5b066de38fef45786b34e82a
SHA1

935020840ef9b8c5e58fa811d5cb197612af2805
SHA256

305d5c8c8f00e7156dfacbf2e49524b6e87e3e7d3d5cca083d6156a82193610f
SHA512

250276ced6b7d84b3126e8818207f6691f04f53bae7dfe40eb648cd2dcd6cdf9bf53fa5da3aefc6157430b2db8dab22a054eddac011e7b691b6efcbae8b9f1b3
SSDEEP

768:/dICxZk/89MpVT7woQJcW/bnqC03T/yEwSndA/zJmnPi3JnrpZdxEk+fVx6P3jM0:/TYd5QJc/vaSybs4Zr+fX6P3jg

Score

9^/10

credential_access discovery spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Executes dropped EXE 1 IoCs

pid	Process
2792	wmimgmt.exe

Loads dropped DLL 2 IoCs

pid	Process
2400	cfeefe6f5b066de38fef45786b34e82a_JaffaCakes118.exe
2400	cfeefe6f5b066de38fef45786b34e82a_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	wmimgmt.exe

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
1752	ARP.EXE

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
2652	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ROUTE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfeefe6f5b066de38fef45786b34e82a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmimgmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3040	PING.EXE
2168	findstr.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
2132	NETSTAT.EXE

Discovers systems in the same network 1 TTPs 4 IoCs

discovery

Remote System Discovery

T1018

pid	Process
1048	net.exe
1412	net.exe
2964	net.exe
1756	net.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2644	ipconfig.exe
2132	NETSTAT.EXE
628	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
696	systeminfo.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3040	PING.EXE

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeBackupPrivilege	2400	cfeefe6f5b066de38fef45786b34e82a_JaffaCakes118.exe
Token: SeBackupPrivilege	2400	cfeefe6f5b066de38fef45786b34e82a_JaffaCakes118.exe
Token: SeRestorePrivilege	2400	cfeefe6f5b066de38fef45786b34e82a_JaffaCakes118.exe
Token: SeBackupPrivilege	2400	cfeefe6f5b066de38fef45786b34e82a_JaffaCakes118.exe
Token: SeRestorePrivilege	2400	cfeefe6f5b066de38fef45786b34e82a_JaffaCakes118.exe
Token: SeBackupPrivilege	2400	cfeefe6f5b066de38fef45786b34e82a_JaffaCakes118.exe
Token: SeRestorePrivilege	2400	cfeefe6f5b066de38fef45786b34e82a_JaffaCakes118.exe
Token: SeBackupPrivilege	2400	cfeefe6f5b066de38fef45786b34e82a_JaffaCakes118.exe
Token: SeRestorePrivilege	2400	cfeefe6f5b066de38fef45786b34e82a_JaffaCakes118.exe
Token: SeBackupPrivilege	2400	cfeefe6f5b066de38fef45786b34e82a_JaffaCakes118.exe
Token: SeRestorePrivilege	2400	cfeefe6f5b066de38fef45786b34e82a_JaffaCakes118.exe
Token: SeDebugPrivilege	2652	tasklist.exe
Token: SeDebugPrivilege	2132	NETSTAT.EXE
Token: SeBackupPrivilege	2792	wmimgmt.exe
Token: SeBackupPrivilege	2792	wmimgmt.exe
Token: SeBackupPrivilege	2792	wmimgmt.exe
Token: SeBackupPrivilege	2792	wmimgmt.exe
Token: SeBackupPrivilege	2792	wmimgmt.exe
Token: SeBackupPrivilege	2792	wmimgmt.exe
Token: SeRestorePrivilege	2792	wmimgmt.exe
Token: SeBackupPrivilege	2792	wmimgmt.exe
Token: SeBackupPrivilege	2792	wmimgmt.exe
Token: SeBackupPrivilege	2792	wmimgmt.exe
Token: SeBackupPrivilege	2792	wmimgmt.exe
Token: SeBackupPrivilege	2792	wmimgmt.exe
Token: SeBackupPrivilege	2792	wmimgmt.exe
Token: SeBackupPrivilege	2792	wmimgmt.exe
Token: SeBackupPrivilege	2792	wmimgmt.exe
Token: SeBackupPrivilege	2792	wmimgmt.exe
Token: SeBackupPrivilege	2792	wmimgmt.exe
Token: SeBackupPrivilege	2792	wmimgmt.exe
Token: SeBackupPrivilege	2792	wmimgmt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2792	2400	cfeefe6f5b066de38fef45786b34e82a_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2792	2400	cfeefe6f5b066de38fef45786b34e82a_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2792	2400	cfeefe6f5b066de38fef45786b34e82a_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2792	2400	cfeefe6f5b066de38fef45786b34e82a_JaffaCakes118.exe	30
PID 2792 wrote to memory of 2736	2792	wmimgmt.exe	31
PID 2792 wrote to memory of 2736	2792	wmimgmt.exe	31
PID 2792 wrote to memory of 2736	2792	wmimgmt.exe	31
PID 2792 wrote to memory of 2736	2792	wmimgmt.exe	31
PID 2736 wrote to memory of 3036	2736	cmd.exe	33
PID 2736 wrote to memory of 3036	2736	cmd.exe	33
PID 2736 wrote to memory of 3036	2736	cmd.exe	33
PID 2736 wrote to memory of 3036	2736	cmd.exe	33
PID 2736 wrote to memory of 2712	2736	cmd.exe	34
PID 2736 wrote to memory of 2712	2736	cmd.exe	34
PID 2736 wrote to memory of 2712	2736	cmd.exe	34
PID 2736 wrote to memory of 2712	2736	cmd.exe	34
PID 2736 wrote to memory of 2740	2736	cmd.exe	35
PID 2736 wrote to memory of 2740	2736	cmd.exe	35
PID 2736 wrote to memory of 2740	2736	cmd.exe	35
PID 2736 wrote to memory of 2740	2736	cmd.exe	35
PID 2740 wrote to memory of 2628	2740	net.exe	36
PID 2740 wrote to memory of 2628	2740	net.exe	36
PID 2740 wrote to memory of 2628	2740	net.exe	36
PID 2740 wrote to memory of 2628	2740	net.exe	36
PID 2736 wrote to memory of 2568	2736	cmd.exe	37
PID 2736 wrote to memory of 2568	2736	cmd.exe	37
PID 2736 wrote to memory of 2568	2736	cmd.exe	37
PID 2736 wrote to memory of 2568	2736	cmd.exe	37
PID 2568 wrote to memory of 2588	2568	net.exe	38
PID 2568 wrote to memory of 2588	2568	net.exe	38
PID 2568 wrote to memory of 2588	2568	net.exe	38
PID 2568 wrote to memory of 2588	2568	net.exe	38
PID 2736 wrote to memory of 2652	2736	cmd.exe	39
PID 2736 wrote to memory of 2652	2736	cmd.exe	39
PID 2736 wrote to memory of 2652	2736	cmd.exe	39
PID 2736 wrote to memory of 2652	2736	cmd.exe	39
PID 2736 wrote to memory of 696	2736	cmd.exe	41
PID 2736 wrote to memory of 696	2736	cmd.exe	41
PID 2736 wrote to memory of 696	2736	cmd.exe	41
PID 2736 wrote to memory of 696	2736	cmd.exe	41
PID 2736 wrote to memory of 2396	2736	cmd.exe	43
PID 2736 wrote to memory of 2396	2736	cmd.exe	43
PID 2736 wrote to memory of 2396	2736	cmd.exe	43
PID 2736 wrote to memory of 2396	2736	cmd.exe	43
PID 2736 wrote to memory of 2204	2736	cmd.exe	44
PID 2736 wrote to memory of 2204	2736	cmd.exe	44
PID 2736 wrote to memory of 2204	2736	cmd.exe	44
PID 2736 wrote to memory of 2204	2736	cmd.exe	44
PID 2736 wrote to memory of 2540	2736	cmd.exe	45
PID 2736 wrote to memory of 2540	2736	cmd.exe	45
PID 2736 wrote to memory of 2540	2736	cmd.exe	45
PID 2736 wrote to memory of 2540	2736	cmd.exe	45
PID 2736 wrote to memory of 2148	2736	cmd.exe	46
PID 2736 wrote to memory of 2148	2736	cmd.exe	46
PID 2736 wrote to memory of 2148	2736	cmd.exe	46
PID 2736 wrote to memory of 2148	2736	cmd.exe	46
PID 2736 wrote to memory of 2104	2736	cmd.exe	47
PID 2736 wrote to memory of 2104	2736	cmd.exe	47
PID 2736 wrote to memory of 2104	2736	cmd.exe	47
PID 2736 wrote to memory of 2104	2736	cmd.exe	47
PID 2736 wrote to memory of 2164	2736	cmd.exe	48
PID 2736 wrote to memory of 2164	2736	cmd.exe	48
PID 2736 wrote to memory of 2164	2736	cmd.exe	48
PID 2736 wrote to memory of 2164	2736	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\cfeefe6f5b066de38fef45786b34e82a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cfeefe6f5b066de38fef45786b34e82a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400
- C:\ProgramData\Application Data\wmimgmt.exe
  "C:\ProgramData\Application Data\wmimgmt.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:3036
  - - C:\Windows\SysWOW64\chcp.com
      chcp
      4⤵
      System Location Discovery: System Language Discovery
      PID:2712
  - - C:\Windows\SysWOW64\net.exe
      net user
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2588
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2652
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      System Location Discovery: System Language Discovery
      Gathers system information
      PID:696
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2396
  - - C:\Windows\SysWOW64\find.exe
      find "REG_"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2204
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office
      4⤵
      System Location Discovery: System Language Discovery
      PID:2540
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:2148
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:2104
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:2164
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:2176
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:1768
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:2296
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:2644
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -ano
      4⤵
      System Location Discovery: System Language Discovery
      System Network Connections Discovery
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2132
  - - C:\Windows\SysWOW64\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      System Location Discovery: System Language Discovery
      PID:1752
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -r
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
      - C:\Windows\SysWOW64\ROUTE.EXE
        
        C:\Windows\system32\route.exe print
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1244
  - - C:\Windows\SysWOW64\net.exe
      net start
      4⤵
      System Location Discovery: System Language Discovery
      PID:2040
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1452
  - - C:\Windows\SysWOW64\net.exe
      net use
      4⤵
      System Location Discovery: System Language Discovery
      PID:2812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo n"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1272
  - - C:\Windows\SysWOW64\net.exe
      net share
      4⤵
      System Location Discovery: System Language Discovery
      PID:2992
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 share
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
  - - C:\Windows\SysWOW64\net.exe
      net view /domain
      4⤵
      System Location Discovery: System Language Discovery
      Discovers systems in the same network
      PID:1756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1724
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "------"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2664
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2956
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "domain"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2552
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "¬A╛╣"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2392
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "░⌡ªµª¿"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2336
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "├ⁿ┴ε"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2308
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "completed successfully"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2352
  - - C:\Windows\SysWOW64\net.exe
      net view /domain:"WORKGROUP"
      4⤵
      System Location Discovery: System Language Discovery
      Discovers systems in the same network
      PID:1048
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\workgrp.tmp "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2428
  - - C:\Windows\SysWOW64\find.exe
      find "\\"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2000
  - - C:\Windows\SysWOW64\net.exe
      net view \\KHBTHJFA
      4⤵
      System Location Discovery: System Language Discovery
      Discovers systems in the same network
      PID:1412
  - - C:\Windows\SysWOW64\net.exe
      net view \\KHBTHJFA
      4⤵
      System Location Discovery: System Language Discovery
      Discovers systems in the same network
      PID:2964
  - - C:\Windows\SysWOW64\find.exe
      find "Disk"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1796
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 KHBTHJFA
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3040
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "Pinging Reply Request Unknown"
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Privilege Escalation

Account Manipulation

T1098

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\INFO.TXT

Filesize
43B

MD5
05bf969be5ffa8286a5cec181fd7bf47

SHA1
f78e8cbf49b446ab78e1af28913eaeb0bb3e5cea

SHA256
31ca14f34200304839a5e233241ebd5e58bd5a147a4e788d125eb8f227363e1e

SHA512
1fb94d34f9a52cd16dfb5a8a059f65d1672dfa5de42da7ba5f8f0964bf39dbe47b4e99084cbb757cc87c0df5a0a7f101ec49ea27df3f266de488c55b9a85a516

Download Submit
C:\Users\Admin\AppData\Local\Temp\INFO.TXT

Filesize
7KB

MD5
572a19532a990637495656cbfa677de4

SHA1
b68fc9c1b96c762877895c9b2841589c891ab6a3

SHA256
3d19509ab665bcb227cf7682a0d1b40bb09ccd7e64b41a42e3762f32a081b603

SHA512
09f3645b064143130c11be544e6c439e551be2a9067a6157c28beb7ddea871aaffb36f3426dccf8a4fd4f588d47f60174ceececf53b47b3b8b0430603c40f3f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\INFO.TXT

Filesize
15KB

MD5
3c024e64a98442b297ebc4066a4aaa5d

SHA1
88701f5f270e72037746f2bb3c1afa1006a90a72

SHA256
d931bf5d45176dfba55c8d4e0582f9e729c22da2fcc516540410969d90f3b453

SHA512
5ba591e75942cd20559d4628e44e9d67b23d09039ade7dc019667605a869540429dca83f78dc9760ef6d5f9d94557a9b1a527020133269bf131dc9ad402d55f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\INFO.TXT

Filesize
24.9MB

MD5
911cc613d47e09a542723e381c0c42a3

SHA1
0a6fb123e43d4897a09be3f29a515ccad00ea149

SHA256
a1eba192a78ee6d21985ee48110fb94b58ef9e98dce0557238ef273148b50628

SHA512
67ba2a50e43028e7e74b9505a05d731eab4fa6f905151b0b31815eff637e30d8d1b66c5a69b7ac9d43f0c68fb0733487671a2300d7ffcae76bed279566ec90e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\drivers.p

Filesize
15B

MD5
4ff8e80638f36abd8fb131c19425317b

SHA1
358665afaf5f88dfebcdb7c56e963693c520c136

SHA256
6b8ceb900443f4924efd3187693038965ad7edb488879305489aa72d78f69626

SHA512
d4e6e3d789bc76102c500b46a5aa799c5ebfc432a44117aa0b7c7512439d33a423630b963fb04cda1da17a7f6517b276a3e9298c17cbf795964090f4b9e5d8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghi.bat

Filesize
3KB

MD5
b98e8fcde49a1caee295a6bd3d264e56

SHA1
71c82391a8617212ad48c8d79755e71be2e20be9

SHA256
e369c7e2e7ac0280882693038b213be0309c910df62f35a5159a125ecd18fb9a

SHA512
fb5fa414449e7dd4ce1fedcb92487f59ed18d7fbd3146eb59ec8f7256d68551adebb7d35e859fe7b6bce5a0b042b0de1e9ee56369a8686976dd121b44ff46742

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.log

Filesize
153B

MD5
b256c8a481b065860c2812e742f50250

SHA1
51ddf02764fb12d88822450e8a27f9deac85fe54

SHA256
b167a692a2ff54cc5625797ddc367ba8736797130b93961d68b9150aef2f0e12

SHA512
f425ae70449d16bdb05fcc7913744fb0a81ab81278735d77ce316007b8298ad3c3991a29af67b336420f7dca94702271e59186174b5b78b5cdab1f8ce0163360

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.log

Filesize
64B

MD5
e29f80bf6f6a756e0bc6d7f5189a9bb2

SHA1
acdd1032b7dc189f8e68b390fe6fd964618acd72

SHA256
8bfe9f81e5c82cbfe69203c993009c22f940f20727fa8cb43773958bf0eba7c7

SHA512
f390fc82bdeb43721aa08f3666a4ed7d9ad4a5c1ff91be6967336417a5a5b7968b945773f68effcbe961072b801c3681455cf98b956cd802eba24190bd54268e

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.log

Filesize
72B

MD5
59f2768506355d8bc50979f6d64ded26

SHA1
b2d315b3857bec8335c526a08d08d6a1b5f5c151

SHA256
7f9f3cbab32b3a5022bed245092835cb12502fa2e79d85c8c45d478918ee6569

SHA512
e9aa231d19cb5f93711cd3ffee4a6bd8764b21249ed7eb06ff34bcb457cd075384a0858ea35a99280bff16c01875a4ed79598a6503fcf5262da6f0849b5b1028

Download Submit
C:\Users\Admin\AppData\Local\Temp\workgrp.tmp

Filesize
234B

MD5
36410966ec95ad407c3c2963352df2b7

SHA1
01c4fd256a6ec13f6697edf7d79a70308148c9cb

SHA256
559b4fbe11b804b82382a61a5cb463904741696cb5c93e06edb9dcb6dd9dc94c

SHA512
f00b2ed5f6e506782fed38bc202f6a450a9c18a76ce13b61876acfa1095b9f10e164f6a5d34facb83cdedde5f95774595387c62375a8921bc39beb9403bb5782

Download Submit
C:\Users\Public\Documents\Media\line.dat

Filesize
27B

MD5
bbeb55d9da24dbfbff9a98134c92bbbb

SHA1
4bd2f205386b014701a1cd7cfa8b171ebd36d214

SHA256
aa5d924d04242e5e0bd792699a491d835b6d844367846420f31dd5656d26e5b9

SHA512
8254f97164baa9d33c6c4acb6e56af805a022549ad5d7397b78461222fc1f1acfa2ad85d0beb00b463c0bd8960225ece92c74a495081a48ebbda6f3e9c592873

Download Submit
\ProgramData\wmimgmt.exe

Filesize
78KB

MD5
cfeefe6f5b066de38fef45786b34e82a

SHA1
935020840ef9b8c5e58fa811d5cb197612af2805

SHA256
305d5c8c8f00e7156dfacbf2e49524b6e87e3e7d3d5cca083d6156a82193610f

SHA512
250276ced6b7d84b3126e8818207f6691f04f53bae7dfe40eb648cd2dcd6cdf9bf53fa5da3aefc6157430b2db8dab22a054eddac011e7b691b6efcbae8b9f1b3

Download Submit
memory/2400-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2400-5-0x00000000002E0000-0x00000000002FD000-memory.dmp

Filesize
116KB

Download
memory/2400-11-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2792-72-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads