400c3c197bb2fdf11175443d341b4b698dbee576272b0afc6b06d1bccfbc24b3

Analysis

max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 23:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Size

208KB
MD5

d55030741d7d4e5ab4d10ea6a92ab3dc
SHA1

e04dd824d1dee0270d681a692f7253c106b4089d
SHA256

400c3c197bb2fdf11175443d341b4b698dbee576272b0afc6b06d1bccfbc24b3
SHA512

59e40c4a50c1003fb24bbe23d3f18b237f5db94da412f349cb852b7939cc164001e8fda4f8f26e2c82757b507183ab1acab57f8faa8b5e6e95cb2ba1d2d6e81f
SSDEEP

3072:xIdcFLEdskgrt05bnwhVh6PTPKp6zQc9bav/DIIjOdbryuyRCpGGuj7N+d:6WjZ0xCVh6Qch+ORrcBj7N2

Score

10^/10

discovery evasion persistence trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	idemoodp0cetka.exe

Executes dropped EXE 2 IoCs

pid	Process
3668	idemoodp0cetka.exe
2432	idemoodp0cetka.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4104-1-0x0000000002C80000-0x0000000003CAA000-memory.dmp	upx
behavioral2/memory/4104-3-0x0000000002C80000-0x0000000003CAA000-memory.dmp	upx
behavioral2/memory/4104-4-0x0000000002C80000-0x0000000003CAA000-memory.dmp	upx
behavioral2/memory/4104-13-0x0000000002C80000-0x0000000003CAA000-memory.dmp	upx
behavioral2/memory/4104-25-0x0000000002C80000-0x0000000003CAA000-memory.dmp	upx
behavioral2/memory/3668-42-0x0000000002A50000-0x0000000003A7A000-memory.dmp	upx
behavioral2/memory/3668-53-0x0000000002A50000-0x0000000003A7A000-memory.dmp	upx
behavioral2/memory/3668-39-0x0000000002A50000-0x0000000003A7A000-memory.dmp	upx
behavioral2/memory/3668-72-0x0000000002A50000-0x0000000003A7A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Service Manager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\idemoodp0cetka.exe"	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MS Service Manager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\idemoodp0cetka.exe"	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	idemoodp0cetka.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4104 set thread context of 1488	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe	86
PID 3668 set thread context of 2432	3668	idemoodp0cetka.exe	88

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idemoodp0cetka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idemoodp0cetka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
3668	idemoodp0cetka.exe
3668	idemoodp0cetka.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Token: SeDebugPrivilege	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
3668	idemoodp0cetka.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 788	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe	8
PID 4104 wrote to memory of 796	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe	9
PID 4104 wrote to memory of 384	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe	13
PID 4104 wrote to memory of 2628	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe	45
PID 4104 wrote to memory of 2652	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe	46
PID 4104 wrote to memory of 2756	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe	48
PID 4104 wrote to memory of 3440	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe	56
PID 4104 wrote to memory of 3548	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe	57
PID 4104 wrote to memory of 3740	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe	58
PID 4104 wrote to memory of 3832	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe	59
PID 4104 wrote to memory of 3908	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe	60
PID 4104 wrote to memory of 3988	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe	61
PID 4104 wrote to memory of 3588	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe	62
PID 4104 wrote to memory of 3480	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe	75
PID 4104 wrote to memory of 4148	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe	76
PID 4104 wrote to memory of 1224	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe	81
PID 4104 wrote to memory of 2444	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe	83
PID 4104 wrote to memory of 1488	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe	86
PID 4104 wrote to memory of 1488	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe	86
PID 4104 wrote to memory of 1488	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe	86
PID 4104 wrote to memory of 1488	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe	86
PID 4104 wrote to memory of 1488	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe	86
PID 4104 wrote to memory of 1488	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe	86
PID 4104 wrote to memory of 1488	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe	86
PID 4104 wrote to memory of 1488	4104	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe	86
PID 1488 wrote to memory of 3668	1488	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe	87
PID 1488 wrote to memory of 3668	1488	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe	87
PID 1488 wrote to memory of 3668	1488	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe	87
PID 3668 wrote to memory of 788	3668	idemoodp0cetka.exe	8
PID 3668 wrote to memory of 796	3668	idemoodp0cetka.exe	9
PID 3668 wrote to memory of 384	3668	idemoodp0cetka.exe	13
PID 3668 wrote to memory of 2628	3668	idemoodp0cetka.exe	45
PID 3668 wrote to memory of 2652	3668	idemoodp0cetka.exe	46
PID 3668 wrote to memory of 2756	3668	idemoodp0cetka.exe	48
PID 3668 wrote to memory of 3440	3668	idemoodp0cetka.exe	56
PID 3668 wrote to memory of 3548	3668	idemoodp0cetka.exe	57
PID 3668 wrote to memory of 3740	3668	idemoodp0cetka.exe	58
PID 3668 wrote to memory of 3832	3668	idemoodp0cetka.exe	59
PID 3668 wrote to memory of 3908	3668	idemoodp0cetka.exe	60
PID 3668 wrote to memory of 3988	3668	idemoodp0cetka.exe	61
PID 3668 wrote to memory of 3588	3668	idemoodp0cetka.exe	62
PID 3668 wrote to memory of 3480	3668	idemoodp0cetka.exe	75
PID 3668 wrote to memory of 4148	3668	idemoodp0cetka.exe	76
PID 3668 wrote to memory of 1224	3668	idemoodp0cetka.exe	81
PID 3668 wrote to memory of 2196	3668	idemoodp0cetka.exe	84
PID 3668 wrote to memory of 2876	3668	idemoodp0cetka.exe	85
PID 3668 wrote to memory of 1488	3668	idemoodp0cetka.exe	86
PID 3668 wrote to memory of 1488	3668	idemoodp0cetka.exe	86
PID 3668 wrote to memory of 2432	3668	idemoodp0cetka.exe	88
PID 3668 wrote to memory of 2432	3668	idemoodp0cetka.exe	88
PID 3668 wrote to memory of 2432	3668	idemoodp0cetka.exe	88
PID 3668 wrote to memory of 2432	3668	idemoodp0cetka.exe	88
PID 3668 wrote to memory of 2432	3668	idemoodp0cetka.exe	88
PID 3668 wrote to memory of 2432	3668	idemoodp0cetka.exe	88
PID 3668 wrote to memory of 2432	3668	idemoodp0cetka.exe	88
PID 3668 wrote to memory of 2432	3668	idemoodp0cetka.exe	88

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	idemoodp0cetka.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:796

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:384

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2652

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2756

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3440
- C:\Users\Admin\AppData\Local\Temp\d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe"
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4104
- - C:\Users\Admin\AppData\Local\Temp\d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d55030741d7d4e5ab4d10ea6a92ab3dc_JaffaCakes118.exe"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe
      "C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3668
    - - C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3548

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3740

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3832

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3908

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3988

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3588

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3480

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4148

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1224

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:2444

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2196

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe

Filesize
208KB

MD5
d55030741d7d4e5ab4d10ea6a92ab3dc

SHA1
e04dd824d1dee0270d681a692f7253c106b4089d

SHA256
400c3c197bb2fdf11175443d341b4b698dbee576272b0afc6b06d1bccfbc24b3

SHA512
59e40c4a50c1003fb24bbe23d3f18b237f5db94da412f349cb852b7939cc164001e8fda4f8f26e2c82757b507183ab1acab57f8faa8b5e6e95cb2ba1d2d6e81f

Download Submit
C:\Windows\SYSTEM.INI

Filesize
258B

MD5
8f4f6baad448ae2e10423f28ecb9f382

SHA1
53ece93df15b8039eb34eaba7883ccd2ee3138b7

SHA256
c3e275b5b922fd1bf9aac9c070addb23924ad33e66ecdb6e1c8d005d75cd8e02

SHA512
113d3fc9759957b55c02ff193d090f4282c45e6e49511ddccf696e7cf5e40612399fc7b5f613d1a945b62fc11d75f94d1dae8d5470d969ddc1276c45e20e98e8

Download Submit
memory/1488-18-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1488-49-0x0000000000560000-0x0000000000562000-memory.dmp

Filesize
8KB

Download
memory/1488-60-0x0000000000560000-0x0000000000562000-memory.dmp

Filesize
8KB

Download
memory/1488-50-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1488-56-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1488-22-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1488-54-0x0000000000560000-0x0000000000562000-memory.dmp

Filesize
8KB

Download
memory/1488-32-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2432-83-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2432-69-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2432-80-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2432-81-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2432-84-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2432-85-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3668-79-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3668-42-0x0000000002A50000-0x0000000003A7A000-memory.dmp

Filesize
16.2MB

Download
memory/3668-39-0x0000000002A50000-0x0000000003A7A000-memory.dmp

Filesize
16.2MB

Download
memory/3668-55-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3668-40-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3668-67-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3668-53-0x0000000002A50000-0x0000000003A7A000-memory.dmp

Filesize
16.2MB

Download
memory/3668-72-0x0000000002A50000-0x0000000003A7A000-memory.dmp

Filesize
16.2MB

Download
memory/3668-52-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4104-25-0x0000000002C80000-0x0000000003CAA000-memory.dmp

Filesize
16.2MB

Download
memory/4104-4-0x0000000002C80000-0x0000000003CAA000-memory.dmp

Filesize
16.2MB

Download
memory/4104-1-0x0000000002C80000-0x0000000003CAA000-memory.dmp

Filesize
16.2MB

Download
memory/4104-3-0x0000000002C80000-0x0000000003CAA000-memory.dmp

Filesize
16.2MB

Download
memory/4104-33-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4104-24-0x0000000002C10000-0x0000000002C12000-memory.dmp

Filesize
8KB

Download
memory/4104-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4104-7-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/4104-6-0x0000000002C10000-0x0000000002C12000-memory.dmp

Filesize
8KB

Download
memory/4104-10-0x0000000002C10000-0x0000000002C12000-memory.dmp

Filesize
8KB

Download
memory/4104-13-0x0000000002C80000-0x0000000003CAA000-memory.dmp

Filesize
16.2MB

Download
memory/4104-14-0x0000000002C10000-0x0000000002C12000-memory.dmp

Filesize
8KB

Download