modiloader | 15451e3138817bd4cf423ac5e4864b01c20cce445c7355f7531adc586c5e1475

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-09-2024 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe
Size

937KB
MD5

d563e2f9a8d5d5c74c62eb533e90dd70
SHA1

2a7a97ad4a427eb693fa9abb7347fd9f3ef997ea
SHA256

15451e3138817bd4cf423ac5e4864b01c20cce445c7355f7531adc586c5e1475
SHA512

6165b16827c10948537783d6ec36267d66a4211f7e7d7521a8c7c9bb3f831c950d65f4becf110d76bc2f6f8ca7fd7779e600761fa8f1d2e8cf084e2fa2965910
SSDEEP

24576:QeWv89tDzQQZIs2EfAzITVdAvbJpXPP/6JMNRnk844M7L9tZt:QeWvWQQr2E4SdWPCyHkD4M3DZt

Score

10^/10

modiloader pony credential_access discovery evasion persistence rat spyware stealer trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\3a6abd20\\X"	explorer.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	cxhost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ce4Rf7.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	zoakuk.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

ModiLoader Second Stage 10 IoCs

resource	yara_rule
behavioral1/memory/2984-13-0x0000000000400000-0x0000000000541000-memory.dmp	modiloader_stage2
behavioral1/memory/2984-15-0x0000000000400000-0x0000000000541000-memory.dmp	modiloader_stage2
behavioral1/memory/1592-11-0x0000000000400000-0x000000000041F000-memory.dmp	modiloader_stage2
behavioral1/files/0x0008000000018afc-45.dat	modiloader_stage2
behavioral1/memory/2984-52-0x0000000000400000-0x0000000000541000-memory.dmp	modiloader_stage2
behavioral1/memory/2784-67-0x0000000000400000-0x000000000041F000-memory.dmp	modiloader_stage2
behavioral1/files/0x0006000000018b03-71.dat	modiloader_stage2
behavioral1/memory/2268-94-0x0000000000400000-0x000000000041F000-memory.dmp	modiloader_stage2
behavioral1/files/0x0007000000018b54-391.dat	modiloader_stage2
behavioral1/memory/2984-423-0x0000000000400000-0x0000000000541000-memory.dmp	modiloader_stage2

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Deletes itself 1 IoCs

pid	Process
772	cmd.exe

Executes dropped EXE 16 IoCs

pid	Process
2952	ce4Rf7.exe
2876	zoakuk.exe
2784	axhost.exe
2440	axhost.exe
2268	bxhost.exe
3004	bxhost.exe
1168	cxhost.exe
2248	dxhost.exe
332	csrss.exe
1972	cxhost.exe
1056	cxhost.exe
480	X
2036	710B.tmp
3024	exhost.exe
936	fxhost.exe
2672	fxhost.exe

Loads dropped DLL 20 IoCs

pid	Process
2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe
2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe
2952	ce4Rf7.exe
2952	ce4Rf7.exe
2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe
2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe
2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe
2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe
2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe
2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe
2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe
2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe
2248	dxhost.exe
2248	dxhost.exe
1168	cxhost.exe
1168	cxhost.exe
2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe
2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe
2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe
2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2984-4-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral1/memory/2984-13-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral1/memory/2984-15-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral1/memory/2984-12-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral1/memory/2984-6-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral1/memory/2984-2-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral1/memory/2984-52-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral1/memory/2440-70-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2440-69-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2440-68-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2440-63-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2440-59-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2440-57-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/1168-132-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1972-176-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2672-414-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/2984-423-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral1/memory/2672-426-0x0000000000400000-0x0000000000407000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /s"	zoakuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5C1.exe = "C:\\Program Files (x86)\\LP\\B3EE\\5C1.exe"	cxhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /H"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /g"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /f"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /p"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /A"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /y"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /X"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /c"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /J"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /P"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /z"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /R"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /K"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /D"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /G"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /V"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /O"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /h"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /N"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /U"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /e"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /t"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /w"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /m"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /x"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /C"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /r"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /b"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /Z"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /B"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /n"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /M"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /o"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /T"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /Q"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /u"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /a"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /W"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /L"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /Y"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /I"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /q"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /k"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /i"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /l"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /v"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /d"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /E"	zoakuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /u"	ce4Rf7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoakuk = "C:\\Users\\Admin\\zoakuk.exe /j"	zoakuk.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	axhost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	axhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	bxhost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	bxhost.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
2716	tasklist.exe
1980	tasklist.exe
2532	tasklist.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1592 set thread context of 2984	1592	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe	30
PID 2784 set thread context of 2440	2784	axhost.exe	38
PID 2268 set thread context of 3004	2268	bxhost.exe	40
PID 2248 set thread context of 264	2248	dxhost.exe	53
PID 936 set thread context of 2672	936	fxhost.exe	56

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\B3EE\5C1.exe	cxhost.exe
File opened for modification	C:\Program Files (x86)\LP\B3EE\710B.tmp	cxhost.exe
File opened for modification	C:\Program Files (x86)\LP\B3EE\5C1.exe	cxhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cxhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cxhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	710B.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bxhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cxhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce4Rf7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zoakuk.exe

Modifies registry class 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6309c5e8-cf71-f152-4438-0838fc78b4dd}\u = "188"	dxhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6309c5e8-cf71-f152-4438-0838fc78b4dd}\cid = "8378991844031912464"	dxhost.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\registry\machine\Software\Classes\Interface\{6309c5e8-cf71-f152-4438-0838fc78b4dd}	dxhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2952	ce4Rf7.exe
2952	ce4Rf7.exe
2876	zoakuk.exe
2876	zoakuk.exe
2876	zoakuk.exe
2876	zoakuk.exe
2876	zoakuk.exe
2876	zoakuk.exe
2876	zoakuk.exe
2440	axhost.exe
2876	zoakuk.exe
2876	zoakuk.exe
2876	zoakuk.exe
2876	zoakuk.exe
2876	zoakuk.exe
2876	zoakuk.exe
2876	zoakuk.exe
2876	zoakuk.exe
3004	bxhost.exe
2876	zoakuk.exe
3004	bxhost.exe
3004	bxhost.exe
2876	zoakuk.exe
2876	zoakuk.exe
2876	zoakuk.exe
2876	zoakuk.exe
2876	zoakuk.exe
2876	zoakuk.exe
2876	zoakuk.exe
2876	zoakuk.exe
3004	bxhost.exe
3004	bxhost.exe
1168	cxhost.exe
1168	cxhost.exe
1168	cxhost.exe
1168	cxhost.exe
1168	cxhost.exe
1168	cxhost.exe
2876	zoakuk.exe
2876	zoakuk.exe
2876	zoakuk.exe
2248	dxhost.exe
2248	dxhost.exe
2248	dxhost.exe
2876	zoakuk.exe
2876	zoakuk.exe
2876	zoakuk.exe
2876	zoakuk.exe
3004	bxhost.exe
3004	bxhost.exe
2876	zoakuk.exe
2876	zoakuk.exe
2876	zoakuk.exe
2876	zoakuk.exe
2876	zoakuk.exe
2876	zoakuk.exe
2876	zoakuk.exe
3004	bxhost.exe
3004	bxhost.exe
2876	zoakuk.exe
2876	zoakuk.exe
2876	zoakuk.exe
2876	zoakuk.exe
2876	zoakuk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1096	explorer.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	tasklist.exe
Token: SeRestorePrivilege	844	msiexec.exe
Token: SeTakeOwnershipPrivilege	844	msiexec.exe
Token: SeSecurityPrivilege	844	msiexec.exe
Token: SeDebugPrivilege	2248	dxhost.exe
Token: SeDebugPrivilege	2248	dxhost.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: 33	2388	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2388	AUDIODG.EXE
Token: 33	2388	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2388	AUDIODG.EXE
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeDebugPrivilege	1980	tasklist.exe
Token: SeDebugPrivilege	2532	tasklist.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe

Suspicious use of SendNotifyMessage 17 IoCs

pid	Process
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe
2952	ce4Rf7.exe
2876	zoakuk.exe
3024	exhost.exe
2672	fxhost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
332	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 2984	1592	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe	30
PID 1592 wrote to memory of 2984	1592	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe	30
PID 1592 wrote to memory of 2984	1592	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe	30
PID 1592 wrote to memory of 2984	1592	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe	30
PID 1592 wrote to memory of 2984	1592	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe	30
PID 1592 wrote to memory of 2984	1592	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe	30
PID 1592 wrote to memory of 2984	1592	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe	30
PID 1592 wrote to memory of 2984	1592	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe	30
PID 2984 wrote to memory of 2952	2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2952	2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2952	2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2952	2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe	31
PID 2952 wrote to memory of 2876	2952	ce4Rf7.exe	32
PID 2952 wrote to memory of 2876	2952	ce4Rf7.exe	32
PID 2952 wrote to memory of 2876	2952	ce4Rf7.exe	32
PID 2952 wrote to memory of 2876	2952	ce4Rf7.exe	32
PID 2952 wrote to memory of 2896	2952	ce4Rf7.exe	33
PID 2952 wrote to memory of 2896	2952	ce4Rf7.exe	33
PID 2952 wrote to memory of 2896	2952	ce4Rf7.exe	33
PID 2952 wrote to memory of 2896	2952	ce4Rf7.exe	33
PID 2896 wrote to memory of 2716	2896	cmd.exe	35
PID 2896 wrote to memory of 2716	2896	cmd.exe	35
PID 2896 wrote to memory of 2716	2896	cmd.exe	35
PID 2896 wrote to memory of 2716	2896	cmd.exe	35
PID 2984 wrote to memory of 2784	2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe	36
PID 2984 wrote to memory of 2784	2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe	36
PID 2984 wrote to memory of 2784	2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe	36
PID 2984 wrote to memory of 2784	2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe	36
PID 2784 wrote to memory of 2440	2784	axhost.exe	38
PID 2784 wrote to memory of 2440	2784	axhost.exe	38
PID 2784 wrote to memory of 2440	2784	axhost.exe	38
PID 2784 wrote to memory of 2440	2784	axhost.exe	38
PID 2784 wrote to memory of 2440	2784	axhost.exe	38
PID 2784 wrote to memory of 2440	2784	axhost.exe	38
PID 2784 wrote to memory of 2440	2784	axhost.exe	38
PID 2784 wrote to memory of 2440	2784	axhost.exe	38
PID 2984 wrote to memory of 2268	2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe	39
PID 2984 wrote to memory of 2268	2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe	39
PID 2984 wrote to memory of 2268	2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe	39
PID 2984 wrote to memory of 2268	2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe	39
PID 2268 wrote to memory of 3004	2268	bxhost.exe	40
PID 2268 wrote to memory of 3004	2268	bxhost.exe	40
PID 2268 wrote to memory of 3004	2268	bxhost.exe	40
PID 2268 wrote to memory of 3004	2268	bxhost.exe	40
PID 2268 wrote to memory of 3004	2268	bxhost.exe	40
PID 2268 wrote to memory of 3004	2268	bxhost.exe	40
PID 2268 wrote to memory of 3004	2268	bxhost.exe	40
PID 2268 wrote to memory of 3004	2268	bxhost.exe	40
PID 2268 wrote to memory of 3004	2268	bxhost.exe	40
PID 2268 wrote to memory of 3004	2268	bxhost.exe	40
PID 2984 wrote to memory of 1168	2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe	41
PID 2984 wrote to memory of 1168	2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe	41
PID 2984 wrote to memory of 1168	2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe	41
PID 2984 wrote to memory of 1168	2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe	41
PID 2984 wrote to memory of 2248	2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe	43
PID 2984 wrote to memory of 2248	2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe	43
PID 2984 wrote to memory of 2248	2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe	43
PID 2984 wrote to memory of 2248	2984	d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe	43
PID 2248 wrote to memory of 332	2248	dxhost.exe	2
PID 1168 wrote to memory of 1972	1168	cxhost.exe	44
PID 1168 wrote to memory of 1972	1168	cxhost.exe	44
PID 1168 wrote to memory of 1972	1168	cxhost.exe	44
PID 1168 wrote to memory of 1972	1168	cxhost.exe	44
PID 332 wrote to memory of 2816	332	csrss.exe	45

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cxhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	cxhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:332

C:\Users\Admin\AppData\Local\Temp\d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Users\Admin\AppData\Local\Temp\d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe
  d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Users\Admin\ce4Rf7.exe
    C:\Users\Admin\ce4Rf7.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Users\Admin\zoakuk.exe
      "C:\Users\Admin\zoakuk.exe"
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2876
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del ce4Rf7.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
- - C:\Users\Admin\axhost.exe
    C:\Users\Admin\axhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Users\Admin\axhost.exe
      axhost.exe
      4⤵
      Executes dropped EXE
      Maps connected drives based on registry
      Suspicious behavior: EnumeratesProcesses
      PID:2440
- - C:\Users\Admin\bxhost.exe
    C:\Users\Admin\bxhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Users\Admin\bxhost.exe
      bxhost.exe
      4⤵
      Executes dropped EXE
      Maps connected drives based on registry
      Suspicious behavior: EnumeratesProcesses
      PID:3004
- - C:\Users\Admin\cxhost.exe
    C:\Users\Admin\cxhost.exe
    3⤵
    - Modifies security service
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1168
  - - C:\Users\Admin\cxhost.exe
      C:\Users\Admin\cxhost.exe startC:\Users\Admin\AppData\Roaming\E3729\85DB3.exe%C:\Users\Admin\AppData\Roaming\E3729
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1972
  - - C:\Users\Admin\cxhost.exe
      C:\Users\Admin\cxhost.exe startC:\Program Files (x86)\2931A\lvvm.exe%C:\Program Files (x86)\2931A
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1056
  - - C:\Program Files (x86)\LP\B3EE\710B.tmp
      "C:\Program Files (x86)\LP\B3EE\710B.tmp"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2036
- - C:\Users\Admin\dxhost.exe
    C:\Users\Admin\dxhost.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Users\Admin\AppData\Local\3a6abd20\X
      193.105.154.210:80
      4⤵
      Executes dropped EXE
      PID:480
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:264
- - C:\Users\Admin\exhost.exe
    C:\Users\Admin\exhost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3024
- - C:\Users\Admin\fxhost.exe
    C:\Users\Admin\fxhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:936
  - - C:\Users\Admin\fxhost.exe
      fxhost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2672
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c tasklist&&del fxhost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1060
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del d563e2f9a8d5d5c74c62eb533e90dd70_JaffaCakes118.exe
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:772
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1980

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2816

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies WinLogon for persistence
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1096

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:568

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x604
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LP\B3EE\710B.tmp

Filesize
94KB

MD5
cfa7a6d662be5be703e426c1e849965f

SHA1
aada98710adee405ef485dd2baf5bcceea1ca0ee

SHA256
68144a7cd9379fcbf8872e7590903ea7b7054565792983e6728aeb18144f2cf3

SHA512
233aadbfc65440c6fa2997a04c385200df16c97ff2d09c8b534f115b67834053e694d9b38e31fdb31ed7a4b84c1aac2795d7da107334467f2d310ab3e7571f9e

Download Submit
C:\Users\Admin\AppData\Local\3a6abd20\@

Filesize
2KB

MD5
16fee3f65291a43f43d21eb2d6139b80

SHA1
c6f22bfd952f1c34303453e74016f338e37f7af1

SHA256
49578c6c06354cdfb4db25c30484ce679918a86e462f373cfe1639dcdb8462a4

SHA512
4fbd883439bd3b356cd532d936d16862c01f8d71b06094fdc7b4c7b98e7a8783d23a576efd47065e45a869038570f6834a24f75618f6f0270c41fd5a945e29ff

Download Submit
C:\Users\Admin\AppData\Roaming\E3729\931A.372

Filesize
300B

MD5
956bb66b08c0531532779e2047626316

SHA1
3a8a6c55a7cadc9ee7e66ef64045aea1237cc803

SHA256
76b1a5db53b3db472e1a7b37af0fde2bd44bbfe570b9ca609a5375085af3e8b8

SHA512
483af25010fb4d2ced07be92dc653a2086239245215397c92c1d462194367485b4a4cfa9e114ebe5aa64531dc775e81ff232d375df60e891d6a1454d637ddf6c

Download Submit
C:\Users\Admin\AppData\Roaming\E3729\931A.372

Filesize
600B

MD5
82e2a34bbd940586d48abe317c5d9c5e

SHA1
7d058fc4cfd7df121b5b0b7e44d94552245c27d7

SHA256
b9e5b0b401791ba52bd2a0faad1439300dfdfcc772e2e99ce249e769967c6871

SHA512
69b53ed967ec14edee9eac5429d6e741445385bb0ac513ea6a2c492d9f79fd0f4e726de0dcf3030e510ad281f534a0e813c5ca43cc82f97a91edce3b25457a18

Download Submit
C:\Users\Admin\AppData\Roaming\E3729\931A.372

Filesize
996B

MD5
847409874a6e27ef1e9221a95cc6ff24

SHA1
c690a021727d3cc968dc5ae32655c58133b16d73

SHA256
2c15f71f39a68e6d900091d982986f1fd4b27f4334dd36955202fe6df23a7195

SHA512
c05400433afd30c18bcc20dfba4490788bb25e1a58603c97da48b0a8b59aa56991b419e117e10ed7d18c4a3c530c18d46e734cc43988dd5fbafc80c0848e75f5

Download Submit
C:\Users\Admin\AppData\Roaming\E3729\931A.372

Filesize
1KB

MD5
0aac0b852531eccca17701118aaf9bda

SHA1
dd018da0d8f2012b28d2d006de2f728b513a3423

SHA256
3701dce3420abc3cd354c09685ecbef1b518284a8c9429cacc24971fe0e29d9d

SHA512
e5766f5998463c6042730c755e1ba76028f6a4e0ee2006740a6c0b5d9839189864e115a782f3fc79848f9714746e9f659fc9f8dd9dbadc1e2f921b279fe00df7

Download Submit
\Users\Admin\AppData\Local\3a6abd20\X

Filesize
41KB

MD5
686b479b0ee164cf1744a8be359ebb7d

SHA1
8615e8f967276a85110b198d575982a958581a07

SHA256
fcfbb4c648649f4825b66504b261f912227ba32cbaabcadf4689020a83fb201b

SHA512
7ed8022e2b09f232150b77fc3a25269365b624f19f0b50c46a4fdf744eeb23294c09c051452c4c9dbb34a274f1a0bfc54b3ff1987ec16ae2e54848e22a97ed64

Download Submit
\Users\Admin\axhost.exe

Filesize
153KB

MD5
52f42d7b3168372ea722c27cd526678a

SHA1
3185dc7b1776130e887da03111470b85a55307f9

SHA256
53cdddd14430f557a92994899e348a3018b54f37d3ef95afbd507a5e266c31c9

SHA512
af3dcb374d2027533ebd5668ec6c113b6aa34b61b4dcaf37b2d66675febd70f04f390ffe6f74ee74543ebf82e7c8af6df204daa50e579b2dd0d55cd9c53d426c

Download Submit
\Users\Admin\bxhost.exe

Filesize
146KB

MD5
e6258d826a5e11ab09a7eb308932816d

SHA1
de1a7a40607c2a2ef101a5837fb3f21d842be6b8

SHA256
a8e6a92415e8de7ca067a89345e46cb73191be754722cd11b07373d5288e3bda

SHA512
ab757c6a8be1a6b6c60e0e49d8858e51deaf8f901b677dfd35c6028b26bbb8bb0532a6f3e195038fcfa66420a417157b6f6bf8eb387dab675e31ff9ee3e7df47

Download Submit
\Users\Admin\ce4Rf7.exe

Filesize
224KB

MD5
7d04f00a055b881ef4e1e61b78fefe42

SHA1
81599dc048176d45e5338ecab7f9b6591fb57549

SHA256
fa2d0f1155bb0dbfa891cfe53f76b283549eb19b5aa65b44e3361b976f1ecfd2

SHA512
2d5326284aebb34e6ee6e9f8773f03bc2e54359157f9ba3d7cb1d30be63cc96eebd114f063312fd030b34f4b03c6c02b9e0c324b1430f45a4d2698eadd254f91

Download Submit
\Users\Admin\cxhost.exe

Filesize
261KB

MD5
3cff661f3c8e46f339653a989974c5a9

SHA1
a9141a0ecdc450538750b28bdd487d63670ad05c

SHA256
b0776c3631b3b9f53ee9783ace63fe8c93db8d83f2362c43fd1ddce7cb4ab2b5

SHA512
7e08d2675e450ac6b1a5b155062c6b9328f05395bb21acb09f2a2c479f16711b5526b0fa0ae72539ecb1285f39ae67759e5df5844707b0e03e6d203c1f4478ca

Download Submit
\Users\Admin\dxhost.exe

Filesize
333KB

MD5
24dfc0e20a45967e3beb04304d892ced

SHA1
77b8e906dc3e496b5e24682502cae210929ec3ef

SHA256
3ddfe2c9854b36bb1ae469e6d6040b972c0b9e94870cf63bedd41602e22e4bbb

SHA512
e58ebda08f9aee766bed1233fbdf884ef0de39b87ded559b004eeac2274358c42915329a036b54db02d1fe6ddd33fb1ded07285534b3e960266bd115ea400c11

Download Submit
\Users\Admin\exhost.exe

Filesize
36KB

MD5
805aa66b17cb3b6df005d564e818dbbc

SHA1
2b2239797e6f0b80e73323d64a341067506fd913

SHA256
8598f1e53c608aa94919cd736eba115a597a5af6bb5869382a2f1750f0fb8a2e

SHA512
87f8dc492a2a673639f028d27b2ba227e2e2dd13d65030bd0365b80fa88ff18a763fd624a434c80bee29f93675b9029492ff51d6343bd34dc2a5b968df3666fd

Download Submit
\Users\Admin\fxhost.exe

Filesize
103KB

MD5
238baebf250614a48106ec4e34eb81c0

SHA1
7e0ce34860d8360dc71289e6e8b5876cbbd8569d

SHA256
79e84dfa5cbd7d4601498d63a50d42f8590b1ed6bbaee1f5361e7676c9beb65c

SHA512
dc306e139c24f5e4bfe324c0cc485cfdd9a4f5aa130c4d972d065350178206a9c0808fe6c540b2eb37422f5df0eff68eb46d7de047abfdf7a313923cfc75a743

Download Submit
\Users\Admin\zoakuk.exe

Filesize
224KB

MD5
89a7afb7e4f73067a542c19b83853357

SHA1
eb4857e65f7f99f1cc461b1a8ab8b11a75130e77

SHA256
8530127c3d8d769fede76fadba23ff7cce1fb22adcbe059e9da5d4ca61a37f82

SHA512
17d5b87e84c1d8eacfc6696771b31fbd1304afcf543b3e705a3ca49e66ae1db42a386c1f7516638f13189f1925d8a617df7a06c96d91fb3c7569a0b9dc8d542e

Download Submit
\Windows\System32\consrv.dll

Filesize
31KB

MD5
dafc4a53954b76c5db1d857e955f3805

SHA1
a18fa0d38c6656b4398953e77e87eec3b0209ef3

SHA256
c6c82dde145a2dd9d70b1b539b17571befb663fc4a9ca834ff2a140cc4ebaa0b

SHA512
745e27a4f952e2492dbd12ced396be2c7dc78344ba415ad64b45920f95d7a282e30c7ad2da9266dc195c71e38019809e8183a705f9276c7d178de2f5ef34b633

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

Filesize
2KB

MD5
0818e5a4f136cad95d116cc049a027d1

SHA1
f8bc21603a959ddef33b52abbf28c382beca38dc

SHA256
69e340af209af20669ba5f1d3fcf27aacbce69f441963d5bedea3b2f1d5d0633

SHA512
95ba862b14620a3e0d022cdc614d0346fc9e828ee6054387f51b502defb00a76f553edd9d43c0d2299820162c651b7f9e0ffd5b8fb1ea93bb5ccbc6e8f421c79

Download Submit
memory/332-130-0x0000000000AB0000-0x0000000000ABC000-memory.dmp

Filesize
48KB

Download
memory/1168-132-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1592-11-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1972-176-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2248-174-0x0000000000400000-0x000000000045FDD4-memory.dmp

Filesize
383KB

Download
memory/2248-117-0x00000000003C0000-0x00000000003EC000-memory.dmp

Filesize
176KB

Download
memory/2248-120-0x00000000003C0000-0x00000000003EC000-memory.dmp

Filesize
176KB

Download
memory/2248-123-0x00000000003C0000-0x00000000003EC000-memory.dmp

Filesize
176KB

Download
memory/2268-94-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2440-55-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2440-59-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2440-70-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2440-69-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2440-68-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2440-63-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2440-57-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2672-426-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2672-414-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2784-67-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2952-44-0x0000000003410000-0x0000000003ECA000-memory.dmp

Filesize
10.7MB

Download
memory/2984-12-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/2984-13-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/2984-2-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/2984-6-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/2984-1-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/2984-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2984-52-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/2984-423-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/2984-4-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/2984-15-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/3004-79-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3004-93-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3004-89-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3004-131-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3004-83-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3004-81-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3004-97-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3004-86-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download