5db5cc276c0731467390e4369345ffe9c349c221df5fc1d58dbdd27e6963ac50

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da7e858452919019ee6c61c5c158f28b_JaffaCakes118.exe
Size

529KB
MD5

da7e858452919019ee6c61c5c158f28b
SHA1

875f2a668abc6c70ec1bba1584b9e4f6e75d8cfc
SHA256

5db5cc276c0731467390e4369345ffe9c349c221df5fc1d58dbdd27e6963ac50
SHA512

d2eb6775bbe9678e92bb87deeba38d1ac5a9a86ee5df8d5a8d50c69a1475bb2a792ff1b6d20142a7812f0f4f158cdc2cf8ab50263c738842f3e80ce5435a6c35
SSDEEP

12288:QyeWT96x+MN2N4Bou8Bw1bFsIPNHqC5xlA0l:QyeAEwN4BuYFsI1KyV

Score

10^/10

discovery evasion execution trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	ееЕаАххВОеЕао.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ееЕаАххВОеЕао.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ееЕаАххВОеЕао.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	ееЕаАххВОеЕао.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ееЕаАххВОеЕао.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ееЕаАххВОеЕао.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	ееЕаАххВОеЕао.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ееЕаАххВОеЕао.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	ееЕаАххВОеЕао.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ееЕаАххВОеЕао.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
2796	ееЕаАххВОеЕао.exe
304	ееЕаАххВОеЕао.exe

Loads dropped DLL 2 IoCs

pid	Process
2420	da7e858452919019ee6c61c5c158f28b_JaffaCakes118.exe
2420	da7e858452919019ee6c61c5c158f28b_JaffaCakes118.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2848	powershell.exe
1452	powershell.exe
764	powershell.exe
760	powershell.exe
2136	powershell.exe
2236	powershell.exe
320	powershell.exe
3052	powershell.exe
2108	powershell.exe
1904	powershell.exe
2032	powershell.exe
2736	powershell.exe
2152	powershell.exe
2164	powershell.exe
2428	powershell.exe
1084	powershell.exe
2372	powershell.exe
2072	powershell.exe
2732	powershell.exe
1660	powershell.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2580	sc.exe
2620	sc.exe
1736	sc.exe
2324	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da7e858452919019ee6c61c5c158f28b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ееЕаАххВОеЕао.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ееЕаАххВОеЕао.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c0789b665204db01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ееЕаАххВОеЕао.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	ееЕаАххВОеЕао.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	ееЕаАххВОеЕао.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2032	powershell.exe
2236	powershell.exe
2136	powershell.exe
2732	powershell.exe
2848	powershell.exe
320	powershell.exe
2736	powershell.exe
1084	powershell.exe
2372	powershell.exe
1660	powershell.exe
764	powershell.exe
2152	powershell.exe
1452	powershell.exe
2164	powershell.exe
760	powershell.exe
3052	powershell.exe
2108	powershell.exe
1904	powershell.exe
2072	powershell.exe
2428	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeTcbPrivilege	2556	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2796	2420	da7e858452919019ee6c61c5c158f28b_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2796	2420	da7e858452919019ee6c61c5c158f28b_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2796	2420	da7e858452919019ee6c61c5c158f28b_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2796	2420	da7e858452919019ee6c61c5c158f28b_JaffaCakes118.exe	30
PID 2796 wrote to memory of 2392	2796	ееЕаАххВОеЕао.exe	31
PID 2796 wrote to memory of 2392	2796	ееЕаАххВОеЕао.exe	31
PID 2796 wrote to memory of 2392	2796	ееЕаАххВОеЕао.exe	31
PID 2796 wrote to memory of 2392	2796	ееЕаАххВОеЕао.exe	31
PID 2796 wrote to memory of 2876	2796	ееЕаАххВОеЕао.exe	33
PID 2796 wrote to memory of 2876	2796	ееЕаАххВОеЕао.exe	33
PID 2796 wrote to memory of 2876	2796	ееЕаАххВОеЕао.exe	33
PID 2796 wrote to memory of 2876	2796	ееЕаАххВОеЕао.exe	33
PID 2392 wrote to memory of 2580	2392	cmd.exe	35
PID 2392 wrote to memory of 2580	2392	cmd.exe	35
PID 2392 wrote to memory of 2580	2392	cmd.exe	35
PID 2796 wrote to memory of 2884	2796	ееЕаАххВОеЕао.exe	36
PID 2796 wrote to memory of 2884	2796	ееЕаАххВОеЕао.exe	36
PID 2796 wrote to memory of 2884	2796	ееЕаАххВОеЕао.exe	36
PID 2796 wrote to memory of 2884	2796	ееЕаАххВОеЕао.exe	36
PID 2796 wrote to memory of 2668	2796	ееЕаАххВОеЕао.exe	38
PID 2796 wrote to memory of 2668	2796	ееЕаАххВОеЕао.exe	38
PID 2796 wrote to memory of 2668	2796	ееЕаАххВОеЕао.exe	38
PID 2796 wrote to memory of 2668	2796	ееЕаАххВОеЕао.exe	38
PID 2796 wrote to memory of 2556	2796	ееЕаАххВОеЕао.exe	40
PID 2796 wrote to memory of 2556	2796	ееЕаАххВОеЕао.exe	40
PID 2796 wrote to memory of 2556	2796	ееЕаАххВОеЕао.exe	40
PID 2796 wrote to memory of 2556	2796	ееЕаАххВОеЕао.exe	40
PID 2796 wrote to memory of 2588	2796	ееЕаАххВОеЕао.exe	42
PID 2796 wrote to memory of 2588	2796	ееЕаАххВОеЕао.exe	42
PID 2796 wrote to memory of 2588	2796	ееЕаАххВОеЕао.exe	42
PID 2796 wrote to memory of 2588	2796	ееЕаАххВОеЕао.exe	42
PID 2876 wrote to memory of 2620	2876	cmd.exe	43
PID 2876 wrote to memory of 2620	2876	cmd.exe	43
PID 2876 wrote to memory of 2620	2876	cmd.exe	43
PID 2796 wrote to memory of 2676	2796	ееЕаАххВОеЕао.exe	44
PID 2796 wrote to memory of 2676	2796	ееЕаАххВОеЕао.exe	44
PID 2796 wrote to memory of 2676	2796	ееЕаАххВОеЕао.exe	44
PID 2796 wrote to memory of 2676	2796	ееЕаАххВОеЕао.exe	44
PID 2796 wrote to memory of 2016	2796	ееЕаАххВОеЕао.exe	45
PID 2796 wrote to memory of 2016	2796	ееЕаАххВОеЕао.exe	45
PID 2796 wrote to memory of 2016	2796	ееЕаАххВОеЕао.exe	45
PID 2796 wrote to memory of 2016	2796	ееЕаАххВОеЕао.exe	45
PID 2884 wrote to memory of 2236	2884	cmd.exe	47
PID 2884 wrote to memory of 2236	2884	cmd.exe	47
PID 2884 wrote to memory of 2236	2884	cmd.exe	47
PID 2796 wrote to memory of 2724	2796	ееЕаАххВОеЕао.exe	48
PID 2796 wrote to memory of 2724	2796	ееЕаАххВОеЕао.exe	48
PID 2796 wrote to memory of 2724	2796	ееЕаАххВОеЕао.exe	48
PID 2796 wrote to memory of 2724	2796	ееЕаАххВОеЕао.exe	48
PID 2556 wrote to memory of 2032	2556	cmd.exe	49
PID 2556 wrote to memory of 2032	2556	cmd.exe	49
PID 2556 wrote to memory of 2032	2556	cmd.exe	49
PID 2668 wrote to memory of 2136	2668	cmd.exe	50
PID 2668 wrote to memory of 2136	2668	cmd.exe	50
PID 2668 wrote to memory of 2136	2668	cmd.exe	50
PID 2796 wrote to memory of 916	2796	ееЕаАххВОеЕао.exe	51
PID 2796 wrote to memory of 916	2796	ееЕаАххВОеЕао.exe	51
PID 2796 wrote to memory of 916	2796	ееЕаАххВОеЕао.exe	51
PID 2796 wrote to memory of 916	2796	ееЕаАххВОеЕао.exe	51
PID 2796 wrote to memory of 1476	2796	ееЕаАххВОеЕао.exe	54
PID 2796 wrote to memory of 1476	2796	ееЕаАххВОеЕао.exe	54
PID 2796 wrote to memory of 1476	2796	ееЕаАххВОеЕао.exe	54
PID 2796 wrote to memory of 1476	2796	ееЕаАххВОеЕао.exe	54
PID 2796 wrote to memory of 2312	2796	ееЕаАххВОеЕао.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\da7e858452919019ee6c61c5c158f28b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\da7e858452919019ee6c61c5c158f28b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\ProgramData\ееЕаАххВОеЕао.exe
  "C:\ProgramData\ееЕаАххВОеЕао.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:2580
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc delete WinDefend
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\system32\sc.exe
      sc delete WinDefend
      4⤵
      Launches sc.exe
      PID:2620
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2236
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableBehaviorMonitoring $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2136
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableBlockAtFirstSeen $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2032
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIOAVProtection $true
    3⤵
    PID:2588
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIOAVProtection $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:320
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisablePrivacyMode $true
    3⤵
    PID:2676
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisablePrivacyMode $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1660
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
    3⤵
    PID:2016
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2736
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -SevereThreatDefaultAction 6
    3⤵
    PID:2724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -SevereThreatDefaultAction 6
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2732
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -LowThreatDefaultAction 6
    3⤵
    PID:916
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -LowThreatDefaultAction 6
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2848
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -ModerateThreatDefaultAction 6
    3⤵
    PID:1476
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -ModerateThreatDefaultAction 6
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1084
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableScriptScanning $true
    3⤵
    PID:2312
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableScriptScanning $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2372
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:1532

C:\Windows\system32\taskeng.exe
taskeng.exe {F92139C7-6C97-4262-B39A-5657A445E7C1} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2984
- C:\Users\Admin\AppData\Roaming\NetLibs14\ееЕаАххВОеЕао.exe
  C:\Users\Admin\AppData\Roaming\NetLibs14\ееЕаАххВОеЕао.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:304
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
    3⤵
    PID:2380
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:1736
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc delete WinDefend
    3⤵
    PID:2756
  - - C:\Windows\system32\sc.exe
      sc delete WinDefend
      4⤵
      Launches sc.exe
      PID:2324
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    PID:2712
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1452
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
    3⤵
    PID:1580
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableBehaviorMonitoring $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2152
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
    3⤵
    PID:1588
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableBlockAtFirstSeen $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:760
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIOAVProtection $true
    3⤵
    PID:1584
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIOAVProtection $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2108
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisablePrivacyMode $true
    3⤵
    PID:1704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisablePrivacyMode $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3052
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
    3⤵
    PID:2752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2164
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -SevereThreatDefaultAction 6
    3⤵
    PID:1412
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -SevereThreatDefaultAction 6
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2428
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -LowThreatDefaultAction 6
    3⤵
    PID:2672
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -LowThreatDefaultAction 6
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1904
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -ModerateThreatDefaultAction 6
    3⤵
    PID:2704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -ModerateThreatDefaultAction 6
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2072
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableScriptScanning $true
    3⤵
    PID:2784
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableScriptScanning $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:764
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
12d345ae7d7044974b8e0dedb8571222

SHA1
98d669f0ec01e92af50a9437985883e1470c63da

SHA256
fbf91cb1831f935307045d937df4cb7fed5d055e16e31c766b773216bb2ea21a

SHA512
e53aff9a1a9c48846c80352d59ef268b096f13e65431d9daea4290dee752e686cfd07f2298ae7e7d47df94af156885d206e844d87defff9e32596e4c7b5297ea

Download Submit
\ProgramData\ееЕаАххВОеЕао.exe

Filesize
529KB

MD5
da7e858452919019ee6c61c5c158f28b

SHA1
875f2a668abc6c70ec1bba1584b9e4f6e75d8cfc

SHA256
5db5cc276c0731467390e4369345ffe9c349c221df5fc1d58dbdd27e6963ac50

SHA512
d2eb6775bbe9678e92bb87deeba38d1ac5a9a86ee5df8d5a8d50c69a1475bb2a792ff1b6d20142a7812f0f4f158cdc2cf8ab50263c738842f3e80ce5435a6c35

Download Submit
memory/764-76-0x0000000019FF0000-0x000000001A2D2000-memory.dmp

Filesize
2.9MB

Download
memory/764-77-0x0000000000970000-0x0000000000978000-memory.dmp

Filesize
32KB

Download
memory/1532-68-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2032-27-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/2032-26-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2796-11-0x00000000002E0000-0x000000000030C000-memory.dmp

Filesize
176KB

Download
memory/2796-63-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2796-70-0x00000000002E0000-0x000000000030C000-memory.dmp

Filesize
176KB

Download