metasploit | 2b8ca9167adfa1f750586e957d4ac4a0f5f3d260200167fb30e4b6caea9b0953

Analysis

max time kernel
147s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/09/2024, 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7413f74d42ea5800098ed3e829e4482_JaffaCakes118.exe
Size

1.3MB
MD5

e7413f74d42ea5800098ed3e829e4482
SHA1

a948c60fbdc351f820ee2485a40ec770cb192043
SHA256

2b8ca9167adfa1f750586e957d4ac4a0f5f3d260200167fb30e4b6caea9b0953
SHA512

1fd09d2ce6a147163a7432c3a658f533a6ba130b1bc6ba493931976fd4c3d2a7845e11029bd0bbec08e7709ccfa1f93123ca4e6f24dc06f1df9c5681b85417c4
SSDEEP

3072:wjY4C6zJKEmIjV0s4wg8ShB/V50GSSOEPCQ4gn2CPETEwabZlXLRsHfBg580f70+:MY4vgv9ZBn/oGpOfQsabRr8c7yg

Score

10^/10

metasploit backdoor discovery evasion trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies security service 2 TTPs 22 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe

Executes dropped EXE 10 IoCs

pid	Process
828	msxdll.exe
3352	msxdll.exe
464	msxdll.exe
2072	msxdll.exe
3960	msxdll.exe
4812	msxdll.exe
2256	msxdll.exe
3968	msxdll.exe
2976	msxdll.exe
2100	msxdll.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File opened for modification	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File created	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File opened for modification	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File opened for modification	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File created	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File opened for modification	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File created	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File opened for modification	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File created	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File opened for modification	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File created	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File opened for modification	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File opened for modification	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File created	C:\Windows\SysWOW64\msxdll.exe	e7413f74d42ea5800098ed3e829e4482_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msxdll.exe	e7413f74d42ea5800098ed3e829e4482_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File opened for modification	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File opened for modification	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File created	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File created	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File created	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msxdll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msxdll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msxdll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msxdll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msxdll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msxdll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msxdll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msxdll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msxdll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7413f74d42ea5800098ed3e829e4482_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msxdll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Runs .reg file with regedit 11 IoCs

pid	Process
1208	regedit.exe
4720	regedit.exe
2300	regedit.exe
2232	regedit.exe
2208	regedit.exe
976	regedit.exe
3996	regedit.exe
1012	regedit.exe
4312	regedit.exe
5116	regedit.exe
2164	regedit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 1896	1116	e7413f74d42ea5800098ed3e829e4482_JaffaCakes118.exe	81
PID 1116 wrote to memory of 1896	1116	e7413f74d42ea5800098ed3e829e4482_JaffaCakes118.exe	81
PID 1116 wrote to memory of 1896	1116	e7413f74d42ea5800098ed3e829e4482_JaffaCakes118.exe	81
PID 1896 wrote to memory of 1208	1896	cmd.exe	82
PID 1896 wrote to memory of 1208	1896	cmd.exe	82
PID 1896 wrote to memory of 1208	1896	cmd.exe	82
PID 1116 wrote to memory of 828	1116	e7413f74d42ea5800098ed3e829e4482_JaffaCakes118.exe	83
PID 1116 wrote to memory of 828	1116	e7413f74d42ea5800098ed3e829e4482_JaffaCakes118.exe	83
PID 1116 wrote to memory of 828	1116	e7413f74d42ea5800098ed3e829e4482_JaffaCakes118.exe	83
PID 828 wrote to memory of 4544	828	msxdll.exe	84
PID 828 wrote to memory of 4544	828	msxdll.exe	84
PID 828 wrote to memory of 4544	828	msxdll.exe	84
PID 4544 wrote to memory of 4720	4544	cmd.exe	85
PID 4544 wrote to memory of 4720	4544	cmd.exe	85
PID 4544 wrote to memory of 4720	4544	cmd.exe	85
PID 828 wrote to memory of 3352	828	msxdll.exe	93
PID 828 wrote to memory of 3352	828	msxdll.exe	93
PID 828 wrote to memory of 3352	828	msxdll.exe	93
PID 3352 wrote to memory of 400	3352	msxdll.exe	94
PID 3352 wrote to memory of 400	3352	msxdll.exe	94
PID 3352 wrote to memory of 400	3352	msxdll.exe	94
PID 400 wrote to memory of 2300	400	cmd.exe	95
PID 400 wrote to memory of 2300	400	cmd.exe	95
PID 400 wrote to memory of 2300	400	cmd.exe	95
PID 3352 wrote to memory of 464	3352	msxdll.exe	97
PID 3352 wrote to memory of 464	3352	msxdll.exe	97
PID 3352 wrote to memory of 464	3352	msxdll.exe	97
PID 464 wrote to memory of 1784	464	msxdll.exe	98
PID 464 wrote to memory of 1784	464	msxdll.exe	98
PID 464 wrote to memory of 1784	464	msxdll.exe	98
PID 1784 wrote to memory of 3996	1784	cmd.exe	99
PID 1784 wrote to memory of 3996	1784	cmd.exe	99
PID 1784 wrote to memory of 3996	1784	cmd.exe	99
PID 464 wrote to memory of 2072	464	msxdll.exe	101
PID 464 wrote to memory of 2072	464	msxdll.exe	101
PID 464 wrote to memory of 2072	464	msxdll.exe	101
PID 2072 wrote to memory of 1896	2072	msxdll.exe	102
PID 2072 wrote to memory of 1896	2072	msxdll.exe	102
PID 2072 wrote to memory of 1896	2072	msxdll.exe	102
PID 1896 wrote to memory of 2232	1896	cmd.exe	103
PID 1896 wrote to memory of 2232	1896	cmd.exe	103
PID 1896 wrote to memory of 2232	1896	cmd.exe	103
PID 2072 wrote to memory of 3960	2072	msxdll.exe	104
PID 2072 wrote to memory of 3960	2072	msxdll.exe	104
PID 2072 wrote to memory of 3960	2072	msxdll.exe	104
PID 3960 wrote to memory of 1084	3960	msxdll.exe	105
PID 3960 wrote to memory of 1084	3960	msxdll.exe	105
PID 3960 wrote to memory of 1084	3960	msxdll.exe	105
PID 1084 wrote to memory of 2208	1084	cmd.exe	106
PID 1084 wrote to memory of 2208	1084	cmd.exe	106
PID 1084 wrote to memory of 2208	1084	cmd.exe	106
PID 3960 wrote to memory of 4812	3960	msxdll.exe	107
PID 3960 wrote to memory of 4812	3960	msxdll.exe	107
PID 3960 wrote to memory of 4812	3960	msxdll.exe	107
PID 4812 wrote to memory of 1480	4812	msxdll.exe	108
PID 4812 wrote to memory of 1480	4812	msxdll.exe	108
PID 4812 wrote to memory of 1480	4812	msxdll.exe	108
PID 1480 wrote to memory of 1012	1480	cmd.exe	109
PID 1480 wrote to memory of 1012	1480	cmd.exe	109
PID 1480 wrote to memory of 1012	1480	cmd.exe	109
PID 4812 wrote to memory of 2256	4812	msxdll.exe	110
PID 4812 wrote to memory of 2256	4812	msxdll.exe	110
PID 4812 wrote to memory of 2256	4812	msxdll.exe	110
PID 2256 wrote to memory of 5028	2256	msxdll.exe	111

C:\Users\Admin\AppData\Local\Temp\e7413f74d42ea5800098ed3e829e4482_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e7413f74d42ea5800098ed3e829e4482_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\a.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    3⤵
    - Modifies security service
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:1208
- C:\Windows\SysWOW64\msxdll.exe
  C:\Windows\system32\msxdll.exe 1048 "C:\Users\Admin\AppData\Local\Temp\e7413f74d42ea5800098ed3e829e4482_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\a.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
      4⤵
      Modifies security service
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:4720
- - C:\Windows\SysWOW64\msxdll.exe
    C:\Windows\system32\msxdll.exe 1168 "C:\Windows\SysWOW64\msxdll.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\a.bat
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:400
    - - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        5⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2300
  - - C:\Windows\SysWOW64\msxdll.exe
      C:\Windows\system32\msxdll.exe 1140 "C:\Windows\SysWOW64\msxdll.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:464
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1784
      - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        6⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:3996
    - - C:\Windows\SysWOW64\msxdll.exe
        
        C:\Windows\system32\msxdll.exe 1144 "C:\Windows\SysWOW64\msxdll.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2072
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        7⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2232
      - C:\Windows\SysWOW64\msxdll.exe
        
        C:\Windows\system32\msxdll.exe 1152 "C:\Windows\SysWOW64\msxdll.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        8⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2208
        
        C:\Windows\SysWOW64\msxdll.exe
        
        C:\Windows\system32\msxdll.exe 1148 "C:\Windows\SysWOW64\msxdll.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        9⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:1012
        
        C:\Windows\SysWOW64\msxdll.exe
        
        C:\Windows\system32\msxdll.exe 1156 "C:\Windows\SysWOW64\msxdll.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        10⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:976
        
        C:\Windows\SysWOW64\msxdll.exe
        
        C:\Windows\system32\msxdll.exe 1160 "C:\Windows\SysWOW64\msxdll.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3864
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        11⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:4312
        
        C:\Windows\SysWOW64\msxdll.exe
        
        C:\Windows\system32\msxdll.exe 1164 "C:\Windows\SysWOW64\msxdll.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        12⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:5116
        
        C:\Windows\SysWOW64\msxdll.exe
        
        C:\Windows\system32\msxdll.exe 1172 "C:\Windows\SysWOW64\msxdll.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        13⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
574B

MD5
5020988c301a6bf0c54a293ddf64837c

SHA1
5b65e689a2988b9a739d53565b2a847f20d70f09

SHA256
a123ebc1fac86713cdd7c4a511e022783a581ea02ba65ea18360555706ae5f2d

SHA512
921a07597f8c82c65c675f5b09a2552c7e2e8c65c8df59eebbe9aff0bfe439ad93f5efc97ba521be31299323051d61ead6a3f0be27302dc0f728b7a844fb2fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
b79d7c7385eb2936ecd5681762227a9b

SHA1
c2a21fb49bd3cc8be9baac1bf6f6389453ad785d

SHA256
fd1be29f1f4b9fc4a8d9b583c4d2114f17c062998c833b2085960ac02ef82019

SHA512
7ea049afca363ff483f57b9fff1e213006d689eb4406cefe7f1e096c46b41e7908f1e4d69e1411ae56eb1c4e19489c9322176ffdd8ea2f1c37213eb51f03ef5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
5e073629d751540b3512a229a7c56baf

SHA1
8d384f06bf3fe00d178514990ae39fc54d4e3941

SHA256
2039732d26af5a0d4db7bda4a781967a0e0e4543dea9838690219e3cb688449e

SHA512
84fc0d818ecd5706904b5918170436820ffc78c894cbe549a4f5b04b5c9832e3d709c98d56c8522b55a98cd9db8ec04aeaa020e9162e8a35503597ca580126fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
ff6c57e8ec2b96b8da7fe900f1f3da1c

SHA1
a6f0dc2e2a0a46e1031017b81825173054bf76ae

SHA256
ad103027edabf24721c50018ae32c2b34872f7f63a352d31591a2cd7174008d6

SHA512
c0069e816bdf494c149e6bc278dc63ad58e348ec90d9bf161f2558bea03e9622e4b0c03b1a6b2517e87ef4e748d4aac36fb853f70180b55521e56c9c4960babc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
a920eceddece6cf7f3487fd8e919af34

SHA1
a6dee2d31d4cbd1b18f5d3bc971521411a699889

SHA256
ec2d3952154412db3202f5c95e4d1b02c40a7f71f4458898ddc36e827a7b32d6

SHA512
a4700af2ce477c7ce33f434cdddd4031e88c3926d05475f522a753063269fe8b6e50b649c3e939272240194951cb70ac05df533978c19839e381141535275ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
5002319f56002f8d7ceacecf8672ce25

SHA1
3b26b6801be4768cc7582e29bc93facdf2a74be3

SHA256
f23f4854d17525744e8028db6dde6eb7d5d664b0ee1b08870c9c01b639e0124c

SHA512
8eae0fabc7f5a7e452abacf988a3632874c556af409da5e60c5e529524732b40f22d4e1d860ccceae87642875c819fc8a8120eceaabd25861f920c8c066a9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
274B

MD5
eee5718ce97d259fd8acec31375fc375

SHA1
989c64b0c9a049f1b7ad9e677c4566ab1559744f

SHA256
1975123645c58e5160d63cc6ab8430f9dd0bc70d5cddafccf3687d655730dcfb

SHA512
6c2e14846b20128ac8bea8470b4455fd4b65de7457c216824cfa7008fafa41c29445290de6780dc4f6f3beea97ec3137c02c9b7504877d6c845e573a7b7db610

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
872656500ddac1ddd91d10aba3a8df96

SHA1
ddf655aea7e8eae37b0a2dd4c8cabaf21cf681fc

SHA256
d6f58d2fbf733d278281af0b9e7732a591cdd752e18a430f76cb7afa806c75f8

SHA512
e7fab32f6f38bde67c8ce7af483216c9965ab62a70aee5c9a9e17aa693c33c67953f817406c1687406977b234d89e62d7feb44757527de5db34e5a61462a0be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
849B

MD5
558ce6da965ba1758d112b22e15aa5a2

SHA1
a365542609e4d1dc46be62928b08612fcabe2ede

SHA256
c11beaac10a5e00391ef4b41be8c240f59c5a2dc930aead6d7db237fcd2641fb

SHA512
37f7f10c3d201b11cc5224ae69c5990eb33b4430c601d3c21f6bec9323621120442e0cfa49e1f4eda459ea4ac750277e446dca78b9e44c1445bd891e4e460b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
831afd728dd974045c0654510071d405

SHA1
9484f4ee8e9eef0956553a59cfbcbe99a8822026

SHA256
03223eaae4ac389215cb8a9cb4e4d5a70b67f791f90e57b8efd3f975f5cf6af2

SHA512
ab7ac4d6d45b8aac5f82432468d40bd2b5bfae6d93006732ce27a6513fd3e7ddc94c029051092bf8b6f5649688c0f6600dbd88968732fc7b779e916e6bcda5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
bef09dc596b7b91eec4f38765e0965b7

SHA1
b8bb8d2eb918e0979b08fd1967dac127874b9de5

SHA256
8dab724d5941eb7becff35ce1a76e8525dcdca024900e70758300dcdddf8e265

SHA512
0bbce4150b47bafb674f2074fdfc20df86edadb85037f93c541d1d53f721ed52e37a49d14522dac56e9d2e9ce801bcdb701509fa02285778a086d547f1be966a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
6bf876cd9994f0d41be4eca36d22c42a

SHA1
50cda4b940e6ba730ce59000cfc59e6c4d7fdc79

SHA256
ff39ffe6e43e9b293c5be6aa85345e868a27215293e750c00e1e0ba676deeb2a

SHA512
605e2920cd230b6c617a2d4153f23144954cd4bae0f66b857e1b334cd66258fbc5ba049c1ab6ab83c30fd54c87235a115ec7bbfd17d6792a4bbbae4c6700e106

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
6dd7ad95427e77ae09861afd77104775

SHA1
81c2ffe8c63e71f013a07e5794473b60f50c0716

SHA256
8eb7ba2c4ca558bb764f1db1ea0da16c08791a79e995704e5c1b9f3e855008c2

SHA512
171d8a96006ea9ff2655af49bd3bfc4702ba8573b3e6f93237ee52e0be68dd09e123495f9fbda9ff69d03fe843d9306798cae6c156202d48b8d021722eedc7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
7fe70731de9e888ca911baeb99ee503d

SHA1
0073da5273512f66dbf570580dc55957535c2478

SHA256
ec8ce13a4cab475695329eddc61ff2eee378e79f0d2f9ca3a9bc7b18bd52b89a

SHA512
4421df7085fd2aac218d5544152d77080b99c1eaa24076975a6b1bb01149a19a1c0d6cc2c042cd507b37af9a220e7ce1f026103cdabfaec5994b1533c2f3eeac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
584f47a0068747b3295751a0d591f4ee

SHA1
7886a90e507c56d3a6105ecdfd9ff77939afa56f

SHA256
927fd19c24f20ac1dff028de9d73094b2591842248c95a20a8264abf1333aea5

SHA512
ca945aad3c2d9ecadff2bc30cf23902b1254cffdf572ff9d4e7c94659255fc3467899053e4a45d3b155900c7b5b91abedf03d31af7e39870015c85e424d04257

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
cd085b8c40e69c2bf1eb3d59f8155b99

SHA1
3499260f24020fe6d54d9d632d34ba2770bb06e0

SHA256
10546433db0c1ab764cd632eb0d08d93a530c6e52d1ec7fcb9c1fd32193f2a9c

SHA512
3813b8a7f742f6a64da36492447f3f2fee6ea505d7d0dccebede84117ec06101321dfacc7901403ea557171085982ae1a4dc39dd666da9e67d61ea71dfbb8edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
3637baf389a0d79b412adb2a7f1b7d09

SHA1
f4b011a72f59cf98a325f12b7e40ddd0548ccc16

SHA256
835336f5d468ac1d8361f9afbc8e69ff1538c51b0b619d641b4b41dcfaa39cba

SHA512
ea71a49c3673e9ce4f92d0f38441b3bc5b3b9ef6649caa21972648e34b6cec8694fa8fb7fc0ddad1e58f0464e0ba917c4500090a3db3fc07e1d258079c1c2506

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
6b0182442d6e09100c34904ae6d8ee0c

SHA1
6255e65587505629521ea048a4e40cc48b512f2c

SHA256
cb34af7065e6c95f33fee397991045dae5dfae9d510660e6981ee6263542f9a4

SHA512
64395a0c6fce50a64a2067522b798f9b27c577da96e8d68f830a075ba833f1d644af27a9c6fc941ebb3d79999ac31576763378c9997a5b38eb5fdf075918eb46

Download Submit
C:\Windows\SysWOW64\msxdll.exe

Filesize
1.3MB

MD5
e7413f74d42ea5800098ed3e829e4482

SHA1
a948c60fbdc351f820ee2485a40ec770cb192043

SHA256
2b8ca9167adfa1f750586e957d4ac4a0f5f3d260200167fb30e4b6caea9b0953

SHA512
1fd09d2ce6a147163a7432c3a658f533a6ba130b1bc6ba493931976fd4c3d2a7845e11029bd0bbec08e7709ccfa1f93123ca4e6f24dc06f1df9c5681b85417c4

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
memory/464-452-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/828-228-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/1116-0-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/1116-227-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2072-564-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2100-1236-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2256-900-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2976-1124-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/3352-340-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/3960-676-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/3968-1012-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/4812-788-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads