Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
19/09/2024, 04:25
Static task
static1
Behavioral task
behavioral1
Sample
ea94754c6d1a3ec7c46046b64a499505_JaffaCakes118.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
ea94754c6d1a3ec7c46046b64a499505_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
ea94754c6d1a3ec7c46046b64a499505_JaffaCakes118.exe
-
Size
1.1MB
-
MD5
ea94754c6d1a3ec7c46046b64a499505
-
SHA1
1c88c9e9d596e1f0d89b411726bda1e1b3272be9
-
SHA256
237521ebc7eacb0394d7276585529344e22ba03a888720d43b79eb95f29ab186
-
SHA512
d619fae20548bfdcdb025c6ecaec081088946b31989cfca562fac0b81d4c41ce3b89a79c502a645c1dc2d986b0130169f04458b353d2f891620ab531be0a4f2b
-
SSDEEP
24576:hbSaE4mvt/Gqc/fVlUvnnhUw87iVdzxYQC8n:hbSv4mvYJFlUvnhA7ydeQDn
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 2660 File.exe 3036 1431745337.exe -
Loads dropped DLL 11 IoCs
pid Process 2660 File.exe 2660 File.exe 2660 File.exe 2660 File.exe 996 WerFault.exe 996 WerFault.exe 996 WerFault.exe 996 WerFault.exe 996 WerFault.exe 996 WerFault.exe 996 WerFault.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 996 3036 WerFault.exe 32 -
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language File.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1431745337.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe -
NSIS installer 2 IoCs
resource yara_rule behavioral1/files/0x0006000000019c3c-67.dat nsis_installer_1 behavioral1/files/0x0006000000019c3c-67.dat nsis_installer_2 -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 ea94754c6d1a3ec7c46046b64a499505_JaffaCakes118.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 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 ea94754c6d1a3ec7c46046b64a499505_JaffaCakes118.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb57485053000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d0603550403131674686177746520507
2696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68 ea94754c6d1a3ec7c46046b64a499505_JaffaCakes118.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 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 ea94754c6d1a3ec7c46046b64a499505_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2252 ea94754c6d1a3ec7c46046b64a499505_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2252 ea94754c6d1a3ec7c46046b64a499505_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 684 wmic.exe Token: SeSecurityPrivilege 684 wmic.exe Token: SeTakeOwnershipPrivilege 684 wmic.exe Token: SeLoadDriverPrivilege 684 wmic.exe Token: SeSystemProfilePrivilege 684 wmic.exe Token: SeSystemtimePrivilege 684 wmic.exe Token: SeProfSingleProcessPrivilege 684 wmic.exe Token: SeIncBasePriorityPrivilege 684 wmic.exe Token: SeCreatePagefilePrivilege 684 wmic.exe Token: SeBackupPrivilege 684 wmic.exe Token: SeRestorePrivilege 684 wmic.exe Token: SeShutdownPrivilege 684 wmic.exe Token: SeDebugPrivilege 684 wmic.exe Token: SeSystemEnvironmentPrivilege 684 wmic.exe Token: SeRemoteShutdownPrivilege 684 wmic.exe Token: SeUndockPrivilege 684 wmic.exe Token: SeManageVolumePrivilege 684 wmic.exe Token: 33 684 wmic.exe Token: 34 684 wmic.exe Token: 35 684 wmic.exe Token: SeIncreaseQuotaPrivilege 684 wmic.exe Token: SeSecurityPrivilege 684 wmic.exe Token: SeTakeOwnershipPrivilege 684 wmic.exe Token: SeLoadDriverPrivilege 684 wmic.exe Token: SeSystemProfilePrivilege 684 wmic.exe Token: SeSystemtimePrivilege 684 wmic.exe Token: SeProfSingleProcessPrivilege 684 wmic.exe Token: SeIncBasePriorityPrivilege 684 wmic.exe Token: SeCreatePagefilePrivilege 684 wmic.exe Token: SeBackupPrivilege 684 wmic.exe Token: SeRestorePrivilege 684 wmic.exe Token: SeShutdownPrivilege 684 wmic.exe Token: SeDebugPrivilege 684 wmic.exe Token: SeSystemEnvironmentPrivilege 684 wmic.exe Token: SeRemoteShutdownPrivilege 684 wmic.exe Token: SeUndockPrivilege 684 wmic.exe Token: SeManageVolumePrivilege 684 wmic.exe Token: 33 684 wmic.exe Token: 34 684 wmic.exe Token: 35 684 wmic.exe Token: SeIncreaseQuotaPrivilege 2500 wmic.exe Token: SeSecurityPrivilege 2500 wmic.exe Token: SeTakeOwnershipPrivilege 2500 wmic.exe Token: SeLoadDriverPrivilege 2500 wmic.exe Token: SeSystemProfilePrivilege 2500 wmic.exe Token: SeSystemtimePrivilege 2500 wmic.exe Token: 
SeProfSingleProcessPrivilege 2500 wmic.exe Token: SeIncBasePriorityPrivilege 2500 wmic.exe Token: SeCreatePagefilePrivilege 2500 wmic.exe Token: SeBackupPrivilege 2500 wmic.exe Token: SeRestorePrivilege 2500 wmic.exe Token: SeShutdownPrivilege 2500 wmic.exe Token: SeDebugPrivilege 2500 wmic.exe Token: SeSystemEnvironmentPrivilege 2500 wmic.exe Token: SeRemoteShutdownPrivilege 2500 wmic.exe Token: SeUndockPrivilege 2500 wmic.exe Token: SeManageVolumePrivilege 2500 wmic.exe Token: 33 2500 wmic.exe Token: 34 2500 wmic.exe Token: 35 2500 wmic.exe Token: SeIncreaseQuotaPrivilege 1660 wmic.exe Token: SeSecurityPrivilege 1660 wmic.exe Token: SeTakeOwnershipPrivilege 1660 wmic.exe -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 2252 wrote to memory of 2660 2252 ea94754c6d1a3ec7c46046b64a499505_JaffaCakes118.exe 31 PID 2252 wrote to memory of 2660 2252 ea94754c6d1a3ec7c46046b64a499505_JaffaCakes118.exe 31 PID 2252 wrote to memory of 2660 2252 ea94754c6d1a3ec7c46046b64a499505_JaffaCakes118.exe 31 PID 2252 wrote to memory of 2660 2252 ea94754c6d1a3ec7c46046b64a499505_JaffaCakes118.exe 31 PID 2660 wrote to memory of 3036 2660 File.exe 32 PID 2660 wrote to memory of 3036 2660 File.exe 32 PID 2660 wrote to memory of 3036 2660 File.exe 32 PID 2660 wrote to memory of 3036 2660 File.exe 32 PID 3036 wrote to memory of 684 3036 1431745337.exe 33 PID 3036 wrote to memory of 684 3036 1431745337.exe 33 PID 3036 wrote to memory of 684 3036 1431745337.exe 33 PID 3036 wrote to memory of 684 3036 1431745337.exe 33 PID 3036 wrote to memory of 2500 3036 1431745337.exe 36 PID 3036 wrote to memory of 2500 3036 1431745337.exe 36 PID 3036 wrote to memory of 2500 3036 1431745337.exe 36 PID 3036 wrote to memory of 2500 3036 1431745337.exe 36 PID 3036 wrote to memory of 1660 3036 1431745337.exe 38 PID 3036 wrote to memory of 1660 3036 1431745337.exe 38 PID 3036 wrote to memory of 1660 3036 1431745337.exe 38 PID 3036 wrote to memory of 1660 3036 1431745337.exe 38 PID 3036 wrote to memory of 1924 3036 1431745337.exe 40 PID 3036 wrote to memory of 1924 3036 1431745337.exe 40 PID 3036 wrote to memory of 1924 3036 1431745337.exe 40 PID 3036 wrote to memory of 1924 3036 1431745337.exe 40 PID 3036 wrote to memory of 1964 3036 1431745337.exe 42 PID 3036 wrote to memory of 1964 3036 1431745337.exe 42 PID 3036 wrote to memory of 1964 3036 1431745337.exe 42 PID 3036 wrote to memory of 1964 3036 1431745337.exe 42 PID 3036 wrote to memory of 996 3036 1431745337.exe 44 PID 3036 wrote to memory of 996 3036 1431745337.exe 44 PID 3036 wrote to memory of 996 3036 1431745337.exe 44 PID 3036 wrote to memory of 996 3036 1431745337.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\ea94754c6d1a3ec7c46046b64a499505_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ea94754c6d1a3ec7c46046b64a499505_JaffaCakes118.exe"1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Users\Admin\AppData\Local\Temp\File.exe"C:\Users\Admin\AppData\Local\Temp\File.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Users\Admin\AppData\Local\Temp\1431745337.exeC:\Users\Admin\AppData\Local\Temp\1431745337.exe 0\5\8\5\1\8\2\9\6\6\8 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⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81726719910.txt bios get serialnumber4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:684
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81726719910.txt bios get version4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2500
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81726719910.txt bios get version4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1660
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81726719910.txt bios get version4⤵
- System Location Discovery: System Language Discovery
PID:1924
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81726719910.txt bios get version4⤵
- System Location Discovery: System Language Discovery
PID:1964
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 3684⤵
- Loads dropped DLL
- Program crash
PID:996
-
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
66B
MD5 9025468f85256136f923096b01375964
SHA1 7fcd174999661594fa5f88890ffb195e9858cc52
SHA256 d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA512 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51
-
Filesize
70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
581KB
MD5 96f22762a3acd888ed276179a8494e3f
SHA1 c70dbbc054917ffa3477a6d1ad50c23ed8abd91e
SHA256 76532221bad5fbe988feb0ea55fcc5f0fb67708658e1f09d6ba49bf270d6a9e8
SHA512 784a46475dc161c31ac0dad5fa5ee8f441d454ebb60f9243d8cad557cc45c71150062cb66ab25878b6b20b98dea342886e948f456bf141e98ec403057d1dc104
-
Filesize
181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
153KB
MD5 f2e061f20337c7b923cc981ffa370843
SHA1 80462d66ee9d812b61dc4f63c1e305d9948be20e
SHA256 473c19cb5364e51bcee4aa0639246a82b662a89e085bb3693c7a0d81e7ea6ef8
SHA512 ce59611a1d7e2982db4c1a993f6005cc7d7f1b4a66eecbb6df9eab7840a99e5c0c21ae5dda3ffd0c16f97e2c880ff6de6df169f150676a91e28228fed8980a20
-
Filesize
788KB
MD5 94c3ce3856a17f09a845c84eef204247
SHA1 aee6896be0f74e8a4f5b24a14922dccd011ca30f
SHA256 37ecc9a349b93f3c02deb4ebcdc056de78fb11a1c1e76b0576b81a561205f502
SHA512 dd2829a01ba441c6b95624e290eaf3cdba2b32c044a7b1b15bf55f2badf5ea3f1fa4387b39e7627e3226a0b140252810f7e67ac9148f879ad53465110ee73b40
-
Filesize
40KB
MD5 5f13dbc378792f23e598079fc1e4422b
SHA1 5813c05802f15930aa860b8363af2b58426c8adf
SHA256 6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d
SHA512 9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5