Analysis
max time kernel: 143s
max time network: 145s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 19-09-2024 05:53
Behavioral task behavioral1
Sample: eab4ea5c7ebd0271f2f8b0e27ec91961_JaffaCakes118.exe
Resource: win7-20240704-en
Behavioral task behavioral2
Sample: eab4ea5c7ebd0271f2f8b0e27ec91961_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: eab4ea5c7ebd0271f2f8b0e27ec91961_JaffaCakes118.exe
Size: 3.5MB
MD5: eab4ea5c7ebd0271f2f8b0e27ec91961
SHA1: 3ecad10c9de1c5f5ef8eb10c95af01f69f61edae
SHA256: b4ed6d871e7ba08ec4c99e0923268f531c14da34b4c178e0740f2c1e8a204fcb
SHA512: 0da3644baf6a5b1fe50e48e6de694216f80a125be02aaa18dba1f454bb85e88ce04f8dd23321e609113f5c45671823752930d02e26e37c61e4eb0b3e1ef3d9a9
SSDEEP: 98304:2mGJ64NQWdEB+x28el/WRv0BJC6eypFOKdNVPstYyShZvp+76J4:2mYnU+08ecWCHOFOKdDUtlmyZ
Malware Config
Signatures
Executes dropped EXE (8 IoCs)
- PID 1660: SD1.4.0.672_Setup.exe
- PID 1668: QQ.exe
- PID 2452: Setup.exe
- PID 2172: Esseeg.exe
- PID 2212: Setup_x64.exe
- PID 3032: Esseeg.exe
- PID 1912: Setup.exe
- PID 1176: Process not Found
Loads dropped DLL (13 IoCs)
- PID 1648: eab4ea5c7ebd0271f2f8b0e27ec91961_JaffaCakes118.exe (2 events)
- PID 1660: SD1.4.0.672_Setup.exe (4 events)
- PID 2452: Setup.exe (3 events)
- PID 2212: Setup_x64.exe (3 events)
- PID 1176: Process not Found (1 event)
YARA matches (resource: yara_rule)
- behavioral1/memory/1648-0-0x0000000000400000-0x000000000041C000-memory.dmp: upx
- behavioral1/files/0x00080000000173c8-19.dat: upx
- behavioral1/memory/1648-18-0x0000000002B20000-0x0000000002BB2000-memory.dmp: upx
- behavioral1/memory/1648-17-0x0000000000400000-0x000000000041C000-memory.dmp: upx
- behavioral1/memory/1668-54-0x0000000000400000-0x0000000000492000-memory.dmp: upx
- behavioral1/memory/2172-95-0x0000000000400000-0x0000000000492000-memory.dmp: upx
- behavioral1/memory/3032-96-0x0000000000400000-0x0000000000492000-memory.dmp: upx
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) \??\T: by Setup.exe
- File opened (read-only) \??\V: by Setup.exe
- File opened (read-only) \??\Y: by Setup.exe
- File opened (read-only) \??\F: by Setup.exe
- File opened (read-only) \??\J: by Setup.exe
- File opened (read-only) \??\K: by Setup.exe
- File opened (read-only) \??\P: by Setup.exe
- File opened (read-only) \??\Q: by Setup.exe
- File opened (read-only) \??\Z: by Setup.exe
- File opened (read-only) \??\L: by Setup.exe
- File opened (read-only) \??\E: by Setup.exe
- File opened (read-only) \??\I: by Setup.exe
- File opened (read-only) \??\O: by Setup.exe
- File opened (read-only) \??\S: by Setup.exe
- File opened (read-only) \??\U: by Setup.exe
- File opened (read-only) \??\W: by Setup.exe
- File opened (read-only) \??\G: by Setup.exe
- File opened (read-only) \??\H: by Setup.exe
- File opened (read-only) \??\M: by Setup.exe
- File opened (read-only) \??\N: by Setup.exe
- File opened (read-only) \??\R: by Setup.exe
- File opened (read-only) \??\X: by Setup.exe
Creates a Windows Service
Drops file in System32 directory (5 IoCs)
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat by Esseeg.exe
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475 by Esseeg.exe
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475 by Esseeg.exe
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_8C1AD9434E0E1576771CA7E7EAD43D9E by Esseeg.exe
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_8C1AD9434E0E1576771CA7E7EAD43D9E by Esseeg.exe
Drops file in Program Files directory (2 IoCs)
- File created C:\Program Files (x86)\Microsoft Auqauy\Esseeg.exe by QQ.exe
- File opened for modification C:\Program Files (x86)\Microsoft Auqauy\Esseeg.exe by QQ.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by eab4ea5c7ebd0271f2f8b0e27ec91961_JaffaCakes118.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by SD1.4.0.672_Setup.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by QQ.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by Setup.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by Esseeg.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by Setup_x64.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by Esseeg.exe
Modifies data under HKEY_USERS (64 IoCs, all by Esseeg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-a6-45-44-1f-38\WpadDecision = "0"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5685C446-5C36-439C-8E8C-B7C7DCF45072}
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5685C446-5C36-439C-8E8C-B7C7DCF45072}\WpadDecisionTime = 9076145f580adb01
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-a6-45-44-1f-38\WpadDecisionReason = "1"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5685C446-5C36-439C-8E8C-B7C7DCF45072}\WpadDecisionReason = "1"
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-a6-45-44-1f-38
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-a6-45-44-1f-38\WpadDecisionTime = 9076145f580adb01
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5685C446-5C36-439C-8E8C-B7C7DCF45072}\e6-a6-45-44-1f-38
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f018d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5685C446-5C36-439C-8E8C-B7C7DCF45072}\WpadDecision = "0"
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5685C446-5C36-439C-8E8C-B7C7DCF45072}\WpadNetworkName = "Network 3"
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
- PID 1912: Setup.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
- Token: SeDebugPrivilege, PID 1668: QQ.exe
Suspicious use of SetWindowsHookEx (5 IoCs)
- PID 1668: QQ.exe
- PID 2172: Esseeg.exe
- PID 3032: Esseeg.exe
- PID 1912: Setup.exe (2 events)
Suspicious use of WriteProcessMemory (33 IoCs)
- PID 1648 (eab4ea5c7ebd0271f2f8b0e27ec91961_JaffaCakes118.exe) wrote to memory of PID 1660, procid_target 31: 7 events
- PID 1648 (eab4ea5c7ebd0271f2f8b0e27ec91961_JaffaCakes118.exe) wrote to memory of PID 1668, procid_target 32: 4 events
- PID 1660 (SD1.4.0.672_Setup.exe) wrote to memory of PID 2452, procid_target 33: 7 events
- PID 2452 (Setup.exe) wrote to memory of PID 2212, procid_target 35: 7 events
- PID 2172 (Esseeg.exe) wrote to memory of PID 3032, procid_target 36: 4 events
- PID 2212 (Setup_x64.exe) wrote to memory of PID 1912, procid_target 37: 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\eab4ea5c7ebd0271f2f8b0e27ec91961_JaffaCakes118.exe (PID 1648)
  Command line: "C:\Users\Admin\AppData\Local\Temp\eab4ea5c7ebd0271f2f8b0e27ec91961_JaffaCakes118.exe"
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Temp\SD1.4.0.672_Setup.exe (PID 1660)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Temp\SD1.4.0.672_Setup.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\7z6F13067C\Setup.exe (PID 2452)
      Command line: C:\Users\Admin\AppData\Local\Temp\7z6F13067C\Setup.exe
      Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\7z6F13067C\Setup_x64.exe (PID 2212)
        Command line: "C:\Users\Admin\AppData\Local\Temp\7z6F13067C\Setup_x64.exe"
        Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\7z6FBF48A4\Setup.exe (PID 1912)
          Command line: C:\Users\Admin\AppData\Local\Temp\7z6FBF48A4\Setup.exe
          Signatures: Executes dropped EXE; Enumerates connected drives; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\Temp\QQ.exe (PID 1668)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Temp\QQ.exe"
    Signatures: Executes dropped EXE; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft Auqauy\Esseeg.exe (PID 2172)
  Command line: "C:\Program Files (x86)\Microsoft Auqauy\Esseeg.exe"
  Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft Auqauy\Esseeg.exe (PID 3032)
    Command line: "C:\Program Files (x86)\Microsoft Auqauy\Esseeg.exe" Win7
    Signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx