8901848415efad80bf430512f7d30ba9328e59e6359d9c94b3608f50d1347b9d

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eac76fb6eb3d9ac9c72b151dfeaa7bbd_JaffaCakes118.exe
Size

259KB
MD5

eac76fb6eb3d9ac9c72b151dfeaa7bbd
SHA1

76ff95766be6959843ae783195b68e44bc48e27a
SHA256

8901848415efad80bf430512f7d30ba9328e59e6359d9c94b3608f50d1347b9d
SHA512

b70bf7e19f59002e3c4d062bda13b900a71f0e13f864bbd3b5ce0b9f832659a591f3b71e1e5954e094cf6b72f98c37773fac1b37df5314b4cf6ce885340c8249
SSDEEP

6144:wgJrZAAkqnANv494D83pJKffKPOw7EMHHEMH:bJrZAAkkANv494D83p5cMEM

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1720	my account.exe

Executes dropped EXE 6 IoCs

pid	Process
1720	my account.exe
3060	wmiintegrator.exe
2340	wmihostwin.exe
1632	wmimic.exe
2212	wmisecure.exe
2232	wmisecure64.exe

Loads dropped DLL 6 IoCs

pid	Process
2944	eac76fb6eb3d9ac9c72b151dfeaa7bbd_JaffaCakes118.exe
1720	my account.exe
3060	wmiintegrator.exe
2340	wmihostwin.exe
1632	wmimic.exe
1632	wmimic.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmimic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisecure64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisecure.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eac76fb6eb3d9ac9c72b151dfeaa7bbd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiintegrator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmihostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	my account.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2944	eac76fb6eb3d9ac9c72b151dfeaa7bbd_JaffaCakes118.exe
2944	eac76fb6eb3d9ac9c72b151dfeaa7bbd_JaffaCakes118.exe
2944	eac76fb6eb3d9ac9c72b151dfeaa7bbd_JaffaCakes118.exe
2944	eac76fb6eb3d9ac9c72b151dfeaa7bbd_JaffaCakes118.exe
2944	eac76fb6eb3d9ac9c72b151dfeaa7bbd_JaffaCakes118.exe
2944	eac76fb6eb3d9ac9c72b151dfeaa7bbd_JaffaCakes118.exe
2944	eac76fb6eb3d9ac9c72b151dfeaa7bbd_JaffaCakes118.exe
2944	eac76fb6eb3d9ac9c72b151dfeaa7bbd_JaffaCakes118.exe
2944	eac76fb6eb3d9ac9c72b151dfeaa7bbd_JaffaCakes118.exe
2944	eac76fb6eb3d9ac9c72b151dfeaa7bbd_JaffaCakes118.exe
2944	eac76fb6eb3d9ac9c72b151dfeaa7bbd_JaffaCakes118.exe
1720	my account.exe
1720	my account.exe
1720	my account.exe
1720	my account.exe
1720	my account.exe
1720	my account.exe
3060	wmiintegrator.exe
3060	wmiintegrator.exe
3060	wmiintegrator.exe
3060	wmiintegrator.exe
3060	wmiintegrator.exe
3060	wmiintegrator.exe
2340	wmihostwin.exe
2340	wmihostwin.exe
2340	wmihostwin.exe
2340	wmihostwin.exe
2340	wmihostwin.exe
2340	wmihostwin.exe
3060	wmiintegrator.exe
1632	wmimic.exe
1632	wmimic.exe
1632	wmimic.exe
1632	wmimic.exe
1632	wmimic.exe
1632	wmimic.exe
1632	wmimic.exe
3060	wmiintegrator.exe
2232	wmisecure64.exe
2232	wmisecure64.exe
2232	wmisecure64.exe
2232	wmisecure64.exe
2232	wmisecure64.exe
2340	wmihostwin.exe
3060	wmiintegrator.exe
1632	wmimic.exe
1632	wmimic.exe
2340	wmihostwin.exe
3060	wmiintegrator.exe
1632	wmimic.exe
1632	wmimic.exe
2340	wmihostwin.exe
3060	wmiintegrator.exe
1632	wmimic.exe
1632	wmimic.exe
2340	wmihostwin.exe
3060	wmiintegrator.exe
1632	wmimic.exe
1632	wmimic.exe
2340	wmihostwin.exe
3060	wmiintegrator.exe
1632	wmimic.exe
1632	wmimic.exe
2340	wmihostwin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 1720	2944	eac76fb6eb3d9ac9c72b151dfeaa7bbd_JaffaCakes118.exe	28
PID 2944 wrote to memory of 1720	2944	eac76fb6eb3d9ac9c72b151dfeaa7bbd_JaffaCakes118.exe	28
PID 2944 wrote to memory of 1720	2944	eac76fb6eb3d9ac9c72b151dfeaa7bbd_JaffaCakes118.exe	28
PID 2944 wrote to memory of 1720	2944	eac76fb6eb3d9ac9c72b151dfeaa7bbd_JaffaCakes118.exe	28
PID 1720 wrote to memory of 3060	1720	my account.exe	29
PID 1720 wrote to memory of 3060	1720	my account.exe	29
PID 1720 wrote to memory of 3060	1720	my account.exe	29
PID 1720 wrote to memory of 3060	1720	my account.exe	29
PID 3060 wrote to memory of 2340	3060	wmiintegrator.exe	30
PID 3060 wrote to memory of 2340	3060	wmiintegrator.exe	30
PID 3060 wrote to memory of 2340	3060	wmiintegrator.exe	30
PID 3060 wrote to memory of 2340	3060	wmiintegrator.exe	30
PID 2340 wrote to memory of 1632	2340	wmihostwin.exe	31
PID 2340 wrote to memory of 1632	2340	wmihostwin.exe	31
PID 2340 wrote to memory of 1632	2340	wmihostwin.exe	31
PID 2340 wrote to memory of 1632	2340	wmihostwin.exe	31
PID 1632 wrote to memory of 2212	1632	wmimic.exe	32
PID 1632 wrote to memory of 2212	1632	wmimic.exe	32
PID 1632 wrote to memory of 2212	1632	wmimic.exe	32
PID 1632 wrote to memory of 2212	1632	wmimic.exe	32
PID 1632 wrote to memory of 2232	1632	wmimic.exe	33
PID 1632 wrote to memory of 2232	1632	wmimic.exe	33
PID 1632 wrote to memory of 2232	1632	wmimic.exe	33
PID 1632 wrote to memory of 2232	1632	wmimic.exe	33
PID 2232 wrote to memory of 2620	2232	wmisecure64.exe	34
PID 2232 wrote to memory of 2620	2232	wmisecure64.exe	34
PID 2232 wrote to memory of 2620	2232	wmisecure64.exe	34
PID 2232 wrote to memory of 2620	2232	wmisecure64.exe	34
PID 2232 wrote to memory of 2540	2232	wmisecure64.exe	38
PID 2232 wrote to memory of 2540	2232	wmisecure64.exe	38
PID 2232 wrote to memory of 2540	2232	wmisecure64.exe	38
PID 2232 wrote to memory of 2540	2232	wmisecure64.exe	38
PID 2232 wrote to memory of 2516	2232	wmisecure64.exe	40
PID 2232 wrote to memory of 2516	2232	wmisecure64.exe	40
PID 2232 wrote to memory of 2516	2232	wmisecure64.exe	40
PID 2232 wrote to memory of 2516	2232	wmisecure64.exe	40
PID 2232 wrote to memory of 2148	2232	wmisecure64.exe	42
PID 2232 wrote to memory of 2148	2232	wmisecure64.exe	42
PID 2232 wrote to memory of 2148	2232	wmisecure64.exe	42
PID 2232 wrote to memory of 2148	2232	wmisecure64.exe	42
PID 2232 wrote to memory of 2020	2232	wmisecure64.exe	44
PID 2232 wrote to memory of 2020	2232	wmisecure64.exe	44
PID 2232 wrote to memory of 2020	2232	wmisecure64.exe	44
PID 2232 wrote to memory of 2020	2232	wmisecure64.exe	44
PID 2232 wrote to memory of 584	2232	wmisecure64.exe	46
PID 2232 wrote to memory of 584	2232	wmisecure64.exe	46
PID 2232 wrote to memory of 584	2232	wmisecure64.exe	46
PID 2232 wrote to memory of 584	2232	wmisecure64.exe	46
PID 2232 wrote to memory of 1588	2232	wmisecure64.exe	48
PID 2232 wrote to memory of 1588	2232	wmisecure64.exe	48
PID 2232 wrote to memory of 1588	2232	wmisecure64.exe	48
PID 2232 wrote to memory of 1588	2232	wmisecure64.exe	48
PID 2232 wrote to memory of 292	2232	wmisecure64.exe	50
PID 2232 wrote to memory of 292	2232	wmisecure64.exe	50
PID 2232 wrote to memory of 292	2232	wmisecure64.exe	50
PID 2232 wrote to memory of 292	2232	wmisecure64.exe	50
PID 2232 wrote to memory of 1864	2232	wmisecure64.exe	52
PID 2232 wrote to memory of 1864	2232	wmisecure64.exe	52
PID 2232 wrote to memory of 1864	2232	wmisecure64.exe	52
PID 2232 wrote to memory of 1864	2232	wmisecure64.exe	52
PID 2232 wrote to memory of 1172	2232	wmisecure64.exe	54
PID 2232 wrote to memory of 1172	2232	wmisecure64.exe	54
PID 2232 wrote to memory of 1172	2232	wmisecure64.exe	54
PID 2232 wrote to memory of 1172	2232	wmisecure64.exe	54

C:\Users\Admin\AppData\Local\Temp\eac76fb6eb3d9ac9c72b151dfeaa7bbd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eac76fb6eb3d9ac9c72b151dfeaa7bbd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\AppData\Roaming\my account.exe
  "C:\Users\Admin\AppData\Roaming\my account.exe" C:\Users\Admin\AppData\Local\Temp\eac76fb6eb3d9ac9c72b151dfeaa7bbd_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe
    "C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe" unk
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe
      "C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe" unk2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2340
    - - C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe" unk3
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1632
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2212
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:584
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:292
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe

Filesize
259KB

MD5
324867a80b0876e0d1836000aa3575b1

SHA1
240332626647b17bdd97345c66fca85965e1e5e6

SHA256
5e2d9450e783ef55a7f427229d28f2cccdb024c3f75af01ba61baadced16aea2

SHA512
425173c305ccdd27bca19430329d3f67e13474dd7d9eb8177cfd3a96478616a63741b8de89cf89d02e66a5555f38669615ecf7913548a6aedce81c965e0769da

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe

Filesize
259KB

MD5
42ea3891689da169befdc7787eca9d41

SHA1
e26c3964f408a8b4310ea00c66644c66030a5751

SHA256
5c91ea7b1b34340c5e2c0983cb0cdfef6e5022bb5e5dce6419cd44093f847b7d

SHA512
3d7e18d320e9a9b0196810b24065ad8eff967395a376878d236965c9a46e77cc0ac79c0646f094f4709ef5818aabff4ffa95a89c0cd620281faa1e77b63401c5

Download Submit
\Users\Admin\AppData\Roaming\my account.exe

Filesize
259KB

MD5
b599ce25866188616e7384ffd299c054

SHA1
ea9416a2bc9083d39fd264256dc15b49e7984edc

SHA256
99ad97cd612e04bc9171fd9bd85032d8ce69f29f6cec291ed0047c67ee7d30f4

SHA512
d2012b60b5daa1e37e423fafe25684d16dba478afce0bb3c940ecb1b833ed9db647b6cd68d5213130b6abd4922a59e98b95559eb79b814b807dd21f36bb3c956

Download Submit
memory/1720-17-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-16-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-12-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-24-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2944-0-0x00000000742A1000-0x00000000742A2000-memory.dmp

Filesize
4KB

Download
memory/2944-1-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2944-2-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2944-10-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download