ffc7faf16966b6fd23565655fc2bd27c9b105e9ca6d083a7b8836c5669a25a1d

Analysis

max time kernel
149s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 15:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe
Size

100KB
MD5

eb9b63f473a7c24d00ae5bcc432b5e72
SHA1

5d0656b800d8625808d823c619ca46806515460f
SHA256

ffc7faf16966b6fd23565655fc2bd27c9b105e9ca6d083a7b8836c5669a25a1d
SHA512

50129cd20b8af0542fa99b861302a22a728cec2307fadfd992d8a78ca49a5ee3c92fa0553e7a198cd741bea44c3eb96cec399cde45ae08e71e5eea481e973c62
SSDEEP

1536:amlUoMlBjU/ByDdVBWDOiUfHmDLDCDb/tDLnDaNCIDEoITPr:tlUbvBTPiUfHmfm3/tnWNCIYr

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe

Modifies Shared Task Scheduler registry keys 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler\{D56A1203-1452-EBA1-7294-EE3377770000} = "Interlinking Memory Support"	rundll32.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0016000000018657-7.dat	acprotect

Loads dropped DLL 5 IoCs

pid	Process
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2160	rundll32.exe
2100	regsvr32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0016000000018657-7.dat	upx
behavioral1/memory/2100-9-0x0000000010000000-0x000000001000F000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 24 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Party Poker.ico	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\guninst.exe	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Remove Spyware.ico	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Viagra.ico	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Britney Spears.ico	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Pornstars.ico	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\param32.dll	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Car Insurance.ico	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Cruises.ico	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Credit Card.ico	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Pharmacy.ico	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Lesbian Sex.ico	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\searchdll.dll	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\popup_bl.dll	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\BlackJack.ico	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Phentermine.ico	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Online Casino.ico	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MP3.ico	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Forex Trading.ico	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Big Tits.ico	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Air Tickets.ico	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Online Betting.ico	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Cigarettes.ico	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Oral Sex.ico	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}	regsvr32.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.newgenlook.info/ad/ad0058/"	rundll32.exe

Modifies registry class 52 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7EDAB2D-D7F9-11D8-BA48-C79B0C409D70}\ = "ItransURL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C7EDAB2D-D7F9-11D8-BA48-C79B0C409D70}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C7EDAB2D-D7F9-11D8-BA48-C79B0C409D70}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7EDAB2D-D7F9-11D8-BA48-C79B0C409D70}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Serch_hook.transURL\ = "transURL Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C7EDAB21-D7F9-11D8-BA48-C79B0C409D70}\1.0\ = "serch_hook 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D56A1203-1452-EBA1-7294-EE3377770000}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C7EDAB21-D7F9-11D8-BA48-C79B0C409D70}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C7EDAB21-D7F9-11D8-BA48-C79B0C409D70}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C7EDAB21-D7F9-11D8-BA48-C79B0C409D70}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7EDAB2D-D7F9-11D8-BA48-C79B0C409D70}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D56A1203-1452-EBA1-7294-EE3377770000}\InProcServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Serch_hook.transURL.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Serch_hook.transURL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Serch_hook.transURL\CurVer\ = "Serch_hook.transURL.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Serch_hook.transURL.1\CLSID\ = "{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C7EDAB2D-D7F9-11D8-BA48-C79B0C409D70}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Serch_hook.transURL.1\ = "transURL Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C7EDAB21-D7F9-11D8-BA48-C79B0C409D70}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7EDAB2D-D7F9-11D8-BA48-C79B0C409D70}\TypeLib\ = "{C7EDAB21-D7F9-11D8-BA48-C79B0C409D70}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Serch_hook.transURL.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}\VersionIndependentProgID\ = "Serch_hook.transURL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C7EDAB21-D7F9-11D8-BA48-C79B0C409D70}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C7EDAB2D-D7F9-11D8-BA48-C79B0C409D70}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}\TypeLib\ = "{C7EDAB21-D7F9-11D8-BA48-C79B0C409D70}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C7EDAB21-D7F9-11D8-BA48-C79B0C409D70}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\searchdll.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Serch_hook.transURL\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C7EDAB21-D7F9-11D8-BA48-C79B0C409D70}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C7EDAB21-D7F9-11D8-BA48-C79B0C409D70}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C7EDAB2D-D7F9-11D8-BA48-C79B0C409D70}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C7EDAB2D-D7F9-11D8-BA48-C79B0C409D70}\ = "ItransURL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7EDAB2D-D7F9-11D8-BA48-C79B0C409D70}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D56A1203-1452-EBA1-7294-EE3377770000}\InProcServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Serch_hook.transURL\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C7EDAB2D-D7F9-11D8-BA48-C79B0C409D70}\TypeLib\ = "{C7EDAB21-D7F9-11D8-BA48-C79B0C409D70}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7EDAB2D-D7F9-11D8-BA48-C79B0C409D70}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D56A1203-1452-EBA1-7294-EE3377770000}\InProcServer32\ = "C:\\Windows\\SysWow64\\param32.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Serch_hook.transURL\CLSID\ = "{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}\InprocServer32\ = "C:\\Windows\\SysWow64\\SEARCH~1.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C7EDAB21-D7F9-11D8-BA48-C79B0C409D70}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7EDAB2D-D7F9-11D8-BA48-C79B0C409D70}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}\ = "transURL Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}\ProgID\ = "Serch_hook.transURL.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}\Programmable	regsvr32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2160	rundll32.exe
2160	rundll32.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2160	rundll32.exe
2160	rundll32.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2160	2232	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe	31
PID 2232 wrote to memory of 2160	2232	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe	31
PID 2232 wrote to memory of 2160	2232	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe	31
PID 2232 wrote to memory of 2160	2232	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe	31
PID 2232 wrote to memory of 2160	2232	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe	31
PID 2232 wrote to memory of 2160	2232	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe	31
PID 2232 wrote to memory of 2160	2232	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe	31
PID 2232 wrote to memory of 2100	2232	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe	32
PID 2232 wrote to memory of 2100	2232	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe	32
PID 2232 wrote to memory of 2100	2232	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe	32
PID 2232 wrote to memory of 2100	2232	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe	32
PID 2232 wrote to memory of 2100	2232	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe	32
PID 2232 wrote to memory of 2100	2232	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe	32
PID 2232 wrote to memory of 2100	2232	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe	32
PID 2232 wrote to memory of 376	2232	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe	33
PID 2232 wrote to memory of 376	2232	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe	33
PID 2232 wrote to memory of 376	2232	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe	33
PID 2232 wrote to memory of 376	2232	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe	33
PID 2232 wrote to memory of 376	2232	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe	33
PID 2232 wrote to memory of 376	2232	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe	33
PID 2232 wrote to memory of 376	2232	eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eb9b63f473a7c24d00ae5bcc432b5e72_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\System32\param32.dll,load
  2⤵
  - Modifies Shared Task Scheduler registry keys
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2160
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s C:\Windows\System32\searchdll.dll
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:2100
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s C:\Windows\System32\popup_bl.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\param32.dll

Filesize
15KB

MD5
414a8fb2ab1634ee9f6fc0c09134f3c8

SHA1
c731cfb027449ec2bdf38c0c632f048e913b73b5

SHA256
9a1dcecdbc2953eb492ac1b5f2c60007da97d52a973a16e8dbd0edd744d6f47c

SHA512
e083a2314a3cb40311bdc236e37eb23d71491bb9fe897c91e65a707a82202f33ae832e52b78223643fe7e56b928ab1d47338fc2fa8deb80a2f0c0030b4be0ffc

Download Submit
C:\Windows\SysWOW64\searchdll.dll

Filesize
21KB

MD5
372babf0acfda624032371cd99749ea5

SHA1
b5d582b22ab0e1ccc0eba9a9f4ad15a7050bfd78

SHA256
7ba74d15605422650635d1095608c8755f8109c4f6688886c1896bff2880df42

SHA512
31e49ad49615db6d437ac32a30d3bb6abe2c61813fa7f372c7df44b05a2d48751ed5fb88a91845c7ef692d8848019980d761ada7c7952566b07ebda7ee9258ba

Download Submit
memory/2100-9-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/2232-54-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads