4aa5f5138f47225accc17e22463ccaa0e6f6f6f4a3a6bd9abb131b39803c6e34

Analysis

max time kernel
142s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
Size

20KB
MD5

ebf0477ea66e2b448e03c7d894b55764
SHA1

68943914562bc01f5d7c2002898de95720cc9b60
SHA256

4aa5f5138f47225accc17e22463ccaa0e6f6f6f4a3a6bd9abb131b39803c6e34
SHA512

05d74d0a3199f862fd5f18ebb453f4515b9e8186f0eaf57fdcc0a88ecf3585365bcb07f6246bd2940b8d0d014633011535d11633b3b1d482aa72ddfd44b7df5b
SSDEEP

384:icBKBJGvdw7/bGtOl5YC5HhRI83YdwbomCH7Xrgo7IX3:fBKBJGVw7jGt+55RdnBCHTk

Score

7^/10

discovery persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
552	IEXPLORE.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Program Files\\Common Files\\Services\\svchost.exe"	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
File opened (read-only)	\??\Y:	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
File opened (read-only)	\??\A:	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
File opened (read-only)	\??\G:	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
File opened (read-only)	\??\I:	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
File opened (read-only)	\??\N:	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
File opened (read-only)	\??\O:	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
File opened (read-only)	\??\B:	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
File opened (read-only)	\??\L:	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
File opened (read-only)	\??\P:	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
File opened (read-only)	\??\R:	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
File opened (read-only)	\??\S:	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
File opened (read-only)	\??\U:	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
File opened (read-only)	\??\W:	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
File opened (read-only)	\??\Z:	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
File opened (read-only)	\??\H:	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
File opened (read-only)	\??\K:	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
File opened (read-only)	\??\M:	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
File opened (read-only)	\??\Q:	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
File opened (read-only)	\??\T:	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
File opened (read-only)	\??\E:	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
File opened (read-only)	\??\J:	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
File opened (read-only)	\??\V:	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
File opened for modification	C:\autorun.inf	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
File created	F:\autorun.inf	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
File opened for modification	F:\autorun.inf	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DirectX10.dll	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DirectX10.dll	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Services\svchost.exe	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Services\svchost.exe	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CA6D8A31-76B4-11EF-8C8A-62CAC36041A9} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "2029826559"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
Token: SeDebugPrivilege	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
Token: SeDebugPrivilege	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
Token: SeSystemtimePrivilege	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
Token: SeDebugPrivilege	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2800	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
552	IEXPLORE.EXE
552	IEXPLORE.EXE
552	IEXPLORE.EXE
552	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2592	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	30
PID 3064 wrote to memory of 2592	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	30
PID 3064 wrote to memory of 2592	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	30
PID 3064 wrote to memory of 2592	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	30
PID 3064 wrote to memory of 2568	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	31
PID 3064 wrote to memory of 2568	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	31
PID 3064 wrote to memory of 2568	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	31
PID 3064 wrote to memory of 2568	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	31
PID 3064 wrote to memory of 2736	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	33
PID 3064 wrote to memory of 2736	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	33
PID 3064 wrote to memory of 2736	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	33
PID 3064 wrote to memory of 2736	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	33
PID 3064 wrote to memory of 2032	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	34
PID 3064 wrote to memory of 2032	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	34
PID 3064 wrote to memory of 2032	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	34
PID 3064 wrote to memory of 2032	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	34
PID 3064 wrote to memory of 2800	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	38
PID 3064 wrote to memory of 2800	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	38
PID 3064 wrote to memory of 2800	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	38
PID 3064 wrote to memory of 2800	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	38
PID 2592 wrote to memory of 2376	2592	Net.exe	39
PID 2592 wrote to memory of 2376	2592	Net.exe	39
PID 2592 wrote to memory of 2376	2592	Net.exe	39
PID 2592 wrote to memory of 2376	2592	Net.exe	39
PID 2032 wrote to memory of 2612	2032	net.exe	40
PID 2032 wrote to memory of 2612	2032	net.exe	40
PID 2032 wrote to memory of 2612	2032	net.exe	40
PID 2032 wrote to memory of 2612	2032	net.exe	40
PID 2568 wrote to memory of 2340	2568	Net.exe	41
PID 2568 wrote to memory of 2340	2568	Net.exe	41
PID 2568 wrote to memory of 2340	2568	Net.exe	41
PID 2568 wrote to memory of 2340	2568	Net.exe	41
PID 2736 wrote to memory of 2104	2736	net.exe	42
PID 2736 wrote to memory of 2104	2736	net.exe	42
PID 2736 wrote to memory of 2104	2736	net.exe	42
PID 2736 wrote to memory of 2104	2736	net.exe	42
PID 2800 wrote to memory of 552	2800	IEXPLORE.EXE	43
PID 2800 wrote to memory of 552	2800	IEXPLORE.EXE	43
PID 2800 wrote to memory of 552	2800	IEXPLORE.EXE	43
PID 2800 wrote to memory of 552	2800	IEXPLORE.EXE	43
PID 3064 wrote to memory of 552	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	43
PID 3064 wrote to memory of 552	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	43
PID 3064 wrote to memory of 552	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	43
PID 3064 wrote to memory of 552	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	43
PID 3064 wrote to memory of 552	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	43
PID 3064 wrote to memory of 552	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	43
PID 3064 wrote to memory of 552	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	43
PID 3064 wrote to memory of 552	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	43
PID 3064 wrote to memory of 552	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	43
PID 3064 wrote to memory of 552	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	43
PID 3064 wrote to memory of 552	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	43
PID 3064 wrote to memory of 552	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	43
PID 3064 wrote to memory of 552	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	43
PID 3064 wrote to memory of 552	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	43
PID 3064 wrote to memory of 552	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	43
PID 3064 wrote to memory of 552	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	43
PID 3064 wrote to memory of 552	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	43
PID 3064 wrote to memory of 552	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	43
PID 3064 wrote to memory of 552	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	43
PID 3064 wrote to memory of 552	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	43
PID 3064 wrote to memory of 552	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	43
PID 3064 wrote to memory of 552	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	43
PID 3064 wrote to memory of 552	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	43
PID 3064 wrote to memory of 552	3064	ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe	43

C:\Users\Admin\AppData\Local\Temp\ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\SysWOW64\Net.exe
  Net Stop Norton Antivirus Auto Protect Service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 Stop Norton Antivirus Auto Protect Service
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2376
- C:\Windows\SysWOW64\Net.exe
  Net Stop mcshield
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 Stop mcshield
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2340
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2104
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2612
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:275457 /prefetch:2
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Services\svchost.exe

Filesize
20KB

MD5
ebf0477ea66e2b448e03c7d894b55764

SHA1
68943914562bc01f5d7c2002898de95720cc9b60

SHA256
4aa5f5138f47225accc17e22463ccaa0e6f6f6f4a3a6bd9abb131b39803c6e34

SHA512
05d74d0a3199f862fd5f18ebb453f4515b9e8186f0eaf57fdcc0a88ecf3585365bcb07f6246bd2940b8d0d014633011535d11633b3b1d482aa72ddfd44b7df5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51f4c21c976bf7068214a3f4c5e9bb7b

SHA1
493304b58d56063e1b8ca1ccab7eef2c38241261

SHA256
b45c129ded74138c09e204d1aff342d7ade026a02764511337904551d11f2dde

SHA512
25cc2c339246fa9130dcf30561f4c8ba531b13123331edd91f4f523c4d7ff10a1358b4f19ca7adb6d65a5daccb553b7c485c005da36175318a27a4c6a413cd7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0509e9e41f21dba7324643cb436703c9

SHA1
a7df3ed11a10be8195e939067496cd5df4d2d3b7

SHA256
30cad27d00a25aae7c9c762b28c9d566078df5de95e6eaaa9d8e95c6fea0b33d

SHA512
94242ba6f08a046a19c7d745d9324e2b37582d6dfa7d816b99be29221dd76205e48bd0a3cb2d64819cb3c8c1a2f1f95b7ddea106815dece7584276b565abb958

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6a5651e5e11540b70572a07f8dab4b3

SHA1
e480a9759bd0f747fbdb77b656beb7e5f2d33c1d

SHA256
52cf1f205d2943ebb63f09287b61343df832b7ce60e263b9cc1085aefe242077

SHA512
3e10aa81bc15cb5382b32ae3a20c35d31222f2b6551fa551f130fa691f8ca6fb51ae27bd49e04f3d90187b2ed736f098b62d5834ee8704f8afbf92486ce8e242

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25fd2300898fbbf6bc7314dcee243518

SHA1
1d49ba2f2d2a7d8530038c4d6a8620fb386efd22

SHA256
58c4c15d136cd9d80bb37393214a93329097229ebc43e82d57ebcafe412417df

SHA512
596f34d6f40cbfcd1d0723fbabec812720080e35374a1850d90fae5a368934062aa4044a533a69ae52f738996acea2fce97f99160b6cc09e1599e4cc233d909b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
813435af746bde3a0048a97f891f295a

SHA1
17c8d6067326fb2b68523a7ba6680328a736bfc8

SHA256
43c533c1dcfc3c74e1faf87847352f0ac09956fe88a7ad3bef91adcbfe5cf8f6

SHA512
60b9b86363f33b8e169704407fdb908a1afe7d27e54ce966c6b1b24aa7df01a053fc6b0f9bee13665bd7d457107d6bbc63231b67450fc412e6071604fe900164

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46f97f6c93e008c90be3bd6621f2e131

SHA1
eca71eb9856ddc78a32d4f557da36b6b67771717

SHA256
8aecca4266bbc6baeb752308b6576644b921dc0d7d15952dde702de303eb0561

SHA512
50e899ce317eda7e5e9adf6e0fa511c63d73d13aa6bc0b1d74f6fae3393582bb0bf9c2083e7c2ba5ea02c85eaab05e265970ccf94061350220b0b6aca5855d12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f55ea52802c8392ca875e69eb558283

SHA1
3ef73c0e30c2239451e0cf5132b89916f291001d

SHA256
5d353344d517f837afe38d5bfdfbd6a3458c3bc8c5241445df99a7e38b506a53

SHA512
83919332b3c751827f361e43e567ba1210a8eba5371494fdb93eac1920392a20252f93c30938b461edae973d93184b4cdc66dd420b8bc3f0e0e3c6a31d46bdac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
55c3914e23ed86fd9c70734047545527

SHA1
686a392e203f824fcd9b4b6dec7227dc2104aa1d

SHA256
bed8fd1c06249958ae057041fe94b7a89d602eb190622772dab7d9f8de95a55b

SHA512
4fe1ef35f62bcc07b843330f40c8bec419b22e2f9e6275c92604973211239efa1ab49ee363ab81dcfce71a3268ebeb0e7125b647bde16bc3d5385a9066828a23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3fc64081b47df983db4f12b77f696898

SHA1
18f3f0fcf31f334eeb089c20603880e842822497

SHA256
afc9e1ca84c9446f1298dadfc5f440446a509e6fc7b23a50000118d9faa68bb0

SHA512
028603d2ada79b93bc23b996a4265ee130dc88ab69ea387fdd070de33138604ad21b2caf58a155e86ffe8fac9117e8a03a99b178cd866f5edc87256770d56a3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db433f9497f9596ae6de0054110201a6

SHA1
29f804604bc5e2450d2c776f844295eef7f0d4f7

SHA256
8f92276834d8b9a05d2b5b429aede0373fc005460e7dfef11c6d8026cabd5d44

SHA512
a71c09dd7977718c26c958b974d1a51dc86e256dc374f16352f5d501019a54511e000e5b23690d1afdbfa5bcedabda66f271fb69442285ddb2f5ec90794fc532

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dcf4eb2a1602a86e44a04fe5b8cd8207

SHA1
430f9cabbba5ad0902764c8b1be9fe2f8b2f0e79

SHA256
5aa0cc2d472c8ef22258671b059a394f65a5372e0b5346365013613201324c76

SHA512
2e3766082f6fe7daa6514ab438ac2c790d69429fa13163f979787d21944a0352928d1b9dfeb81b02648a05c80a6992778159f415e787281d3564d8ec87b86fa5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87f1e21fb6a01f76b3f6d053aa1cee77

SHA1
11e8708320eeb7ca3b05affcbb3b55a16292bd5b

SHA256
81c712059ea25d8a09f8e27b05c56dedb0e93b96f3d1c9cd4b4f55506f8a8d53

SHA512
069350354f8887727e5989537f3a454222d799d5bf262f16fc15df9319590071a6fe5b19e12acdfb2a7f2860a77441ca80c445ad31b28c412faec2183df6b8d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42eaf4bd93e5013f3e5b1b7647a76007

SHA1
1f9d5a003eed30bfd06024a23b8c3535588790db

SHA256
133c4140d3570ab0f86b67c6efc89c0d21ee0b3ee094fc60f7821061dbcc5649

SHA512
54a31088896e60031a0afd62ccf8213898b3cc0d557ad9dd095e8d85aa6f9d054afd046850382bf86f5091342014e6e6dac5c9ea69ed878943196d8fa70d073d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d87d8b45f174df3c2983efb0c2eb711

SHA1
e2316d4a4e4da1ab391b67ef3015819d8252fdf9

SHA256
c5223aecac9b140855e810b4d391b546b1843bd3a3f48ec95216f9329da02542

SHA512
6145823fe89911af70fc0913f0f46fc8c131c64603674d6c97fd020b044985c21c8d16c97f8f7378e80ee6194c5669e8a5709b8269994692a2c9106ba84cd8d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e607b8afa06145a4da37f68b0e1d52b0

SHA1
20725beb5b098501b6707de8a4b3886acf88c31e

SHA256
a8b732ea3ca1db4bb3229abdfb58f424eaf048f1446c0c9417e6f54f6c4501f0

SHA512
558630ff2a6d3852e7218b326d9c63d83a62357fdd466d4b3aa32638f2129cde96a94866d63c6c0d5eabdfb486866547e30df4b285eeb15427bc6b84a2dc1712

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05c79bb1ae9ad5219b229edccc9a4a7e

SHA1
1b6bf3f76c0d6f5000ff9453641cb74334998cda

SHA256
96643c64fc72056039296eeb2216ab64fca60545a948faefefe642bdb4a36a84

SHA512
809bd6a1f7df0827414234f4fc410d00ac84a333b5fe23f0aabd862d8db76fe0b1487339faf2ed6ac805afd3346a01610061119c7f5c58a7c44c72d5690d7de7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bbc174ba5083a44654c3933dab10f1dc

SHA1
f0931def34c087c19a04352526f590a3074e6bbf

SHA256
d3154d6c413468497d0e549f11988286c93b98efab74d3b5fe2d81f9b8247244

SHA512
5ffd5fa90f18e94f420cca2c3b87106f7a2c86217d42c72df8217c6c822fbce6541b9613e3af95a8e6bd60d25365457a1a002688b6cb90042ef66565e000011c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3280c0410c108c4811478acdfb1e243c

SHA1
1aacea2eaef7bbc57ee5370b2360e40293afab8d

SHA256
b10db3ef721c01f0817c97921a5c6c75830d1c8ae57847a608079216f46068ad

SHA512
4ccd707e33314d891700dca2dbd8d3bdf0a55751e63b241f1991d68e035c307d408a06c5779b83dd9be69d450ce3b5b2818f903c60fc6c53cec55f68a03458cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFFC5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar64.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\DirectX10.dll

Filesize
1.1MB

MD5
2ee1e467d73642afddb03019f58c252b

SHA1
ea1f3b03f46db029a955190692cecbc571e1d46c

SHA256
5a7d5dafe22082b3ed035d640578ed7b5005edfe80e5c911774ec77a2caff1b3

SHA512
3482715d7c9adbfe61f7834120d1a8fce47ae5d70add285ddcfe8802a5d4a95ae00ae82079b9b9639c5d4fa5126ecfc61e1b09a141c0fea86926e26fc22f9082

Download Submit
memory/3064-4-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3064-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3064-454-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3064-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3064-442-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3064-441-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3064-2-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3064-10-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download