4fc065352dca3d0cce4677396669b1a9558836324bd6dcebe4439d3768bfec75

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 09:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Size

53KB
MD5

ef780dcbdf40323e7a6601b4324f2ee2
SHA1

eaee585ed014b36805954f1f9bbab6d884b43605
SHA256

4fc065352dca3d0cce4677396669b1a9558836324bd6dcebe4439d3768bfec75
SHA512

4e0e95e2553d86b7786c7c77a8ff3acdaa7dc5783c0be0f109f8cdeec94b5cb144fe7a0f6bc05a992cab5bb30ccc454d9dc5c3d42e1ae9b5f2b55daa4a0326e2
SSDEEP

1536:I3SkgxVktwT7hxvbgCn7x0Vz6PGibYILO:IZgfTDcCnGOBL

Score

8^/10

defense_evasion discovery persistence

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 34 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwstub.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwstub.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
1512	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2884	SETUP.EXE

Loads dropped DLL 4 IoCs

pid	Process
2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
2884	SETUP.EXE
2884	SETUP.EXE
2884	SETUP.EXE

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SETUP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Token: SeDebugPrivilege	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Token: SeDebugPrivilege	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Token: SeDebugPrivilege	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Token: SeDebugPrivilege	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Token: SeDebugPrivilege	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Token: SeDebugPrivilege	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Token: SeDebugPrivilege	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Token: SeDebugPrivilege	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2140	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2140	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2140	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2140	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2720	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2720	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2720	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2720	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2708	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2708	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2708	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2708	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2852	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	34
PID 2668 wrote to memory of 2852	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	34
PID 2668 wrote to memory of 2852	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	34
PID 2668 wrote to memory of 2852	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	34
PID 2668 wrote to memory of 2840	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	36
PID 2668 wrote to memory of 2840	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	36
PID 2668 wrote to memory of 2840	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	36
PID 2668 wrote to memory of 2840	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	36
PID 2668 wrote to memory of 2832	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	37
PID 2668 wrote to memory of 2832	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	37
PID 2668 wrote to memory of 2832	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	37
PID 2668 wrote to memory of 2832	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	37
PID 2668 wrote to memory of 2884	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	39
PID 2668 wrote to memory of 2884	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	39
PID 2668 wrote to memory of 2884	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	39
PID 2668 wrote to memory of 2884	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	39
PID 2668 wrote to memory of 2884	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	39
PID 2668 wrote to memory of 2884	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	39
PID 2668 wrote to memory of 2884	2668	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	39
PID 2720 wrote to memory of 2968	2720	net.exe	43
PID 2720 wrote to memory of 2968	2720	net.exe	43
PID 2720 wrote to memory of 2968	2720	net.exe	43
PID 2720 wrote to memory of 2968	2720	net.exe	43
PID 2832 wrote to memory of 2600	2832	net.exe	44
PID 2832 wrote to memory of 2600	2832	net.exe	44
PID 2832 wrote to memory of 2600	2832	net.exe	44
PID 2832 wrote to memory of 2600	2832	net.exe	44
PID 2840 wrote to memory of 2596	2840	net.exe	45
PID 2840 wrote to memory of 2596	2840	net.exe	45
PID 2840 wrote to memory of 2596	2840	net.exe	45
PID 2840 wrote to memory of 2596	2840	net.exe	45
PID 2708 wrote to memory of 2748	2708	net.exe	46
PID 2708 wrote to memory of 2748	2708	net.exe	46
PID 2708 wrote to memory of 2748	2708	net.exe	46
PID 2708 wrote to memory of 2748	2708	net.exe	46
PID 2140 wrote to memory of 2744	2140	net.exe	47
PID 2140 wrote to memory of 2744	2140	net.exe	47
PID 2140 wrote to memory of 2744	2140	net.exe	47
PID 2140 wrote to memory of 2744	2140	net.exe	47
PID 2852 wrote to memory of 2620	2852	net.exe	48
PID 2852 wrote to memory of 2620	2852	net.exe	48
PID 2852 wrote to memory of 2620	2852	net.exe	48
PID 2852 wrote to memory of 2620	2852	net.exe	48
PID 2884 wrote to memory of 2640	2884	SETUP.EXE	49
PID 2884 wrote to memory of 2640	2884	SETUP.EXE	49
PID 2884 wrote to memory of 2640	2884	SETUP.EXE	49
PID 2884 wrote to memory of 2640	2884	SETUP.EXE	49
PID 2884 wrote to memory of 2640	2884	SETUP.EXE	49
PID 2884 wrote to memory of 2640	2884	SETUP.EXE	49
PID 2884 wrote to memory of 2640	2884	SETUP.EXE	49
PID 2884 wrote to memory of 2096	2884	SETUP.EXE	51
PID 2884 wrote to memory of 2096	2884	SETUP.EXE	51

C:\Users\Admin\AppData\Local\Temp\ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe"
1⤵
- Event Triggered Execution: Image File Execution Options Injection
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2744
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2968
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2748
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2620
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2596
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2600
- C:\Users\Admin\AppData\Local\Temp\SETUP.EXE
  C:\Users\Admin\AppData\Local\Temp\SETUP.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\_uninsep.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\_uninsep.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del C:\NTDUBECT.EXE
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\_uninsep.bat

Filesize
128B

MD5
518f996fb53ecd3d3748db8708c21908

SHA1
4c8834441fdcb4898d9d0607e9a9dfd2477a8bfa

SHA256
3770f9b5c752a17164ac0a8d361b01862ab186c2732cb659ce2519280bec79d4

SHA512
7ac8e8066ceefebf7dfd83ce877461a45ae0b1802883ae7b319c5b756cc65a4a58814370d381ec97338a9c18f49bf7966430f6d72ff2e27d6b844a56edfab6c4

Download Submit
\Users\Admin\AppData\Local\Temp\SETUP.EXE

Filesize
10KB

MD5
73ed194861441a4a11fd8305b1e7579c

SHA1
24d32b00779ee78b792808048a156ce1be8e1c18

SHA256
b9a2ddd2da792d7796dc5195495e2839c925fad9d400a2673b4d6233e2e51ed2

SHA512
8c35d7baea959970850fe212f1d92e9081f65f878445f955cc07faa231449902248615e453ebd89223228f03925a4ee2a2b944bf1be077afa7d0c7c93486c1e3

Download Submit
memory/2668-0-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2668-19-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download