4fc065352dca3d0cce4677396669b1a9558836324bd6dcebe4439d3768bfec75

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 09:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Size

53KB
MD5

ef780dcbdf40323e7a6601b4324f2ee2
SHA1

eaee585ed014b36805954f1f9bbab6d884b43605
SHA256

4fc065352dca3d0cce4677396669b1a9558836324bd6dcebe4439d3768bfec75
SHA512

4e0e95e2553d86b7786c7c77a8ff3acdaa7dc5783c0be0f109f8cdeec94b5cb144fe7a0f6bc05a992cab5bb30ccc454d9dc5c3d42e1ae9b5f2b55daa4a0326e2
SSDEEP

1536:I3SkgxVktwT7hxvbgCn7x0Vz6PGibYILO:IZgfTDcCnGOBL

Score

8^/10

defense_evasion discovery persistence

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 34 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwstub.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwstub.exe\Debugger = "TASKMAN.EXE"	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1660	SETUP.EXE

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SETUP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Token: SeDebugPrivilege	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Token: SeDebugPrivilege	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Token: SeDebugPrivilege	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Token: SeDebugPrivilege	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Token: SeDebugPrivilege	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Token: SeDebugPrivilege	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Token: SeDebugPrivilege	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
Token: SeDebugPrivilege	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 3980	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	82
PID 2172 wrote to memory of 3980	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	82
PID 2172 wrote to memory of 3980	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	82
PID 2172 wrote to memory of 984	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	83
PID 2172 wrote to memory of 984	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	83
PID 2172 wrote to memory of 984	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	83
PID 2172 wrote to memory of 1320	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	84
PID 2172 wrote to memory of 1320	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	84
PID 2172 wrote to memory of 1320	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	84
PID 2172 wrote to memory of 4608	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	85
PID 2172 wrote to memory of 4608	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	85
PID 2172 wrote to memory of 4608	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	85
PID 2172 wrote to memory of 2284	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	86
PID 2172 wrote to memory of 2284	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	86
PID 2172 wrote to memory of 2284	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	86
PID 2172 wrote to memory of 2160	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	87
PID 2172 wrote to memory of 2160	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	87
PID 2172 wrote to memory of 2160	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	87
PID 2172 wrote to memory of 1660	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	88
PID 2172 wrote to memory of 1660	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	88
PID 2172 wrote to memory of 1660	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	88
PID 1660 wrote to memory of 3120	1660	SETUP.EXE	95
PID 1660 wrote to memory of 3120	1660	SETUP.EXE	95
PID 1660 wrote to memory of 3120	1660	SETUP.EXE	95
PID 2160 wrote to memory of 3728	2160	net.exe	97
PID 2160 wrote to memory of 3728	2160	net.exe	97
PID 2160 wrote to memory of 3728	2160	net.exe	97
PID 3980 wrote to memory of 4652	3980	net.exe	98
PID 3980 wrote to memory of 4652	3980	net.exe	98
PID 3980 wrote to memory of 4652	3980	net.exe	98
PID 1320 wrote to memory of 704	1320	net.exe	99
PID 1320 wrote to memory of 704	1320	net.exe	99
PID 1320 wrote to memory of 704	1320	net.exe	99
PID 4608 wrote to memory of 3944	4608	net.exe	100
PID 4608 wrote to memory of 3944	4608	net.exe	100
PID 4608 wrote to memory of 3944	4608	net.exe	100
PID 2284 wrote to memory of 4924	2284	net.exe	101
PID 2284 wrote to memory of 4924	2284	net.exe	101
PID 2284 wrote to memory of 4924	2284	net.exe	101
PID 984 wrote to memory of 1368	984	net.exe	102
PID 984 wrote to memory of 1368	984	net.exe	102
PID 984 wrote to memory of 1368	984	net.exe	102
PID 1660 wrote to memory of 2640	1660	SETUP.EXE	103
PID 1660 wrote to memory of 2640	1660	SETUP.EXE	103
PID 1660 wrote to memory of 2640	1660	SETUP.EXE	103
PID 2172 wrote to memory of 3608	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	109
PID 2172 wrote to memory of 3608	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	109
PID 2172 wrote to memory of 3608	2172	ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe	109

C:\Users\Admin\AppData\Local\Temp\ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ef780dcbdf40323e7a6601b4324f2ee2_JaffaCakes118.exe"
1⤵
- Event Triggered Execution: Image File Execution Options Injection
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4652
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1368
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    - System Location Discovery: System Language Discovery
    PID:704
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3944
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4924
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3728
- C:\Users\Admin\AppData\Local\Temp\SETUP.EXE
  C:\Users\Admin\AppData\Local\Temp\SETUP.EXE
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\_uninsep.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\_uninsep.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del C:\NTDUBECT.EXE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SETUP.EXE

Filesize
10KB

MD5
73ed194861441a4a11fd8305b1e7579c

SHA1
24d32b00779ee78b792808048a156ce1be8e1c18

SHA256
b9a2ddd2da792d7796dc5195495e2839c925fad9d400a2673b4d6233e2e51ed2

SHA512
8c35d7baea959970850fe212f1d92e9081f65f878445f955cc07faa231449902248615e453ebd89223228f03925a4ee2a2b944bf1be077afa7d0c7c93486c1e3

Download Submit
\??\c:\_uninsep.bat

Filesize
128B

MD5
518f996fb53ecd3d3748db8708c21908

SHA1
4c8834441fdcb4898d9d0607e9a9dfd2477a8bfa

SHA256
3770f9b5c752a17164ac0a8d361b01862ab186c2732cb659ce2519280bec79d4

SHA512
7ac8e8066ceefebf7dfd83ce877461a45ae0b1802883ae7b319c5b756cc65a4a58814370d381ec97338a9c18f49bf7966430f6d72ff2e27d6b844a56edfab6c4

Download Submit
memory/2172-0-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2172-9-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download