d7daedbc93cf7fa57d5998d6645d1574bb8eced8a17c67ec2ebc06dea6b97934

Analysis

max time kernel
122s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe
Size

82KB
MD5

f03a671ec7616e7870b64684c283ea59
SHA1

f0231397442192ea6d0574a7fd5d10fea7d41f7f
SHA256

d7daedbc93cf7fa57d5998d6645d1574bb8eced8a17c67ec2ebc06dea6b97934
SHA512

787e31471aa5a039eaa9f2dfa9c4ddf3d88e0a269e9237417de21709e51f943c676b9426082cb2084c1a8c10c8528f9f69b8d9b71b681162834911ca3c209dbc
SSDEEP

768:uI/xZk/P9tVTseoQJcWjbnqC03T/rE4ndf/zJ4Pi3Jno3tiFCVm3PDWCGKuTsMC5:zsuQJc7vZ1bZW7VnCaTsL

Score

9^/10

credential_access discovery spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Executes dropped EXE 2 IoCs

pid	Process
2764	wmimgmt.exe
2736	avp.exe

Loads dropped DLL 4 IoCs

pid	Process
2636	f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe
2636	f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe
2764	wmimgmt.exe
2764	wmimgmt.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	wmimgmt.exe

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
808	ARP.EXE

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
3048	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmimgmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ROUTE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2432	PING.EXE
1648	findstr.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
2832	NETSTAT.EXE

Discovers systems in the same network 1 TTPs 4 IoCs

discovery

Remote System Discovery

T1018

pid	Process
1852	net.exe
1904	net.exe
2020	net.exe
1628	net.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1000	ipconfig.exe
2832	NETSTAT.EXE
2212	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2940	systeminfo.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2432	PING.EXE

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeBackupPrivilege	2636	f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe
Token: SeBackupPrivilege	2636	f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe
Token: SeRestorePrivilege	2636	f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe
Token: SeBackupPrivilege	2636	f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe
Token: SeRestorePrivilege	2636	f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe
Token: SeBackupPrivilege	2636	f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe
Token: SeRestorePrivilege	2636	f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe
Token: SeBackupPrivilege	2636	f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe
Token: SeRestorePrivilege	2636	f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe
Token: SeBackupPrivilege	2636	f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe
Token: SeRestorePrivilege	2636	f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe
Token: SeDebugPrivilege	3048	tasklist.exe
Token: SeDebugPrivilege	2832	NETSTAT.EXE
Token: SeBackupPrivilege	2764	wmimgmt.exe
Token: SeBackupPrivilege	2764	wmimgmt.exe
Token: SeBackupPrivilege	2764	wmimgmt.exe
Token: SeBackupPrivilege	2764	wmimgmt.exe
Token: SeBackupPrivilege	2764	wmimgmt.exe
Token: SeBackupPrivilege	2764	wmimgmt.exe
Token: SeRestorePrivilege	2764	wmimgmt.exe
Token: SeBackupPrivilege	2764	wmimgmt.exe
Token: SeBackupPrivilege	2764	wmimgmt.exe
Token: SeBackupPrivilege	2764	wmimgmt.exe
Token: SeBackupPrivilege	2764	wmimgmt.exe
Token: SeBackupPrivilege	2764	wmimgmt.exe
Token: SeBackupPrivilege	2764	wmimgmt.exe
Token: SeBackupPrivilege	2764	wmimgmt.exe
Token: SeBackupPrivilege	2764	wmimgmt.exe
Token: SeBackupPrivilege	2764	wmimgmt.exe
Token: SeBackupPrivilege	2764	wmimgmt.exe
Token: SeBackupPrivilege	2764	wmimgmt.exe
Token: SeBackupPrivilege	2764	wmimgmt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2764	2636	f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe	30
PID 2636 wrote to memory of 2764	2636	f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe	30
PID 2636 wrote to memory of 2764	2636	f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe	30
PID 2636 wrote to memory of 2764	2636	f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe	30
PID 2764 wrote to memory of 2736	2764	wmimgmt.exe	31
PID 2764 wrote to memory of 2736	2764	wmimgmt.exe	31
PID 2764 wrote to memory of 2736	2764	wmimgmt.exe	31
PID 2764 wrote to memory of 2736	2764	wmimgmt.exe	31
PID 2764 wrote to memory of 2872	2764	wmimgmt.exe	32
PID 2764 wrote to memory of 2872	2764	wmimgmt.exe	32
PID 2764 wrote to memory of 2872	2764	wmimgmt.exe	32
PID 2764 wrote to memory of 2872	2764	wmimgmt.exe	32
PID 2872 wrote to memory of 2700	2872	cmd.exe	34
PID 2872 wrote to memory of 2700	2872	cmd.exe	34
PID 2872 wrote to memory of 2700	2872	cmd.exe	34
PID 2872 wrote to memory of 2700	2872	cmd.exe	34
PID 2872 wrote to memory of 2580	2872	cmd.exe	35
PID 2872 wrote to memory of 2580	2872	cmd.exe	35
PID 2872 wrote to memory of 2580	2872	cmd.exe	35
PID 2872 wrote to memory of 2580	2872	cmd.exe	35
PID 2872 wrote to memory of 2588	2872	cmd.exe	36
PID 2872 wrote to memory of 2588	2872	cmd.exe	36
PID 2872 wrote to memory of 2588	2872	cmd.exe	36
PID 2872 wrote to memory of 2588	2872	cmd.exe	36
PID 2588 wrote to memory of 2532	2588	net.exe	37
PID 2588 wrote to memory of 2532	2588	net.exe	37
PID 2588 wrote to memory of 2532	2588	net.exe	37
PID 2588 wrote to memory of 2532	2588	net.exe	37
PID 2872 wrote to memory of 2552	2872	cmd.exe	38
PID 2872 wrote to memory of 2552	2872	cmd.exe	38
PID 2872 wrote to memory of 2552	2872	cmd.exe	38
PID 2872 wrote to memory of 2552	2872	cmd.exe	38
PID 2552 wrote to memory of 2596	2552	net.exe	39
PID 2552 wrote to memory of 2596	2552	net.exe	39
PID 2552 wrote to memory of 2596	2552	net.exe	39
PID 2552 wrote to memory of 2596	2552	net.exe	39
PID 2872 wrote to memory of 3048	2872	cmd.exe	40
PID 2872 wrote to memory of 3048	2872	cmd.exe	40
PID 2872 wrote to memory of 3048	2872	cmd.exe	40
PID 2872 wrote to memory of 3048	2872	cmd.exe	40
PID 2872 wrote to memory of 2940	2872	cmd.exe	42
PID 2872 wrote to memory of 2940	2872	cmd.exe	42
PID 2872 wrote to memory of 2940	2872	cmd.exe	42
PID 2872 wrote to memory of 2940	2872	cmd.exe	42
PID 2872 wrote to memory of 2504	2872	cmd.exe	44
PID 2872 wrote to memory of 2504	2872	cmd.exe	44
PID 2872 wrote to memory of 2504	2872	cmd.exe	44
PID 2872 wrote to memory of 2504	2872	cmd.exe	44
PID 2872 wrote to memory of 444	2872	cmd.exe	45
PID 2872 wrote to memory of 444	2872	cmd.exe	45
PID 2872 wrote to memory of 444	2872	cmd.exe	45
PID 2872 wrote to memory of 444	2872	cmd.exe	45
PID 2872 wrote to memory of 2232	2872	cmd.exe	46
PID 2872 wrote to memory of 2232	2872	cmd.exe	46
PID 2872 wrote to memory of 2232	2872	cmd.exe	46
PID 2872 wrote to memory of 2232	2872	cmd.exe	46
PID 2872 wrote to memory of 1964	2872	cmd.exe	47
PID 2872 wrote to memory of 1964	2872	cmd.exe	47
PID 2872 wrote to memory of 1964	2872	cmd.exe	47
PID 2872 wrote to memory of 1964	2872	cmd.exe	47
PID 2872 wrote to memory of 1348	2872	cmd.exe	48
PID 2872 wrote to memory of 1348	2872	cmd.exe	48
PID 2872 wrote to memory of 1348	2872	cmd.exe	48
PID 2872 wrote to memory of 1348	2872	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f03a671ec7616e7870b64684c283ea59_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2636
- C:\ProgramData\Application Data\wmimgmt.exe
  "C:\ProgramData\Application Data\wmimgmt.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\avp.exe
    C:\Users\Admin\AppData\Local\Temp\avp.exe
    3⤵
    - Executes dropped EXE
    PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:2700
  - - C:\Windows\SysWOW64\chcp.com
      chcp
      4⤵
      System Location Discovery: System Language Discovery
      PID:2580
  - - C:\Windows\SysWOW64\net.exe
      net user
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2532
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3048
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      System Location Discovery: System Language Discovery
      Gathers system information
      PID:2940
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2504
  - - C:\Windows\SysWOW64\find.exe
      find "REG_"
      4⤵
      System Location Discovery: System Language Discovery
      PID:444
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office
      4⤵
      System Location Discovery: System Language Discovery
      PID:2232
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:1964
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:1348
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:332
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:1980
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:2240
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:2424
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:1000
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -ano
      4⤵
      System Location Discovery: System Language Discovery
      System Network Connections Discovery
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2832
  - - C:\Windows\SysWOW64\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      System Location Discovery: System Language Discovery
      PID:808
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -r
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:2212
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
      - C:\Windows\SysWOW64\ROUTE.EXE
        
        C:\Windows\system32\route.exe print
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
  - - C:\Windows\SysWOW64\net.exe
      net start
      4⤵
      System Location Discovery: System Language Discovery
      PID:2768
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2520
  - - C:\Windows\SysWOW64\net.exe
      net use
      4⤵
      System Location Discovery: System Language Discovery
      PID:2592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo n"
      4⤵
      System Location Discovery: System Language Discovery
      PID:292
  - - C:\Windows\SysWOW64\net.exe
      net share
      4⤵
      System Location Discovery: System Language Discovery
      PID:552
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 share
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2220
  - - C:\Windows\SysWOW64\net.exe
      net view /domain
      4⤵
      System Location Discovery: System Language Discovery
      Discovers systems in the same network
      PID:1904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1952
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "------"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2336
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "domain"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1524
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "¬A╛╣"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2344
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "░⌡ªµª¿"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1100
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "├ⁿ┴ε"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2164
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2172
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "completed successfully"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1160
  - - C:\Windows\SysWOW64\net.exe
      net view /domain:"WORKGROUP"
      4⤵
      System Location Discovery: System Language Discovery
      Discovers systems in the same network
      PID:2020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\workgrp.tmp "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1384
  - - C:\Windows\SysWOW64\find.exe
      find "\\"
      4⤵
      System Location Discovery: System Language Discovery
      PID:852
  - - C:\Windows\SysWOW64\net.exe
      net view \\ZQABOPWE
      4⤵
      System Location Discovery: System Language Discovery
      Discovers systems in the same network
      PID:1628
  - - C:\Windows\SysWOW64\net.exe
      net view \\ZQABOPWE
      4⤵
      System Location Discovery: System Language Discovery
      Discovers systems in the same network
      PID:1852
  - - C:\Windows\SysWOW64\find.exe
      find "Disk"
      4⤵
      System Location Discovery: System Language Discovery
      PID:928
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 ZQABOPWE
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2432
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "Pinging Reply Request Unknown"
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Privilege Escalation

Account Manipulation

T1098

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\INFO.TXT

Filesize
43B

MD5
c46903099c41ad82f3a134a1d9d62223

SHA1
076aa7b654665188ceb5c2d7fcbd0d22b948163b

SHA256
b84f9dde7feafe234e2daed5c4e0078404c1a08efabd5efd49b26774a8bd3ee6

SHA512
dd01122df330c8526cff225ac4ab979079fc0c86730a43bba45a2765104e57d915c339fe3caa8230351ec081dc7b34930199e1285a8eafaeaa0eca0a8d71bc79

Download Submit
C:\Users\Admin\AppData\Local\Temp\INFO.TXT

Filesize
7KB

MD5
2d33cfb5039ebb82bdff946dabae8d02

SHA1
2fe2700577640e7e4ef342e1f25acb8e3fe67732

SHA256
7d9c0ecffd2b1a508b60c55fa19f7e5fca5eebc66c9f5eabdf4051f2ed0409d6

SHA512
a63f00e77098f26761fd35e8b304a1e39a30431e30ec836ee91df81d4b82350de61c69c25a3738a4f986a5923832c9d843fa1a752c86b26d92723471b25e8d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\INFO.TXT

Filesize
15KB

MD5
efe7bcd4dce64eac3ef0fc371719e7ef

SHA1
a9600ba9e05cdd195bc20256f446dfb176d66dfa

SHA256
c93ef40bd12e364339d51399a6bf0b92b5039eed453a06e378a31ba74e0408fa

SHA512
f60d98d0178266dbcdbb78799a4c89a64d0855e3d2b197e29c89c8021add2206a949c3829bc1b7fd6d340038b3972aa62225f943961de9de2565f74356e9bf11

Download Submit
C:\Users\Admin\AppData\Local\Temp\INFO.TXT

Filesize
24.9MB

MD5
d9a334279b473f7371665845436d5842

SHA1
86f3b86a6492cf2897525e927eb9f610db4106e0

SHA256
e96e522338e003d992bce5b8bb4008d26296e93b7c98dc614de71f86272b6064

SHA512
4fe0df5cd77f6b8b936f64d6ebdd14a0488f6534d287516456273015d0c9f8765229dfef4e1c0bd202de2b73d548dd9a3e6076ee476c6ac48aba3c908ceeedc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\drivers.p

Filesize
15B

MD5
4ff8e80638f36abd8fb131c19425317b

SHA1
358665afaf5f88dfebcdb7c56e963693c520c136

SHA256
6b8ceb900443f4924efd3187693038965ad7edb488879305489aa72d78f69626

SHA512
d4e6e3d789bc76102c500b46a5aa799c5ebfc432a44117aa0b7c7512439d33a423630b963fb04cda1da17a7f6517b276a3e9298c17cbf795964090f4b9e5d8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghi.bat

Filesize
3KB

MD5
b98e8fcde49a1caee295a6bd3d264e56

SHA1
71c82391a8617212ad48c8d79755e71be2e20be9

SHA256
e369c7e2e7ac0280882693038b213be0309c910df62f35a5159a125ecd18fb9a

SHA512
fb5fa414449e7dd4ce1fedcb92487f59ed18d7fbd3146eb59ec8f7256d68551adebb7d35e859fe7b6bce5a0b042b0de1e9ee56369a8686976dd121b44ff46742

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.log

Filesize
153B

MD5
b256c8a481b065860c2812e742f50250

SHA1
51ddf02764fb12d88822450e8a27f9deac85fe54

SHA256
b167a692a2ff54cc5625797ddc367ba8736797130b93961d68b9150aef2f0e12

SHA512
f425ae70449d16bdb05fcc7913744fb0a81ab81278735d77ce316007b8298ad3c3991a29af67b336420f7dca94702271e59186174b5b78b5cdab1f8ce0163360

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.log

Filesize
64B

MD5
e29f80bf6f6a756e0bc6d7f5189a9bb2

SHA1
acdd1032b7dc189f8e68b390fe6fd964618acd72

SHA256
8bfe9f81e5c82cbfe69203c993009c22f940f20727fa8cb43773958bf0eba7c7

SHA512
f390fc82bdeb43721aa08f3666a4ed7d9ad4a5c1ff91be6967336417a5a5b7968b945773f68effcbe961072b801c3681455cf98b956cd802eba24190bd54268e

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.log

Filesize
72B

MD5
59f2768506355d8bc50979f6d64ded26

SHA1
b2d315b3857bec8335c526a08d08d6a1b5f5c151

SHA256
7f9f3cbab32b3a5022bed245092835cb12502fa2e79d85c8c45d478918ee6569

SHA512
e9aa231d19cb5f93711cd3ffee4a6bd8764b21249ed7eb06ff34bcb457cd075384a0858ea35a99280bff16c01875a4ed79598a6503fcf5262da6f0849b5b1028

Download Submit
C:\Users\Admin\AppData\Local\Temp\workgrp.tmp

Filesize
234B

MD5
9f514a9a9be8c276f087b96c5672793f

SHA1
1246bb423354f1d2933b6ba349afc4cdc9081d7a

SHA256
1bad6d563fe359f1efab71d957041f1dc000b35b324a77e60e0d5333b3790107

SHA512
8fee0279266c8e27a3d4970881bad1767f7a7fd2ee7424b2bee5c5e2d2298f17788fd55ccbe874c076772c25f8a787b74b5c9256d6ed189ba77e7112640d7f1e

Download Submit
\ProgramData\wmimgmt.exe

Filesize
82KB

MD5
f03a671ec7616e7870b64684c283ea59

SHA1
f0231397442192ea6d0574a7fd5d10fea7d41f7f

SHA256
d7daedbc93cf7fa57d5998d6645d1574bb8eced8a17c67ec2ebc06dea6b97934

SHA512
787e31471aa5a039eaa9f2dfa9c4ddf3d88e0a269e9237417de21709e51f943c676b9426082cb2084c1a8c10c8528f9f69b8d9b71b681162834911ca3c209dbc

Download Submit
\Users\Admin\AppData\Local\Temp\avp.exe

Filesize
24KB

MD5
d0f4e76ba18f7417cd633298335d7173

SHA1
95779eda281afeb2126c801b7eca3f16875bbeec

SHA256
8bf863a2acd05ee6587f2660e822d38839a09f8e4bd447146edad8c124f8f648

SHA512
d4a2f3ab1897594f2ace4a78b029629a62aa93b473443321ad6359c1c3b0c6e8b77ab3ceb01242d48e619c8243bab46cf896f038eb10a72ebf676f99d73b1bc8

Download Submit
memory/2636-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2636-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2636-10-0x0000000000320000-0x0000000000348000-memory.dmp

Filesize
160KB

Download
memory/2636-74-0x0000000000320000-0x0000000000348000-memory.dmp

Filesize
160KB

Download
memory/2764-75-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads