bd8dd45285c8dc69f46910f3076392a4cffb67d523a40dff324cc4378d848d09

Analysis

max time kernel
141s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Size

548KB
MD5

faeead23b7fcdbbd68306a094a77b863
SHA1

fa79021ca0e27c9885a927a3323581d80da1d46e
SHA256

bd8dd45285c8dc69f46910f3076392a4cffb67d523a40dff324cc4378d848d09
SHA512

1cf383cb23533b1477d80e01f11e19adbce4b8b335e09c245a5383cad3cda8a45ee71928a84570682aa668f440f4352271175539e6a701e4b2174298212ea3e4
SSDEEP

6144:cRO63Q738NwY7AmlGR0uYFpvcrfgcGS52C7pzEYK2iEC4aZbhhIUrx1KO589Mv84:s53Qb8IWGR0LGgDSEEPC4aFIUb5h

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3652	svchost.exe
4636	svchost.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\\|MicServiceAQ	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\\|MicServiceAQ\ = "Service"	svchost.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\combm\roptions.ini	svchost.exe
File opened for modification	C:\Windows\SysWOW64\combm\roptions.ini	svchost.exe
File created	C:\Windows\SysWOW64\combm\winhelper.dat	svchost.exe
File created	C:\Windows\SysWOW64\combm\winhelper.dll	svchost.exe
File created	C:\Windows\SysWOW64\combm\$$$.dat	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\combm\roptions.ini	svchost.exe
File created	C:\Windows\SysWOW64\combm\winlogon.dat	svchost.exe
File created	C:\Windows\SysWOW64\combm\winlogon.dll	svchost.exe
File created	C:\Windows\SysWOW64\desktop.dat	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\combm\$$$.dat	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
4636	svchost.exe
4636	svchost.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeSecurityPrivilege	3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeSystemtimePrivilege	3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeShutdownPrivilege	3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeDebugPrivilege	3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeUndockPrivilege	3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: 33	3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: 34	3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: 35	3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: 36	3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	3652	svchost.exe
Token: SeSecurityPrivilege	3652	svchost.exe
Token: SeTakeOwnershipPrivilege	3652	svchost.exe
Token: SeLoadDriverPrivilege	3652	svchost.exe
Token: SeSystemProfilePrivilege	3652	svchost.exe
Token: SeSystemtimePrivilege	3652	svchost.exe
Token: SeProfSingleProcessPrivilege	3652	svchost.exe
Token: SeIncBasePriorityPrivilege	3652	svchost.exe
Token: SeCreatePagefilePrivilege	3652	svchost.exe
Token: SeShutdownPrivilege	3652	svchost.exe
Token: SeDebugPrivilege	3652	svchost.exe
Token: SeSystemEnvironmentPrivilege	3652	svchost.exe
Token: SeRemoteShutdownPrivilege	3652	svchost.exe
Token: SeUndockPrivilege	3652	svchost.exe
Token: SeManageVolumePrivilege	3652	svchost.exe
Token: 33	3652	svchost.exe
Token: 34	3652	svchost.exe
Token: 35	3652	svchost.exe
Token: 36	3652	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4636	svchost.exe
Token: SeIncreaseQuotaPrivilege	4636	svchost.exe
Token: SeSecurityPrivilege	4636	svchost.exe
Token: SeTakeOwnershipPrivilege	4636	svchost.exe
Token: SeLoadDriverPrivilege	4636	svchost.exe
Token: SeSystemtimePrivilege	4636	svchost.exe
Token: SeShutdownPrivilege	4636	svchost.exe
Token: SeSystemEnvironmentPrivilege	4636	svchost.exe
Token: SeUndockPrivilege	4636	svchost.exe
Token: SeManageVolumePrivilege	4636	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3716 wrote to memory of 3652	3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe	82
PID 3716 wrote to memory of 3652	3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe	82
PID 3716 wrote to memory of 3652	3716	faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe	82
PID 4636 wrote to memory of 612	4636	svchost.exe	5
PID 4636 wrote to memory of 668	4636	svchost.exe	7
PID 4636 wrote to memory of 776	4636	svchost.exe	8
PID 4636 wrote to memory of 784	4636	svchost.exe	9
PID 4636 wrote to memory of 792	4636	svchost.exe	10
PID 4636 wrote to memory of 900	4636	svchost.exe	11
PID 4636 wrote to memory of 952	4636	svchost.exe	12
PID 4636 wrote to memory of 60	4636	svchost.exe	13
PID 4636 wrote to memory of 464	4636	svchost.exe	14
PID 4636 wrote to memory of 948	4636	svchost.exe	15
PID 4636 wrote to memory of 1060	4636	svchost.exe	16
PID 4636 wrote to memory of 1092	4636	svchost.exe	17
PID 4636 wrote to memory of 1104	4636	svchost.exe	18
PID 4636 wrote to memory of 1120	4636	svchost.exe	19
PID 4636 wrote to memory of 1144	4636	svchost.exe	20
PID 4636 wrote to memory of 1260	4636	svchost.exe	21
PID 4636 wrote to memory of 1280	4636	svchost.exe	22
PID 4636 wrote to memory of 1364	4636	svchost.exe	23
PID 4636 wrote to memory of 1384	4636	svchost.exe	24
PID 4636 wrote to memory of 1420	4636	svchost.exe	25
PID 4636 wrote to memory of 1540	4636	svchost.exe	26
PID 4636 wrote to memory of 1556	4636	svchost.exe	27
PID 4636 wrote to memory of 1616	4636	svchost.exe	28
PID 4636 wrote to memory of 1708	4636	svchost.exe	29
PID 4636 wrote to memory of 1732	4636	svchost.exe	30
PID 4636 wrote to memory of 1772	4636	svchost.exe	31
PID 4636 wrote to memory of 1804	4636	svchost.exe	32
PID 4636 wrote to memory of 1892	4636	svchost.exe	33
PID 4636 wrote to memory of 1900	4636	svchost.exe	34
PID 4636 wrote to memory of 1940	4636	svchost.exe	35
PID 4636 wrote to memory of 1960	4636	svchost.exe	36
PID 4636 wrote to memory of 1176	4636	svchost.exe	37
PID 4636 wrote to memory of 1600	4636	svchost.exe	38
PID 4636 wrote to memory of 1832	4636	svchost.exe	39
PID 4636 wrote to memory of 2200	4636	svchost.exe	40
PID 4636 wrote to memory of 2208	4636	svchost.exe	41
PID 4636 wrote to memory of 2392	4636	svchost.exe	42
PID 4636 wrote to memory of 2404	4636	svchost.exe	43
PID 4636 wrote to memory of 2436	4636	svchost.exe	44
PID 4636 wrote to memory of 2512	4636	svchost.exe	45
PID 4636 wrote to memory of 2524	4636	svchost.exe	46
PID 4636 wrote to memory of 2556	4636	svchost.exe	47
PID 4636 wrote to memory of 2572	4636	svchost.exe	48
PID 4636 wrote to memory of 2896	4636	svchost.exe	49
PID 4636 wrote to memory of 2952	4636	svchost.exe	50
PID 4636 wrote to memory of 3068	4636	svchost.exe	51
PID 4636 wrote to memory of 732	4636	svchost.exe	53
PID 4636 wrote to memory of 2928	4636	svchost.exe	54
PID 4636 wrote to memory of 3348	4636	svchost.exe	55
PID 4636 wrote to memory of 3452	4636	svchost.exe	56
PID 4636 wrote to memory of 3568	4636	svchost.exe	57
PID 4636 wrote to memory of 3748	4636	svchost.exe	58
PID 4636 wrote to memory of 3836	4636	svchost.exe	59
PID 4636 wrote to memory of 3904	4636	svchost.exe	60
PID 4636 wrote to memory of 3992	4636	svchost.exe	61
PID 4636 wrote to memory of 3476	4636	svchost.exe	62
PID 4636 wrote to memory of 4348	4636	svchost.exe	65
PID 4636 wrote to memory of 2432	4636	svchost.exe	66
PID 4636 wrote to memory of 4564	4636	svchost.exe	68
PID 4636 wrote to memory of 2532	4636	svchost.exe	69
PID 4636 wrote to memory of 1876	4636	svchost.exe	70

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:792
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:60

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:776
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:3068
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3748
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3836
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3904
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:3992
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3476
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:2284
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:4720
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:2376
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4968

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1120
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:732
- C:\Windows\system32\MusNotification.exe
  C:\Windows\system32\MusNotification.exe
  2⤵
  PID:1460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1420
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1960

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:1600

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:1832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2512

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3348

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3452
- C:\Users\Admin\AppData\Local\Temp\faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\faeead23b7fcdbbd68306a094a77b863_JaffaCakes118.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Windows\SysWOW64\combm\svchost.exe
    C:\Windows\System32\combm\svchost.exe /i
    3⤵
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4348

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2532

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1396

C:\Windows\SysWOW64\combm\svchost.exe
C:\Windows\SysWOW64\combm\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\combm\roptions.ini

Filesize
520B

MD5
e49bf0180f26fbd58b10e157739c894f

SHA1
2da264a8b27d47211a76a1400a2a9c4900d83424

SHA256
8ef90e70d7b8e60c1140b19292d8315e8ef484bf13684fac86f07d6ada52ac0a

SHA512
7ededa18c7401dc8d322fa3238de2e0ae219d92a34a1c71c09ed7a1565122d86c777d63d7df3bcbd5447c24a672b876954dae624d82f4f81d8c41d66413d4be3

Download Submit
C:\Windows\SysWOW64\combm\svchost.exe

Filesize
504KB

MD5
d8ab639771c8d20d8e2feb0d3be75186

SHA1
0d7ee6bc86fb182b5823c4a76a78ec936fc02b63

SHA256
fb3e694ad8c9c4d528af2cdb935acc3811795c07b2a2406ad3a25da1a2351fc7

SHA512
c7324fd3107b36687bd30d0067d9bbb24fe410d20b7ed2ac8545a0f3801f6895be2098d762cca55f1f4a9c3256ba154f1320d8a454ad08a49b38d18d5d1b3b24

Download Submit
memory/3652-14-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3716-19-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4636-22-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4636-24-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4636-27-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4636-30-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4636-33-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download