ac4b37a2facba94ee05030e6ef3a0898b6078a96bbb798ae9c1e6d075827beb2

Analysis

max time kernel
143s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe
Size

398KB
MD5

fbc2c420abf78cac67f0ad1b699d498a
SHA1

6d8b9ca17a5c7ce312108a7a8ea36c5052bc0c05
SHA256

ac4b37a2facba94ee05030e6ef3a0898b6078a96bbb798ae9c1e6d075827beb2
SHA512

8a131e3bc8d86c9a97c7b749eea520561a92d05a2c7fb02f18facf9be246ad508ba1a73b0ea1779573a800c336b3c3a8265e6532fefa473756d2fcb15f25a569
SSDEEP

12288:0BZHH6OfVl9JvtJ5mVicCocaC+jbDEdzknOhzEvboE:8aOdltJ5mVqMlbarhgvsE

Score

10^/10

defense_evasion discovery evasion execution persistence trojan upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	7bsxzxl.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	3E4U - Bucks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	1EuroP.exe

Executes dropped EXE 8 IoCs

pid	Process
824	cb.exe
3872	1EuroP.exe
3432	2IC.exe
5012	3E4U - Bucks.exe
3696	6tbp.exe
1288	IR.exe
1560	7bsxzxl.exe
4020	7bsxzxl.exe

Loads dropped DLL 2 IoCs

pid	Process
3788	rundll32.exe
4592	rundll32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Whined = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\rnatex.dll\",Startup"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\46f2 = "C:\\Users\\Admin\\AppData\\Roaming\\7bsxzxl.exe"	IR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	Rundll32.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IR.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002343a-58.dat	upx
behavioral2/memory/1288-78-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/5012-80-0x0000000000BC0000-0x0000000000BDB000-memory.dmp	upx
behavioral2/memory/1560-87-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/1288-98-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/1560-106-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4020-108-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4020-131-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/1560-136-0x0000000000400000-0x0000000000430000-memory.dmp	upx

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1368	sc.exe
800	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
912	3432	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2IC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1EuroP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3E4U - Bucks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6tbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runonce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7bsxzxl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7bsxzxl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
5012	3E4U - Bucks.exe
5012	3E4U - Bucks.exe
5012	3E4U - Bucks.exe
5012	3E4U - Bucks.exe
3788	rundll32.exe
3788	rundll32.exe
3788	rundll32.exe
3788	rundll32.exe
3788	rundll32.exe
3788	rundll32.exe
3788	rundll32.exe
3788	rundll32.exe
3788	rundll32.exe
3788	rundll32.exe
3788	rundll32.exe
3788	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5012	3E4U - Bucks.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3696	6tbp.exe
3788	rundll32.exe
1288	IR.exe
1288	IR.exe
1288	IR.exe
1560	7bsxzxl.exe
1560	7bsxzxl.exe
1560	7bsxzxl.exe
4020	7bsxzxl.exe
4020	7bsxzxl.exe
4020	7bsxzxl.exe
4592	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 824	1684	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	82
PID 1684 wrote to memory of 824	1684	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	82
PID 1684 wrote to memory of 824	1684	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	82
PID 1684 wrote to memory of 3872	1684	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	83
PID 1684 wrote to memory of 3872	1684	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	83
PID 1684 wrote to memory of 3872	1684	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	83
PID 1684 wrote to memory of 3432	1684	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	84
PID 1684 wrote to memory of 3432	1684	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	84
PID 1684 wrote to memory of 3432	1684	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	84
PID 1684 wrote to memory of 5012	1684	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	85
PID 1684 wrote to memory of 5012	1684	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	85
PID 1684 wrote to memory of 5012	1684	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	85
PID 1684 wrote to memory of 3696	1684	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	86
PID 1684 wrote to memory of 3696	1684	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	86
PID 1684 wrote to memory of 3696	1684	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	86
PID 1684 wrote to memory of 1288	1684	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	88
PID 1684 wrote to memory of 1288	1684	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	88
PID 1684 wrote to memory of 1288	1684	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	88
PID 3696 wrote to memory of 3788	3696	6tbp.exe	89
PID 3696 wrote to memory of 3788	3696	6tbp.exe	89
PID 3696 wrote to memory of 3788	3696	6tbp.exe	89
PID 5012 wrote to memory of 4920	5012	3E4U - Bucks.exe	93
PID 5012 wrote to memory of 4920	5012	3E4U - Bucks.exe	93
PID 5012 wrote to memory of 4920	5012	3E4U - Bucks.exe	93
PID 3872 wrote to memory of 5044	3872	1EuroP.exe	95
PID 3872 wrote to memory of 5044	3872	1EuroP.exe	95
PID 3872 wrote to memory of 5044	3872	1EuroP.exe	95
PID 1288 wrote to memory of 4564	1288	IR.exe	97
PID 1288 wrote to memory of 4564	1288	IR.exe	97
PID 1288 wrote to memory of 4564	1288	IR.exe	97
PID 1288 wrote to memory of 1368	1288	IR.exe	98
PID 1288 wrote to memory of 1368	1288	IR.exe	98
PID 1288 wrote to memory of 1368	1288	IR.exe	98
PID 1288 wrote to memory of 4032	1288	IR.exe	99
PID 1288 wrote to memory of 4032	1288	IR.exe	99
PID 1288 wrote to memory of 4032	1288	IR.exe	99
PID 1288 wrote to memory of 800	1288	IR.exe	100
PID 1288 wrote to memory of 800	1288	IR.exe	100
PID 1288 wrote to memory of 800	1288	IR.exe	100
PID 1288 wrote to memory of 1560	1288	IR.exe	103
PID 1288 wrote to memory of 1560	1288	IR.exe	103
PID 1288 wrote to memory of 1560	1288	IR.exe	103
PID 1288 wrote to memory of 4784	1288	IR.exe	106
PID 1288 wrote to memory of 4784	1288	IR.exe	106
PID 1288 wrote to memory of 4784	1288	IR.exe	106
PID 4564 wrote to memory of 1720	4564	net.exe	107
PID 4564 wrote to memory of 1720	4564	net.exe	107
PID 4564 wrote to memory of 1720	4564	net.exe	107
PID 4032 wrote to memory of 4064	4032	net.exe	108
PID 4032 wrote to memory of 4064	4032	net.exe	108
PID 4032 wrote to memory of 4064	4032	net.exe	108
PID 4784 wrote to memory of 4148	4784	Rundll32.exe	109
PID 4784 wrote to memory of 4148	4784	Rundll32.exe	109
PID 4784 wrote to memory of 4148	4784	Rundll32.exe	109
PID 1288 wrote to memory of 5116	1288	IR.exe	110
PID 1288 wrote to memory of 5116	1288	IR.exe	110
PID 1288 wrote to memory of 5116	1288	IR.exe	110
PID 1560 wrote to memory of 4020	1560	7bsxzxl.exe	112
PID 1560 wrote to memory of 4020	1560	7bsxzxl.exe	112
PID 1560 wrote to memory of 4020	1560	7bsxzxl.exe	112
PID 4148 wrote to memory of 1848	4148	runonce.exe	113
PID 4148 wrote to memory of 1848	4148	runonce.exe	113
PID 4148 wrote to memory of 1848	4148	runonce.exe	113
PID 3788 wrote to memory of 4592	3788	rundll32.exe	122

C:\Users\Admin\AppData\Local\Temp\fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\nsi8148.tmp\cb.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8148.tmp\cb.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:824
- C:\Users\Admin\AppData\Local\Temp\nsi8148.tmp\1EuroP.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8148.tmp\1EuroP.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Bwb..bat" > nul 2> nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5044
- C:\Users\Admin\AppData\Local\Temp\nsi8148.tmp\2IC.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8148.tmp\2IC.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 488
    3⤵
    - Program crash
    PID:912
- C:\Users\Admin\AppData\Local\Temp\nsi8148.tmp\3E4U - Bucks.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8148.tmp\3E4U - Bucks.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\nsi8148.tmp\3E4U-B~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4920
- C:\Users\Admin\AppData\Local\Temp\nsi8148.tmp\6tbp.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8148.tmp\6tbp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\rnatex.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3788
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\rnatex.dll",iep
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4592
- C:\Users\Admin\AppData\Local\Temp\nsi8148.tmp\IR.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8148.tmp\IR.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\SysWOW64\net.exe
    net.exe stop "Security Center"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Security Center"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1720
- - C:\Windows\SysWOW64\sc.exe
    sc config wscsvc start= DISABLED
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1368
- - C:\Windows\SysWOW64\net.exe
    net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4064
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= DISABLED
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:800
- - C:\Users\Admin\AppData\Roaming\7bsxzxl.exe
    C:\Users\Admin\AppData\Roaming\7bsxzxl.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\Users\Admin\AppData\Roaming\7bsxzxl.exe
      C:\Users\Admin\AppData\Roaming\7bsxzxl.exe -d0112C52F9F58558A5AAB022551154144C95C5A2A9CFEA861F894DEA81BCD4C24F38F7D60D1ADACF289FDD679B48A7B53F5364BA36CC7500CBD84572B58279FEDDB92218ED2DAE8041B5A5116B44F2E24C4F3226E1AABABAB7AC8B8D06A9EC2446334B4A6928C3585894F0750915298CD803D033039620631486AB8F6334D12A374627DD4430100C78CBDCD9ECD0835B6B15C55559962EDD17FE44A15D30D2CC43752007D5622F7EE1E49B9E329B6C361204BBA094A6F2E98B9B4A52AAB93ED0B166902107B3606FB77071F85A6373F77D7691A5F9FD1D6AACF2C3CAC5D9B72A5B8048884A3115AEB0F0E9405854FE5A61E2B98B1285B3185D969C54DC932187307E9D872018960D4A245EED2470E32F47FDF9AA3B699CE553106357D10BD7C462B677582044FC6FB2618413EACB2E408C214C47E5AD878497043C1B694ED7C0E8FC1265C5DB978C7D5C4E3AEB677F81FF1FAFCBC65E03DC16FC6DDB7F511334BDBBEEEF3FEE0A30829FB6834A670AACD54FB670F683B6A5946BD40541595FF44F8D714DC1868B440DAA9A635FD1177FB757B695235068BF14FFCDDAD13097D680F681CB51BB95910E162B0DA7CA71DD71CBEA84BDB966E852207EB2D52678A5E8822CC85B9CC7E587815DE13245D991A53B60976
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4020
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Roaming\mdinstall.inf
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Windows\SysWOW64\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious use of WriteProcessMemory
      PID:4148
    - - C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\7zd70ah5.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3432 -ip 3432
1⤵
PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Bwb..bat

Filesize
182B

MD5
bd70afb0aa3e19025db8f0a6214c1859

SHA1
88aac5c6e85ed4ea4a17b0bf65d29f973787fdd7

SHA256
fffada7eef4a5aaa6a59af17a354cf2fb548aaa055f3fbe43249e2d70f88e421

SHA512
6a424b12764683a7d939c8affef57b110c817f555dc53b565c48613f014b3ba606a4ddd97c1828a2ffcd661a47fbeb4e9b1dedc561cd5d15b598a01721bcb12e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi8148.tmp\1EuroP.exe

Filesize
75KB

MD5
87fb5442c7843acf787ea54f50d27ef3

SHA1
e2c0bc89abdf1cc14f030633b8520fa488c2ee7c

SHA256
40abf4fe2142f94b0a9b6ebf933423b47a975b4b6a67332545e9dc7afcfbd1e2

SHA512
09307d21725976717bd162c019ffccd3f7667eee0506de009df99ce52d220b56452530df51275638a5298ac11ca6ab3b11ce29270e5f8b66c8547f34c407488c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi8148.tmp\2IC.exe

Filesize
168KB

MD5
84d7956209c39cde3b9b02d1b6c64113

SHA1
9feb8cb82f178be3180d033d9b1715b0d5114c58

SHA256
28e120376e926940dc45f8cc2f9193457bf8b89671901453d30e996ca617a29a

SHA512
03a55ad0b5ec4913b3a53b6cb67afbf661c0321a6e059a6e01272c9e7fc10935c2f9297640d905eeb3d00a1b5154269052be4b6bf74627c3577722ea7c91ee18

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi8148.tmp\3E4U - Bucks.exe

Filesize
29KB

MD5
bc1e9eefab202aa96ca36e2de9e0d167

SHA1
2a7f254e2ede629db228f95075eaa9c74f5f7586

SHA256
e5775cc832c611d33bae42484d318e62b374fcf8786f11d5ae8087e5fb6d011f

SHA512
8e8c00acae442246de1aaf821d7f0a5a3d77c64f3946ad48caebdf841b790472be2f4bdc6027103ca695f10101869382e5a43aec023164d0fac136bb8528a773

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi8148.tmp\6tbp.exe

Filesize
112KB

MD5
e9f63abc82ffabfaa4c325da1554af7c

SHA1
9bd51f5695225f7a13a44a03d0eac2b1339dab5f

SHA256
7ff56015fd3fe7ccec00eb198318d8647c0c3386974f1889abc632a55ceafa80

SHA512
2721a5cdae7c0a066defe65b7e9e4f15bab7b0ffbffe0eb72e2c3d21c0f2fe547def37df3ec1c7ccdae7a89383d9514d44f386e0c0ab8f14b69c666f9c8b8ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi8148.tmp\IR.exe

Filesize
61KB

MD5
b4060ce0c8f8a3bad7a63b9fa95c1464

SHA1
f77bb4306747258219f2b97693d62eedc438ccae

SHA256
cd964af4e62c9007c4aaedd9ccab5cf84a78b51e11332ded2b591c81b23872d6

SHA512
35eb45b85f3166a5f007465911e04669e8182df1cf23815ab109868507c95479561950faf918afe8d3664a6f0f04492d6742b74369d7e85f1090f964ecb9544e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi8148.tmp\cb.exe

Filesize
3KB

MD5
46e07fd3a40760fda18cf6b4fc691742

SHA1
53ee1a754bf5e94fa88a6ab8bb6120b4011afcfa

SHA256
bd7ca609d2fb63e14d08acab1091579c23e298b4fa2ac1e8d2daaff94fc107be

SHA512
ce13f6527cbd13002dca00b71ab38ab12e3f3f7138ada0780ad3f40e7c49946c018a00782ec957b1fd123fb439aabc0d9b3660829dabf10ddcebba08d6e2fbbd

Download Submit
C:\Users\Admin\AppData\Local\rnatex.dll

Filesize
112KB

MD5
7131c18f90b51938fbe7f4e5744a82b6

SHA1
3c69d3e7b45bd4a6d2aaf8096a6448b93fd4f550

SHA256
0fff9ca615a9371402721e8b3a4c99ef846bff7e5e663b764660edae138f5fa7

SHA512
dc982b471b0bc27e5358bb5ca3fa948a76d407251f66c040e8499a07e104f41d53a85db398b6bf2e709347dda55dee062005adfd2bc19263051a05ef0382135b

Download Submit
C:\Users\Admin\AppData\Roaming\7zd70ah5.bat

Filesize
154B

MD5
a280278bb9c797f33ac5935760597c17

SHA1
25bebd5743b88ed4c054f4756dd6e7472aa0a674

SHA256
e586ae3ff04c846a28f89d2f01e6dc9ceb7b761a58ac6c362154b67bfbc1c0b4

SHA512
dfa2cf2ad1f4dee6bc57ae766e4721de2c8c1702f69599804e38ca09085ad42f31c404251f5c601559fd8b1a84df1bfaf33834fc8fba2706cbbfb03fdb621b57

Download Submit
C:\Users\Admin\AppData\Roaming\mdinstall.inf

Filesize
410B

MD5
3ccb3b743b0d79505a75476800c90737

SHA1
b5670f123572972883655ef91c69ecc2be987a63

SHA256
5d96bec9bc06fd8d7abc11efbb3cb263844ee0416910f63581dd7848b4e1d8dd

SHA512
09b1cdd4393f515f7569fbccc3f63051823ed7292b6e572bc9a34e4389b727b2914b22118e874864ccb32ef63016b2abd6d84510fd46fdee712fd84be59c114e

Download Submit
memory/1288-78-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1288-98-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1560-106-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1560-136-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1560-87-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3696-104-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/3696-67-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/3788-105-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/3788-74-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/3788-116-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/3788-119-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/3872-82-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3872-41-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3872-35-0x0000000001F60000-0x0000000001F85000-memory.dmp

Filesize
148KB

Download
memory/4020-108-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4020-131-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4592-120-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/5012-80-0x0000000000BC0000-0x0000000000BDB000-memory.dmp

Filesize
108KB

Download
memory/5012-77-0x0000000002EA0000-0x0000000003E50000-memory.dmp

Filesize
15.7MB

Download