Analysis
max time kernel: 147s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 01/10/2024, 00:42
Static task: static1
Behavioral task: behavioral1
Sample: 03cae9ca903d0d948fd144ba9315a1a8_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 03cae9ca903d0d948fd144ba9315a1a8_JaffaCakes118.exe
Size: 207KB
MD5: 03cae9ca903d0d948fd144ba9315a1a8
SHA1: c3929908918990100f1930c36509b37219aa1b85
SHA256: 7b0deff51daba0c2967e71799ad43f2b7a53c36703051eb8e95bbe06df85c450
SHA512: 385691a678941ad3bd116cb80d79c7daf55c36a097ed019392fceb2e884de7178d1a1eb2e5631b45fb5d3689c3a8056914541eed810d211c69780cb46d02e424
SSDEEP: 3072:iNu9h3eiLZT2UTOyU2qTq/yecrqyEIlyny4iio1t1oBM9/AC99kLNh11GJ+UEtEj:lh3eeTXFUnq/yesLEoynn7BMJSXtt34
Malware Config
Signatures
Modifies security service (2 TTPs, 20 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Executes dropped EXE (10 IoCs)
pid | Process
2944 | Tilecomgm.com
1096 | Tilecomgm.com
1160 | Tilecomgm.com
1072 | Tilecomgm.com
1704 | Tilecomgm.com
2672 | Tilecomgm.com
2484 | Tilecomgm.com
2856 | Tilecomgm.com
1316 | Tilecomgm.com
2520 | Tilecomgm.com
Loads dropped DLL (20 IoCs)
pid | Process
1292 | 03cae9ca903d0d948fd144ba9315a1a8_JaffaCakes118.exe
1292 | 03cae9ca903d0d948fd144ba9315a1a8_JaffaCakes118.exe
2944 | Tilecomgm.com
2944 | Tilecomgm.com
1096 | Tilecomgm.com
1096 | Tilecomgm.com
1160 | Tilecomgm.com
1160 | Tilecomgm.com
1072 | Tilecomgm.com
1072 | Tilecomgm.com
1704 | Tilecomgm.com
1704 | Tilecomgm.com
2672 | Tilecomgm.com
2672 | Tilecomgm.com
2484 | Tilecomgm.com
2484 | Tilecomgm.com
2856 | Tilecomgm.com
2856 | Tilecomgm.com
1316 | Tilecomgm.com
1316 | Tilecomgm.com
Writes to the Master Boot Record (MBR) (1 TTPs, 11 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | Tilecomgm.com
File opened for modification | \??\PhysicalDrive0 | Tilecomgm.com
File opened for modification | \??\PhysicalDrive0 | Tilecomgm.com
File opened for modification | \??\PhysicalDrive0 | Tilecomgm.com
File opened for modification | \??\PhysicalDrive0 | Tilecomgm.com
File opened for modification | \??\PhysicalDrive0 | Tilecomgm.com
File opened for modification | \??\PhysicalDrive0 | Tilecomgm.com
File opened for modification | \??\PhysicalDrive0 | 03cae9ca903d0d948fd144ba9315a1a8_JaffaCakes118.exe
File opened for modification | \??\PhysicalDrive0 | Tilecomgm.com
File opened for modification | \??\PhysicalDrive0 | Tilecomgm.com
File opened for modification | \??\PhysicalDrive0 | Tilecomgm.com
Drops file in System32 directory (22 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Tilecomgm.com | Tilecomgm.com
File created | C:\Windows\SysWOW64\Tilecomgm.com | Tilecomgm.com
File created | C:\Windows\SysWOW64\Tilecomgm.com | Tilecomgm.com
File opened for modification | C:\Windows\SysWOW64\Tilecomgm.com | Tilecomgm.com
File created | C:\Windows\SysWOW64\Tilecomgm.com | Tilecomgm.com
File created | C:\Windows\SysWOW64\Tilecomgm.com | Tilecomgm.com
File opened for modification | C:\Windows\SysWOW64\Tilecomgm.com | Tilecomgm.com
File opened for modification | C:\Windows\SysWOW64\Tilecomgm.com | Tilecomgm.com
File opened for modification | C:\Windows\SysWOW64\Tilecomgm.com | Tilecomgm.com
File opened for modification | C:\Windows\SysWOW64\Tilecomgm.com | Tilecomgm.com
File created | C:\Windows\SysWOW64\Tilecomgm.com | Tilecomgm.com
File created | C:\Windows\SysWOW64\Tilecomgm.com | 03cae9ca903d0d948fd144ba9315a1a8_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\Tilecomgm.com | Tilecomgm.com
File created | C:\Windows\SysWOW64\Tilecomgm.com | Tilecomgm.com
File opened for modification | C:\Windows\SysWOW64\Tilecomgm.com | Tilecomgm.com
File created | C:\Windows\SysWOW64\Tilecomgm.com | Tilecomgm.com
File opened for modification | C:\Windows\SysWOW64\Tilecomgm.com | Tilecomgm.com
File created | C:\Windows\SysWOW64\Tilecomgm.com | Tilecomgm.com
File opened for modification | C:\Windows\SysWOW64\Tilecomgm.com | 03cae9ca903d0d948fd144ba9315a1a8_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\Tilecomgm.com | Tilecomgm.com
File opened for modification | C:\Windows\SysWOW64\Tilecomgm.com | Tilecomgm.com
File opened for modification | C:\Windows\SysWOW64\Tilecomgm.com | Tilecomgm.com
System Location Discovery: System Language Discovery (1 TTPs, 31 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tilecomgm.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tilecomgm.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tilecomgm.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tilecomgm.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tilecomgm.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tilecomgm.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tilecomgm.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 03cae9ca903d0d948fd144ba9315a1a8_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tilecomgm.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tilecomgm.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tilecomgm.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Modifies registry class (33 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilecomgm.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilecomgm.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilecomgm.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilecomgm.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilecomgm.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilecomgm.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilecomgm.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilecomgm.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilecomgm.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilecomgm.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilecomgm.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilecomgm.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | 03cae9ca903d0d948fd144ba9315a1a8_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | 03cae9ca903d0d948fd144ba9315a1a8_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | 03cae9ca903d0d948fd144ba9315a1a8_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilecomgm.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilecomgm.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilecomgm.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilecomgm.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilecomgm.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilecomgm.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilecomgm.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilecomgm.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilecomgm.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilecomgm.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilecomgm.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilecomgm.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilecomgm.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilecomgm.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilecomgm.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilecomgm.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilecomgm.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilecomgm.com
Runs .reg file with regedit (10 IoCs)
pid | Process
1756 | regedit.exe
2540 | regedit.exe
2948 | regedit.exe
2844 | regedit.exe
2736 | regedit.exe
1596 | regedit.exe
2880 | regedit.exe
2512 | regedit.exe
1276 | regedit.exe
1008 | regedit.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1292 wrote to memory of 2824 | 1292 | 03cae9ca903d0d948fd144ba9315a1a8_JaffaCakes118.exe | 30
PID 1292 wrote to memory of 2824 | 1292 | 03cae9ca903d0d948fd144ba9315a1a8_JaffaCakes118.exe | 30
PID 1292 wrote to memory of 2824 | 1292 | 03cae9ca903d0d948fd144ba9315a1a8_JaffaCakes118.exe | 30
PID 1292 wrote to memory of 2824 | 1292 | 03cae9ca903d0d948fd144ba9315a1a8_JaffaCakes118.exe | 30
PID 2824 wrote to memory of 2880 | 2824 | cmd.exe | 31
PID 2824 wrote to memory of 2880 | 2824 | cmd.exe | 31
PID 2824 wrote to memory of 2880 | 2824 | cmd.exe | 31
PID 2824 wrote to memory of 2880 | 2824 | cmd.exe | 31
PID 1292 wrote to memory of 2944 | 1292 | 03cae9ca903d0d948fd144ba9315a1a8_JaffaCakes118.exe | 32
PID 1292 wrote to memory of 2944 | 1292 | 03cae9ca903d0d948fd144ba9315a1a8_JaffaCakes118.exe | 32
PID 1292 wrote to memory of 2944 | 1292 | 03cae9ca903d0d948fd144ba9315a1a8_JaffaCakes118.exe | 32
PID 1292 wrote to memory of 2944 | 1292 | 03cae9ca903d0d948fd144ba9315a1a8_JaffaCakes118.exe | 32
PID 2944 wrote to memory of 1096 | 2944 | Tilecomgm.com | 34
PID 2944 wrote to memory of 1096 | 2944 | Tilecomgm.com | 34
PID 2944 wrote to memory of 1096 | 2944 | Tilecomgm.com | 34
PID 2944 wrote to memory of 1096 | 2944 | Tilecomgm.com | 34
PID 1096 wrote to memory of 844 | 1096 | Tilecomgm.com | 35
PID 1096 wrote to memory of 844 | 1096 | Tilecomgm.com | 35
PID 1096 wrote to memory of 844 | 1096 | Tilecomgm.com | 35
PID 1096 wrote to memory of 844 | 1096 | Tilecomgm.com | 35
PID 844 wrote to memory of 2540 | 844 | cmd.exe | 36
PID 844 wrote to memory of 2540 | 844 | cmd.exe | 36
PID 844 wrote to memory of 2540 | 844 | cmd.exe | 36
PID 844 wrote to memory of 2540 | 844 | cmd.exe | 36
PID 1096 wrote to memory of 1160 | 1096 | Tilecomgm.com | 37
PID 1096 wrote to memory of 1160 | 1096 | Tilecomgm.com | 37
PID 1096 wrote to memory of 1160 | 1096 | Tilecomgm.com | 37
PID 1096 wrote to memory of 1160 | 1096 | Tilecomgm.com | 37
PID 1160 wrote to memory of 2308 | 1160 | Tilecomgm.com | 38
PID 1160 wrote to memory of 2308 | 1160 | Tilecomgm.com | 38
PID 1160 wrote to memory of 2308 | 1160 | Tilecomgm.com | 38
PID 1160 wrote to memory of 2308 | 1160 | Tilecomgm.com | 38
PID 2308 wrote to memory of 2948 | 2308 | cmd.exe | 39
PID 2308 wrote to memory of 2948 | 2308 | cmd.exe | 39
PID 2308 wrote to memory of 2948 | 2308 | cmd.exe | 39
PID 2308 wrote to memory of 2948 | 2308 | cmd.exe | 39
PID 1160 wrote to memory of 1072 | 1160 | Tilecomgm.com | 40
PID 1160 wrote to memory of 1072 | 1160 | Tilecomgm.com | 40
PID 1160 wrote to memory of 1072 | 1160 | Tilecomgm.com | 40
PID 1160 wrote to memory of 1072 | 1160 | Tilecomgm.com | 40
PID 1072 wrote to memory of 1272 | 1072 | Tilecomgm.com | 41
PID 1072 wrote to memory of 1272 | 1072 | Tilecomgm.com | 41
PID 1072 wrote to memory of 1272 | 1072 | Tilecomgm.com | 41
PID 1072 wrote to memory of 1272 | 1072 | Tilecomgm.com | 41
PID 1272 wrote to memory of 2512 | 1272 | cmd.exe | 42
PID 1272 wrote to memory of 2512 | 1272 | cmd.exe | 42
PID 1272 wrote to memory of 2512 | 1272 | cmd.exe | 42
PID 1272 wrote to memory of 2512 | 1272 | cmd.exe | 42
PID 1072 wrote to memory of 1704 | 1072 | Tilecomgm.com | 43
PID 1072 wrote to memory of 1704 | 1072 | Tilecomgm.com | 43
PID 1072 wrote to memory of 1704 | 1072 | Tilecomgm.com | 43
PID 1072 wrote to memory of 1704 | 1072 | Tilecomgm.com | 43
PID 1704 wrote to memory of 2092 | 1704 | Tilecomgm.com | 44
PID 1704 wrote to memory of 2092 | 1704 | Tilecomgm.com | 44
PID 1704 wrote to memory of 2092 | 1704 | Tilecomgm.com | 44
PID 1704 wrote to memory of 2092 | 1704 | Tilecomgm.com | 44
PID 2092 wrote to memory of 2844 | 2092 | cmd.exe | 45
PID 2092 wrote to memory of 2844 | 2092 | cmd.exe | 45
PID 2092 wrote to memory of 2844 | 2092 | cmd.exe | 45
PID 2092 wrote to memory of 2844 | 2092 | cmd.exe | 45
PID 1704 wrote to memory of 2672 | 1704 | Tilecomgm.com | 46
PID 1704 wrote to memory of 2672 | 1704 | Tilecomgm.com | 46
PID 1704 wrote to memory of 2672 | 1704 | Tilecomgm.com | 46
PID 1704 wrote to memory of 2672 | 1704 | Tilecomgm.com | 46
Processes
C:\Users\Admin\AppData\Local\Temp\03cae9ca903d0d948fd144ba9315a1a8_JaffaCakes118.exe
command line: "C:\Users\Admin\AppData\Local\Temp\03cae9ca903d0d948fd144ba9315a1a8_JaffaCakes118.exe"
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1292
  C:\Windows\SysWOW64\cmd.exe
  command line: cmd /c c:\AcD.bat
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
    C:\Windows\SysWOW64\regedit.exe
    command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    - Modifies security service
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:2880
  C:\Windows\SysWOW64\Tilecomgm.com
  command line: C:\Windows\system32\Tilecomgm.com 480 "C:\Users\Admin\AppData\Local\Temp\03cae9ca903d0d948fd144ba9315a1a8_JaffaCakes118.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2944
    C:\Windows\SysWOW64\Tilecomgm.com
    command line: C:\Windows\system32\Tilecomgm.com 552 "C:\Windows\SysWOW64\Tilecomgm.com"
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1096
      C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c c:\AcD.bat
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:844
        C:\Windows\SysWOW64\regedit.exe
        command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        - Modifies security service
        - System Location Discovery: System Language Discovery
        - Runs .reg file with regedit
        PID:2540
      C:\Windows\SysWOW64\Tilecomgm.com
      command line: C:\Windows\system32\Tilecomgm.com 560 "C:\Windows\SysWOW64\Tilecomgm.com"
      - Executes dropped EXE
      - Loads dropped DLL
      - Writes to the Master Boot Record (MBR)
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      PID:1160
        C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c c:\AcD.bat
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID:2308
          C:\Windows\SysWOW64\regedit.exe
          command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
          - Modifies security service
          - System Location Discovery: System Language Discovery
          - Runs .reg file with regedit
          PID:2948
        C:\Windows\SysWOW64\Tilecomgm.com
        command line: C:\Windows\system32\Tilecomgm.com 564 "C:\Windows\SysWOW64\Tilecomgm.com"
        - Executes dropped EXE
        - Loads dropped DLL
        - Writes to the Master Boot Record (MBR)
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        PID:1072
          C:\Windows\SysWOW64\cmd.exe
          command line: cmd /c c:\AcD.bat
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID:1272
            C:\Windows\SysWOW64\regedit.exe
            command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
            - Modifies security service
            - System Location Discovery: System Language Discovery
            - Runs .reg file with regedit
            PID:2512
          C:\Windows\SysWOW64\Tilecomgm.com
          command line: C:\Windows\system32\Tilecomgm.com 568 "C:\Windows\SysWOW64\Tilecomgm.com"
          - Executes dropped EXE
          - Loads dropped DLL
          - Writes to the Master Boot Record (MBR)
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
          PID:1704
            C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c c:\AcD.bat
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID:2092
              C:\Windows\SysWOW64\regedit.exe
              command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
              - Modifies security service
              - System Location Discovery: System Language Discovery
              - Runs .reg file with regedit
              PID:2844
            C:\Windows\SysWOW64\Tilecomgm.com
            command line: C:\Windows\system32\Tilecomgm.com 572 "C:\Windows\SysWOW64\Tilecomgm.com"
            - Executes dropped EXE
            - Loads dropped DLL
            - Writes to the Master Boot Record (MBR)
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            PID:2672
              C:\Windows\SysWOW64\cmd.exe
              command line: cmd /c c:\AcD.bat
              - System Location Discovery: System Language Discovery
              PID:1296
                C:\Windows\SysWOW64\regedit.exe
                command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                - Modifies security service
                - System Location Discovery: System Language Discovery
                - Runs .reg file with regedit
                PID:1276
              C:\Windows\SysWOW64\Tilecomgm.com
              command line: C:\Windows\system32\Tilecomgm.com 576 "C:\Windows\SysWOW64\Tilecomgm.com"
              - Executes dropped EXE
              - Loads dropped DLL
              - Writes to the Master Boot Record (MBR)
              - Drops file in System32 directory
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              PID:2484
                C:\Windows\SysWOW64\cmd.exe
                command line: cmd /c c:\AcD.bat
                - System Location Discovery: System Language Discovery
                PID:1868
                  C:\Windows\SysWOW64\regedit.exe
                  command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                  - Modifies security service
                  - System Location Discovery: System Language Discovery
                  - Runs .reg file with regedit
                  PID:1008
                C:\Windows\SysWOW64\Tilecomgm.com
                command line: C:\Windows\system32\Tilecomgm.com 580 "C:\Windows\SysWOW64\Tilecomgm.com"
                - Executes dropped EXE
                - Loads dropped DLL
                - Writes to the Master Boot Record (MBR)
                - Drops file in System32 directory
                - System Location Discovery: System Language Discovery
                - Modifies registry class
                PID:2856
                  C:\Windows\SysWOW64\cmd.exe
                  command line: cmd /c c:\AcD.bat
                  - System Location Discovery: System Language Discovery
                  PID:2636
                    C:\Windows\SysWOW64\regedit.exe
                    command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                    - Modifies security service
                    - System Location Discovery: System Language Discovery
                    - Runs .reg file with regedit
                    PID:2736
                  C:\Windows\SysWOW64\Tilecomgm.com
                  command line: C:\Windows\system32\Tilecomgm.com 584 "C:\Windows\SysWOW64\Tilecomgm.com"
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Writes to the Master Boot Record (MBR)
                  - Drops file in System32 directory
                  - System Location Discovery: System Language Discovery
                  - Modifies registry class
                  PID:1316
                    C:\Windows\SysWOW64\cmd.exe
                    command line: cmd /c c:\AcD.bat
                    - System Location Discovery: System Language Discovery
                    PID:2004
                      C:\Windows\SysWOW64\regedit.exe
                      command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                      - Modifies security service
                      - System Location Discovery: System Language Discovery
                      - Runs .reg file with regedit
                      PID:1756
                    C:\Windows\SysWOW64\Tilecomgm.com
                    command line: C:\Windows\system32\Tilecomgm.com 588 "C:\Windows\SysWOW64\Tilecomgm.com"
                    - Executes dropped EXE
                    - Writes to the Master Boot Record (MBR)
                    - Drops file in System32 directory
                    - System Location Discovery: System Language Discovery
                    - Modifies registry class
                    PID:2520
                      C:\Windows\SysWOW64\cmd.exe
                      command line: cmd /c c:\AcD.bat
                      - System Location Discovery: System Language Discovery
                      PID:2540
                        C:\Windows\SysWOW64\regedit.exe
                        command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                        - Modifies security service
                        - System Location Discovery: System Language Discovery
                        - Runs .reg file with regedit
                        PID:1596
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 5KB
MD5: 0019a0451cc6b9659762c3e274bc04fb
SHA1: 5259e256cc0908f2846e532161b989f1295f479b
SHA256: ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512: 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Filesize: 3KB
MD5: 9e5db93bd3302c217b15561d8f1e299d
SHA1: 95a5579b336d16213909beda75589fd0a2091f30
SHA256: f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512: b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Filesize: 942B
MD5: 4cee92ad10b11dbf325a40c64ff7d745
SHA1: b395313d0e979fede2261f8cc558fcebfefcae33
SHA256: eaeac48f16abac608c9bb5b8d0d363b2ca27708b262c1de41ab0f163c39a2fb1
SHA512: 3f11992b0c8f7c6f0180f984392f86ea8eb1859be236e2bbfbc863226d3cac67b06700561f27fb673e2955c6ebc5b168dd28ca704de57c4f6c07bdbf14f75ec9

Filesize: 360B
MD5: 3a1a83c2ffad464e87a2f9a502b7b9f1
SHA1: 4ffa65ecdd0455499c8cd6d05947605340cbf426
SHA256: 73ed949fba75a20288ac2d1e367180d4c8837fd31c66143707768d5b0e3bd8b6
SHA512: 8232967faaf29b8b93b5042ba2bb1fcb6d0f0f2fa0e19573b1fe49f526ba434c5e76e932829e3c71beb0903e42c293ed202b619fee8aba93efe4a99e8aec55e2

Filesize: 476B
MD5: a5d4cddfecf34e5391a7a3df62312327
SHA1: 04a3c708bab0c15b6746cf9dbf41a71c917a98b9
SHA256: 8961a4310b2413753851ba8afe2feb4c522c20e856c6a98537d8ab440f48853a
SHA512: 48024549d0fcb88e3bd46f7fb42715181142cae764a3daeb64cad07f10cf3bf14153731aeafba9a191557e29ddf1c5b62a460588823df215e2246eddaeff6643

Filesize: 701B
MD5: e427a32326a6a806e7b7b4fdbbe0ed4c
SHA1: b10626953332aeb7c524f2a29f47ca8b0bee38b1
SHA256: b5cfd1100679c495202229aede417b8a385405cb9d467d2d89b936fc99245839
SHA512: 6bd679341bec6b224962f3d0d229cff2d400e568e10b7764eb4e0903c66819a8fa99927249ab9b4c447b2d09ea0d98eb9823fb2c5f7462112036049795a5d8bd

Filesize: 207KB
MD5: 03cae9ca903d0d948fd144ba9315a1a8
SHA1: c3929908918990100f1930c36509b37219aa1b85
SHA256: 7b0deff51daba0c2967e71799ad43f2b7a53c36703051eb8e95bbe06df85c450
SHA512: 385691a678941ad3bd116cb80d79c7daf55c36a097ed019392fceb2e884de7178d1a1eb2e5631b45fb5d3689c3a8056914541eed810d211c69780cb46d02e424