b24313cd1008daef65c1280d03b25ba263110c3fecd8ab1c2537b41914bfe933

Analysis

max time kernel
118s
max time network
136s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 09:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Size

1.5MB
MD5

055c6f81126c12579f1c3ef3de1506af
SHA1

08d877fe3651f2c7a41ddd208ad3f36c863b08fd
SHA256

b24313cd1008daef65c1280d03b25ba263110c3fecd8ab1c2537b41914bfe933
SHA512

43b981a76ec43d08445a44c6a669e21a23abeda8bdb3269774193ded7afce170b481abb8bcb9db76c8b8bd4577de1cf89bec407e962a0425571fe0fbe4069d17
SSDEEP

24576:rH/8ic4C0688CPUeMc6PtWsjGoyARUHrf1+iCM6qEVq:rf8ic4H68rPUZc6yxLfAiZ6qE0

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000012117-4.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000012117-4.dat	upx
behavioral1/memory/2696-6-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2696-9-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2696-10-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2696-11-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2768	cmd.exe
2736	cmd.exe
1788	PING.EXE
2636	PING.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c4000000000200000000001066000000010000200000005e5328f0dcc17914643588015089c5f163c36ede784d6d4fb6d641ca9f6761f6000000000e8000000002000020000000867ed759996f6baae8006d52ea4a8028273e5c7e8dc1e799bef9286fe8c9af35900000006a848ee9af294d3b034284d4c093fdab2d9831d7f11045f954ecf249eb5ba12cb383cc4fb9aeb0f9bbf5c2df0481ecc837610d38d6d1df7b38a99ac6412f95e0377bf817fd405ac5457e3b1461f7712b0868c4a23455fc50e3a4fac27202b8353a29e328c01f277c81abc9818a6fdaeea69c69fb9b2012bbd670835ae662256c1f4179b6b327f5af0cae2096573bd52340000000aafd1b9fd0453dcfeeaf59217066f61051e5bf9d49e2a4395fd84ac0bdfe12f1d90b467c802a7ea5ceee896c84bbeae92b751b9b346836e510dbb8af1ca8a84a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433938590"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c4000000000200000000001066000000010000200000003829352055cfc5a8686c3cdcc451dab054611c787d3aafd316ebe135950a6314000000000e8000000002000020000000170f845d6c6c2af6860d4996b152c2a7a0e5569160bd3dac4322dc3166a739c52000000090e0cc7c371a241ca1a847607136754e914835ba3233ca72da33cfc2eb2cd57440000000a5e16ff001edb0f1a86122ee81b38fec7e5f44e1dbf4252e0629d3664e63584a74606edf5c55fcf411cf9aad258f8db650bc606c46364386783e1949b832228c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BE15CD81-7FDB-11EF-81C1-5EE01BAFE073} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90ffb8abe813db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1788	PING.EXE
2636	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: 33	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
2808	iexplore.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
2808	iexplore.exe
2808	iexplore.exe
2892	IEXPLORE.EXE
2892	IEXPLORE.EXE
2892	IEXPLORE.EXE
2892	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2808	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2808	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2808	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2808	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2768	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe	32
PID 2696 wrote to memory of 2768	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe	32
PID 2696 wrote to memory of 2768	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe	32
PID 2696 wrote to memory of 2768	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe	32
PID 2696 wrote to memory of 2736	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe	33
PID 2696 wrote to memory of 2736	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe	33
PID 2696 wrote to memory of 2736	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe	33
PID 2696 wrote to memory of 2736	2696	055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe	33
PID 2736 wrote to memory of 2636	2736	cmd.exe	36
PID 2768 wrote to memory of 1788	2768	cmd.exe	37
PID 2736 wrote to memory of 2636	2736	cmd.exe	36
PID 2736 wrote to memory of 2636	2736	cmd.exe	36
PID 2768 wrote to memory of 1788	2768	cmd.exe	37
PID 2736 wrote to memory of 2636	2736	cmd.exe	36
PID 2768 wrote to memory of 1788	2768	cmd.exe	37
PID 2768 wrote to memory of 1788	2768	cmd.exe	37
PID 2808 wrote to memory of 2892	2808	iexplore.exe	38
PID 2808 wrote to memory of 2892	2808	iexplore.exe	38
PID 2808 wrote to memory of 2892	2808	iexplore.exe	38
PID 2808 wrote to memory of 2892	2808	iexplore.exe	38

C:\Users\Admin\AppData\Local\Temp\055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\055c6f81126c12579f1c3ef3de1506af_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://synqqt.cn/BetaNT.htm
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2808 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 3 &del "C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 3 &del "C:\Users\Admin\AppData\Local\Temp\55589.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9962ca79157a0fd728fcec5e32aabb89

SHA1
f65efcf0ffc19730340eeeb411d6ea460dae3608

SHA256
206279c53561599cb870928e7439fd42dd443880a35509304f584e253d17f137

SHA512
76697ec1558c90adaa4e41c4747e7ecb085a63d01145464a3338e6bb18a189cf6682cc91fbb63ac18fbe39d52f29b33329326dfb1260d8664f334bcad4098cdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e725718f85cd3e250cf9b158c366a9c

SHA1
c73c57d6498f667e9505f250b1280c7575bb8c47

SHA256
b03d430c79a510c3064f06eff67ec425735fe6733d90254404856bceed4675bf

SHA512
6c38113bc955b0e6ea3d705d84ad4f267a70f7f2480f881aac85a4464f15c73175d54b3005bf3091428e04eb5f1f6bb15f82d11f42aa74e1d4fb4b63f7bff395

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c59f5b58b9f1b17561c5ab13b3d0912

SHA1
b61df1d9453ee2fb4f38ce47561e84839260f9f8

SHA256
0715e3692067b1026dbbce43300ed1d50c86e9f673027236df4d97a59b141308

SHA512
54d18ffb3ec2f32923afb8e88f491ae741e1644c80bb4cb4fafe1656ef52fb83e30a84e5535d82ccf78ca01cccada1944be12a917898397bb5ccff93d60cc0e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb4c7723150532f52021ac6fa774242a

SHA1
e6988b557d87a6527e7cc2154381e7155774f113

SHA256
f1b2d0b29186d715a88fd9834160f2d5cdf19d56e5180b6ff44d8c3b52280b24

SHA512
cf968d9f9915e1e167da66d120f6fbc55f6a521be620d814e25a39ce88d26ed4fb3041871161e08e7b48b3c650bae28ef864e1557a6231a42e2d440e8bbfb084

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09e80835ba1045c29cbf37fa41b8089e

SHA1
da286f2a832615d5224ceb83e4788dafae3ead73

SHA256
b6b3ea7c678e763cb7095ba8c170d6f16cb68107f5e742b9a47ca6f89f16db6a

SHA512
723dedfaebcdfb5e85370ecdb6efe86f742cbcc676ee0fd06ac1a8be8c9997d5ce6c1774ffe27378b3008919cd4c8f6050f4702c80b2e0a2576ae0d0232c0080

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
747bc90f04ad3d21038bda7fc4064410

SHA1
eea63b7eab4db0bc9d29535eb22f5353b8281560

SHA256
d4528827e41e02d77c7be749f69f9de2a6a03e03c5975477a97ee59eecbcae5c

SHA512
ee4c4a11f136452fb4cb8bcc8f3dd3881c286bc72ef7db068f537b01f98eeee007375d4974bf524bc8ae68371fdd5e6c94c7ee2c7b20dad6e8c1884ec6fc0328

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
63e8609ae8096bfa93834676ab16f70c

SHA1
5296c4c71eaf1a0e7cf6334116e9cedcf7de8cea

SHA256
ee1fa6fa6be093fb2063b59f6c7a32a6750f29090abc00ab86db062c0c0ffb64

SHA512
094ac8266f4cae31ec7edbf1017db855e92925d4eaf8faab84797162c1c4be0e216d8a5aca12ff9aee03a4df67813c75cab3e472c5557c69bf19e8290500c581

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe5659396ab9d7d134b0e2f1bd89c187

SHA1
21f9e951409c8f33c75276532d8ed875958f01f4

SHA256
8abe6a85ac922872d06079f854159e37682781ea53548f50d56a554712686e9e

SHA512
cb5947e28dbbd35cfea85871d3889806827eb990a2b23c1586ba80d122995047c8423a74f795f85156367a9c0e1ba16e21b2ab11ca45f483da7088e8f0627b12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
442cd1b814985543d48336473f7db6eb

SHA1
fc6cec4b1c264b5506b45a6855c4b97d69e967b8

SHA256
35649d1f179696e1025e8078224a5ceb218aada9e1f377328e1c9fa465fccad8

SHA512
85a756f47b9e8bc10edd7c8dc1a6573654a25115e82c6c92412a03053ef28df406c148eb0c6fb96887ed06f92dcfc5ec46f6cbbbd12972e3362363bae812ebbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
88c595b007933415cd81baaca148c69a

SHA1
eeefeaf2ce4ca66e0bad8fa5bca98110f1b420a3

SHA256
8b438c74c1d1e9f532b19d137783e452aaa053e341e1e5da161e4d8fa375383b

SHA512
0e5dd9570dfc9e484981d6aaf03c591146059fa8950ef6bb45a63c89b32c368d1823015150e57c2fc223645efcd441af100e274ae804701fd8d33a2fdfa4f0e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af42adf7a76dec7c03922c49bc8b4482

SHA1
7b888ebee51c04968638150bc4916f91c7c8ed87

SHA256
0dd9f9f17710f4c03aca1f3116da6cb05aaf2f716679b2546107571332eb45ff

SHA512
897d007569a3be2b16d9602196a3c59bc1c8376d25547c1b0f64530309dbf1e446fef3210cc5abc7001a628c8a1011bdaff8819ee3bb5a7e81411fd43c0dbe6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
155a690a60852cd2fe65df97b94bb9e9

SHA1
e5bf9afd2a02eb2af57722120e4258e842567f41

SHA256
4526bd55e22087e6a9fabbff8e496f0ab3f2393f14971f8ec5fafbf3b0b1bf02

SHA512
e2f6b101d2958e75a9d2ae0dd5040555f913dff45ad8f287100cee7e2cba9f47ba8db85f2d9fd2998971acf43d18ee5cdfa5ba5f1a997029228b48a517e728bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d773e5ddb7c39efcb183db4250296d3

SHA1
aaa149107a3961ad290487f0e7640b860c986639

SHA256
69c644095bea8aaf2c955b39fe82cfd2718ec4c46bfb26b5c84b0131f68a0af9

SHA512
759c8d11dc82d3b71f62ab9a147fff8fd82f9434278aa47858a15a97e0550bc7dce14af783d717da935973fb1105d342a486a577b6731871f8967d1616898c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06435e764573834bdb264c11b4f43c85

SHA1
605a940269fc10cd5f01c5b978b46bef839d7ca9

SHA256
fa21ae487827a825926958c9271153a623e9611320d933b3d10e7ac8cb782e90

SHA512
23787bf362b59f4e4694ec62d2443df2e9dfd839d398fb22023d30e3d5df280f1e3dd3b2b3ca85a4278cf6390d054fc01c0ff3566533223d7fbfd86a3275e846

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2df5b8a80b68c7b7be053485731ef4ff

SHA1
9eb9369a98d090f2fa133397b9bf32ca3d3b7b5c

SHA256
5bc49ed8b1a7e58ab6e69166df2f728ff87a786f8abc00a838aa7fdc27cfb50e

SHA512
923e31957fd1ee338a96c2af0a4e8be42687e89348f5383b7b833426bd487307584006a6bc22ba1420ba9021cbcf165a8e4ef2111062bbc731a7caf62135f24a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c27ba0204fc39b46ab8b9a1d3c0309c1

SHA1
223a974b83e6b094769b0dd3604f9826a1a8ccdf

SHA256
eec50d15d7b8726ab5602fd383c72b96f467745c0f7e45f38eaa094d44610654

SHA512
94961d598d0e0489f4d57cd9c36d47753cf618a2758d265f7a131bbaa2473c22ed9d884228dad617d82409616b8a4923dbca3ef9cc6ddf9059d509f8fcb0cf5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d53d6e3c089f52cd18498c7798fef00c

SHA1
0f8143b1b83aa473e9b0904d092f284d029bad89

SHA256
6903f5a0a576388c67b00ecdb96a5eabceba2003f00726b602cf0bff4e447ad9

SHA512
8957f152dcad1dc8357a37d0e96e418707af1939a074b41ed9036b63e062497126a83f828e849060efa8861a99a7417b5a49da888ab65b2352b0f171e4cf52f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c248bd500ca751f86bf4ad93351ed5b

SHA1
b08b73467fc670fe1be127dec7fa82a27291ad49

SHA256
39648d60daba2358b1e7c810204c59fabad462899d67b7fea504b3b1903a41d0

SHA512
1fd5b321ffaced0aa1635e097c347742a4a93dddb1d3736e7b9c04fa5cd1880eab36742cd2b43ffd25a4e45cdb9dca2dff98521c12bc15412075d32b1f0c90ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e4051dc70f2f127d889246a5b12a0e9

SHA1
dc18ebfe894b1d861bfe2cb972296881c7c63939

SHA256
aa29ea785ae293a1bae700a7ec057bb22c22302a013a2d191cb07651c837a17a

SHA512
9797c4de5976f765ad50bf2238b37926ac26d46668b62c5fa4408e3be673c3f613b858804ccc1ba8a4286803788312931ac66f3d89ae8e12020317d0144c89c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab71E8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7249.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\SkinH_EL.dll

Filesize
86KB

MD5
147127382e001f495d1842ee7a9e7912

SHA1
92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b

SHA256
edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc

SHA512
97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

Download Submit
memory/2696-11-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2696-0-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2696-6-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2696-9-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2696-8-0x0000000010009000-0x000000001000A000-memory.dmp

Filesize
4KB

Download
memory/2696-10-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2696-12-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download