Analysis
max time kernel: 119s
max time network: 127s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03/10/2024, 18:02
Static task: static1
Behavioral task: behavioral1
Sample: 0ffe211e164a0a07cfec3790cab189e0_JaffaCakes118.dll
Resource: win7-20240903-en
General
Target: 0ffe211e164a0a07cfec3790cab189e0_JaffaCakes118.dll
Size: 614KB
MD5: 0ffe211e164a0a07cfec3790cab189e0
SHA1: 1febd666ccb79988f6483b3d76521abf9b93203c
SHA256: 486d1f139f0396f4cc8e840babc60b0a3001246d53c4b4fed1356f8000618f81
SHA512: a66ab4775c7168cd60acb690224db16bda50ba1e4640cb4f2534f14580696fec9796b68775d4ee928f63ec27d24059e2c434d3ecca53bb364d8defeb6b35d6c5
SSDEEP: 6144:80IEu0/l7rUdoqWMvjcw3sWSAoITM+NPUHFWnejpgPftu5m1t1vlem7Z88N069fi:t79qXvjRc5AoIY+NPUlWnk2Rl37Z7R2r
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
PID   Process
2096  rundll32mgr.exe
3032  rundll32mgrmgr.exe
2736  rundll32mgrmgrmgr.exe
Loads dropped DLL (6 IoCs)
PID   Process
2100  rundll32.exe
2100  rundll32.exe
2096  rundll32mgr.exe
2096  rundll32mgr.exe
3032  rundll32mgrmgr.exe
3032  rundll32mgrmgr.exe
Drops file in System32 directory (3 IoCs)
Description   IoC                                        Process
File created  C:\Windows\SysWOW64\rundll32mgr.exe        rundll32.exe
File created  C:\Windows\SysWOW64\rundll32mgrmgr.exe     rundll32mgr.exe
File created  C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe  rundll32mgrmgr.exe
YARA rule match: upx (8 IoCs, all memory dumps of PID 2096 at 0x0000000000400000-0x000000000041A000)
Resource                                                                      YARA rule
behavioral1/memory/2096-33-0x0000000000400000-0x000000000041A000-memory.dmp  upx
behavioral1/memory/2096-30-0x0000000000400000-0x000000000041A000-memory.dmp  upx
behavioral1/memory/2096-29-0x0000000000400000-0x000000000041A000-memory.dmp  upx
behavioral1/memory/2096-26-0x0000000000400000-0x000000000041A000-memory.dmp  upx
behavioral1/memory/2096-25-0x0000000000400000-0x000000000041A000-memory.dmp  upx
behavioral1/memory/2096-24-0x0000000000400000-0x000000000041A000-memory.dmp  upx
behavioral1/memory/2096-23-0x0000000000400000-0x000000000041A000-memory.dmp  upx
behavioral1/memory/2096-37-0x0000000000400000-0x000000000041A000-memory.dmp  upx
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Description  IoC                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32mgr.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32mgrmgr.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32mgrmgrmgr.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Modifies Internet Explorer settings (64 IoCs)
All keys below are under \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer, abbreviated as <IE>.
Description       IoC                                                                                                        Process
Set value (data)  <IE>\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000  iexplore.exe
Set value (int)   <IE>\Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
Key created       <IE>\PageSetup  iexplore.exe
Key created       <IE>\BrowserEmulation\LowMic  iexplore.exe
Set value (int)   <IE>\Recovery\AdminActive\{B0116FF1-81B1-11EF-89F5-527E38F5B48B} = "0"  iexplore.exe
Key created       <IE>\Toolbar\WebBrowser  iexplore.exe
Set value (str)   <IE>\Main\FullScreen = "no"  iexplore.exe
Key created       <IE>\IntelliForms  iexplore.exe
Key created       <IE>\Recovery\PendingRecovery  iexplore.exe
Key created       <IE>\Main  IEXPLORE.EXE
Set value (str)   <IE>\Main\WindowsSearch\Version = "WS not running"  iexplore.exe
Key created       <IE>\BrowserEmulation\LowMic  iexplore.exe
Key created       <IE>\GPU  iexplore.exe
Set value (data)  <IE>\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
Set value (int)   <IE>\Recovery\PendingRecovery\AdminActive = "1"  iexplore.exe
Key created       <IE>\DomainSuggestion  iexplore.exe
Key created       <IE>\Zoom  iexplore.exe
Key created       <IE>\Main  iexplore.exe
Key created       <IE>\InternetRegistry  iexplore.exe
Set value (str)   <IE>\Main\WindowsSearch\Version = "WS not running"  iexplore.exe
Key created       <IE>\PageSetup  iexplore.exe
Set value (int)   <IE>\Main\CompatibilityFlags = "0"  iexplore.exe
Set value (int)   <IE>\Main\CompatibilityFlags = "0"  iexplore.exe
Key created       <IE>\Main\WindowsSearch  iexplore.exe
Key created       <IE>\Main\WindowsSearch  iexplore.exe
Set value (int)   <IE>\Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
Set value (int)   <IE>\Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
Key created       <IE>\Recovery\PendingRecovery  iexplore.exe
Key created       <IE>\Main  iexplore.exe
Key created       <IE>\Recovery\AdminActive  iexplore.exe
Set value (int)   <IE>\Main\CompatibilityFlags = "0"  iexplore.exe
Key created       <IE>\SearchScopes  iexplore.exe
Set value (int)   <IE>\Recovery\PendingRecovery\AdminActive = "1"  iexplore.exe
Key created       <IE>\Main  IEXPLORE.EXE
Key created       <IE>\Toolbar  iexplore.exe
Key created       <IE>\Main\WindowsSearch  iexplore.exe
Set value (int)   <IE>\Recovery\AdminActive\{B01632B1-81B1-11EF-89F5-527E38F5B48B} = "0"  iexplore.exe
Key created       <IE>\LowRegistry\DOMStorage  iexplore.exe
Key created       <IE>\Recovery\AdminActive  iexplore.exe
Key created       <IE>\Toolbar  iexplore.exe
Key created       <IE>\Toolbar\WebBrowser  iexplore.exe
Key created       <IE>\Recovery\PendingRecovery  iexplore.exe
Key created       <IE>\Zoom  iexplore.exe
Set value (int)   <IE>\SearchScopes\DownloadRetries = "2"  iexplore.exe
Key created       <IE>\LowRegistry  iexplore.exe
Key created       <IE>\LowRegistry\DOMStorage  iexplore.exe
Key created       <IE>\IntelliForms  iexplore.exe
Key created       <IE>\Toolbar  iexplore.exe
Set value (str)   <IE>\Main\FullScreen = "no"  iexplore.exe
Key created       <IE>\Recovery\AdminActive  iexplore.exe
Set value (str)   <IE>\Main\WindowsSearch\Version = "WS not running"  iexplore.exe
Set value (str)   <IE>\Main\FullScreen = "no"  iexplore.exe
Key created       <IE>\LowRegistry\DOMStorage  iexplore.exe
Key created       <IE>\IETld\LowMic  iexplore.exe
Key created       <IE>\IntelliForms  iexplore.exe
Key created       <IE>\GPU  iexplore.exe
Set value (data)  <IE>\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000  iexplore.exe
Key created       <IE>\InternetRegistry  iexplore.exe
Key created       <IE>\LowRegistry  iexplore.exe
Key created       <IE>\Toolbar\WebBrowser  iexplore.exe
Key created       <IE>\Zoom  iexplore.exe
Set value (int)   <IE>\Recovery\AdminActive\{B00F0E91-81B1-11EF-89F5-527E38F5B48B} = "0"  iexplore.exe
Key created       <IE>\Main  IEXPLORE.EXE
Set value (int)   <IE>\Recovery\PendingRecovery\AdminActive = "1"  iexplore.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
PID   Process
2096  rundll32mgr.exe
2096  rundll32mgr.exe
2096  rundll32mgr.exe
2096  rundll32mgr.exe
3032  rundll32mgrmgr.exe
3032  rundll32mgrmgr.exe
3032  rundll32mgrmgr.exe
3032  rundll32mgrmgr.exe
2736  rundll32mgrmgrmgr.exe
2736  rundll32mgrmgrmgr.exe
2736  rundll32mgrmgrmgr.exe
2736  rundll32mgrmgrmgr.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Description              PID   Process
Token: SeDebugPrivilege  2096  rundll32mgr.exe
Token: SeDebugPrivilege  3032  rundll32mgrmgr.exe
Token: SeDebugPrivilege  2736  rundll32mgrmgrmgr.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
PID   Process
584   iexplore.exe
2848  iexplore.exe
2788  iexplore.exe
Suspicious use of SetWindowsHookEx (14 IoCs)
PID   Process
584   iexplore.exe
584   iexplore.exe
2848  iexplore.exe
2848  iexplore.exe
2788  iexplore.exe
2788  iexplore.exe
532   IEXPLORE.EXE
532   IEXPLORE.EXE
2344  IEXPLORE.EXE
2344  IEXPLORE.EXE
2420  IEXPLORE.EXE
2420  IEXPLORE.EXE
2420  IEXPLORE.EXE
2420  IEXPLORE.EXE
Suspicious use of UnmapMainImage (3 IoCs)
PID   Process
2096  rundll32mgr.exe
3032  rundll32mgrmgr.exe
2736  rundll32mgrmgrmgr.exe
Suspicious use of WriteProcessMemory (43 IoCs; identical rows collapsed, the number of rows is given in the last column)
Description                       PID   Process                procid_target  Rows
PID 2104 wrote to memory of 2100  2104  rundll32.exe           30             7
PID 2100 wrote to memory of 2096  2100  rundll32.exe           31             4
PID 2096 wrote to memory of 3032  2096  rundll32mgr.exe        32             4
PID 2096 wrote to memory of 584   2096  rundll32mgr.exe        33             4
PID 3032 wrote to memory of 2736  3032  rundll32mgrmgr.exe     34             4
PID 3032 wrote to memory of 2848  3032  rundll32mgrmgr.exe     35             4
PID 2736 wrote to memory of 2788  2736  rundll32mgrmgrmgr.exe  36             4
PID 584 wrote to memory of 532    584   iexplore.exe           37             4
PID 2848 wrote to memory of 2344  2848  iexplore.exe           38             4
PID 2788 wrote to memory of 2420  2788  iexplore.exe           39             4
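The WriteProcessMemory rows above are the only place this report records which process created which, so the lineage of the dropped executables has to be rebuilt from them. The Python below is an added example, not part of the sandbox report: it parses event rows copied from that table (deduplicating them, since the report repeats each pairing once per WriteProcessMemory call), rebuilds the creator/child tree, and flags the chain of dropped executables named rundll32 plus one "mgr" per generation that descend from the real rundll32.exe. Image names for the three child IEXPLORE.EXE processes, which never write into another process and therefore never appear as a writer, are taken from the Processes section; the regex, the function names and the rundll32(mgr)+ naming rule are this example's own choices.

```python
"""Rebuild process lineage from a sandbox "Suspicious use of WriteProcessMemory"
table and flag the rundll32 -> rundll32mgr -> rundll32mgrmgr -> ... dropper chain.

Added example (not part of the report). Event rows below are copied from the
report's table; two repeated rows are kept to show the deduplication.
"""
import re
from collections import defaultdict

# Constructed input: rows from the report, format
# "PID <src> wrote to memory of <dst> <src> <image of src> <procid_target>".
REPORT_EVENTS = """
PID 2104 wrote to memory of 2100 2104 rundll32.exe 30
PID 2104 wrote to memory of 2100 2104 rundll32.exe 30
PID 2100 wrote to memory of 2096 2100 rundll32.exe 31
PID 2096 wrote to memory of 3032 2096 rundll32mgr.exe 32
PID 2096 wrote to memory of 584 2096 rundll32mgr.exe 33
PID 3032 wrote to memory of 2736 3032 rundll32mgrmgr.exe 34
PID 3032 wrote to memory of 2848 3032 rundll32mgrmgr.exe 35
PID 2736 wrote to memory of 2788 2736 rundll32mgrmgrmgr.exe 36
PID 584 wrote to memory of 532 584 iexplore.exe 37
PID 584 wrote to memory of 532 584 iexplore.exe 37
PID 2848 wrote to memory of 2344 2848 iexplore.exe 38
PID 2788 wrote to memory of 2420 2788 iexplore.exe 39
"""

# PIDs that never write into another process get no image name from the table;
# these three come from the report's Processes section.
LEAF_IMAGES = {532: "IEXPLORE.EXE", 2344: "IEXPLORE.EXE", 2420: "IEXPLORE.EXE"}

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)"
)

# Dropped-EXE naming pattern seen in this report: rundll32 + one "mgr" per generation
# (example's own rule, not a signature from the report).
MASQUERADE_RE = re.compile(r"^rundll32(mgr)+\.exe$", re.IGNORECASE)


def parse_events(text):
    """Return unique (src_pid, dst_pid, src_image) tuples in first-seen order."""
    seen = {}
    for line in text.strip().splitlines():
        m = EVENT_RE.fullmatch(line.strip())
        if m is None:
            raise ValueError(f"unparsable event row: {line!r}")
        seen.setdefault((int(m["src"]), int(m["dst"]), m["image"]), None)
    return list(seen)


def build_tree(events, leaf_images):
    """Return (images, parent): PID -> image name, and child PID -> creator PID."""
    images = dict(leaf_images)
    parent = {}
    for src, dst, image in events:
        images[src] = image
        parent.setdefault(dst, src)  # the first writer is the creator; later writes are ignored
    return images, parent


def lineage(pid, images, parent):
    """Ancestry of `pid` from the root process down, as (pid, image) pairs."""
    chain = []
    while pid is not None:
        chain.append((pid, images.get(pid, "?")))
        pid = parent.get(pid)
    chain.reverse()
    return chain


def find_dropper_chain(images, parent):
    """Flag processes named rundll32(mgr)+.exe that descend from the real rundll32.exe.

    Returns {pid: generation}, where generation is the number of "mgr" suffixes.
    """
    flagged = {}
    for pid, image in images.items():
        if not MASQUERADE_RE.match(image):
            continue
        ancestors = [img.lower() for _, img in lineage(pid, images, parent)[:-1]]
        if "rundll32.exe" in ancestors:
            flagged[pid] = image.lower().count("mgr")
    return flagged


def render_tree(images, parent):
    """Indented text tree rooted at every PID that nothing wrote into."""
    children = defaultdict(list)
    for child, creator in parent.items():
        children[creator].append(child)
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{images.get(pid, '?')} (PID {pid})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in [p for p in images if p not in parent]:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_events(REPORT_EVENTS)
    imgs, par = build_tree(evs, LEAF_IMAGES)
    print(render_tree(imgs, par))
    for pid, gen in sorted(find_dropper_chain(imgs, par).items()):
        path = " -> ".join(f"{p}:{i}" for p, i in lineage(pid, imgs, par))
        print(f"generation {gen}: {imgs[pid]} (PID {pid}), lineage {path}")
```

Run stand-alone it prints the same tree as the Processes section below and reports three generations (rundll32mgr.exe, rundll32mgrmgr.exe, rundll32mgrmgrmgr.exe), each under the 32-bit SysWOW64 rundll32.exe that the 64-bit system32 rundll32.exe launched for the sample. Because every write is keyed on the creator's PID, the same parser works on any report of this shape; only LEAF_IMAGES has to be filled in for processes that never act as a writer.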
Processes
C:\Windows\system32\rundll32.exe (PID 2104)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ffe211e164a0a07cfec3790cab189e0_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 2100)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ffe211e164a0a07cfec3790cab189e0_JaffaCakes118.dll,#1
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32mgr.exe (PID 2096)
      Command line: C:\Windows\SysWOW64\rundll32mgr.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\rundll32mgrmgr.exe (PID 3032)
        Command line: C:\Windows\SysWOW64\rundll32mgrmgr.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe (PID 2736)
          Command line: C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of UnmapMainImage
          - Suspicious use of WriteProcessMemory
          C:\Program Files\Internet Explorer\iexplore.exe (PID 2788)
            Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2420)
              Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2788 CREDAT:275457 /prefetch:2
              - System Location Discovery: System Language Discovery
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
        C:\Program Files\Internet Explorer\iexplore.exe (PID 2848)
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2344)
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:275457 /prefetch:2
            - System Location Discovery: System Language Discovery
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
      C:\Program Files\Internet Explorer\iexplore.exe (PID 584)
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 532)
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:275457 /prefetch:2
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 0f022da353b4521dd504c902f86b5982
  SHA1: da7aa9a1d71a630520925e1a3f94a627682073fc
  SHA256: 6a23717102a35b97190874395d1c77ed6786f6fd179812e7793285187bdc2abf
  SHA512: 2f3ae96ce747a7070023529ddb5462dd224c5b2280466988d827a49c92872df25187683a99290db48b6178aa9f457c3eb48848e518c4642b38141a9ece7bb728

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 86ccba6a17c602de77b34d3a016f056e
  SHA1: cc167bd2e1682a0ae0991ca80493f701a9d9e71c
  SHA256: 3551e5f0b3c63673c8a6bef68c646ff5659d6ad3e273a46773f08f237e6e279e
  SHA512: 4d9e7f71fc61e0bec2893426e8673a0ed78fe8d245dad9946ea10c4e7ca8ddfa4423056eb4c4e437907e40b28f644ba12bf779927c0ba16f4cb094d9a587e39f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 94a6a405370658b680f53e9b3b5c4526
  SHA1: d0ee39e67c5c4b4b64ac7fbdf3ad302255a22951
  SHA256: e9169e3fab8e121345189b6912f9834fa55444f639e95039d6bf802f4ce3477d
  SHA512: 9e23e16c3cb182c54204bbf1c6e5704d8086e2491c1023a047e7d880dccec3094c032a69fe789cb3edeef70a0fe2f38f129135d4cfb5cd71e347eb401ef5192e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: b932cc05c9f92e3a8f59d936769e7456
  SHA1: 3591132db25d8b8814b47ba61c85df7d1bfac85a
  SHA256: 458e9e7c6a93ae82c9b87ea040a345533e765926ce4ad2139176d8826477586b
  SHA512: c56c94349ecce2ba128a5f8dc37142655e3b51f23664176d03bbeeecdbf19c2ecb8781984973dc7869e020f3daddd6a5147293e53d55c29aea9771cd431c8050

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 23a2adf98b60cbe6f19b2346f4db620f
  SHA1: f9508d28d117d81f335a8a54b9bd077a73953b3a
  SHA256: 5d7f950a5be408285a95970d906be5dc0f0376e422a0a2a3124016a48937eab3
  SHA512: 564c96a03c3f5fe287351a439b8dc8e92bd07c4f571ae8c8e22677cf1acdc6feb773c1412cbb023edece00ab3396df0a09f843dbad53ff04b0f7d0e5c35ebb87

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: c732f4bf6fcbb29adabc37475af21854
  SHA1: 8ed3f2a023b08fe1bf5412c6c9496ce240c057c3
  SHA256: 326bd9f6c80a18d0b920a76e67eaf7c61b6d11636fecdb07f17cd351620f3ebb
  SHA512: c04c8f9c7bfddf2e944fc2935a9399ee6eeaa625da0fb30b4be18c3463c4c4a1bef6aa83bbf9c68b5c6dbd9b3da2b09c1e6e9419a06fb4c3aebff74f5e70d75a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: b2ca2d2769d788bbde07f7a071ecb4f8
  SHA1: 01354e12e55cf474b61001257008b40c6469a82a
  SHA256: e4f6904e124fa97da7f1caf3a0af227a3f06808b8e640e0b3fe7a3f8a5a07ed8
  SHA512: 46f403378c585131273b3bee2e1f872aa772729f67a72679d12baad3c9605c7efdfb69492ad9004bce53500296235a4dd59aeb7db478024e0702ccb80d2affde

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 9510da2383a1a2bf8044abe9aa186105
  SHA1: 55c3cab0c960dfe3d71a742896f1eec428047124
  SHA256: b791c42af4c2df337fa3e2177c1abc81dc17c0836755cdf145be352c46eae9ae
  SHA512: 7e25db9276f6804e27083d919b4477f26ed36dfd91ce73841299ded3ec3bf2df2fdbaf96b9b86d0d94f6a0a5082ecb549e4cadb83a2e595fd7c00c2e8aa3d02e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 2a33bca4b4ffafd6b3ece083a85d6a0a
  SHA1: 28514e01e0daa98afb72c58dcd066b16ba158d88
  SHA256: e125ffab0f1317d81c086d0b19ee675cef062d2a3c598bf58ba465440cb9776e
  SHA512: 1eab9dece8c52508ed3292df434e2cb0025e50bc9132a283ddeef0fea16d532976a570c5572f50599b48f075895d83a4a030844c17adebee9d10d862a22e9c67

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 381a13147c823acdd983427ec01f5408
  SHA1: 8d493e088778136c6cf2ea07f9b4318c15d3dc4b
  SHA256: 8b203e2da8d846a318ab012b116bc10731201077ea5700ed8ebcbd954f1d5e99
  SHA512: 625c511ead1a7a5953621b877db9807c7912cb148075ff329ea2944d6b7f3f1e296321708190cb73d8859014c22bb9f6882cde72ea97076e777ac6e2808e58de

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 6c94dc6a5cfbc9ed5218b6c0c92144fd
  SHA1: 50d939cffcbbf7cf71f46f642dd71cf472ed3c6c
  SHA256: d43d328bfe2c9a46a9d6ad1f238e36eb391e40aa84e04c8e3a3ba2ec3fc018f5
  SHA512: c16ee12c2ee852e206ab979df448800637fa888ecf9244d0b9c2d22ea1f1d632c60c55175cc6912e3f95a7601dce74f1635eb36486e4b00bffef2e0ea88242cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 19e108e6f343c828c1677fc1a8139854
  SHA1: 3194f3a5190469fb328c83e623d705593a08118f
  SHA256: cffee7ac8a24d478d45bfee79fb9fac701cfe440b3526ce9d6168f1f36f20857
  SHA512: dfe9389dd8b5d4f063acd75f4f6662d1b888858e1a6cb3270140b60a1c54b31a3037f60b4a0be9893188fc4f7ac00adc3750d74c7ffdf5cccedeffef1a22dc2d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: d0d5a7adad09ce00fee32493bb68d24f
  SHA1: 3459ebab357aa73c6273812ad0c2fedaf47ff45e
  SHA256: 3ed58795c5599471779d1b3ded505e5db3a42c01b73934528b26baa56eafdc78
  SHA512: d6e03abb4aeda5868f46d690614bec34f28d78d5b24117c803c201248d78d42a015c65e6fc72c46cb8f7d945bf3e21129283ffc3bbf5d58188eda33b75353eec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 242aaa3d2889f14c35a5348fd3f3b2a9
  SHA1: c124a02bc8a155ce895634717e9a50ac612c198b
  SHA256: bd828df3ec69dc9f9743761aee4b11bc4c99ac3ec232973a7079274c2f52784c
  SHA512: bd90cf59b5d31bc7965469e1e1d712762fd3b266ff91ee052724fec94e21276e3a56e359b63d1cbac729c4241ad88ec2e97d86669ceb0f3f102ea22407893d5a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: d0bd8b82c8de62b4563efedea6756ff7
  SHA1: 5544b6392a9b68f054308732cdd36fc9bcd4cd9e
  SHA256: 1c03539ef42ba85b0ad46aa018577fadfd912a687951cbb3fa1d19fec09323ac
  SHA512: b00629defe53c9b4ca99c0f77bbdb3171e49d9a7262426180fe3251ef621ddd416ab35ead80790e4b51d60de2259bb4e1354eb3610a383a86eee87a346dab2bc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: b3c1603cf0d73b5a7fd97f6d10a70e52
  SHA1: 7f5673298f529180508b16edb68d1d3af4521aaf
  SHA256: 0d6f9e4b5b7a7510277551b5c4362c7ee2013e8371ac3353adb352f299719153
  SHA512: 97ed27e6a65a3de83010d08efb52d889db0173bf296b6d0e782e36a1c362d73320880d4f00a09b888a4c39e13e4a297dedd930b6c2f3067ef5413aeba77fda1e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 1f6bead250908b676f275d8202e37bd7
  SHA1: 362263d68f278498bd2d3e3fc60223224f9b9f55
  SHA256: 87bcd1e4335a3ef01b11801a7dba9ab1a86e03e8be1bdbff97e3b42db3aa04aa
  SHA512: 3176afef018f99f7ccc8ad7e19fb1a27853d5ab4f2eb282f56f1369d65fe644a463856e9a6ff1b765526dcff810a3ecd24ee87cf13d52c7a4ca76f4599555950

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: b1fd1067f80341af522b3945db940702
  SHA1: c948b3332b2d608250ba6cea9b3bdd4fa29ef3cb
  SHA256: 7c52b6b7236e2468efb15a8d230a324e1d239bfdd5ca8ad4ac7610bccb927a09
  SHA512: 862a62d220fdd5f96c67bb392177bce1866bde4d454295ad427feea4a4769cd316cef74705a4a727a611c66da1754b6a18bcf3d1327c8f4c3e5238684c0a21ec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: ff580d5d114511d8dbdbdce2e5958c7e
  SHA1: 9ea63d67c9eccf4ba46901fbbd3ff60b7ea9ab50
  SHA256: 225f7ad196dbce7a751b0c2f2233a584b0b6cbb896b53bfbd44433067c4c0be1
  SHA512: ea03eba262ad6948c7296c65a58b4a7d88a490b699ed3f19de2f91348e61d87fc88bcc427a3566d0a96259169a572f64976b98e311acc60548f1df40d4b237e0

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B00F0E91-81B1-11EF-89F5-527E38F5B48B}.dat
  Filesize: 5KB
  MD5: 7e7ec0f96a8216e84941bd09c548beee
  SHA1: 21ddf0ad73da3215c8a43f09290b8dc3d45d5d56
  SHA256: 061a20cf68ff0146d62a6ba8df3fd7115740273ffb22d7ecc9b4acd71e3d451c
  SHA512: e2544a515a764e32dcfcf01ee858d379dd917ad5e9d8832d43ee33b9a2423ff21c87e78720b6eb1a5e0c38bd718f176bf65b9e6e40e382081b30f4cfadd10971

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B00F0E91-81B1-11EF-89F5-527E38F5B48B}.dat
  Filesize: 5KB
  MD5: 7aef8553281f15431929e0ac913f6247
  SHA1: 4fbde9ab40bdb9bdd9bf25007a0bb8b86ebbdd59
  SHA256: ff3f4d09ce42737820e1c99bd727b202c4596557cfc6e0ad460786a25502bd15
  SHA512: d1293203fb4efaa62ec5eb0e6bdecdecd49a12e28b2b59b03ab07c20a16586ba4f534fe422bf25ba1c11ed5598ab50efad189b2834b2de829ebf81cb758ceed8

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B0116FF1-81B1-11EF-89F5-527E38F5B48B}.dat
  Filesize: 4KB
  MD5: ed7ced3ced533fecebec573a97230647
  SHA1: ffb3106a7c3becb33f91552b1e96430b267d7366
  SHA256: 095e353fceccb7488bd8f42461ab60c59762967c3ad12101745c1df3ee6ce4e3
  SHA512: ea9fd2c944b530a6d0340f7e9b085df2eb72854bd627ead2b2a4271c81d0ea1cede4ef9dc0f430191cd1996d1a4776494f0cb37b1a42384660b6ea7afb9a4246

  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  Filesize: 91KB
  MD5: 551161ba25d6c58cf6a4afe7587f7dcb
  SHA1: 3f36d947c0d082433bb121a9914b4841ffbfb5af
  SHA256: f676ab20252c6ff437c7e3db1a8a3875715bf1a5a59812439f296cb5cd724b58
  SHA512: f68a52bcfafccaf9b4390f7cdd9a57544d82a1f41656aeaf98f46ddc0198e636a790088cf8b734244cc5144a00704a8430e469c46284387d04c5a38cba17b00e

  Filesize: 279KB
  MD5: 6cd9867676d7745d3d892b9b1eeb087c
  SHA1: e27cd410d1e1cd2795931b2e9b4525ef2535ce8a
  SHA256: 372e00e34f497e57ddc1762cc01ed91ff77e3d6c6745b37f209d29da9c2c3d94
  SHA512: 5ab8bc024bedf78e585940e9d4e2e8b287591deadd4fe97880008b94609e1518ad430fba934f2c22227723f48deb72053a49bcf48d40e4fd85fd38069eba99e2

  Filesize: 184KB
  MD5: 9f643774ee392ba1e6c40644a9aa7de6
  SHA1: 8c55f086c5610977b4a84c0e0d77bfdf95bbe0d5
  SHA256: 307f2832c7cc23dfecff7b9787f454bed0fc1e31f63950cff5660fabae333003
  SHA512: 4b0effc99a0baa1de5d2a7f310c8c628e5ae5553ff5e31c7408751baddd9fd88fb22a12098cac22ec51edae84437cbb9fc0bd5f2ed645e7c6f30bfd69c08925b