Analysis
max time kernel: 149s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08/10/2024, 22:47
Static task: static1
Behavioral task: behavioral1
  Sample: 269e0491e7c1a47010f538856e543042_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 269e0491e7c1a47010f538856e543042_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 269e0491e7c1a47010f538856e543042_JaffaCakes118.exe
Size: 26KB
MD5: 269e0491e7c1a47010f538856e543042
SHA1: 44a7d4af4ba59b4ea9bec696d122c35f829586eb
SHA256: f1237a50fd17301f0bb52462bdae3c3bd4647e7b92a9843bb1beafe40a0bcb3d
SHA512: 5ce61129ddb198b5d3749dca22df81beb9b54b3c9f5a3dac911aeec9450d9b42e1c7301a8f175e4f43da30cae574f87710c65c29105e612335ef1f74d97c494a
SSDEEP: 384:1M3PnQoHDCpHf4I4Qwdc0G5KDJ9MFoe7vfO1Ld7:1m/QojCpHfx09MF3vgLd7
Malware Config
Signatures
Drops file in Drivers directory (60 IoCs)
Manipulates Digital Signatures (2 IoCs)
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description                  ioc                                                        Process
File opened for modification C:\Windows\SysWOW64\wintrust.dll                           AE 0124 BE.exe
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll    AE 0124 BE.exe
Executes dropped EXE (4 IoCs)
pid   Process
2764  winlogon.exe
2644  AE 0124 BE.exe
2892  winlogon.exe
2736  winlogon.exe
Loads dropped DLL (8 IoCs)
pid   Process
2424  269e0491e7c1a47010f538856e543042_JaffaCakes118.exe
2424  269e0491e7c1a47010f538856e543042_JaffaCakes118.exe
2764  winlogon.exe
2764  winlogon.exe
2892  winlogon.exe
2644  AE 0124 BE.exe
2644  AE 0124 BE.exe
2736  winlogon.exe
Drops desktop.ini file(s) (64 IoCs)
Drops autorun.inf file (1 TTP, 28 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AE 0124 BE.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 269e0491e7c1a47010f538856e543042_JaffaCakes118.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
2432 DllHost.exe
-
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process
2424 269e0491e7c1a47010f538856e543042_JaffaCakes118.exe
2764 winlogon.exe
2644 AE 0124 BE.exe
2892 winlogon.exe
2736 winlogon.exe
2432 DllHost.exe
2432 DllHost.exe
-
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target
PID 2424 wrote to memory of 2764 2424 269e0491e7c1a47010f538856e543042_JaffaCakes118.exe 31
PID 2424 wrote to memory of 2764 2424 269e0491e7c1a47010f538856e543042_JaffaCakes118.exe 31
PID 2424 wrote to memory of 2764 2424 269e0491e7c1a47010f538856e543042_JaffaCakes118.exe 31
PID 2424 wrote to memory of 2764 2424 269e0491e7c1a47010f538856e543042_JaffaCakes118.exe 31
PID 2764 wrote to memory of 2644 2764 winlogon.exe 32
PID 2764 wrote to memory of 2644 2764 winlogon.exe 32
PID 2764 wrote to memory of 2644 2764 winlogon.exe 32
PID 2764 wrote to memory of 2644 2764 winlogon.exe 32
PID 2764 wrote to memory of 2892 2764 winlogon.exe 33
PID 2764 wrote to memory of 2892 2764 winlogon.exe 33
PID 2764 wrote to memory of 2892 2764 winlogon.exe 33
PID 2764 wrote to memory of 2892 2764 winlogon.exe 33
PID 2644 wrote to memory of 2736 2644 AE 0124 BE.exe 34
PID 2644 wrote to memory of 2736 2644 AE 0124 BE.exe 34
PID 2644 wrote to memory of 2736 2644 AE 0124 BE.exe 34
PID 2644 wrote to memory of 2736 2644 AE 0124 BE.exe 34
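The sixteen WriteProcessMemory rows above collapse to four distinct parent-to-child writes. The following Python is an added example and not part of the tria.ge report: it parses rows in exactly that column layout (description, pid, Process, procid_target), collapses the repeats, and rebuilds the chain 2424 -> 2764 -> {2644 -> 2736, 2892}. The row strings are copied from the table; KNOWN_NAMES is an assumption filled in from the Processes section for the two PIDs that only ever appear as targets. In a tria.ge report these rows also fire when a parent writes into a child it has just created, which is what the Processes section shows here, so they mirror the process tree rather than prove code injection into an unrelated process.

```python
import re
from collections import defaultdict

# Constructed input: the sixteen "Suspicious use of WriteProcessMemory" rows from this report,
# one string per row, exactly as the table lists them (the table repeats a row for every call).
WPM_ROWS = [
    "PID 2424 wrote to memory of 2764 2424 269e0491e7c1a47010f538856e543042_JaffaCakes118.exe 31",
    "PID 2424 wrote to memory of 2764 2424 269e0491e7c1a47010f538856e543042_JaffaCakes118.exe 31",
    "PID 2424 wrote to memory of 2764 2424 269e0491e7c1a47010f538856e543042_JaffaCakes118.exe 31",
    "PID 2424 wrote to memory of 2764 2424 269e0491e7c1a47010f538856e543042_JaffaCakes118.exe 31",
    "PID 2764 wrote to memory of 2644 2764 winlogon.exe 32",
    "PID 2764 wrote to memory of 2644 2764 winlogon.exe 32",
    "PID 2764 wrote to memory of 2644 2764 winlogon.exe 32",
    "PID 2764 wrote to memory of 2644 2764 winlogon.exe 32",
    "PID 2764 wrote to memory of 2892 2764 winlogon.exe 33",
    "PID 2764 wrote to memory of 2892 2764 winlogon.exe 33",
    "PID 2764 wrote to memory of 2892 2764 winlogon.exe 33",
    "PID 2764 wrote to memory of 2892 2764 winlogon.exe 33",
    "PID 2644 wrote to memory of 2736 2644 AE 0124 BE.exe 34",
    "PID 2644 wrote to memory of 2736 2644 AE 0124 BE.exe 34",
    "PID 2644 wrote to memory of 2736 2644 AE 0124 BE.exe 34",
    "PID 2644 wrote to memory of 2736 2644 AE 0124 BE.exe 34",
]

# Assumed from the Processes section: names for PIDs that only appear as write targets.
KNOWN_NAMES = {2736: "winlogon.exe", 2892: "winlogon.exe"}

# Columns: description, pid, Process, procid_target. The process name may contain spaces
# ("AE 0124 BE.exe"), so anchor on the numeric fields around it instead of splitting on whitespace.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (.+?) (\d+)$")


def parse_rows(rows):
    """Collapse the repeated rows into a set of (writer_pid, writer_name, target_pid, target_index)."""
    edges = set()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m is None:
            raise ValueError("unrecognised row: %r" % row)
        writer, target, pid_col, name, idx = m.groups()
        if writer != pid_col:
            raise ValueError("description and pid column disagree: %r" % row)
        edges.add((int(writer), name, int(target), int(idx)))
    return edges


def build_tree(edges):
    """Map each writer PID to its targets, ordered by the sandbox's procid_target index."""
    children = defaultdict(list)
    for writer, _name, target, _idx in sorted(edges, key=lambda e: e[3]):
        children[writer].append(target)
    return dict(children)


def process_names(edges):
    """PID -> image name, from the rows themselves plus the assumed names for leaf PIDs."""
    names = dict(KNOWN_NAMES)
    for writer, name, _target, _idx in edges:
        names[writer] = name
    return names


def roots(edges):
    """PIDs that write to others but were never written to: the top of each chain."""
    writers = {e[0] for e in edges}
    targets = {e[2] for e in edges}
    return writers - targets


def render_tree(edges):
    """Return the chain as indented text lines, one process per line."""
    tree = build_tree(edges)
    names = process_names(edges)
    lines = []

    def walk(pid, depth):
        lines.append("%s%d %s" % ("  " * depth, pid, names.get(pid, "?")))
        for child in tree.get(pid, []):
            walk(child, depth + 1)

    for root in sorted(roots(edges)):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(parse_rows(WPM_ROWS))))
```

Feeding it the rows from another report only needs the column layout to be the same; a writer PID that never shows up as a target of a creation-time write (for example a process injecting into an already running explorer.exe) would surface as a second root, which is the case worth looking at more closely.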
Processes
C:\Users\Admin\AppData\Local\Temp\269e0491e7c1a47010f538856e543042_JaffaCakes118.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\269e0491e7c1a47010f538856e543042_JaffaCakes118.exe"
- Drops file in Drivers directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2424
  C:\Windows\SysWOW64\drivers\winlogon.exe (level 2, child of PID 2424)
  Command line: "C:\Windows\System32\drivers\winlogon.exe"
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2764
    C:\Windows\AE 0124 BE.exe (level 3, child of PID 2764)
    Command line: "C:\Windows\AE 0124 BE.exe"
    - Drops file in Drivers directory
    - Manipulates Digital Signatures
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2644
      C:\Windows\SysWOW64\drivers\winlogon.exe (level 4, child of PID 2644)
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 2736
    C:\Windows\SysWOW64\drivers\winlogon.exe (level 3, child of PID 2764)
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 2892
C:\Windows\SysWOW64\DllHost.exe (level 1)
Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID: 2432
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 26KB
MD5: 0d9c9359e346ef632c2108c104e36c05
SHA1: 2d74ef26d137a4acec487f122ce797b98d002b70
SHA256: cf5e9016fd478aa56458e0456224f66bd50ec3009c0dd19689feab9c656b843a
SHA512: eb780568a4ff8ad230b08c67c8645c8f820433242145fb59e790e9a961a8917e653796681b26ee615d79f29b7186c52c6e7eddca3115dc9bb6f9f9dcdcfce7d1
-
Filesize: 1.3MB
MD5: 5343a19c618bc515ceb1695586c6c137
SHA1: 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256: 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512: 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize: 40KB
MD5: e26e215c3645e9da7b826e1afb56ae97
SHA1: 47e4f926cb72617dfe0026aa1472896eb2da659f
SHA256: fe2315e195061f11b6e2091c5a8e763adc1b880fa5b53e3bbbe65127585f509d
SHA512: 876ac72710da29428bb784dcfd7036d5c907f3a7f061c645002eb0dc7bd044618c4dbdd8cca1aab3fd358eb048f374eb2207e483dc0a62b917cd04e85ce4f59e
-
Filesize: 25B
MD5: 589b6886a49054d03b739309a1de9fcc
SHA1: 0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308
SHA256: 564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8
SHA512: 4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb
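A responder checking a host against this report has two things to go on: the file locations in the Processes section and the hashes of the dropped files above. The Python below is an added example, not tria.ge's code. DROPPED_SHA256 holds the four SHA256 values listed under Downloads, SUSPECT_RELATIVE_PATHS the locations from the Processes section, and the demo() directory tree is constructed placeholder data whose hashes will not match anything in the report. One caveat it encodes: the command line reads C:\Windows\System32\drivers\winlogon.exe while the file is reported at C:\Windows\SysWOW64\drivers\winlogon.exe, because the sample runs as a 32-bit process (note the SysWOW64 paths throughout) and WOW64 file system redirection maps a 32-bit process's System32 accesses to SysWOW64 on 64-bit Windows, so both locations are checked.

```python
import hashlib
import os
import tempfile
from pathlib import Path, PureWindowsPath

# SHA256 values of the four dropped files listed under Downloads in this report.
DROPPED_SHA256 = {
    "cf5e9016fd478aa56458e0456224f66bd50ec3009c0dd19689feab9c656b843a",
    "2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce",
    "fe2315e195061f11b6e2091c5a8e763adc1b880fa5b53e3bbbe65127585f509d",
    "564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8",
}

# Locations from the Processes section, relative to the Windows directory. The command line
# names System32\drivers, but the file lands in SysWOW64\drivers because WOW64 file system
# redirection sends a 32-bit process's System32 accesses there on 64-bit Windows. A 32-bit
# host has no redirection, so the System32\drivers path is checked as well.
SUSPECT_RELATIVE_PATHS = (
    Path("SysWOW64") / "drivers" / "winlogon.exe",
    Path("System32") / "drivers" / "winlogon.exe",
    Path("AE 0124 BE.exe"),
)


def sha256_file(path):
    """Stream the file through SHA256 so large drops do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_masquerading_winlogon(path):
    """The genuine winlogon.exe lives directly in System32; the same name anywhere else is suspect."""
    p = PureWindowsPath(str(path))
    return p.name.lower() == "winlogon.exe" and p.parent.name.lower() != "system32"


def hunt(windows_root):
    """Return one finding per suspect path that exists under windows_root."""
    root = Path(windows_root)
    findings = []
    for rel in SUSPECT_RELATIVE_PATHS:
        candidate = root / rel
        if not candidate.is_file():
            continue
        digest = sha256_file(candidate)
        findings.append({
            "path": str(candidate),
            "sha256": digest,
            "known_dropped_file": digest in DROPPED_SHA256,
            "masquerading": is_masquerading_winlogon(candidate),
        })
    return findings


def demo():
    """Build a constructed directory tree that mimics an infected host and run the hunt on it."""
    with tempfile.TemporaryDirectory() as td:
        root = Path(td) / "Windows"
        (root / "SysWOW64" / "drivers").mkdir(parents=True)
        (root / "System32").mkdir(parents=True)
        # Constructed placeholders, not the real sample: their hashes will not match the report.
        (root / "SysWOW64" / "drivers" / "winlogon.exe").write_bytes(b"MZ placeholder dropped copy")
        (root / "System32" / "winlogon.exe").write_bytes(b"MZ placeholder legitimate binary")
        return hunt(root)


if __name__ == "__main__":
    system_root = os.environ.get("SystemRoot")  # set on Windows hosts; otherwise run the demo tree
    for finding in (hunt(system_root) if system_root else demo()):
        print(finding)
```

On a Windows host the script reads SystemRoot and checks the live system directory; elsewhere it runs against the constructed tree. A hash match confirms the exact file this report describes, but a winlogon.exe under a drivers directory with a different hash still warrants triage, since the Downloads list covers only four files and a repacked build would hash differently.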