Analysis
max time kernel: 149s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/10/2024 (8 October 2024, one day after the 20241007 resource image was built), 22:47
Static task: static1
Behavioral task behavioral1: sample 269e0491e7c1a47010f538856e543042_JaffaCakes118.exe, resource win7-20240903-en
Behavioral task behavioral2: sample 269e0491e7c1a47010f538856e543042_JaffaCakes118.exe, resource win10v2004-20241007-en
(The signatures on this page are from behavioral2: the platform above is windows10-2004_x64 and the WinSxS paths below carry build 10.0.19041.)
General
Target: 269e0491e7c1a47010f538856e543042_JaffaCakes118.exe
Size: 26KB
MD5: 269e0491e7c1a47010f538856e543042
SHA1: 44a7d4af4ba59b4ea9bec696d122c35f829586eb
SHA256: f1237a50fd17301f0bb52462bdae3c3bd4647e7b92a9843bb1beafe40a0bcb3d
SHA512: 5ce61129ddb198b5d3749dca22df81beb9b54b3c9f5a3dac911aeec9450d9b42e1c7301a8f175e4f43da30cae574f87710c65c29105e612335ef1f74d97c494a
SSDEEP: 384:1M3PnQoHDCpHf4I4Qwdc0G5KDJ9MFoe7vfO1Ld7:1m/QojCpHfx09MF3vgLd7
Malware Config
Signatures
Drops file in Drivers directory (39 IoCs)
Two files are written here by name: winlogon.exe and Msvbvm60.dll (the Visual Basic 6 runtime) are placed in C:\Windows\SysWOW64\drivers, where neither belongs; the legitimate winlogon.exe lives in C:\Windows\System32, so the copy in the drivers directory is a masquerading dropped executable. The other entries are existing driver files and locale directories the sample opened for modification.
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gm.dls | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\uk-UA | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui | AE 0124 BE.exe
File created | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\en-US | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | 269e0491e7c1a47010f538856e543042_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\afunix.sys | AE 0124 BE.exe
Manipulates Digital Signatures (2 IoCs)
wintrust.dll implements Authenticode verification and pwrshsip.dll is the Subject Interface Package (SIP) that handles PowerShell script signatures. An attacker who patches or replaces these DLLs, or the exported functions they register with the trust system, can make an unsigned or tampered binary pass signature checks. The sandbox records only that both files were opened for modification, so whether their contents actually changed has to be confirmed by hashing them against a known-good copy from the same Windows build.
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\wintrust.dll | AE 0124 BE.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Queries the country code configured in the registry (Control Panel\International\Geo\Nation, a Windows GeoID), most likely to geofence execution by region. All three processes in the chain, the original sample, the dropped AE 0124 BE.exe and the dropped winlogon.exe, perform the lookup.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | AE 0124 BE.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | 269e0491e7c1a47010f538856e543042_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | winlogon.exe
Executes dropped EXE (4 IoCs)
pid | Process
4148 | winlogon.exe
556 | AE 0124 BE.exe
4740 | winlogon.exe
4444 | winlogon.exe
Loads dropped DLL (3 IoCs)
pid | Process
556 | AE 0124 BE.exe
4740 | winlogon.exe
4444 | winlogon.exe
Drops desktop.ini file(s) (57 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Media\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Offline Web Pages\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-userprofiles_31bf3856ad364e35_10.0.19041.1_none_39d6d106c6f70bec\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Fonts\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-commonmusic_31bf3856ad364e35_10.0.19041.1_none_2f07a4cad3dec315\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-commonvideos_31bf3856ad364e35_10.0.19041.1_none_923716ddadd939c8\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Web\Wallpaper\Theme1\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonpictures_31bf3856ad364e35_10.0.19041.1_none_36436b821c9e7209\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_10.0.19041.1_none_bbf8ad8ff53c9b5b\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_10.0.19041.1_none_d69cbb4282e4fe2c\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..kf-commonadmintools_31bf3856ad364e35_10.0.19041.1_none_0b090bb5ae01dd1a\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.423_none_7c917c97525f1487\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_10.0.19041.1_none_be359f0533764571\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-publiclibraries_31bf3856ad364e35_10.0.19041.1_none_cbd9ad4986c925d5\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Downloaded Program Files\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_10.0.19041.1_none_345e4e1d2701732b\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.0.19041.1_none_2108f0881e5a7a03\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commondesktop_31bf3856ad364e35_10.0.19041.1_none_a81a33274fb1b624\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_10.0.19041.1_none_905c6a851ca62951\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commonstartup_31bf3856ad364e35_10.0.19041.1_none_b2014b56ea660ec9\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.19041.1_none_19358785a81a86d6\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_10.0.19041.1_none_d9f53b39b3834744\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_10.0.19041.1_none_a208296858c76413\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_10.0.19041.1_none_148b41803c849a3c\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-programfiles_31bf3856ad364e35_10.0.19041.1_none_cb8c8caad1a2ad44\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-programfilesx86_31bf3856ad364e35_10.0.19041.1_none_3870d3554f39ac78\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-public_31bf3856ad364e35_10.0.19041.1_none_0cf1a65e91dfb2be\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Web\Wallpaper\Theme2\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondocuments_31bf3856ad364e35_10.0.19041.1_none_04c252e5678f305a\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commonstartmenu_31bf3856ad364e35_10.0.19041.1_none_f6eee8789c1c6fdd\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.19041.1_none_4b0e6b545bf0f4e7\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.1_none_5476a60692fad199\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme1_31bf3856ad364e35_10.0.19041.1_none_8ccb1090444b78d3\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonprograms_31bf3856ad364e35_10.0.19041.1_none_047fa97bc9873117\desktop.ini | AE 0124 BE.exe
Drops autorun.inf file (1 TTPs, 28 IoCs)
Malware can abuse Windows AutoRun to spread via attached volumes: an Autorun.inf at the root of a drive names a program to launch when the volume is mounted. Here the dropped winlogon.exe writes one to the root of every drive letter, A: through Z:, regardless of whether a volume is present; the two remaining entries are existing autorun.inf files inside the Windows directory that AE 0124 BE.exe opened for modification. Since Windows 7 (and since KB971029 on earlier versions) AutoRun is honoured only for optical media by default, so this is mainly a propagation vector against legacy or misconfigured hosts, but a root-level Autorun.inf remains a reliable infection marker.
description | ioc | Process
File opened for modification | \??\S:\Autorun.inf | winlogon.exe
File opened for modification | \??\U:\Autorun.inf | winlogon.exe
File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_10.0.19041.1_none_3802d0d85b60df4c\autorun.inf | AE 0124 BE.exe
File opened for modification | C:\Autorun.inf | winlogon.exe
File opened for modification | \??\X:\Autorun.inf | winlogon.exe
File opened for modification | F:\Autorun.inf | winlogon.exe
File opened for modification | \??\Z:\Autorun.inf | winlogon.exe
File opened for modification | D:\Autorun.inf | winlogon.exe
File opened for modification | \??\H:\Autorun.inf | winlogon.exe
File opened for modification | \??\L:\Autorun.inf | winlogon.exe
File opened for modification | \??\O:\Autorun.inf | winlogon.exe
File opened for modification | \??\Q:\Autorun.inf | winlogon.exe
File opened for modification | \??\A:\Autorun.inf | winlogon.exe
File opened for modification | \??\J:\Autorun.inf | winlogon.exe
File opened for modification | \??\W:\Autorun.inf | winlogon.exe
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | AE 0124 BE.exe
File opened for modification | \??\G:\Autorun.inf | winlogon.exe
File opened for modification | \??\R:\Autorun.inf | winlogon.exe
File opened for modification | \??\B:\Autorun.inf | winlogon.exe
File opened for modification | \??\N:\Autorun.inf | winlogon.exe
File opened for modification | \??\T:\Autorun.inf | winlogon.exe
File opened for modification | \??\K:\Autorun.inf | winlogon.exe
File opened for modification | \??\I:\Autorun.inf | winlogon.exe
File opened for modification | \??\M:\Autorun.inf | winlogon.exe
File opened for modification | \??\P:\Autorun.inf | winlogon.exe
File opened for modification | \??\V:\Autorun.inf | winlogon.exe
File opened for modification | \??\Y:\Autorun.inf | winlogon.exe
File opened for modification | \??\E:\Autorun.inf | winlogon.exe
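As an added example (not part of the tria.ge report and not the sample's own code), the following PowerShell script checks a Windows host for the indicators from the Drivers, Digital Signatures, Location settings and Autorun signatures above. The file paths, the registry value and the process names are taken from the report; the script structure, the 200-character truncation of Autorun.inf contents and the idea of comparing hashes against a clean host of the same build are assumptions of this example.

```powershell
# Added example, not part of the tria.ge report or of the sample: triage a
# Windows host for the behaviours listed in the Drivers, Digital Signatures,
# Location and Autorun signatures. Paths, registry value and process names
# are taken from the report; the layout and output format are assumptions.
# Run from an elevated prompt so every process and volume is visible; the
# script only reads, it modifies nothing.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Geofence check. This is the same value the sample queries under
#    HKCU\Control Panel\International\Geo\Nation. It holds a Windows GeoID
#    (a number, e.g. 244 for the United States); knowing it tells you which
#    branch a geofenced sample would take on this host.
$geo = Get-ItemProperty -Path 'HKCU:\Control Panel\International\Geo' -ErrorAction SilentlyContinue
if ($null -ne $geo) { $findings.Add("Geo\Nation = $($geo.Nation)") }

# 2. Dropped binaries in the drivers directory. The legitimate winlogon.exe
#    lives in C:\Windows\System32, and Msvbvm60.dll (the VB6 runtime) has no
#    business in a drivers directory, so presence alone is a finding.
$dropped = @(
    "$env:SystemRoot\SysWOW64\drivers\winlogon.exe",
    "$env:SystemRoot\SysWOW64\drivers\Msvbvm60.dll"
)
foreach ($path in $dropped) {
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings.Add("Dropped file present: $path (SHA256 $hash)")
    }
}

# 3. Autorun.inf at the root of every mounted filesystem volume. The sample's
#    winlogon.exe writes one to A: through Z:; the first 200 characters of
#    the file show what it tries to launch.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path -Path $drive.Root -ChildPath 'Autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $body = Get-Content -LiteralPath $inf -Raw -ErrorAction SilentlyContinue
        $body = ($body -replace '\s+', ' ')
        if ($body.Length -gt 200) { $body = $body.Substring(0, 200) }
        $findings.Add("Autorun.inf on $($drive.Root): $body")
    }
}

# 4. Trust-provider DLLs the sample opened for modification. A status other
#    than 'Valid' is a tamper indicator. Verifying wintrust.dll with the
#    Authenticode stack that itself relies on wintrust.dll is circular, so the
#    SHA256 is recorded for comparison with a clean host of the same build.
$trustDlls = @(
    "$env:SystemRoot\SysWOW64\wintrust.dll",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll",
    "$env:SystemRoot\System32\wintrust.dll",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\pwrshsip.dll"
)
foreach ($path in $trustDlls) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $findings.Add(('{0}: signature {1}, SHA256 {2}' -f $path, $sig.Status, $hash))
}

# 5. Running processes with the names seen in the report whose image is not
#    the real System32 binary. The report's winlogon.exe pids (4148, 4740,
#    4444) were the dropped copy, not the system's logon process.
$names = @('winlogon.exe', 'AE 0124 BE.exe')
Get-CimInstance -ClassName Win32_Process |
    Where-Object { $names -contains $_.Name } |
    Where-Object { $_.ExecutablePath -and ($_.ExecutablePath -notlike "$env:SystemRoot\System32\*") } |
    ForEach-Object {
        $findings.Add(('Suspicious process {0} pid {1} at {2}' -f $_.Name, $_.ProcessId, $_.ExecutablePath))
    }

if ($findings.Count -eq 0) { Write-Output 'No indicators from this report found.' }
else { $findings | ForEach-Object { Write-Output $_ } }
```

The hash lines for wintrust.dll and pwrshsip.dll are the part worth acting on: the report only shows the DLLs being opened for modification, so the values must be compared with an unaffected host on the same Windows build (or a clean install image) before concluding that the trust stack was tampered with.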
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\DriverStore\fr-FR\c_camera.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\provsvc.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\wscui.cpl | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\Dism\fr-FR\DismCore.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Storage-VirtualDevice-SMB-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1202.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Identity-Foundation-Opt-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\Configuration\Registration\MSFT_FileDirectoryConfiguration\es-ES\MSFT_FileDirectoryConfiguration.Registration.mfl | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\MSFT_WindowsOptionalFeature.psm1 | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mdmgl004.inf_amd64_189d0189716edeb1 | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\ja-JP\volmgr.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\it-IT | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\de-DE\mswstr10.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\es-ES\TtlsCfg.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\grb.rs | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\KBDHE.DLL | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-IntegrationComponents-VirtualDevice-Core-Package~31bf3856ad364e35~amd64~~10.0.19041.153.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SearchEngine-Client-Package-base-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\en-US\bthspp.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mdmnokia.inf_amd64_9be5ff0f15b15eb7\mdmnokia.inf | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\fr-FR\mdmgen.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\it-IT\sdstor.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\rshx32.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NetFx4-WCF-US-OC-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\es-ES\msfeedsbs.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\schedcli.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\fr-FR\smrdisk.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-DirectoryServices-ADAM-Client-Admin-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\de-DE\netrast.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\fr-FR\PSDSCxMachine.strings.psd1 | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Storage\ResiliencySetting.cdxml | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\mfsvr.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\SmartcardCredentialProvider.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\wbem\es-ES\wsp_health.mfl | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\it-IT\winusb.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-OpenSSH-Common-Package~31bf3856ad364e35~amd64~~10.0.19041.964.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-DirectoryServices-ADAM-Install-Group-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\it-IT\netvwifimp.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-HypervisorPlatform-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Networking-Containers-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-RestrictedCodecsExt-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netwmbclass.inf_amd64_dba6eeaf0544a4e0\netwmbclass.inf | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\en-US\Winrs.exe.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\globinputhost.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\miguiresource.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\msctfp.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\IME\IMEJP\IMJPUEX.EXE | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\wbem\cli.mof | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\wbem\newdev.mof | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\microsoft_bluetooth_a2dp_snk.inf_amd64_213eeba98cc6f2f4 | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\ja-JP\SDFLauncher.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\dc1-controller.inf_amd64_63236b4ab51ad398\dc1-controller.sys | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\InstallShield\_setup.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Containers-Server-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-RestrictedCodecsCore-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\usbncm.inf_amd64_9957a38c3d2283ed | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\es-ES\DevicePairingFolder.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\dsquery.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-LanguageFeatures-OCR-en-us-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\ialpss2i_gpio2_glk.inf_amd64_dad1e0a2b185e32b | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\zh-TW\APHostRes.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Printing-XPSServices-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat | AE 0124 BE.exe
Drops file in Windows directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.ApplicationId.Framework.Resources | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.Tracing\v4.0_4.0.0.0__b03f5f7f11d50a3a | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Web.Entity.Design.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-w..ywmdmcesp.resources_31bf3856ad364e35_10.0.19041.1_it-it_84b624e3bdad75fa | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_dual_prnms004.inf_31bf3856ad364e35_10.0.19041.1_none_f59945c05aa85d79\Amd64\unisharev4-manifest.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_he-il_5d63a4c17806f149.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_c9531e019f9be234df9ecd4ac69e2922_31bf3856ad364e35_10.0.19200.101_none_55da42ce624bdfb5.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\msil_multipoint-wmsdashboard.resources_31bf3856ad364e35_10.0.19041.1_en-us_f7e7f4de797fc24f.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja\DataSvcUtil.resources.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1031\alinkui.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-ShellExperienceHost-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft.powershell.dsc.proxy.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_757c25085c60d905 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\msil_system.runtime.serialization.resources_b77a5c561934e089_10.0.19041.1_ja-jp_5efca45d29d1792e | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..encontent.resources_31bf3856ad364e35_10.0.19041.1_it-it_315a7f6a59d01e90\LockScreenContent.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-dxp-deviceexperience_31bf3856ad364e35_10.0.19041.746_none_251e769058968366\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-waasmedic_31bf3856ad364e35_10.0.19041.1165_none_a82485b8f343811f\WaaSMedicPS.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_windowssearchengine_31bf3856ad364e35_7.0.19041.1151_none_ec390bd802a1c630\SearchProtocolHost.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_netfx-system.security_b03f5f7f11d50a3a_10.0.19041.1_none_1e117d6c6e596d04 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_multimedia-restrict..ore-full-deployment_31bf3856ad364e35_10.0.19041.1_none_4eb077678d2b54df.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\x86_dual_prnms003.inf_31bf3856ad364e35_10.0.19041.906_none_989c54dfe8b63c18\I386\unishare.gpd | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-n..5linqcomp.resources_31bf3856ad364e35_10.0.19041.1_it-it_9eb2fa09466cd9a1\System.Management.Instrumentation.Resources.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\diagnostics\system\BITS\DiagPackage.diagpkg | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-o..files-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_37c80eaf011451c1 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_netvwifimp.inf.resources_31bf3856ad364e35_10.0.19041.1_es-es_5e118e3b20f814e6\netvwifimp.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-aarsvc_31bf3856ad364e35_10.0.19041.1266_none_e20a2c618eea3856\r | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.746_none_b93dce693a9c6db9\f | AE 0124 BE.exe
File opened for modification | C:\Windows\apppatch\msimain.sdb | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\error.aspx.it.resx | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\home1.aspx.fr.resx | AE 0124 BE.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-OneCore-Multimedia-CastingCommon-WOW64-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.mum | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-u..k-library.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_96bc4689091c7817 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_edmgen.resources_b77a5c561934e089_4.0.15805.0_ja-jp_3c0494920e612e3a\EdmGen.resources.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-aarsvc_31bf3856ad364e35_10.0.19041.264_none_40d14f6c04397868\r\agentactivationruntimewindows.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-xbox-gameoverlay.resources_31bf3856ad364e35_10.0.19041.1_de-de_a5abe97df80b20ed\GamePanel.exe.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_netfx4clientcorecomp.resources_31bf3856ad364e35_10.0.15805.0_es-es_765c3c4b51e37b49\dfshim.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-xwizards-registration_31bf3856ad364e35_10.0.19041.746_none_0166c3237bd08b72\r | AE 0124 BE.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-NetFx3-OnDemand-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.mum | AE 0124 BE.exe
File opened for modification | C:\Windows\SystemResources\imagesp1.dll.mun | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-r..ckgroundmediapolicy_31bf3856ad364e35_10.0.19041.746_none_2b52281297de22ce | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\msil_multipoint-wmswssgcommon_31bf3856ad364e35_10.0.19041.1_none_8dd736a2e253ab4b.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_appinstallerprompt-desktop_31bf3856ad364e35_10.0.19041.746_none_df9eceb60009427e\f | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..ice-winrt.resources_31bf3856ad364e35_10.0.19041.964_en-us_ef9e96aeb010cd06\Windows.Management.Service.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\icsunattend.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-d..roperties.resources_31bf3856ad364e35_10.0.19041.1_de-de_4c4377c7df55b008.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-eventviewer.resources_31bf3856ad364e35_10.0.19041.1_en-us_da9719030926a2b0 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_c_fsquotamgmt.inf.resources_31bf3856ad364e35_10.0.19041.1_it-it_a97d0f24d5eac9a9\c_fsquotamgmt.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.746_none_6c16d1714d60fddf\mspaint.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\f\IpsPlugin.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_windows-id-connecte..-provider-tokenprov_31bf3856ad364e35_10.0.19041.746_none_ad8e2c77dad9fb8e\r | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_system.servicemodel.web.resources_31bf3856ad364e35_4.0.15805.0_de-de_ea29d01d75de827c.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\msil_microsoft.web.manag..ftpclient.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_e02f8b2d2fc6f3d1\Microsoft.Web.Management.FtpClient.resources.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtilLib.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-Common-RegulatedPackages-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.mum | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-deploymentcsps_31bf3856ad364e35_10.0.19041.1_none_24012e8e9dd1d9a9 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_netfx4-_dataoraclec..hared12_neutral_ini_b03f5f7f11d50a3a_4.0.15805.0_none_3acbbf3a213ac4a7 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-g..zards-mui.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_3c6f5fff8bc67fd7\connect.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1_none_d0af17ec366548f3\logo.contrast-black_scale-100.png | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\BreadcrumbScrollRight.png | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..t-roaming.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_97cfb7235576a5c8\VaultRoaming.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_uiautomationtypes_31bf3856ad364e35_4.0.15805.110_none_eecc6ea50c290db1\UIAutomationTypes.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-keyiso.resources_31bf3856ad364e35_10.0.19041.1_it-it_4d26d7eedd99271f_keyiso.dll.mui_4bbf12ff | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_dual_usbcir.inf_31bf3856ad364e35_10.0.19041.1_none_4e4e2a9b5e98e503.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-e..-protocol-host-peer_31bf3856ad364e35_10.0.19041.1266_none_e32e0904acfc408f\f | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-n..5linqcomp.resources_31bf3856ad364e35_10.0.19041.1_de-de_69175ae68d63e057\System.Management.Instrumentation.Resources.dll | AE 0124 BE.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AE 0124 BE.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 269e0491e7c1a47010f538856e543042_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe
-
Modifies registry class 3 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 269e0491e7c1a47010f538856e543042_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ AE 0124 BE.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process
1648 269e0491e7c1a47010f538856e543042_JaffaCakes118.exe
4148 winlogon.exe
556 AE 0124 BE.exe
4740 winlogon.exe
4444 winlogon.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target
PID 1648 wrote to memory of 4148 1648 269e0491e7c1a47010f538856e543042_JaffaCakes118.exe 86
PID 1648 wrote to memory of 4148 1648 269e0491e7c1a47010f538856e543042_JaffaCakes118.exe 86
PID 1648 wrote to memory of 4148 1648 269e0491e7c1a47010f538856e543042_JaffaCakes118.exe 86
PID 4148 wrote to memory of 556 4148 winlogon.exe 87
PID 4148 wrote to memory of 556 4148 winlogon.exe 87
PID 4148 wrote to memory of 556 4148 winlogon.exe 87
PID 4148 wrote to memory of 4740 4148 winlogon.exe 88
PID 4148 wrote to memory of 4740 4148 winlogon.exe 88
PID 4148 wrote to memory of 4740 4148 winlogon.exe 88
PID 556 wrote to memory of 4444 556 AE 0124 BE.exe 89
PID 556 wrote to memory of 4444 556 AE 0124 BE.exe 89
PID 556 wrote to memory of 4444 556 AE 0124 BE.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\269e0491e7c1a47010f538856e543042_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\269e0491e7c1a47010f538856e543042_JaffaCakes118.exe" (level 1)
- Drops file in Drivers directory
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1648
C:\Windows\SysWOW64\drivers\winlogon.exe "C:\Windows\System32\drivers\winlogon.exe" (level 2)
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4148
C:\Windows\AE 0124 BE.exe "C:\Windows\AE 0124 BE.exe" (level 3)
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 556
C:\Windows\SysWOW64\drivers\winlogon.exe "C:\Windows\System32\drivers\winlogon.exe" (level 4)
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4444
C:\Windows\SysWOW64\drivers\winlogon.exe "C:\Windows\System32\drivers\winlogon.exe" (level 3)
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4740
Network
MITRE ATT&CK Enterprise v15
Downloads