b7f38b88fccc60b1604149bb07752c914a01481027c470578354d0107ab333c2

Analysis

max time kernel
133s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17/10/2024, 13:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

523ad4b9971c39788df876edbd25f253_JaffaCakes118.exe
Size

248KB
MD5

523ad4b9971c39788df876edbd25f253
SHA1

7abfe9f013298c8ab3a6c9522d3642cec8afe28f
SHA256

b7f38b88fccc60b1604149bb07752c914a01481027c470578354d0107ab333c2
SHA512

664da4c30954b5cb902a87b18086259fdfd0f125acca23c18496fa9f95451ed87e9f2f35dfe79b169158e5399617f5cf84c094819a7dbd13a4814e71c730c484
SSDEEP

3072:aNk7Sepe+nLNzBVeUDw5wz+D6ccjjFOjSW1jXcN/UF/a2Y+BFoxb+Goh/YKc5Sru:vBJtBVeKncXJNXK8E/+BFYbFoh/y5S

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2240	powershell.exe
1636	powershell.exe
2812	powershell.exe
1364	powershell.exe
2236	powershell.exe
2836	powershell.exe
2764	powershell.exe
2556	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
1736	svchost32.exe
1100	services32.exe
916	svchost32.exe
2396	sihost32.exe

Loads dropped DLL 4 IoCs

pid	Process
3044	cmd.exe
1736	svchost32.exe
2520	cmd.exe
916	svchost32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
10	raw.githubusercontent.com

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	svchost32.exe
File created	C:\Windows\system32\services32.exe	svchost32.exe
File opened for modification	C:\Windows\system32\services32.exe	svchost32.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	svchost32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	svchost32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	svchost32.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2280	schtasks.exe
3012	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2836	powershell.exe
2764	powershell.exe
2556	powershell.exe
2240	powershell.exe
1736	svchost32.exe
1636	powershell.exe
2812	powershell.exe
1364	powershell.exe
2236	powershell.exe
916	svchost32.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	1736	svchost32.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	916	svchost32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2760	2188	523ad4b9971c39788df876edbd25f253_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2760	2188	523ad4b9971c39788df876edbd25f253_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2760	2188	523ad4b9971c39788df876edbd25f253_JaffaCakes118.exe	30
PID 2760 wrote to memory of 2836	2760	cmd.exe	32
PID 2760 wrote to memory of 2836	2760	cmd.exe	32
PID 2760 wrote to memory of 2836	2760	cmd.exe	32
PID 2760 wrote to memory of 2764	2760	cmd.exe	33
PID 2760 wrote to memory of 2764	2760	cmd.exe	33
PID 2760 wrote to memory of 2764	2760	cmd.exe	33
PID 2760 wrote to memory of 2556	2760	cmd.exe	34
PID 2760 wrote to memory of 2556	2760	cmd.exe	34
PID 2760 wrote to memory of 2556	2760	cmd.exe	34
PID 2760 wrote to memory of 2240	2760	cmd.exe	35
PID 2760 wrote to memory of 2240	2760	cmd.exe	35
PID 2760 wrote to memory of 2240	2760	cmd.exe	35
PID 2188 wrote to memory of 3044	2188	523ad4b9971c39788df876edbd25f253_JaffaCakes118.exe	36
PID 2188 wrote to memory of 3044	2188	523ad4b9971c39788df876edbd25f253_JaffaCakes118.exe	36
PID 2188 wrote to memory of 3044	2188	523ad4b9971c39788df876edbd25f253_JaffaCakes118.exe	36
PID 3044 wrote to memory of 1736	3044	cmd.exe	38
PID 3044 wrote to memory of 1736	3044	cmd.exe	38
PID 3044 wrote to memory of 1736	3044	cmd.exe	38
PID 1736 wrote to memory of 328	1736	svchost32.exe	39
PID 1736 wrote to memory of 328	1736	svchost32.exe	39
PID 1736 wrote to memory of 328	1736	svchost32.exe	39
PID 328 wrote to memory of 2280	328	cmd.exe	41
PID 328 wrote to memory of 2280	328	cmd.exe	41
PID 328 wrote to memory of 2280	328	cmd.exe	41
PID 1736 wrote to memory of 1100	1736	svchost32.exe	42
PID 1736 wrote to memory of 1100	1736	svchost32.exe	42
PID 1736 wrote to memory of 1100	1736	svchost32.exe	42
PID 1736 wrote to memory of 1640	1736	svchost32.exe	43
PID 1736 wrote to memory of 1640	1736	svchost32.exe	43
PID 1736 wrote to memory of 1640	1736	svchost32.exe	43
PID 1640 wrote to memory of 2816	1640	cmd.exe	45
PID 1640 wrote to memory of 2816	1640	cmd.exe	45
PID 1640 wrote to memory of 2816	1640	cmd.exe	45
PID 1100 wrote to memory of 2832	1100	services32.exe	46
PID 1100 wrote to memory of 2832	1100	services32.exe	46
PID 1100 wrote to memory of 2832	1100	services32.exe	46
PID 2832 wrote to memory of 1636	2832	cmd.exe	48
PID 2832 wrote to memory of 1636	2832	cmd.exe	48
PID 2832 wrote to memory of 1636	2832	cmd.exe	48
PID 2832 wrote to memory of 2812	2832	cmd.exe	49
PID 2832 wrote to memory of 2812	2832	cmd.exe	49
PID 2832 wrote to memory of 2812	2832	cmd.exe	49
PID 2832 wrote to memory of 1364	2832	cmd.exe	50
PID 2832 wrote to memory of 1364	2832	cmd.exe	50
PID 2832 wrote to memory of 1364	2832	cmd.exe	50
PID 2832 wrote to memory of 2236	2832	cmd.exe	51
PID 2832 wrote to memory of 2236	2832	cmd.exe	51
PID 2832 wrote to memory of 2236	2832	cmd.exe	51
PID 1100 wrote to memory of 2520	1100	services32.exe	52
PID 1100 wrote to memory of 2520	1100	services32.exe	52
PID 1100 wrote to memory of 2520	1100	services32.exe	52
PID 2520 wrote to memory of 916	2520	cmd.exe	54
PID 2520 wrote to memory of 916	2520	cmd.exe	54
PID 2520 wrote to memory of 916	2520	cmd.exe	54
PID 916 wrote to memory of 2940	916	svchost32.exe	55
PID 916 wrote to memory of 2940	916	svchost32.exe	55
PID 916 wrote to memory of 2940	916	svchost32.exe	55
PID 916 wrote to memory of 2396	916	svchost32.exe	57
PID 916 wrote to memory of 2396	916	svchost32.exe	57
PID 916 wrote to memory of 2396	916	svchost32.exe	57
PID 2940 wrote to memory of 3012	2940	cmd.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\523ad4b9971c39788df876edbd25f253_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\523ad4b9971c39788df876edbd25f253_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\system32\cmd.exe
  "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2240
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\523ad4b9971c39788df876edbd25f253_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Local\Temp\svchost32.exe
    C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\523ad4b9971c39788df876edbd25f253_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:328
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2280
  - - C:\Windows\system32\services32.exe
      "C:\Windows\system32\services32.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1100
    - - C:\Windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2832
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2520
      - C:\Users\Admin\AppData\Local\Temp\svchost32.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3012
        
        C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
        
        "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
        7⤵
        Executes dropped EXE
        
        PID:2396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
        7⤵
        
        PID:1360
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:2944
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1640
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d3f65ebd0e5bab4b02baeee56babeaf

SHA1
d16a7debc7f65cd18ea49d9d286c8bb3eb98b2a1

SHA256
cfb03eb77476318a3f161bc7966774c51171370ca0883591f2608b06c00f15bc

SHA512
b7f592211e45d4af889442a2d7026f42eaab1b4de54c6dd97683809272df5f7ef6ff39317240a9e57366d976c4608819f8c32efb79f7d55cfd78690d6e5c8503

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab897D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar898F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6d65283f1eed77c74fe9d80e3d14d070

SHA1
652de78a9c9e0e5e5222e8c21d634c2938bf295a

SHA256
4b6e3a624cab183fbcaff4957998782bfd718933e7e4b5b6ba39395ceedb4b9b

SHA512
4fe06cdbed9c1b252b9f0dbdb9df377018eed1a975bed77790ad4e561021ab07ed9e81c0db798ed5474f203d944d4d2351fe266d3c596b207f51ae607775acc7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0e93ae81717c4360a3fe051e81a465f6

SHA1
e0941313c001af536bba87d6e0c88a307fc7fbe4

SHA256
58cf59f44359452efce89ee4fecf7e2f358a71daf719ea9be8c4de684df2f938

SHA512
146a4db2fdd657aa945e403da82ce249a5da66735e2e8cfa65f58c6d981f1f34baa941cd9b9ce103f0698aeb402e287406a2049b5efc5d905f04b3d20ff76e13

Download Submit
\Users\Admin\AppData\Local\Temp\svchost32.exe

Filesize
118KB

MD5
2ba4b37b5160e93d8578cc99ab0dd23e

SHA1
7444d78bf084694120f61931d47600be9337395f

SHA256
ebdfeeb734fefdb799659eb05fe31c89f3c48fd9f7ba9da7642a5b8cfa999171

SHA512
9ba1d37c1ac6cf350b84a76a465ecf617a07dea1c8c46d7d77c2e1cd89eccf3fe173cd568656b12f3219ffad0ed86dd2c90dac13411f7a7593877ed0a73f701c

Download Submit
\Windows\System32\Microsoft\Telemetry\sihost32.exe

Filesize
51KB

MD5
e3e3c0543e52f100cac1cd42d6108446

SHA1
a37d7dcc8465b9d8b97c5d00affeab9b791cc41f

SHA256
7a7a7c0e308096ba2cb78cf41bcdb0dbb5a6f91ce50086f5b87f490aa8bbe2b1

SHA512
937f49c2ad9b05a40896c28360fcda45f754e225f9004e29ceafeb1a8c5c9a7046bd631e1b1f5fac49fbab21c0d02c0ca68a90aa63e7c14b3cb453d72db9066a

Download Submit
\Windows\System32\services32.exe

Filesize
248KB

MD5
523ad4b9971c39788df876edbd25f253

SHA1
7abfe9f013298c8ab3a6c9522d3642cec8afe28f

SHA256
b7f38b88fccc60b1604149bb07752c914a01481027c470578354d0107ab333c2

SHA512
664da4c30954b5cb902a87b18086259fdfd0f125acca23c18496fa9f95451ed87e9f2f35dfe79b169158e5399617f5cf84c094819a7dbd13a4814e71c730c484

Download Submit
memory/916-78-0x000000013F950000-0x000000013F972000-memory.dmp

Filesize
136KB

Download
memory/1100-50-0x000000013F710000-0x000000013F752000-memory.dmp

Filesize
264KB

Download
memory/1736-43-0x0000000000740000-0x0000000000752000-memory.dmp

Filesize
72KB

Download
memory/1736-42-0x000000013FB60000-0x000000013FB82000-memory.dmp

Filesize
136KB

Download
memory/2188-34-0x000007FEF5173000-0x000007FEF5174000-memory.dmp

Filesize
4KB

Download
memory/2188-0-0x000007FEF5173000-0x000007FEF5174000-memory.dmp

Filesize
4KB

Download
memory/2188-35-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2188-37-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2188-1-0x000000013FF60000-0x000000013FFA2000-memory.dmp

Filesize
264KB

Download
memory/2188-2-0x0000000000550000-0x0000000000572000-memory.dmp

Filesize
136KB

Download
memory/2188-3-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2396-85-0x000000013FAD0000-0x000000013FAE2000-memory.dmp

Filesize
72KB

Download
memory/2396-86-0x0000000000540000-0x0000000000546000-memory.dmp

Filesize
24KB

Download
memory/2764-21-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2764-22-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/2836-13-0x000007FEF2600000-0x000007FEF2F9D000-memory.dmp

Filesize
9.6MB

Download
memory/2836-9-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2836-8-0x000007FEF28BE000-0x000007FEF28BF000-memory.dmp

Filesize
4KB

Download
memory/2836-11-0x000007FEF2600000-0x000007FEF2F9D000-memory.dmp

Filesize
9.6MB

Download
memory/2836-10-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2836-12-0x000007FEF2600000-0x000007FEF2F9D000-memory.dmp

Filesize
9.6MB

Download
memory/2836-14-0x000007FEF2600000-0x000007FEF2F9D000-memory.dmp

Filesize
9.6MB

Download
memory/2836-15-0x000007FEF2600000-0x000007FEF2F9D000-memory.dmp

Filesize
9.6MB

Download