asyncrat | cae246e1b4386518005749ac3958c4506d448f1f7efdd49d839dd10a5e01be2b

Analysis

max time kernel
148s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-10-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe
Size

1.3MB
MD5

59acf298702bd7b13089a8883460fde5
SHA1

3d757f96fb6fa2b2020c3072f7dfebcaddca59ab
SHA256

cae246e1b4386518005749ac3958c4506d448f1f7efdd49d839dd10a5e01be2b
SHA512

6e2b0b52d498d3c77cba2fa1ce348d0c5d15bea12065df52209c312db28f7a783cdd05905a9b2b418f25d171266f173a14dd0b48721a24bac48dd461e268d52e
SSDEEP

24576:seKBtGLmFZsPlMD7KleDlws8zqUNdKfYupom0LdeTUw1Z5gOENl2for92Pvolxv:seKBtfgG7KylX8FwUrdtw1zEL2for90e

Score

10^/10

asyncrat default discovery execution persistence rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

service32.sytes.net:8848

Mutex

NFHaufhauiwfhawfw

Attributes

delay
1
install
false
install_file
vmdservice.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2244	powershell.exe
696	powershell.exe
2360	powershell.exe
2916	powershell.exe
2012	powershell.exe
2640	powershell.exe
868	powershell.exe
1300	powershell.exe
2456	powershell.exe
2120	powershell.exe
2904	powershell.exe
2732	powershell.exe
1720	powershell.exe
2128	powershell.exe
2248	powershell.exe
2692	powershell.exe
2672	powershell.exe
560	powershell.exe
3032	powershell.exe
1092	powershell.exe

Executes dropped EXE 15 IoCs

Processes:

Adobe-GenP-2.7.exeXMRfinal.exeETC1final.exeupdate.exesvchost32.exesvchost64.exeservices64.exeservices32.exesvchost64.exesvchost32.exesihost64.exesihost32.exeservices64.exesvchost64.exe

pid	process
2080	Adobe-GenP-2.7.exe
2920	XMRfinal.exe
2736	ETC1final.exe
2464	update.exe
1208
1812	svchost32.exe
2216	svchost64.exe
1980	services64.exe
2212	services32.exe
2120	svchost64.exe
2776	svchost32.exe
1044	sihost64.exe
1656	sihost32.exe
2272	services64.exe
2364	svchost64.exe

Loads dropped DLL 14 IoCs

Processes:

59acf298702bd7b13089a8883460fde5_JaffaCakes118.execmd.execmd.exesvchost64.exesvchost32.execmd.execmd.exesvchost64.exesvchost32.exesihost64.execmd.exe

pid	process
2612	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe
2612	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe
2612	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe
2612	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe
1692	cmd.exe
2972	cmd.exe
2216	svchost64.exe
1812	svchost32.exe
2868	cmd.exe
2832	cmd.exe
2120	svchost64.exe
2776	svchost32.exe
1044	sihost64.exe
2124	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service = "C:\\Users\\Admin\\AppData\\Roaming\\update.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

15 raw.githubusercontent.com
16 raw.githubusercontent.com
21 raw.githubusercontent.com
14 raw.githubusercontent.com

flow	ioc
15	raw.githubusercontent.com
16	raw.githubusercontent.com
21	raw.githubusercontent.com
14	raw.githubusercontent.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Adobe-GenP-2.7.exe	autoit_exe

Drops file in System32 directory 33 IoCs

Processes:

svchost64.exesvchost32.exepowershell.exepowershell.exesvchost64.exesvchost32.exepowershell.exepowershell.exesvchost64.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe59acf298702bd7b13089a8883460fde5_JaffaCakes118.exepowershell.exesihost64.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\Microsoft\Libs\sihost64.exe	svchost64.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	svchost32.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\services64.exe	svchost64.exe
File opened for modification	C:\Windows\system32\services32.exe	svchost32.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\Microsoft\Libs\WR64.sys	svchost64.exe
File created	C:\Windows\system32\services32.exe	svchost32.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\Microsoft\Libs\WR64.sys	svchost64.exe
File created	C:\Windows\SysWOW64\update.exe	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\services64.exe	sihost64.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\SysWOW64\Adobe-GenP-2.7.exe	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ETC1final.exe	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\SysWOW64\XMRfinal.exe	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\services64.exe	svchost64.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

update.exe

description pid process target process

PID 2464 set thread context of 2740 2464 update.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2464 set thread context of 2740	2464	update.exe	aspnet_compiler.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exeaspnet_compiler.exe59acf298702bd7b13089a8883460fde5_JaffaCakes118.execmd.execmd.exepowershell.exeupdate.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execmd.exereg.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

svchost64.exesvchost32.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	svchost64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	svchost64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	svchost32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	svchost32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	svchost64.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

760 schtasks.exe
1520 schtasks.exe
560 schtasks.exe
2444 schtasks.exe
760 schtasks.exe

pid	process
760	schtasks.exe
1520	schtasks.exe
560	schtasks.exe
2444	schtasks.exe
760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

Adobe-GenP-2.7.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost64.exesvchost32.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost64.exesvchost32.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost64.exe

pid	process
2080	Adobe-GenP-2.7.exe
2080	Adobe-GenP-2.7.exe
2080	Adobe-GenP-2.7.exe
2080	Adobe-GenP-2.7.exe
2916	powershell.exe
2672	powershell.exe
2456	powershell.exe
2244	powershell.exe
696	powershell.exe
560	powershell.exe
2360	powershell.exe
2120	powershell.exe
2216	svchost64.exe
1812	svchost32.exe
2904	powershell.exe
3032	powershell.exe
2012	powershell.exe
1092	powershell.exe
1720	powershell.exe
2732	powershell.exe
2128	powershell.exe
2248	powershell.exe
2120	svchost64.exe
2776	svchost32.exe
868	powershell.exe
2692	powershell.exe
2640	powershell.exe
1300	powershell.exe
2364	svchost64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Adobe-GenP-2.7.exe

pid process

2080 Adobe-GenP-2.7.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

update.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost64.exesvchost32.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost64.exesvchost32.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost64.exe

description	pid	process
Token: SeDebugPrivilege	2464	update.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	2216	svchost64.exe
Token: SeDebugPrivilege	1812	svchost32.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	2120	svchost64.exe
Token: SeDebugPrivilege	2776	svchost32.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	2364	svchost64.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Adobe-GenP-2.7.exe

pid process

2080 Adobe-GenP-2.7.exe
2080 Adobe-GenP-2.7.exe
2080 Adobe-GenP-2.7.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Adobe-GenP-2.7.exe

pid process

2080 Adobe-GenP-2.7.exe
2080 Adobe-GenP-2.7.exe
2080 Adobe-GenP-2.7.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

59acf298702bd7b13089a8883460fde5_JaffaCakes118.exeXMRfinal.exeETC1final.execmd.execmd.exeupdate.execmd.exe

description	pid	process	target process
PID 2612 wrote to memory of 2080	2612	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe	Adobe-GenP-2.7.exe
PID 2612 wrote to memory of 2080	2612	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe	Adobe-GenP-2.7.exe
PID 2612 wrote to memory of 2080	2612	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe	Adobe-GenP-2.7.exe
PID 2612 wrote to memory of 2080	2612	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe	Adobe-GenP-2.7.exe
PID 2612 wrote to memory of 2920	2612	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe	XMRfinal.exe
PID 2612 wrote to memory of 2920	2612	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe	XMRfinal.exe
PID 2612 wrote to memory of 2920	2612	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe	XMRfinal.exe
PID 2612 wrote to memory of 2920	2612	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe	XMRfinal.exe
PID 2612 wrote to memory of 2736	2612	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe	ETC1final.exe
PID 2612 wrote to memory of 2736	2612	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe	ETC1final.exe
PID 2612 wrote to memory of 2736	2612	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe	ETC1final.exe
PID 2612 wrote to memory of 2736	2612	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe	ETC1final.exe
PID 2612 wrote to memory of 2464	2612	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe	update.exe
PID 2612 wrote to memory of 2464	2612	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe	update.exe
PID 2612 wrote to memory of 2464	2612	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe	update.exe
PID 2612 wrote to memory of 2464	2612	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe	update.exe
PID 2612 wrote to memory of 2464	2612	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe	update.exe
PID 2612 wrote to memory of 2464	2612	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe	update.exe
PID 2612 wrote to memory of 2464	2612	59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe	update.exe
PID 2920 wrote to memory of 2776	2920	XMRfinal.exe	cmd.exe
PID 2920 wrote to memory of 2776	2920	XMRfinal.exe	cmd.exe
PID 2920 wrote to memory of 2776	2920	XMRfinal.exe	cmd.exe
PID 2920 wrote to memory of 2776	2920	XMRfinal.exe	cmd.exe
PID 2736 wrote to memory of 3036	2736	ETC1final.exe	cmd.exe
PID 2736 wrote to memory of 3036	2736	ETC1final.exe	cmd.exe
PID 2736 wrote to memory of 3036	2736	ETC1final.exe	cmd.exe
PID 2736 wrote to memory of 3036	2736	ETC1final.exe	cmd.exe
PID 3036 wrote to memory of 2672	3036	cmd.exe	powershell.exe
PID 3036 wrote to memory of 2672	3036	cmd.exe	powershell.exe
PID 3036 wrote to memory of 2672	3036	cmd.exe	powershell.exe
PID 3036 wrote to memory of 2672	3036	cmd.exe	powershell.exe
PID 2776 wrote to memory of 2916	2776	cmd.exe	powershell.exe
PID 2776 wrote to memory of 2916	2776	cmd.exe	powershell.exe
PID 2776 wrote to memory of 2916	2776	cmd.exe	powershell.exe
PID 2776 wrote to memory of 2916	2776	cmd.exe	powershell.exe
PID 2464 wrote to memory of 2668	2464	update.exe	cmd.exe
PID 2464 wrote to memory of 2668	2464	update.exe	cmd.exe
PID 2464 wrote to memory of 2668	2464	update.exe	cmd.exe
PID 2464 wrote to memory of 2668	2464	update.exe	cmd.exe
PID 2668 wrote to memory of 1728	2668	cmd.exe	reg.exe
PID 2668 wrote to memory of 1728	2668	cmd.exe	reg.exe
PID 2668 wrote to memory of 1728	2668	cmd.exe	reg.exe
PID 2668 wrote to memory of 1728	2668	cmd.exe	reg.exe
PID 2776 wrote to memory of 2244	2776	cmd.exe	powershell.exe
PID 2776 wrote to memory of 2244	2776	cmd.exe	powershell.exe
PID 2776 wrote to memory of 2244	2776	cmd.exe	powershell.exe
PID 2776 wrote to memory of 2244	2776	cmd.exe	powershell.exe
PID 3036 wrote to memory of 2456	3036	cmd.exe	powershell.exe
PID 3036 wrote to memory of 2456	3036	cmd.exe	powershell.exe
PID 3036 wrote to memory of 2456	3036	cmd.exe	powershell.exe
PID 3036 wrote to memory of 2456	3036	cmd.exe	powershell.exe
PID 3036 wrote to memory of 696	3036	cmd.exe	powershell.exe
PID 3036 wrote to memory of 696	3036	cmd.exe	powershell.exe
PID 3036 wrote to memory of 696	3036	cmd.exe	powershell.exe
PID 3036 wrote to memory of 696	3036	cmd.exe	powershell.exe
PID 2776 wrote to memory of 560	2776	cmd.exe	powershell.exe
PID 2776 wrote to memory of 560	2776	cmd.exe	powershell.exe
PID 2776 wrote to memory of 560	2776	cmd.exe	powershell.exe
PID 2776 wrote to memory of 560	2776	cmd.exe	powershell.exe
PID 2776 wrote to memory of 2120	2776	cmd.exe	powershell.exe
PID 2776 wrote to memory of 2120	2776	cmd.exe	powershell.exe
PID 2776 wrote to memory of 2120	2776	cmd.exe	powershell.exe
PID 2776 wrote to memory of 2120	2776	cmd.exe	powershell.exe
PID 3036 wrote to memory of 2360	3036	cmd.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\59acf298702bd7b13089a8883460fde5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\Adobe-GenP-2.7.exe
"C:\Windows\system32\Adobe-GenP-2.7.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2080

C:\Windows\SysWOW64\XMRfinal.exe
"C:\Windows\system32\XMRfinal.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\SysWOW64\XMRfinal.exe"
3⤵
- Loads dropped DLL
PID:2972

C:\Users\Admin\AppData\Local\Temp\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\SysWOW64\XMRfinal.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
5⤵
PID:2320

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
6⤵
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\services64.exe
"C:\Windows\system32\services64.exe"
5⤵
- Executes dropped EXE
PID:1980

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
6⤵
PID:2608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
6⤵
- Loads dropped DLL
PID:2868

C:\Users\Admin\AppData\Local\Temp\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
8⤵
PID:2508

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
9⤵
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\Microsoft\Libs\sihost64.exe
"C:\Windows\system32\Microsoft\Libs\sihost64.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1044

C:\Windows\system32\services64.exe
"C:\Windows\system32\services64.exe"
9⤵
- Executes dropped EXE
PID:2272

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
10⤵
PID:2112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
11⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
11⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
11⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
11⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
10⤵
- Loads dropped DLL
PID:2124

C:\Users\Admin\AppData\Local\Temp\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
12⤵
PID:1672

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
13⤵
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
12⤵
PID:2980

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
13⤵
PID:1036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
8⤵
PID:1148

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
9⤵
PID:2196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
5⤵
PID:2728

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:2788

C:\Windows\SysWOW64\ETC1final.exe
"C:\Windows\system32\ETC1final.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\SysWOW64\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\SysWOW64\ETC1final.exe"
3⤵
- Loads dropped DLL
PID:1692

C:\Users\Admin\AppData\Local\Temp\svchost32.exe
C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\SysWOW64\ETC1final.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
5⤵
PID:3052

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
6⤵
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\services32.exe
"C:\Windows\system32\services32.exe"
5⤵
- Executes dropped EXE
PID:2212

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
6⤵
PID:2016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
6⤵
- Loads dropped DLL
PID:2832

C:\Users\Admin\AppData\Local\Temp\svchost32.exe
C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
8⤵
PID:1292

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
9⤵
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
8⤵
- Executes dropped EXE
PID:1656

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
8⤵
PID:2668

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
9⤵
PID:2176

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
5⤵
PID:2268

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:2948

C:\Windows\SysWOW64\update.exe
"C:\Windows\system32\update.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c copy update.exe %APPDATA% && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Service /D "%APPDATA%\update.exe" -f
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Service /D "C:\Users\Admin\AppData\Roaming\update.exe" -f
4⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
#cmd
3⤵
- System Location Discovery: System Language Discovery
PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2287c94389031e6cdff22c10bea2f62

SHA1
3f1b0d0790e8457ef283b5bb4aae05953116b035

SHA256
bc36b91a48a02d746fa91587d7a4208c67635bd886c864dbf7f5321f1c69b139

SHA512
85ca69ad2b9a64fc42a3aeb4638e4e617b7eea8789e6bdb5c49764794fae1b58fbc1073680a3b859eb474e3dc95a54a08d89f0ce4a76115fece90fdbb3d230d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ff893843cf8b1f55fd018ba0d481791

SHA1
246eefb08238eae051f27b9149fcd364ec6df64c

SHA256
b5698d895bd179eaaaef821d573dfd5cabb78cc4c9852b535dccbf0fe912f291

SHA512
d4c4844c35ae6544918659d8e3eb7f1e625e812aae23e8091e3c907ec5a58a275c47f893e351b743ffbf45cf9aa519dd4b0b1f79af1f2cf634293449b052df9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3CD4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3CE6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6c26dada2d562ae567cf2fb7c0a67a6e

SHA1
61a38a0dcb645bf82c9ba64431c68b63b3630478

SHA256
28fd2af81110a118dd386ba3f134022674d959ecffe99e03587e2fa7757928ed

SHA512
84a05bc7b3b136a8d26564def4712929a448405f29910d8233bfa41b36a93fba63db8903afd747cf68abb30cfa4e589a1970cc80fed9150423517879375eb011

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
271fe32753b67a53d4786ada2ddd02ca

SHA1
bf98145c132b3ab7560c672a4614cecf8e9ca1ab

SHA256
243ab3c27b8172c6a59527463101420a345445a34ade82c35dd0bc7219328fb4

SHA512
8bd3079422420a616c4eb38ffac601d676d0a979d49c21f17ad26aa24ada2218cecd4fc16aca6368bead4e73440d70efccb8a2d8e0604b10bbcb6a415c9aafba

Download Submit
C:\Windows\SysWOW64\Adobe-GenP-2.7.exe

Filesize
1.3MB

MD5
6467e9dd5d86c741aed49060e6d3fcd2

SHA1
a3c784836d993cc2cd9a9087a23559fa05567d02

SHA256
7b8d9ff34315e1787cdb62e682b3ba8dedd9f28d7cd374afe057babaf335edd4

SHA512
9f3b46f4b4c2839e2cd6c6ca2fb2b859af0e22a9c8276b26b32c83ca5f9d95c3cefb44cd82dc78cbe427de04e92e86ceface836f45c3263a8a5a1ca7c1dc48e7

Download Submit
C:\Windows\SysWOW64\ETC1final.exe

Filesize
31KB

MD5
e6eef993d7cdd5b5d3ba14c22ba7347b

SHA1
921bcf0d4bf3fd3cebd706a6e9dfe3901e32caea

SHA256
c84043ea0e8a98b478bbe03bfc16f0d64de4eb3e99ea5f7717b5d37843fe247e

SHA512
f832a156d8bfb45a81806563265bc78712a3cdfe7217efdd7515d5a01b846416f362a41ea97037e02461ce971ce9548e4265a84baa480af05d36223e994272bf

Download Submit
C:\Windows\system32\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
56da2835319cea01989c1c9974e3d92d

SHA1
6af5d3e866a1d84149aaed7866cbcd81bbbf1997

SHA256
d4671ce89aad24e2d2dd69afdc41d9b917e5aadeca4a1d0d3f41f0a2ed20748b

SHA512
275fdf1a5ee1b5010896c342acac1b3062908c574be5cb865afe9608017cef09f47147d375089bfa325c038647b68a3a48f48e9c535191d6160beac8591eaba2

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\svchost32.exe

Filesize
23KB

MD5
a62ea2ade261009540d77e9fe64151c3

SHA1
6e49139ba8715a6604cce412a70ae3aaab85da25

SHA256
e9310bece7f0b3a543f727e4eb893ed3bea6694287a00bdf56f90591e0eb4221

SHA512
b36baddd4314cd6553d59701ab7c622b69c19754182755f75060e431372f79fa17ef3f6a72369cd783cd835959ca1151eed754544bf2b1ded72913d6f9263732

Download Submit
\Users\Admin\AppData\Local\Temp\svchost64.exe

Filesize
37KB

MD5
2398af19987fa42ea0b0af39f971dac0

SHA1
e2d74b1bb2d7dd705c95be5e9c28dd7a2ba5e646

SHA256
716849b27ea4000c6711238980d7de59adda3cf0dcd5055b06d84b361f6402f2

SHA512
0eb926162a4fdbb9a0ea31ba49ad9e8deb5bf6faece4bf0785c46a83d405464294ec38aa4d08104de892219d1a3d8c9c87885c7d9629e792d8aec1168338296f

Download Submit
\Windows\SysWOW64\XMRfinal.exe

Filesize
45KB

MD5
34c74daeeaf8a3aab61553a507b329c7

SHA1
8a28ede427de7fc4088a8ababe018c2284b93c2b

SHA256
8ad91fe964e0a868a0260a6142a94a2b7fa930be6d79fff4dbe199f38f7be17b

SHA512
114571ba25987bdbdb623d233bd9f52b9ff049ce52723cc0e68d715eed633c62b604e95ec8191e2bda10fe6aaa55d63ccbc1f9af36f2a6d11d2ac744ee2adf73

Download Submit
\Windows\SysWOW64\update.exe

Filesize
375KB

MD5
3ea6458b6a66860e0b494f4d23d80991

SHA1
e32f4c1d1601997a6c3a5745de5be87b84ffb167

SHA256
005e7927bf7df1153921f511ac3fe6527f039db911cec0d9ad7201bfa65054bf

SHA512
44487f251fd8f9f0a0adfaf7da10da43a58d22b3332cf15a8d88a407c56838f331468eb249d995a28a57c0992361c810501c0062be53791d12000df267ab5cee

Download Submit
\Windows\System32\Microsoft\Telemetry\sihost32.exe

Filesize
8KB

MD5
5b89737512666e0c07e776cb507243b5

SHA1
07ac2821e0fd2a91740e8b82c0a99cf5aa029270

SHA256
4cd89e7f4e6df328938daddcb7f96ae91408dba48c57727e3c36b424a221be50

SHA512
e2496518de02f2a4b731a1f2938a45eefbf4e070af7b1d35c03d81b8fdecc710d62aca40be4d57b4f0b479ed8699eb03586518bb3cc1815820a35cb69f46ae95

Download Submit
memory/1044-170-0x000000013FC20000-0x000000013FC26000-memory.dmp

Filesize
24KB

Download
memory/1656-177-0x000000013F0E0000-0x000000013F0E6000-memory.dmp

Filesize
24KB

Download
memory/1812-89-0x000000013FC10000-0x000000013FC1A000-memory.dmp

Filesize
40KB

Download
memory/1980-100-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/2120-161-0x000000013FDE0000-0x000000013FDEE000-memory.dmp

Filesize
56KB

Download
memory/2212-106-0x0000000000930000-0x000000000093C000-memory.dmp

Filesize
48KB

Download
memory/2216-92-0x000000013F550000-0x000000013F55E000-memory.dmp

Filesize
56KB

Download
memory/2272-334-0x0000000000F60000-0x0000000000F70000-memory.dmp

Filesize
64KB

Download
memory/2364-353-0x000000013F4A0000-0x000000013F4AE000-memory.dmp

Filesize
56KB

Download
memory/2464-28-0x00000000008C0000-0x0000000000926000-memory.dmp

Filesize
408KB

Download
memory/2732-145-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2732-146-0x0000000001CF0000-0x0000000001CF8000-memory.dmp

Filesize
32KB

Download
memory/2736-26-0x0000000000910000-0x000000000091C000-memory.dmp

Filesize
48KB

Download
memory/2740-77-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2740-71-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2740-79-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2740-80-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2740-78-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2740-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2740-75-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2740-73-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2776-163-0x000000013F7A0000-0x000000013F7AA000-memory.dmp

Filesize
40KB

Download
memory/2904-117-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2904-118-0x00000000027D0000-0x00000000027D8000-memory.dmp

Filesize
32KB

Download
memory/2920-25-0x0000000000E10000-0x0000000000E20000-memory.dmp

Filesize
64KB

Download