latentbot | ea82fd18e2bc55984294a2f16f5fa56c6f6917cfd11b7199934a5f2ae3957f98

Analysis

max time kernel
145s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 07:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5647eaaab2fdb519ee6dfa37c41ed4bc_JaffaCakes118.exe
Size

1.6MB
MD5

5647eaaab2fdb519ee6dfa37c41ed4bc
SHA1

e4a8d404159f195dd0f697d54c7048f7a1052f6d
SHA256

ea82fd18e2bc55984294a2f16f5fa56c6f6917cfd11b7199934a5f2ae3957f98
SHA512

41929071f4f2a284b3229b15359cacf5a84c8320913438fe49f950b0403e1b67af56e8459cc2a780eaa8206d729fdf8c88a966fbda0d38ce1434e25404fd18a7
SSDEEP

49152:dNHe8fAIwgw4lAAx9BhmaCldEbi0z2sD9XYxfXCogCbF51+/ng6g/tu7jbCIeI:/He8fAIwgw4lAAx9Bhma+4isnBYxfXCz

Score

10^/10

latentbot credential_access discovery evasion persistence spyware stealer trojan upx

Malware Config

Extracted

Family

latentbot

dr00wsupden.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Modifies firewall policy service 3 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\4ozcy5729OZ.exe = "C:\\Users\\Admin\\AppData\\Roaming\\4ozcy5729OZ.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\winlogon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe:*:Enabled:Windows Messanger"	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4ozcy5729OZ.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	4ozcy5729OZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe"	4ozcy5729OZ.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

4ozcy5729OZ.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AD870AD-7ACC-1FA0-77DB-08BAB1DDBD76}	4ozcy5729OZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AD870AD-7ACC-1FA0-77DB-08BAB1DDBD76}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe"	4ozcy5729OZ.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{1AD870AD-7ACC-1FA0-77DB-08BAB1DDBD76}	4ozcy5729OZ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{1AD870AD-7ACC-1FA0-77DB-08BAB1DDBD76}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe"	4ozcy5729OZ.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3ozcy5729OZ.exe3swrq7270SW.exe5647eaaab2fdb519ee6dfa37c41ed4bc_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	3ozcy5729OZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	3swrq7270SW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	5647eaaab2fdb519ee6dfa37c41ed4bc_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

Processes:

3ozcy5729OZ.exe4ozcy5729OZ.exe3swrq7270SW.exe4swrq7270SW.exe

pid process

4936 3ozcy5729OZ.exe
1204 4ozcy5729OZ.exe
4416 3swrq7270SW.exe
4924 4swrq7270SW.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

pid	process
4936	3ozcy5729OZ.exe
1204	4ozcy5729OZ.exe
4416	3swrq7270SW.exe
4924	4swrq7270SW.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4ozcy5729OZ.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe"	4ozcy5729OZ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe"	4ozcy5729OZ.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

25 whatismyip.com

flow	ioc
25	whatismyip.com

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\4ozcy5729OZ.exe	upx
behavioral2/memory/1204-31-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/1204-71-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/1204-73-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/1204-76-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/1204-81-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/1204-90-0x0000000000400000-0x000000000045A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exetimeout.exe4ozcy5729OZ.execmd.execmd.execmd.exereg.exe3swrq7270SW.execmd.exereg.exereg.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ozcy5729OZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3swrq7270SW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2100 timeout.exe
Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

3976 reg.exe
1836 reg.exe
3696 reg.exe
4232 reg.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

4swrq7270SW.exe

pid process

4924 4swrq7270SW.exe
4924 4swrq7270SW.exe
4924 4swrq7270SW.exe
4924 4swrq7270SW.exe
4924 4swrq7270SW.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

4swrq7270SW.exe

pid process

4924 4swrq7270SW.exe

pid	process
2100	timeout.exe

pid	process
3976	reg.exe
1836	reg.exe
3696	reg.exe
4232	reg.exe

pid	process
4924	4swrq7270SW.exe
4924	4swrq7270SW.exe
4924	4swrq7270SW.exe
4924	4swrq7270SW.exe
4924	4swrq7270SW.exe

pid	process
4924	4swrq7270SW.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

5647eaaab2fdb519ee6dfa37c41ed4bc_JaffaCakes118.exe4ozcy5729OZ.exe3ozcy5729OZ.exe4swrq7270SW.exe

description	pid	process
Token: SeDebugPrivilege	4784	5647eaaab2fdb519ee6dfa37c41ed4bc_JaffaCakes118.exe
Token: 1	1204	4ozcy5729OZ.exe
Token: SeCreateTokenPrivilege	1204	4ozcy5729OZ.exe
Token: SeAssignPrimaryTokenPrivilege	1204	4ozcy5729OZ.exe
Token: SeLockMemoryPrivilege	1204	4ozcy5729OZ.exe
Token: SeIncreaseQuotaPrivilege	1204	4ozcy5729OZ.exe
Token: SeMachineAccountPrivilege	1204	4ozcy5729OZ.exe
Token: SeTcbPrivilege	1204	4ozcy5729OZ.exe
Token: SeSecurityPrivilege	1204	4ozcy5729OZ.exe
Token: SeTakeOwnershipPrivilege	1204	4ozcy5729OZ.exe
Token: SeLoadDriverPrivilege	1204	4ozcy5729OZ.exe
Token: SeSystemProfilePrivilege	1204	4ozcy5729OZ.exe
Token: SeSystemtimePrivilege	1204	4ozcy5729OZ.exe
Token: SeProfSingleProcessPrivilege	1204	4ozcy5729OZ.exe
Token: SeIncBasePriorityPrivilege	1204	4ozcy5729OZ.exe
Token: SeCreatePagefilePrivilege	1204	4ozcy5729OZ.exe
Token: SeCreatePermanentPrivilege	1204	4ozcy5729OZ.exe
Token: SeBackupPrivilege	1204	4ozcy5729OZ.exe
Token: SeRestorePrivilege	1204	4ozcy5729OZ.exe
Token: SeShutdownPrivilege	1204	4ozcy5729OZ.exe
Token: SeDebugPrivilege	1204	4ozcy5729OZ.exe
Token: SeAuditPrivilege	1204	4ozcy5729OZ.exe
Token: SeSystemEnvironmentPrivilege	1204	4ozcy5729OZ.exe
Token: SeChangeNotifyPrivilege	1204	4ozcy5729OZ.exe
Token: SeRemoteShutdownPrivilege	1204	4ozcy5729OZ.exe
Token: SeUndockPrivilege	1204	4ozcy5729OZ.exe
Token: SeSyncAgentPrivilege	1204	4ozcy5729OZ.exe
Token: SeEnableDelegationPrivilege	1204	4ozcy5729OZ.exe
Token: SeManageVolumePrivilege	1204	4ozcy5729OZ.exe
Token: SeImpersonatePrivilege	1204	4ozcy5729OZ.exe
Token: SeCreateGlobalPrivilege	1204	4ozcy5729OZ.exe
Token: 31	1204	4ozcy5729OZ.exe
Token: 32	1204	4ozcy5729OZ.exe
Token: 33	1204	4ozcy5729OZ.exe
Token: 34	1204	4ozcy5729OZ.exe
Token: 35	1204	4ozcy5729OZ.exe
Token: SeDebugPrivilege	1204	4ozcy5729OZ.exe
Token: SeDebugPrivilege	4936	3ozcy5729OZ.exe
Token: SeDebugPrivilege	4924	4swrq7270SW.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

4ozcy5729OZ.exe4swrq7270SW.exe

pid process

1204 4ozcy5729OZ.exe
1204 4ozcy5729OZ.exe
4924 4swrq7270SW.exe

pid	process
1204	4ozcy5729OZ.exe
1204	4ozcy5729OZ.exe
4924	4swrq7270SW.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

5647eaaab2fdb519ee6dfa37c41ed4bc_JaffaCakes118.exe4ozcy5729OZ.execmd.execmd.execmd.execmd.exe3ozcy5729OZ.exe3swrq7270SW.execmd.exe

description	pid	process	target process
PID 4784 wrote to memory of 4936	4784	5647eaaab2fdb519ee6dfa37c41ed4bc_JaffaCakes118.exe	3ozcy5729OZ.exe
PID 4784 wrote to memory of 4936	4784	5647eaaab2fdb519ee6dfa37c41ed4bc_JaffaCakes118.exe	3ozcy5729OZ.exe
PID 4784 wrote to memory of 1204	4784	5647eaaab2fdb519ee6dfa37c41ed4bc_JaffaCakes118.exe	4ozcy5729OZ.exe
PID 4784 wrote to memory of 1204	4784	5647eaaab2fdb519ee6dfa37c41ed4bc_JaffaCakes118.exe	4ozcy5729OZ.exe
PID 4784 wrote to memory of 1204	4784	5647eaaab2fdb519ee6dfa37c41ed4bc_JaffaCakes118.exe	4ozcy5729OZ.exe
PID 1204 wrote to memory of 2528	1204	4ozcy5729OZ.exe	cmd.exe
PID 1204 wrote to memory of 2528	1204	4ozcy5729OZ.exe	cmd.exe
PID 1204 wrote to memory of 2528	1204	4ozcy5729OZ.exe	cmd.exe
PID 1204 wrote to memory of 3100	1204	4ozcy5729OZ.exe	cmd.exe
PID 1204 wrote to memory of 3100	1204	4ozcy5729OZ.exe	cmd.exe
PID 1204 wrote to memory of 3100	1204	4ozcy5729OZ.exe	cmd.exe
PID 1204 wrote to memory of 3804	1204	4ozcy5729OZ.exe	cmd.exe
PID 1204 wrote to memory of 3804	1204	4ozcy5729OZ.exe	cmd.exe
PID 1204 wrote to memory of 3804	1204	4ozcy5729OZ.exe	cmd.exe
PID 1204 wrote to memory of 3036	1204	4ozcy5729OZ.exe	cmd.exe
PID 1204 wrote to memory of 3036	1204	4ozcy5729OZ.exe	cmd.exe
PID 1204 wrote to memory of 3036	1204	4ozcy5729OZ.exe	cmd.exe
PID 3804 wrote to memory of 3976	3804	cmd.exe	reg.exe
PID 3804 wrote to memory of 3976	3804	cmd.exe	reg.exe
PID 3804 wrote to memory of 3976	3804	cmd.exe	reg.exe
PID 2528 wrote to memory of 1836	2528	cmd.exe	reg.exe
PID 2528 wrote to memory of 1836	2528	cmd.exe	reg.exe
PID 2528 wrote to memory of 1836	2528	cmd.exe	reg.exe
PID 3100 wrote to memory of 3696	3100	cmd.exe	reg.exe
PID 3100 wrote to memory of 3696	3100	cmd.exe	reg.exe
PID 3100 wrote to memory of 3696	3100	cmd.exe	reg.exe
PID 3036 wrote to memory of 4232	3036	cmd.exe	reg.exe
PID 3036 wrote to memory of 4232	3036	cmd.exe	reg.exe
PID 3036 wrote to memory of 4232	3036	cmd.exe	reg.exe
PID 4936 wrote to memory of 4416	4936	3ozcy5729OZ.exe	3swrq7270SW.exe
PID 4936 wrote to memory of 4416	4936	3ozcy5729OZ.exe	3swrq7270SW.exe
PID 4936 wrote to memory of 4416	4936	3ozcy5729OZ.exe	3swrq7270SW.exe
PID 4936 wrote to memory of 4924	4936	3ozcy5729OZ.exe	4swrq7270SW.exe
PID 4936 wrote to memory of 4924	4936	3ozcy5729OZ.exe	4swrq7270SW.exe
PID 4416 wrote to memory of 392	4416	3swrq7270SW.exe	cmd.exe
PID 4416 wrote to memory of 392	4416	3swrq7270SW.exe	cmd.exe
PID 4416 wrote to memory of 392	4416	3swrq7270SW.exe	cmd.exe
PID 392 wrote to memory of 2100	392	cmd.exe	timeout.exe
PID 392 wrote to memory of 2100	392	cmd.exe	timeout.exe
PID 392 wrote to memory of 2100	392	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\5647eaaab2fdb519ee6dfa37c41ed4bc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5647eaaab2fdb519ee6dfa37c41ed4bc_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Users\Admin\AppData\Roaming\3ozcy5729OZ.exe
  "C:\Users\Admin\AppData\Roaming\3ozcy5729OZ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Users\Admin\AppData\Roaming\3swrq7270SW.exe
    "C:\Users\Admin\AppData\Roaming\3swrq7270SW.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4416
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Roaming\3SWRQ7~1.EXE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:392
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2100
- - C:\Users\Admin\AppData\Roaming\4swrq7270SW.exe
    "C:\Users\Admin\AppData\Roaming\4swrq7270SW.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4924
- C:\Users\Admin\AppData\Roaming\4ozcy5729OZ.exe
  "C:\Users\Admin\AppData\Roaming\4ozcy5729OZ.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1836
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\4ozcy5729OZ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\4ozcy5729OZ.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3100
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\4ozcy5729OZ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\4ozcy5729OZ.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3696
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3804
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3976
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winlogon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winlogon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3ozcy5729OZ.exe

Filesize
1.3MB

MD5
149da29919fe1d4e3e9e55bee2be2648

SHA1
a2e9401e1c6b17f70d004381637dd7d84714d6e9

SHA256
f56f353c87a1e492208756a4d9788d82953ef1d565ec6f4404e5ec10024230a9

SHA512
99b035a9a76343ded42f359a93702d2ae843ebd6f863ef093556ae9eaffc32395ee027d2b71dd2b9c092a34a2fccbb7e3865e2d71518eeccbaacdb2907348215

Download Submit
C:\Users\Admin\AppData\Roaming\3swrq7270SW.exe

Filesize
18KB

MD5
c1d71ae4a72894851d141ac619d98214

SHA1
cc94fea6ad8fe862bf042619ec66604e4203bfad

SHA256
feb8687e854e1b65613adf8b93155ea6f6d48a4c7e7e92ac1f3d62636c3a9deb

SHA512
8e2307c75a07bd1db0d7da47abcae10ca678425a7eec9f0095d418bc17882b3a848f7b0656a64f6b2ff404faf824869d10d3f9f5fc2d9e9f56c8409d23bbce8b

Download Submit
C:\Users\Admin\AppData\Roaming\4ozcy5729OZ.exe

Filesize
129KB

MD5
35fc32c18b4b90779f019acc95010e7b

SHA1
d886b87fac85a585f85c831504dece1f78219898

SHA256
1d2d5c51711e369ec41e7ff54e97420cf2b6c3d589efed25a9ad6b4ddc8f2f10

SHA512
1f22e259ecdc7ed076f0f9479d612ee7c12d301ad4d4e52ead97b09fae46c361fb75e0b13ddf5db05cb4ec90739755ba944b92ff14eb24773ec65d47dfc55ec5

Download Submit
C:\Users\Admin\AppData\Roaming\4swrq7270SW.exe

Filesize
1.1MB

MD5
cdbce78bd80687b566d97b0dc81e700c

SHA1
5f7a6c19a25973db9905bbc9c7530106d74543a0

SHA256
3fe06750849ae72a8584a4bc44e83139d494d046f45c05eb23d6b6d374e5ba18

SHA512
18e505ff713e93c25da30c51228ce462edb5e69e3f204710092086b4790e53ce2b5b9fbc2cee85eac23ddeba0ff55d3b043ed7c9c0f8a7bdcbe11cde8b4b3ba2

Download Submit
C:\Users\Admin\AppData\Roaming\data.dat

Filesize
34B

MD5
16e0abc6bba66ebb9e8e3626da5e4e67

SHA1
3fe92695e95313d9fd998c6c5d5aa0d42bf0777d

SHA256
330df529d0e4a065b67e4fcb59df03549dac1cb8db472996b2c9137c27b194cb

SHA512
e87ef159d90fbecbe97b1b83196c6d8b30b113d7f9966235ee23d7653e1ea904c59c03e5390b3d09d629fd220fb440782a6ab55c1da9a4370518fc31672724dc

Download Submit
memory/1204-31-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1204-73-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1204-76-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1204-81-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1204-90-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1204-71-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4784-7-0x000000001BA20000-0x000000001BA6C000-memory.dmp

Filesize
304KB

Download
memory/4784-2-0x00007FFEE9C30000-0x00007FFEEA5D1000-memory.dmp

Filesize
9.6MB

Download
memory/4784-34-0x00007FFEE9C30000-0x00007FFEEA5D1000-memory.dmp

Filesize
9.6MB

Download
memory/4784-8-0x00007FFEE9C30000-0x00007FFEEA5D1000-memory.dmp

Filesize
9.6MB

Download
memory/4784-1-0x000000001B120000-0x000000001B1C6000-memory.dmp

Filesize
664KB

Download
memory/4784-3-0x00007FFEE9C30000-0x00007FFEEA5D1000-memory.dmp

Filesize
9.6MB

Download
memory/4784-6-0x000000001B200000-0x000000001B208000-memory.dmp

Filesize
32KB

Download
memory/4784-0-0x00007FFEE9EE5000-0x00007FFEE9EE6000-memory.dmp

Filesize
4KB

Download
memory/4784-5-0x000000001B890000-0x000000001B92C000-memory.dmp

Filesize
624KB

Download
memory/4784-4-0x000000001BEF0000-0x000000001C3BE000-memory.dmp

Filesize
4.8MB

Download
memory/4924-66-0x000000001D500000-0x000000001D519000-memory.dmp

Filesize
100KB

Download
memory/4924-70-0x000000001F2E0000-0x000000001F5EE000-memory.dmp

Filesize
3.1MB

Download
memory/4924-68-0x000000001F3C0000-0x000000001F49E000-memory.dmp

Filesize
888KB

Download
memory/4936-65-0x00007FFEE9C30000-0x00007FFEEA5D1000-memory.dmp

Filesize
9.6MB

Download
memory/4936-37-0x00007FFEE9C30000-0x00007FFEEA5D1000-memory.dmp

Filesize
9.6MB

Download
memory/4936-33-0x00007FFEE9C30000-0x00007FFEEA5D1000-memory.dmp

Filesize
9.6MB

Download