Analysis

max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 29-10-2024 11:28

Static task: static1
Behavioral task: behavioral1
  Sample: 7c15fb3e213e1071e2f4fe2656ff8c72_JaffaCakes118.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 7c15fb3e213e1071e2f4fe2656ff8c72_JaffaCakes118.exe
  Resource: win10v2004-20241007-en

General

Target: 7c15fb3e213e1071e2f4fe2656ff8c72_JaffaCakes118.exe
Size: 3.2MB
MD5: 7c15fb3e213e1071e2f4fe2656ff8c72
SHA1: 3f1a13661076f7ef318dc6e23a9299481a1176e5
SHA256: ba195a7c0affd458a7ecd4cdb1d04638a4d3f6c36b45e994bc055df1b59351df
SHA512: 17f9d42e18d1d559d2852734eadfc70e1882e9a9c49913f3a01a01048c173d8a48c2aa9126675a035b6ea5bcbd78ebf613bc3636a7972d8417dbe5a0760bb3fb
SSDEEP: 49152:m32jqCCU1B51m84CU+sen2MGm2Dr5vdezjjygGTcE:
Malware Config
Signatures
Darkcomet family

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: Server-UNIQUE.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\Adobe\\Flash.exe"  [Server-UNIQUE.exe]
UserInit is a comma-separated list that winlogon.exe launches at every interactive logon; appending Flash.exe after the legitimate userinit.exe starts the implant before the user's shell. Anything in this value other than C:\Windows\system32\userinit.exe should be treated as a persistence entry.
Modifies firewall policy service (3 TTPs, 3 IoCs)
Processes: Flash.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  [Flash.exe]
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile  [Flash.exe]
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1"  [Flash.exe]
Note that EnableFirewall is written as 1: the profile is left on and only the user-facing notifications are suppressed (DisableNotifications = 1).
Modifies security service (2 TTPs, 1 IoC)
Processes: Flash.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"  [Flash.exe]
Start = 4 is SERVICE_DISABLED, so the Security Center service (wscsvc) will not start at the next boot.

Windows security bypass (name as listed under Flash.exe in the process tree)
Processes: Flash.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [Flash.exe]
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  [Flash.exe]
The Wow6432Node path shows a 32-bit process writing through the WOW64 registry redirector on the x64 image.
Disables RegEdit via registry modification (1 IoC)
Processes: Flash.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  [Flash.exe]

Disables Task Manager via registry modification
No IoC row is attached to this signature; the corresponding write is the REG.exe child of Server.exe (PID 1004) in the process tree, which sets HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 1.
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: Server-UNIQUE.exe, Flash.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate  [Server-UNIQUE.exe]
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate  [Flash.exe]
Executes dropped EXE (4 IoCs)
Processes (PID): msnmsgr.exe (2808), Server-UNIQUE.exe (2856), Server.exe (2596), Flash.exe (2836)

Loads dropped DLL (8 IoCs)
Processes (PID, one entry per load): 7c15fb3e213e1071e2f4fe2656ff8c72_JaffaCakes118.exe (1692) x2, msnmsgr.exe (2808) x3, dw20.exe (2392) x1, Server-UNIQUE.exe (2856) x2
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files (1 TTP)
Steals credentials from unsecured files.

None of the four credential-access signatures above carries an IoC row in this report; they contribute technique tags only, so the specific files touched are not recorded here.
Windows security modification (name as listed under Flash.exe in the process tree)
Processes: Flash.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [Flash.exe]
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  [Flash.exe]
These are the same two Security Center writes listed earlier; the report counts them under two signatures.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes: Server.exe
- Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  [Server.exe]
- Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  [Server.exe]
- Key queried \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  [Server.exe]
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: Server.exe, Server-UNIQUE.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Server.exe"  [Server.exe]
- Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\flash32 = "C:\\Users\\Admin\\Documents\\Adobe\\Flash.exe"  [Server-UNIQUE.exe]
UPX-packed file (yara rule: upx, 19 matches)
Matches (resource):
- behavioral1/files/0x0007000000016307-25.dat
- behavioral1/memory/2856-30-0x0000000000400000-0x00000000004C7000-memory.dmp
- behavioral1/memory/2856-50-0x0000000000400000-0x00000000004C7000-memory.dmp
- behavioral1/memory/2836-51-0x0000000000400000-0x00000000004C7000-memory.dmp
- behavioral1/memory/2836-NN-0x0000000000400000-0x00000000004C7000-memory.dmp for NN in 54, 55, 56, 71, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102 (15 further dumps of the same region in PID 2836)
Both Server-UNIQUE.exe (PID 2856) and Flash.exe (PID 2836) occupy the identical 0x00400000-0x004C7000 image range, consistent with Flash.exe being a copy of the binary that spawned it. The rule matches the dropped file on disk as well as the in-memory image, so the UPX layer is the persisted form, not only a runtime artefact.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 15 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: every process in the tree opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language: REG.exe (7 instances), reg.exe, msnmsgr.exe, Server-UNIQUE.exe, Server.exe, dw20.exe, cmd.exe, 7c15fb3e213e1071e2f4fe2656ff8c72_JaffaCakes118.exe, Flash.exe.
Because the benign helpers (cmd.exe, reg.exe, the .NET error reporter dw20.exe) trigger it as well, this signature is low-signal on its own.
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: Flash.exe, Server-UNIQUE.exe
Each of the two processes opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 and queried its ProcessorNameString, Identifier and VendorIdentifier values.
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: Server-UNIQUE.exe, Flash.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  [Server-UNIQUE.exe]
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  [Flash.exe]

Modifies Internet Explorer settings (name as listed under Server.exe in the process tree)
Processes: Server.exe
- Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main  [Server.exe]
Modifies registry key (1 TTP, 8 IoCs)
Processes (PID): REG.exe (1768), REG.exe (2056), reg.exe (2896), REG.exe (2052), REG.exe (2164), REG.exe (1892), REG.exe (1820), REG.exe (1004)

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes (PID): Server.exe (2596)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (PID): Flash.exe (2836)
Suspicious use of AdjustPrivilegeToken (47 IoCs)
Processes: Server-UNIQUE.exe (PID 2856) and Flash.exe (PID 2836) each enabled the same 23 privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35. Server.exe (PID 2596) enabled SeDebugPrivilege only.
The unresolved LUIDs 33, 34 and 35 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. Enabling every privilege present in the token in one pass is the usual "adjust everything" pattern rather than a targeted SeDebugPrivilege request; it only succeeds for privileges the token already holds, so it does not by itself indicate elevation.
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes (PID): Flash.exe (2836) x1, Server.exe (2596) x3
Suspicious use of WriteProcessMemory (56 IoCs)
Every parent-to-child edge is recorded four times (56 rows); the deduplicated pairs, with the child's sandbox process index in parentheses:
- 1692 7c15fb3e213e1071e2f4fe2656ff8c72_JaffaCakes118.exe -> 2808 msnmsgr.exe (30)
- 2808 msnmsgr.exe -> 2856 Server-UNIQUE.exe (31)
- 2808 msnmsgr.exe -> 2596 Server.exe (32)
- 2808 msnmsgr.exe -> 2392 dw20.exe (33)
- 2856 Server-UNIQUE.exe -> 2836 Flash.exe (34)
- 2596 Server.exe -> 788 cmd.exe (35)
- 788 cmd.exe -> 2896 reg.exe (37)
- 2596 Server.exe -> 2052 REG.exe (39)
- 2596 Server.exe -> 2164 REG.exe (40)
- 2596 Server.exe -> 1892 REG.exe (42)
- 2596 Server.exe -> 2056 REG.exe (44)
- 2596 Server.exe -> 1820 REG.exe (45)
- 2596 Server.exe -> 1004 REG.exe (48)
- 2596 Server.exe -> 1768 REG.exe (49)
System policy modification (1 TTP, 3 IoCs)
Processes: Flash.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"  [Flash.exe]
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion  [Flash.exe]
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern  [Flash.exe]
The path is recorded verbatim and is malformed: the Explorer policy key is Policies\Explorer, not Policies\CurrentVersion\Explorern, so this HKLM write creates junk keys and does not apply the NoControlPanel policy. The setting that actually takes effect is the HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = 1 written by the REG.exe child of Server.exe (PID 1768). The junk keys remain a usable host IoC.
outlook_win_path (1 IoC)
Processes: Server.exe
- Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  [Server.exe]
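The registry-write rows in the signatures above can be triaged mechanically. The following Python is an added example, not part of this report and not Tria.ge code: it parses rows in the "Set value (type) path = "data" process" form used above (the sample rows are copied from this report), normalises the \REGISTRY\MACHINE and \REGISTRY\USER\<sid> prefixes to HKLM / HKU, maps each write to an ATT&CK technique through a small rule table, and splits the Winlogon UserInit list so that anything other than userinit.exe is reported. The rule table and the technique assignments are the editor's assumptions, not the sandbox's own scoring.

```python
"""Classify the sandbox's registry-write IoCs.  Added example, not Tria.ge code;
the sample rows are copied from the signature tables in this report."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: one 'Set value (<type>) <path> = "<data>" <process>' row per line.
SAMPLE_IOCS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\Adobe\\Flash.exe" Server-UNIQUE.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" Flash.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" Flash.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" Flash.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Flash.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\flash32 = "C:\\Users\\Admin\\Documents\\Adobe\\Flash.exe" Server-UNIQUE.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" Flash.exe
"""

IOC_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')
SID_RE = re.compile(r"^S-1-5-21(?:-\d+)+$")

# Editor's rule table (an assumption, not the sandbox's logic):
# (ATT&CK technique, label, regex on the lower-cased key path, regex on the value name)
RULES = [
    ("T1547.004", "Winlogon helper entry", r"\\winlogon$", r"^(userinit|shell)$"),
    ("T1547.001", "Run key", r"\\currentversion\\run(once)?$", r"."),
    ("T1562.004", "firewall policy changed", r"\\firewallpolicy\\", r"."),
    ("T1562.001", "Security Center notifications suppressed", r"\\security center$", r"disablenotify$"),
    ("T1543.003", "service start type changed", r"^system\\controlset\d+\\services\\[^\\]+$", r"^start$"),
    ("T1548.002", "UAC disabled", r"\\policies\\system$", r"^enablelua$"),
    ("T1562.001", "user tooling disabled by policy",
     r"(\\policies\\(system|explorer)|\\policies\\microsoft\\windows\\system)$",
     r"^(disableregistrytools|disabletaskmgr|disablecmd|norun|nocontrolpanel|noviewcontextmenu|nofolderinfo)$"),
]


@dataclass
class RegWrite:
    process: str
    hive: str                        # "HKLM" or "HKU\<sid>"
    key: str                         # key path below the hive
    name: str                        # value name
    data: str
    technique: Optional[str] = None
    note: str = ""


def parse_write(line: str) -> Optional[RegWrite]:
    """Turn one sandbox IoC row into a RegWrite, or None if it is not a value write."""
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    _vtype, path, data, proc = m.groups()
    parts = path.split("\\")[1:]                      # ["REGISTRY", "MACHINE", ...]
    if parts[1] == "MACHINE":
        hive, rest = "HKLM", parts[2:]
    elif parts[1] == "USER" and SID_RE.match(parts[2]):
        hive, rest = "HKU\\" + parts[2], parts[3:]    # that user's HKCU
    else:
        hive, rest = "\\".join(parts[:2]), parts[2:]
    # the report escapes backslashes inside data values; undo that
    return RegWrite(proc, hive, "\\".join(rest[:-1]), rest[-1], data.replace("\\\\", "\\"))


def userinit_extras(data: str) -> List[str]:
    """Entries in a Winlogon UserInit list other than the legitimate userinit.exe."""
    entries = [e.strip() for e in data.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("\\userinit.exe")]


def classify(w: RegWrite) -> RegWrite:
    key, name = w.key.lower(), w.name.lower()
    for tech, label, key_re, name_re in RULES:
        if re.search(key_re, key) and re.search(name_re, name):
            w.technique, w.note = tech, label
            break
    if w.technique is None and "\\policies\\" in key:
        # e.g. Policies\CurrentVersion\Explorern: looks like policy, is never consulted
        w.note = "policy-like path Windows does not consult (possible typo in the malware)"
    elif w.technique == "T1547.004" and name == "userinit":
        extras = userinit_extras(w.data)
        w.note = ("runs at every logon: " + "; ".join(extras)) if extras else "UserInit unchanged"
    return w


def analyse(text: str) -> List[RegWrite]:
    return [classify(w) for w in map(parse_write, text.splitlines()) if w]


if __name__ == "__main__":
    for w in analyse(SAMPLE_IOCS):
        print(f"{w.technique or '-':10} {w.process:18} {w.hive}\\{w.key}\\{w.name} = {w.data!r}  {w.note}")
```

The Explorern row is the interesting edge case: it matches none of the policy rules because the key is not one Windows reads, and the script says so instead of silently counting it as a NoControlPanel policy. The same parser can be pointed at the whole signature table; "Key created" and "Key value queried" rows are ignored by design because they carry no data to classify.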
Processes

C:\Users\Admin\AppData\Local\Temp\7c15fb3e213e1071e2f4fe2656ff8c72_JaffaCakes118.exe  (PID 1692, depth 1)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\7c15fb3e213e1071e2f4fe2656ff8c72_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\ZVgjyUVfojNc\vQidSyHIGLvpwan\4.14.38.7752\msnmsgr.exe  (PID 2808, depth 2)
    cmdline: "C:\ProgramData\ZVgjyUVfojNc\vQidSyHIGLvpwan\4.14.38.7752\msnmsgr.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\UttVdqSmRpHhIT\btczjtzvIYnuwG\3.10.28.5527\Server-UNIQUE.exe  (PID 2856, depth 3)
      cmdline: "C:\Users\Admin\AppData\Roaming\UttVdqSmRpHhIT\btczjtzvIYnuwG\3.10.28.5527\Server-UNIQUE.exe"
      - Modifies WinLogon for persistence
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\Documents\Adobe\Flash.exe  (PID 2836, depth 4)
        cmdline: "C:\Users\Admin\Documents\Adobe\Flash.exe"
        - Modifies firewall policy service
        - Modifies security service
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - System policy modification

    C:\Users\Admin\AppData\Roaming\UttVdqSmRpHhIT\btczjtzvIYnuwG\3.10.28.5527\Server.exe  (PID 2596, depth 3)
      cmdline: "C:\Users\Admin\AppData\Roaming\UttVdqSmRpHhIT\btczjtzvIYnuwG\3.10.28.5527\Server.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - outlook_win_path

      C:\Windows\SysWOW64\cmd.exe  (PID 788, depth 4)
        cmdline: C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe  (PID 2896, depth 5)
          cmdline: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          - System Location Discovery: System Language Discovery
          - Modifies registry key

      Seven further children of Server.exe, all C:\Windows\SysWOW64\REG.exe at depth 4, each with the signatures "System Location Discovery: System Language Discovery" and "Modifies registry key":
      - PID 2052: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      - PID 2164: REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
      - PID 1892: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
      - PID 2056: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoViewContextMenu /t REG_DWORD /d 1 /f
      - PID 1820: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderInfo /t REG_DWORD /d 1 /f
      - PID 1004: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      - PID 1768: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe  (PID 2392, depth 3)
      cmdline: dw20.exe -x -s 676
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

Notes on the tree:
- The image paths are under C:\Windows\SysWOW64 while the command lines say System32: the 32-bit parent's System32 reference is redirected by WOW64 file-system redirection. Match on the command line, not the image path, when writing detections for this chain.
- The EnableLUA = 0 write (PID 2896, via cmd.exe /k) is the only one of the eight reg.exe writes that touches HKLM; it disables UAC for every user and takes effect at the next reboot. The other seven are HKCU policies that lock the current user out of Run, cmd.exe, regedit, Task Manager, the context menu, folder info and the Control Panel.
- dw20.exe is the .NET Framework 2.0 error-reporting shim. msnmsgr.exe launching it with -x -s <id> indicates an unhandled .NET exception in that dropper stage, not a further payload, which is also why it is the only child of msnmsgr.exe with no persistence or evasion signatures.
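The process tree above can be rebuilt from the raw WriteProcessMemory rows rather than read off the rendered page, and the reg.exe command lines decoded into the registry writes they perform. The following Python is an added example, not part of this report and not Tria.ge code: the rows, PIDs and command lines are copied from this report, the leaf image names are filled in from the tree, and the parsing rules (in particular locating reg.exe inside a cmd.exe /k wrapper and attributing the write to the leaf process that ran it) are the editor's assumptions.

```python
"""Rebuild the process lineage from the sandbox's WriteProcessMemory rows and decode the
reg.exe command lines.  Added example, not Tria.ge code; data copied from this report."""
import re
from collections import defaultdict

# Constructed sample: "PID <parent> wrote to memory of <child> <parent> <image> <index>" rows.
# The report lists every edge four times; the first row is repeated here on purpose.
WPM_ROWS = """
PID 1692 wrote to memory of 2808 1692 7c15fb3e213e1071e2f4fe2656ff8c72_JaffaCakes118.exe 30
PID 1692 wrote to memory of 2808 1692 7c15fb3e213e1071e2f4fe2656ff8c72_JaffaCakes118.exe 30
PID 2808 wrote to memory of 2856 2808 msnmsgr.exe 31
PID 2808 wrote to memory of 2596 2808 msnmsgr.exe 32
PID 2808 wrote to memory of 2392 2808 msnmsgr.exe 33
PID 2856 wrote to memory of 2836 2856 Server-UNIQUE.exe 34
PID 2596 wrote to memory of 788 2596 Server.exe 35
PID 788 wrote to memory of 2896 788 cmd.exe 37
PID 2596 wrote to memory of 2052 2596 Server.exe 39
PID 2596 wrote to memory of 2164 2596 Server.exe 40
PID 2596 wrote to memory of 1892 2596 Server.exe 42
PID 2596 wrote to memory of 2056 2596 Server.exe 44
PID 2596 wrote to memory of 1820 2596 Server.exe 45
PID 2596 wrote to memory of 1004 2596 Server.exe 48
PID 2596 wrote to memory of 1768 2596 Server.exe 49
"""
# Leaf images (the rows only name parents) and command lines from the process tree, by PID.
IMAGES = {2836: "Flash.exe", 2392: "dw20.exe", 2896: "reg.exe", 2052: "REG.exe", 2164: "REG.exe",
          1892: "REG.exe", 2056: "REG.exe", 1820: "REG.exe", 1004: "REG.exe", 1768: "REG.exe"}
CMDLINES = {
    788: r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f",
    2896: r"C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f",
    2052: r"REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f",
    2164: r"REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f",
    1004: r"REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f",
    1768: r"REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f",
}

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+$")
# reg / reg.exe / <dir>\reg.exe followed by "add", anywhere in the line (so also after cmd.exe /k)
REG_ADD_RE = re.compile(r"(?:^|\s)(?:\S*\\)?reg(?:\.exe)?\s+add\s+(.*)$", re.I)


def parse_edges(text):
    """(parent, child) -> number of writes seen, plus parent PID -> image name."""
    edges, names = {}, {}
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            parent, child = int(m.group(1)), int(m.group(2))
            edges[(parent, child)] = edges.get((parent, child), 0) + 1
            names[parent] = m.group(3)
    return edges, names


def children_of(edges):
    kids = defaultdict(list)
    for parent, child in edges:          # dict order == the order the sandbox saw them
        kids[parent].append(child)
    return kids


def roots(edges):
    """PIDs that wrote to others but were never written to."""
    return sorted({p for p, _ in edges} - {c for _, c in edges})


def lineage(edges, pid):
    """Root-to-pid chain, e.g. [1692, 2808, 2596, 788, 2896] for the wrapped reg.exe."""
    parent_of = {c: p for p, c in edges}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def parse_reg_add(cmdline):
    """Decode 'reg add <key> /v <name> /t <type> /d <data> /f' wherever it sits in the line."""
    m = REG_ADD_RE.search(cmdline)
    if not m:
        return None
    toks = m.group(1).split()            # these command lines carry no quoted arguments
    out = {"key": toks[0], "value": None, "type": None, "data": None,
           "force": any(t.lower() == "/f" for t in toks)}
    flags = {"/v": "value", "/t": "type", "/d": "data"}
    for i, t in enumerate(toks[1:-1], 1):
        if t.lower() in flags:
            out[flags[t.lower()]] = toks[i + 1]
    return out


def render_tree(edges, names, images):
    """Indented lines, one per process, in sandbox order."""
    kids, lines = children_of(edges), []

    def walk(pid, depth):
        lines.append("  " * depth + f"{images.get(pid) or names.get(pid, '?')} (PID {pid})")
        for child in kids.get(pid, []):
            walk(child, depth + 1)

    for root in roots(edges):
        walk(root, 0)
    return lines


def registry_writes(edges, cmdlines):
    """reg add commands attributed to the leaf that ran them, not to the cmd.exe /k wrapper."""
    kids = children_of(edges)
    return [(lineage(edges, pid), w) for pid, cl in cmdlines.items()
            if (w := parse_reg_add(cl)) and not kids.get(pid)]


if __name__ == "__main__":
    edges, names = parse_edges(WPM_ROWS)
    print("\n".join(render_tree(edges, names, IMAGES)))
    for chain, w in registry_writes(edges, CMDLINES):
        print(" > ".join(map(str, chain)), f'{w["key"]}\\{w["value"]} = {w["data"]}')
```

Attributing the write to the leaf matters for counting: cmd.exe (PID 788) carries the same `reg.exe ADD ... EnableLUA` text in its command line as its child reg.exe (PID 2896), and a naive grep over command lines would report the UAC change twice. The lineage function gives the full chain back to the submitted sample for each write, which is what a detection rule on this behaviour should key on rather than on the reg.exe process alone.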
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)

Defense Evasion
- Impair Defenses (3)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (2)
- Modify Registry (9)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (4)
  - Credentials In Files (4)
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5GWW47WY\errorPageStrings[1]
  Filesize: 2KB
  MD5: e3e4a98353f119b80b323302f26b78fa
  SHA1: 20ee35a370cdd3a8a7d04b506410300fd0a6a864
  SHA256: 9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66
  SHA512: d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

- (path not recorded)
  Filesize: 271KB
  MD5: 1509998b2d393d06ed8b5a9c030a7eaa
  SHA1: 33ea1459094553f8eb00a1e7ae3cd7b11ca5bf92
  SHA256: 4d8dba29ee46718c9dfcaef8b91034e206e4a43074fd4244640e956d2adf2ac9
  SHA512: 4bc6d26c1b091c54caa0ec53138bbbc631d55dae3c90ae7aa5da9f3ef7ecc8706fae826a01bcaacea31639229fd4b510080f8fd3cc6f6295a0f62a3b05e1c597

- (path not recorded)
  Filesize: 2.4MB
  MD5: e0f967a6368335d5760a6bf12cae6c97
  SHA1: e247932bc6fb0a44269dbe19c988002293e5fbd8
  SHA256: 05fac676893fb3a710c844c18c43ed7919c51ed89082f1cd59a2204f778f9ead
  SHA512: f3b3c25c2d881a21e4d49972cf01588dee48c99f949b15175c1f7bf1b658d2a5694740a7d33c464854ad206d17170d85aba32674ded168ed253d07536bde2548

- (path not recorded)
  Filesize: 354KB
  MD5: c5589cd80095e8b4b94b2f07b4b964f4
  SHA1: a0fc4779e2ccd83424a5bf91f65bf3ffaf3cc4b0
  SHA256: e70537a0143fcc58dab732ffd40c653d8dd78e443be2d11fa07161938185ab96
  SHA512: d5e2cf6b68f5979d2076b77011dd56160cba57b47bcc74b7f57085938075da48313bca458d200faf4026198ac58bb6cfc187f57be9770b5fdd8bc138b2628525