Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26-11-2024 01:26
General
-
Target
9f0a556061374d6ddd189b0f487c3975_JaffaCakes118.exe
-
Size
199KB
-
MD5
9f0a556061374d6ddd189b0f487c3975
-
SHA1
bd97e50faa6eb660249cb4dbae2119c3d114b2d7
-
SHA256
f436765ff183c0e9f274db6a0bb1a366743987215d8a9a10bed877f8997690ea
-
SHA512
b7cdea247894b1bbd771a971dd7a5283107a58f109c173e42ee585a5e6cc24a278b0b33bfdd44a0582b757924ff98601c1c74a2753242200d7b9248ce91802c6
-
SSDEEP
3072:pI/TvP5e7E9XY92n2Az51uHuiSivnE4St1zqf0NlKx7k/dhm4t3hEV6:pI7vPBW9qbz5AHuRtb1+8Ngx7kPms3hB
Score
10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 47 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 47 IoCs
-
Adds Run key to start application 2 TTPs 47 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 24 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 50 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Runs .reg file with regedit 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f0a556061374d6ddd189b0f487c3975_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9f0a556061374d6ddd189b0f487c3975_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 7123⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"5⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 7006⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"7⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 7008⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\System32\regedit.exe" /s C:\Windows\system32\noruns.reg7⤵
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"9⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 70410⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"11⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 70012⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"13⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 70814⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"14⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"15⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 70416⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"16⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"17⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 70018⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"18⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"19⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 70020⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"20⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"21⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 70422⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"22⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"23⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 70024⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"23⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"24⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"25⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 70426⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"25⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"26⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"27⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 70428⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"27⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"28⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"29⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 70830⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"29⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"30⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"30⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"31⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"31⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"32⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 70033⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"32⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"33⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"33⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"34⤵
- Enumerates connected drives
- Drops autorun.inf file
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 70435⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"34⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"35⤵
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"35⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"36⤵
- Enumerates connected drives
- Drops autorun.inf file
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 70437⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"36⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"37⤵
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"37⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"38⤵
- Enumerates connected drives
- Drops autorun.inf file
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 70039⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"38⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"39⤵
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"39⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"40⤵
- Enumerates connected drives
- Drops autorun.inf file
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 70041⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"40⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"41⤵
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"41⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"42⤵
- Enumerates connected drives
- Drops autorun.inf file
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 70043⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"42⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"43⤵
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"43⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"44⤵
- Enumerates connected drives
- Drops autorun.inf file
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 70045⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"44⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"45⤵
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"45⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"46⤵
- Enumerates connected drives
- Drops autorun.inf file
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 70047⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"46⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"47⤵
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"47⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"48⤵
- Enumerates connected drives
- Drops autorun.inf file
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 70049⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 53648⤵
- Program crash
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\System32\regedit.exe" /s C:\Windows\system32\noruns.reg2⤵
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3080 -ip 30801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1956 -ip 19561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3260 -ip 32601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1416 -ip 14161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2320 -ip 23201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3068 -ip 30681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4668 -ip 46681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2228 -ip 22281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 388 -ip 3881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4412 -ip 44121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4220 -ip 42201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 232 -ip 2321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3588 -ip 35881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2396 -ip 23961⤵
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3324 -ip 33241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1416 -ip 14161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3132 -ip 31321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3176 -ip 31761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1616 -ip 16161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1076 -ip 10761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1684 -ip 16841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3380 -ip 33801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4556 -ip 45561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1108 -ip 11081⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
151KB
MD59ccd924199157b6b550384bca46b9de2
SHA17e0af53e556d4c74aa2e7c222b09fd7ffbf1aabf
SHA2567212093aad9a87460e64b9f8be67d49ea23a6d0850c9d89f7912b30f9dab2bd0
SHA51246c2e78a7817f9870886b639c6765e2e6650aec2e9021598e895f615d17374b86498a4cd02ff0f7f769c87b12b1c75016c8e124884ad8d9b321ed852af6d9209
-
Filesize
2.6MB
MD5fe7cba261bb9900ea9ce893b9a9dfc94
SHA170064734e986cc150a53ebb46d5fe2304db560eb
SHA2565796b6dbf5fa787119b37c4de769640c180bc020c88227374b120322dc4b24fc
SHA5123e7eab88745ab6e6e24dc412cec084378eb2f97df57779f3045ddfdad22357d3a0d47bbb88135a48fe1e0926e84541d96b74e7604d687482b677ddfac9dbf4f1
-
Filesize
32KB
MD5b6a03576e595afacb37ada2f1d5a0529
SHA1d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8
SHA2561707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad
SHA512181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c
-
Filesize
199KB
MD59f0a556061374d6ddd189b0f487c3975
SHA1bd97e50faa6eb660249cb4dbae2119c3d114b2d7
SHA256f436765ff183c0e9f274db6a0bb1a366743987215d8a9a10bed877f8997690ea
SHA512b7cdea247894b1bbd771a971dd7a5283107a58f109c173e42ee585a5e6cc24a278b0b33bfdd44a0582b757924ff98601c1c74a2753242200d7b9248ce91802c6
-
Filesize
122B
MD5704f9f14e6c5b902de15f37bbb234bbc
SHA14e7bd14012b5fe1b07b9ed99a00565ed1d86348b
SHA25669c8425b75d3be48f68c1abf33bb9d30688bbd9d28809d92f9dc537393a3d3b4
SHA51202376153d198f415f53aabc67272c6042ee4f2c1048b3c5025200d8946f433669cd48295e1bfcd33d1fc8c24f4e1ff0dfb78e36926ad91a334e02718afa93042
-
Filesize
126B
MD5163e20cbccefcdd42f46e43a94173c46
SHA14c7b5048e8608e2a75799e00ecf1bbb4773279ae
SHA2567780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e
SHA512e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8
-
Filesize
151KB
MD5d2889fb1881b3b4d685ce6aa8b7a33f6
SHA1499984c6681968855edfd89956d2b8e074fcb433
SHA25609a38ebb9975c96d306f786a9da0de8934d79ea66ea025ff166076b55e86dd97
SHA5123936ae057539b96d46a21d7a8156fa9436d4c6064b91e6a01081c0232d89d99c5c4ed4d1a01df7b31965ce16b7ced282d19c3e7d7e3e41b8e9c15b2ba9e7d5b7
-
Filesize
151KB
MD591ced5dfa1aed88b0bb429183ba88f51
SHA1704fed90e6a589192dd112ef000129811a26d976
SHA2567f668f62e593bf996949312947fed01106099aefb65e706838a2ee87a5b5445d
SHA512238eb1dff3c30dd1f15d47f94c93e99685b6e4367f75411488bc4b2726c35048c8b46229d56b52cceb93dd2fd8475e77ac328f46841547d65fbb05617a76d67d
-
Filesize
156KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
44KB
-
Filesize
156KB
-
Filesize
44KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
88KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
156KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
88KB
-
Filesize
156KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
156KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
156KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
156KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
156KB
-
Filesize
88KB
-
Filesize
156KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
88KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
88KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
156KB
-
Filesize
156KB