Analysis
- max time kernel: 144s
- max time network: 18s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 29-11-2024 11:44
Static task: static1
Behavioral task: behavioral1
- Sample: b1036e6beeadb6526d152575a7675045_JaffaCakes118.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: b1036e6beeadb6526d152575a7675045_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: b1036e6beeadb6526d152575a7675045_JaffaCakes118.exe
- Size: 211KB
- MD5: b1036e6beeadb6526d152575a7675045
- SHA1: e43a6754535e12fb5af6af690d5cf44dbcb68a28
- SHA256: f5f307d772203df45f9e57fff7583fb11d80021006f59544e89dbb00186953cc
- SHA512: 8e71bbad7433e02e88e8ef2fdd7bb6cf37cd1e6de644dade643971ba0805e1266f280ed7cf3e6115150681809b8fe8f60e68652c3f506b3e89e5ac6da7b5eccf
- SSDEEP: 3072:ef9EBCJiutMZF75lVLVskwUYCh+vLwMVtQbeDqHWV6lT246HXVFmqt5hWtYg:eeB2qV7wUr4Tw+tQiDCW692PFPrhkl
Malware Config
Extracted
- metasploit
- encoder/call4_dword_xor
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Metasploit family
Deletes itself 1 IoCs
- pid 2904, Process tasksv32.exe
Executes dropped EXE 23 IoCs
Loads dropped DLL 23 IoCs
Maps connected drives based on registry 3 TTPs 24 IoCs
Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory 36 IoCs
Suspicious use of SetThreadContext 12 IoCs
- PID 972 set thread context of 2348 (pid 972, Process b1036e6beeadb6526d152575a7675045_JaffaCakes118.exe, procid_target 30)
- PID 2892 set thread context of 2904 (pid 2892, Process tasksv32.exe, procid_target 32)
- PID 2452 set thread context of 3052 (pid 2452, Process tasksv32.exe, procid_target 34)
- PID 2508 set thread context of 1476 (pid 2508, Process tasksv32.exe, procid_target 36)
- PID 2152 set thread context of 2092 (pid 2152, Process tasksv32.exe, procid_target 38)
- PID 832 set thread context of 2528 (pid 832, Process tasksv32.exe, procid_target 40)
- PID 1060 set thread context of 956 (pid 1060, Process tasksv32.exe, procid_target 42)
- PID 2144 set thread context of 1436 (pid 2144, Process tasksv32.exe, procid_target 44)
- PID 1716 set thread context of 2208 (pid 1716, Process tasksv32.exe, procid_target 46)
- PID 1692 set thread context of 972 (pid 1692, Process tasksv32.exe, procid_target 48)
- PID 2992 set thread context of 864 (pid 2992, Process tasksv32.exe, procid_target 50)
- PID 2860 set thread context of 1168 (pid 2860, Process tasksv32.exe, procid_target 52)
resource, yara_rule
- behavioral1/memory/2348-6-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/2348-9-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/2348-8-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/2348-7-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/2348-4-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/2348-3-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/2348-2-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/2348-19-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/2904-30-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/2904-29-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/2904-32-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/2904-31-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/2904-36-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/3052-47-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/3052-48-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/3052-49-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/3052-54-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/1476-65-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/1476-71-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/2092-82-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/2092-88-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/2528-98-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/2528-99-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/2528-100-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/2528-106-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/956-117-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/956-123-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/1436-134-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/1436-141-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/2208-152-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/2208-158-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/972-169-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/972-176-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/864-188-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/864-193-0x0000000000400000-0x0000000000466000-memory.dmp, upx
- behavioral1/memory/1168-209-0x0000000000400000-0x0000000000466000-memory.dmp, upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 24 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 24 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\b1036e6beeadb6526d152575a7675045_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b1036e6beeadb6526d152575a7675045_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 972
Level 2: C:\Users\Admin\AppData\Local\Temp\b1036e6beeadb6526d152575a7675045_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b1036e6beeadb6526d152575a7675045_JaffaCakes118.exe"
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2348
Level 3: C:\Windows\SysWOW64\tasksv32.exe
Command line: "C:\Windows\system32\tasksv32.exe" C:\Users\Admin\AppData\Local\Temp\B1036E~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2892
Level 4: C:\Windows\SysWOW64\tasksv32.exe
Command line: "C:\Windows\system32\tasksv32.exe" C:\Users\Admin\AppData\Local\Temp\B1036E~1.EXE
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2904
Level 5: C:\Windows\SysWOW64\tasksv32.exe
Command line: "C:\Windows\system32\tasksv32.exe" C:\Windows\SysWOW64\tasksv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2452
Level 6: C:\Windows\SysWOW64\tasksv32.exe
Command line: "C:\Windows\system32\tasksv32.exe" C:\Windows\SysWOW64\tasksv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3052
Level 7: C:\Windows\SysWOW64\tasksv32.exe
Command line: "C:\Windows\system32\tasksv32.exe" C:\Windows\SysWOW64\tasksv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2508
Level 8: C:\Windows\SysWOW64\tasksv32.exe
Command line: "C:\Windows\system32\tasksv32.exe" C:\Windows\SysWOW64\tasksv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1476
Level 9: C:\Windows\SysWOW64\tasksv32.exe
Command line: "C:\Windows\system32\tasksv32.exe" C:\Windows\SysWOW64\tasksv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2152
Level 10: C:\Windows\SysWOW64\tasksv32.exe
Command line: "C:\Windows\system32\tasksv32.exe" C:\Windows\SysWOW64\tasksv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2092
Level 11: C:\Windows\SysWOW64\tasksv32.exe
Command line: "C:\Windows\system32\tasksv32.exe" C:\Windows\SysWOW64\tasksv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 832
Level 12: C:\Windows\SysWOW64\tasksv32.exe
Command line: "C:\Windows\system32\tasksv32.exe" C:\Windows\SysWOW64\tasksv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2528
Level 13: C:\Windows\SysWOW64\tasksv32.exe
Command line: "C:\Windows\system32\tasksv32.exe" C:\Windows\SysWOW64\tasksv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1060
Level 14: C:\Windows\SysWOW64\tasksv32.exe
Command line: "C:\Windows\system32\tasksv32.exe" C:\Windows\SysWOW64\tasksv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 956
Level 15: C:\Windows\SysWOW64\tasksv32.exe
Command line: "C:\Windows\system32\tasksv32.exe" C:\Windows\SysWOW64\tasksv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2144
Level 16: C:\Windows\SysWOW64\tasksv32.exe
Command line: "C:\Windows\system32\tasksv32.exe" C:\Windows\SysWOW64\tasksv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1436
Level 17: C:\Windows\SysWOW64\tasksv32.exe
Command line: "C:\Windows\system32\tasksv32.exe" C:\Windows\SysWOW64\tasksv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1716
Level 18: C:\Windows\SysWOW64\tasksv32.exe
Command line: "C:\Windows\system32\tasksv32.exe" C:\Windows\SysWOW64\tasksv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2208
Level 19: C:\Windows\SysWOW64\tasksv32.exe
Command line: "C:\Windows\system32\tasksv32.exe" C:\Windows\SysWOW64\tasksv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1692
Level 20: C:\Windows\SysWOW64\tasksv32.exe
Command line: "C:\Windows\system32\tasksv32.exe" C:\Windows\SysWOW64\tasksv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 972
Level 21: C:\Windows\SysWOW64\tasksv32.exe
Command line: "C:\Windows\system32\tasksv32.exe" C:\Windows\SysWOW64\tasksv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2992
Level 22: C:\Windows\SysWOW64\tasksv32.exe
Command line: "C:\Windows\system32\tasksv32.exe" C:\Windows\SysWOW64\tasksv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 864
Level 23: C:\Windows\SysWOW64\tasksv32.exe
Command line: "C:\Windows\system32\tasksv32.exe" C:\Windows\SysWOW64\tasksv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2860
Level 24: C:\Windows\SysWOW64\tasksv32.exe
Command line: "C:\Windows\system32\tasksv32.exe" C:\Windows\SysWOW64\tasksv32.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1168
Level 25: C:\Windows\SysWOW64\tasksv32.exe
Command line: "C:\Windows\system32\tasksv32.exe" C:\Windows\SysWOW64\tasksv32.exe
- Executes dropped EXE
PID: 1636