Analysis
max time kernel: 147s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-12-2024 23:11
Behavioral task behavioral1
Sample: baa2c795c2072c9b1b8c7a96c98c62d3_JaffaCakes118.exe
Resource: win7-20241023-en
Behavioral task behavioral2
Sample: baa2c795c2072c9b1b8c7a96c98c62d3_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: baa2c795c2072c9b1b8c7a96c98c62d3_JaffaCakes118.exe
Size: 200KB
MD5: baa2c795c2072c9b1b8c7a96c98c62d3
SHA1: 641df1acbf84c469f3303178725609af2dff3bfb
SHA256: ed82187baa1260c87264ebdaaa6f32eb7494921079e134eb62b98ea80ab5e51b
SHA512: b00eaac49685c3f1a83b868d3a9ac45d0a5115394c1f963a4b17eb888cf2e74891d5891b4b7883e68745d2b1768733e456ce9994ada5bea880651fbeb26d9d3d
SSDEEP: 3072:hzQxqdO8nnaXcEEGZJGO2KiCGFaJty7bEO+064P319opUEQrc59fYzbYgX59gYF2:2sdpnnucEHc31jEQuQzbHX52Y
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
Modiloader family
Sality family
Sality is a polymorphic file infector that also switches off host security tooling; the executable-modification and registry IoCs attributed to Live-Picture-St.exe below are consistent with that behaviour.
UAC bypass 1 IoCs
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  [Live-Picture-St.exe]
Windows security bypass 6 IoCs
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  [Live-Picture-St.exe]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [Live-Picture-St.exe]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  [Live-Picture-St.exe]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  [Live-Picture-St.exe]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  [Live-Picture-St.exe]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  [Live-Picture-St.exe]
ModiLoader Second Stage 1 IoCs
behavioral2/memory/372-24-0x0000000000400000-0x0000000000439000-memory.dmp  [yara: modiloader_stage2]
Disables RegEdit via registry modification 1 IoCs
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"  [Live-Picture-St.exe]
Disables Task Manager via registry modification
Modifies Windows Firewall 2 TTPs 1 IoCs
PID 2228 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation  [baa2c795c2072c9b1b8c7a96c98c62d3_JaffaCakes118.exe]
Deletes itself 1 IoCs
PID 5008 Live-Picture-St.exe
Executes dropped EXE 3 IoCs
PID 2708 windoos.exe
PID 5008 Live-Picture-St.exe
PID 3168 windoos.exe
Windows security modification 7 IoCs
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  [Live-Picture-St.exe]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  [Live-Picture-St.exe]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  [Live-Picture-St.exe]
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  [Live-Picture-St.exe]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  [Live-Picture-St.exe]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [Live-Picture-St.exe]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  [Live-Picture-St.exe]
Checks whether UAC is enabled 1 IoCs
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  [Live-Picture-St.exe]
Suspicious use of SetThreadContext 1 IoCs
PID 2708 windoos.exe set thread context of 3168 (procid_target 84)
UPX packed file 13 IoCs (yara rule: upx)
behavioral2/files/0x000a000000023c4e-4.dat
behavioral2/memory/2708-14-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral2/memory/5008-33-0x0000000002AC0000-0x0000000003AF2000-memory.dmp
behavioral2/memory/5008-27-0x0000000002AC0000-0x0000000003AF2000-memory.dmp
behavioral2/memory/2708-54-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral2/memory/5008-35-0x0000000002AC0000-0x0000000003AF2000-memory.dmp
behavioral2/memory/5008-57-0x0000000002AC0000-0x0000000003AF2000-memory.dmp
behavioral2/memory/5008-66-0x0000000002AC0000-0x0000000003AF2000-memory.dmp
behavioral2/memory/5008-86-0x0000000002AC0000-0x0000000003AF2000-memory.dmp
behavioral2/memory/5008-88-0x0000000002AC0000-0x0000000003AF2000-memory.dmp
behavioral2/memory/5008-93-0x0000000002AC0000-0x0000000003AF2000-memory.dmp
behavioral2/memory/5008-97-0x0000000002AC0000-0x0000000003AF2000-memory.dmp
behavioral2/memory/5008-114-0x0000000002AC0000-0x0000000003AF2000-memory.dmp
Drops file in Program Files directory 11 IoCs
Every entry below is an existing executable opened for write by Live-Picture-St.exe, not a newly created file. Together with the Sality family match this is consistent with Sality's executable-infection behaviour, so these binaries should be treated as potentially infected rather than merely present.
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe  [Live-Picture-St.exe]
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe  [Live-Picture-St.exe]
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe  [Live-Picture-St.exe]
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe  [Live-Picture-St.exe]
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe  [Live-Picture-St.exe]
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe  [Live-Picture-St.exe]
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe  [Live-Picture-St.exe]
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe  [Live-Picture-St.exe]
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe  [Live-Picture-St.exe]
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe  [Live-Picture-St.exe]
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe  [Live-Picture-St.exe]
Drops file in Windows directory 1 IoCs
File opened for modification C:\Windows\SYSTEM.INI  [Live-Picture-St.exe]
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
The three IoCs are netsh.exe reading its own helper-DLL registration key, which every netsh invocation does at startup; no write under the NetSh key is recorded, so this signature fires on the key access rather than on a new helper being registered. The firewall change itself is the `netsh firewall set opmode disable` command in the process tree (the legacy `netsh firewall` context is deprecated on current Windows but is still accepted).
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  [netsh.exe]
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  [netsh.exe]
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  [netsh.exe]
Program crash 1 IoCs
PID 4212 WerFault.exe, crashing process PID 3168 (procid_target 84), the second windoos.exe instance that received the SetThreadContext call
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [baa2c795c2072c9b1b8c7a96c98c62d3_JaffaCakes118.exe]
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [windoos.exe]
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [Live-Picture-St.exe]
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [netsh.exe]
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [NOTEPAD.EXE]
Modifies Internet Explorer settings 4 IoCs
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  [Live-Picture-St.exe]
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  [Live-Picture-St.exe]
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\IESettingSync  [Live-Picture-St.exe]
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"  [Live-Picture-St.exe]
Suspicious behavior: EnumeratesProcesses 30 IoCs
PID 5008 Live-Picture-St.exe (30 occurrences)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Token: SeDebugPrivilege, PID 5008 Live-Picture-St.exe (64 occurrences)
Suspicious use of SetWindowsHookEx 5 IoCs
PID 2708 windoos.exe (1 occurrence)
PID 5008 Live-Picture-St.exe (4 occurrences)
Suspicious use of WriteProcessMemory 64 IoCs
(writer PID and image -> target PID, with the report's procid_target index and the number of times the entry appears)
PID 372 baa2c795c2072c9b1b8c7a96c98c62d3_JaffaCakes118.exe -> 2708 (procid_target 82): 3
PID 372 baa2c795c2072c9b1b8c7a96c98c62d3_JaffaCakes118.exe -> 5008 (procid_target 83): 3
PID 2708 windoos.exe -> 3168 (procid_target 84): 7
PID 5008 Live-Picture-St.exe -> 2228 (procid_target 86): 5
PID 5008 Live-Picture-St.exe -> 2708 (procid_target 82): 2
PID 5008 Live-Picture-St.exe -> 3168 (procid_target 84): 1
PID 5008 Live-Picture-St.exe -> 780 (procid_target 8): 3
PID 5008 Live-Picture-St.exe -> 788 (procid_target 9): 3
PID 5008 Live-Picture-St.exe -> 60 (procid_target 13): 3
PID 5008 Live-Picture-St.exe -> 2644 (procid_target 44): 3
PID 5008 Live-Picture-St.exe -> 2680 (procid_target 45): 3
PID 5008 Live-Picture-St.exe -> 2792 (procid_target 47): 3
PID 5008 Live-Picture-St.exe -> 3452 (procid_target 56): 3
PID 5008 Live-Picture-St.exe -> 3588 (procid_target 57): 3
PID 5008 Live-Picture-St.exe -> 3780 (procid_target 58): 3
PID 5008 Live-Picture-St.exe -> 3876 (procid_target 59): 3
PID 5008 Live-Picture-St.exe -> 3940 (procid_target 60): 3
PID 5008 Live-Picture-St.exe -> 4020 (procid_target 61): 3
PID 5008 Live-Picture-St.exe -> 2960 (procid_target 62): 3
PID 5008 Live-Picture-St.exe -> 4396 (procid_target 75): 2
PID 5008 Live-Picture-St.exe -> 1624 (procid_target 76): 2
System policy modification 1 TTPs 1 IoCs
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  [Live-Picture-St.exe]
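The registry signatures above (UAC bypass, Windows security bypass and modification, Disables RegEdit, System policy modification) all come down to a handful of well-known value names. The following is an added example for this report, not the sandbox's own tooling: it parses IoC lines in the report's flattened "<operation> <registry path> [= "<data>"] <process>" format and maps each write to a finding and the ATT&CK technique the report's own ATT&CK section uses (T1548.002 for EnableLUA=0, T1562.001 for the rest). The sample lines are constructed from the tables above; the DisableTaskMgr entry is an assumption, since the report names the "Disables Task Manager" behaviour but shows no IoC for it.

```python
"""Map the registry IoCs from a sandbox report to defense-impairment findings.

Added example for this report; it is not the sandbox's own tooling. It parses the
flattened '<operation> <registry path> [= "<data>"] <process>' lines the report prints
and flags the value names that are well-known switches for UAC, Windows Security
Center alerting, Registry Editor and Task Manager. The DisableTaskMgr entry is an
assumption: the report names the behaviour but shows no IoC line for it.
"""
import re
from collections import defaultdict

# Constructed input: one IoC per line, copied from the report's registry tables.
SAMPLE_IOCS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Live-Picture-St.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" Live-Picture-St.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" Live-Picture-St.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" Live-Picture-St.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc Live-Picture-St.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" Live-Picture-St.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" Live-Picture-St.exe
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation baa2c795c2072c9b1b8c7a96c98c62d3_JaffaCakes118.exe
"""

IOC_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key created|Key opened|Key queried'
    r'|Key value queried|Key value enumerated) '
    r'(?P<path>\\REGISTRY\\.+?)(?: = "(?P<data>[^"]*)")? (?P<proc>\S+)$'
)

# Value names under ...\Policies\System and the data that impairs the tool.
POLICY_SWITCHES = {
    ("enablelua", "0"): ("UAC disabled", "T1548.002"),
    ("disableregistrytools", "1"): ("Registry Editor disabled", "T1562.001"),
    # Assumed: the report's "Disables Task Manager" signature shows no IoC line.
    ("disabletaskmgr", "1"): ("Task Manager disabled", "T1562.001"),
}
# Security Center values that silence AV / firewall / update / UAC alerts when set to 1.
SECURITY_CENTER_SWITCHES = {
    "antivirusoverride", "antivirusdisablenotify", "firewalloverride",
    "firewalldisablenotify", "updatesdisablenotify", "uacdisablenotify",
}


def parse_ioc(line):
    """Split one IoC line into op, key, value name, data (None if absent) and process."""
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    key, _, name = m["path"].rpartition("\\")
    # Fold the 32-bit view into the logical key so WOW6432Node writes compare equal.
    key = re.sub(r"\\WOW6432Node(?=\\)", "", key, flags=re.I)
    return {"op": m["op"], "key": key, "name": name, "data": m["data"], "proc": m["proc"]}


def classify(ioc):
    """Return (finding, technique) for a defense-impairment write, else None."""
    if ioc is None or not ioc["op"].startswith("Set value"):
        return None
    key, name = ioc["key"].lower(), ioc["name"].lower()
    if key.endswith("\\policies\\system"):
        return POLICY_SWITCHES.get((name, ioc["data"]))
    if key.endswith("\\microsoft\\security center") and name in SECURITY_CENTER_SWITCHES \
            and ioc["data"] == "1":
        return ("Security Center alert suppressed: " + ioc["name"], "T1562.001")
    return None


def findings(text):
    """All flagged writes, in input order, each with the writing process attached."""
    out = []
    for line in text.strip().splitlines():
        ioc = parse_ioc(line)
        hit = classify(ioc)
        if hit:
            out.append({"proc": ioc["proc"], "name": ioc["name"], "data": ioc["data"],
                        "finding": hit[0], "technique": hit[1]})
    return out


def techniques_by_process(text):
    """{process: sorted unique ATT&CK technique ids}, the shape a triage note needs."""
    by_proc = defaultdict(set)
    for f in findings(text):
        by_proc[f["proc"]].add(f["technique"])
    return {p: sorted(t) for p, t in by_proc.items()}


if __name__ == "__main__":
    for f in findings(SAMPLE_IOCS):
        print(f"{f['proc']}: {f['finding']} ({f['technique']})")
    print(techniques_by_process(SAMPLE_IOCS))
```

Run against the constructed lines it reports five findings, all from Live-Picture-St.exe: UAC disabled plus three Security Center alerts suppressed and Registry Editor disabled. The `Key created ...\Svc` line, the Internet Explorer value and the Geo\Nation query parse cleanly but are not flagged, which is the behaviour you want from a classifier that is later pointed at a full report export.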
Processes
(the digit before ⤵ in the extracted text is the nesting depth; the tree below indents by depth and gives each process as image path, command line, PID, followed by the signatures attributed to it)

C:\Windows\system32\fontdrvhost.exe  cmd: "fontdrvhost.exe"  PID 780
C:\Windows\system32\fontdrvhost.exe  cmd: "fontdrvhost.exe"  PID 788
C:\Windows\system32\dwm.exe  cmd: "dwm.exe"  PID 60
C:\Windows\system32\sihost.exe  cmd: sihost.exe  PID 2644
C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID 2680
C:\Windows\system32\taskhostw.exe  cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID 2792
C:\Windows\Explorer.EXE  cmd: C:\Windows\Explorer.EXE  PID 3452
  C:\Users\Admin\AppData\Local\Temp\baa2c795c2072c9b1b8c7a96c98c62d3_JaffaCakes118.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\baa2c795c2072c9b1b8c7a96c98c62d3_JaffaCakes118.exe"  PID 372
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\windoos.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\windoos.exe"  PID 2708
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\windoos.exe  cmd: C:\Users\Admin\AppData\Local\Temp\windoos.exe  PID 3168
        - Executes dropped EXE
        C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 192  PID 4212
          - Program crash
    C:\Users\Admin\AppData\Local\Temp\Live-Picture-St.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Live-Picture-St.exe"  PID 5008
      - UAC bypass
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Deletes itself
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      C:\Windows\SysWOW64\netsh.exe  cmd: netsh firewall set opmode disable  PID 2228
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\NOTEPAD.EXE  cmd: "C:\Windows\system32\NOTEPAD.EXE"  PID 968
        - System Location Discovery: System Language Discovery
C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID 3588
C:\Windows\system32\DllHost.exe  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID 3780
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID 3876
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID 3940
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID 4020
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID 2960
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  PID 4396
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID 1624
C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3168 -ip 3168  PID 4908
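The WriteProcessMemory and SetThreadContext IoCs only make sense together with the process tree: 372 writes into the two children it spawned, 2708 writes into and then sets the thread context of a second windoos.exe it started itself (the classic hollowing sequence), and 5008 writes into fontdrvhost, dwm, sihost, svchost, taskhostw, Explorer and the rest of the desktop session, none of which it created. The block below is an added example, not part of the report or of the sandbox: it parses IoC lines in the report's "PID <src> wrote to memory of <dst> ..." format and labels every edge by what the writer's relationship to the target is. IMAGES and PARENTS are constructed by reading PIDs and nesting off the tree above, and SAMPLE_IOCS is a constructed subset of the report's 64 entries.

```python
"""Reconstruct the process-injection graph from a sandbox report's WriteProcessMemory
and SetThreadContext IoCs.

Added example for this report; it is not the sandbox's own tooling. IMAGES (PID to
image name) and PARENTS (child PID to parent PID) are constructed by reading them off
the report's process tree; SAMPLE_IOCS is a constructed subset of the report's IoC
lines, one API call per line. Every edge is labelled as a write into a process the
writer spawned itself, a thread-context change, or a write into an unrelated
pre-existing process, which is the pattern a file infector shows when it injects into
everything that is running.
"""
import re
from collections import Counter

IMAGES = {
    372: "baa2c795c2072c9b1b8c7a96c98c62d3_JaffaCakes118.exe", 2708: "windoos.exe",
    3168: "windoos.exe", 5008: "Live-Picture-St.exe", 2228: "netsh.exe", 968: "NOTEPAD.EXE",
    780: "fontdrvhost.exe", 788: "fontdrvhost.exe", 60: "dwm.exe", 2644: "sihost.exe",
    2680: "svchost.exe", 2792: "taskhostw.exe", 3452: "Explorer.EXE", 3588: "svchost.exe",
    3780: "DllHost.exe", 3876: "StartMenuExperienceHost.exe", 3940: "RuntimeBroker.exe",
    4020: "SearchApp.exe", 2960: "RuntimeBroker.exe", 4396: "TextInputHost.exe",
    1624: "RuntimeBroker.exe",
}
PARENTS = {372: 3452, 2708: 372, 5008: 372, 3168: 2708, 2228: 5008, 968: 5008}

SAMPLE_IOCS = """
PID 372 wrote to memory of 2708 372 baa2c795c2072c9b1b8c7a96c98c62d3_JaffaCakes118.exe 82
PID 372 wrote to memory of 5008 372 baa2c795c2072c9b1b8c7a96c98c62d3_JaffaCakes118.exe 83
PID 2708 wrote to memory of 3168 2708 windoos.exe 84
PID 2708 wrote to memory of 3168 2708 windoos.exe 84
PID 2708 set thread context of 3168 2708 windoos.exe 84
PID 5008 wrote to memory of 2228 5008 Live-Picture-St.exe 86
PID 5008 wrote to memory of 780 5008 Live-Picture-St.exe 8
PID 5008 wrote to memory of 60 5008 Live-Picture-St.exe 13
PID 5008 wrote to memory of 3452 5008 Live-Picture-St.exe 56
PID 5008 wrote to memory of 3940 5008 Live-Picture-St.exe 60
PID 5008 wrote to memory of 2708 5008 Live-Picture-St.exe 82
PID 5008 wrote to memory of 3168 5008 Live-Picture-St.exe 84
PID 5008 wrote to memory of 780 5008 Live-Picture-St.exe 8
"""

# "PID <src> <op> <dst> <src again> <src image> <report index of dst>"
IOC_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<img>\S+) (?P<idx>\d+)$"
)

WRITE, CONTEXT = "wrote to memory of", "set thread context of"


def parse_edges(text):
    """Count (src_pid, op, dst_pid); a repeated line is a repeated API call."""
    edges = Counter()
    for line in text.strip().splitlines():
        m = IOC_RE.match(line.strip())
        if m:
            edges[(int(m["src"]), m["op"], int(m["dst"]))] += 1
    return edges


def edge_kind(src, op, dst, parents=PARENTS):
    if op == CONTEXT:
        return "thread-context"   # redirecting a thread in the target (hollowing step)
    if parents.get(dst) == src:
        return "child"            # staging a payload into a process the writer created
    return "cross-process"        # injecting into a process the writer did not create


def classify_edges(edges, images=IMAGES, parents=PARENTS):
    return [
        {"src": s, "src_img": images.get(s, "?"), "op": op, "dst": d,
         "dst_img": images.get(d, "?"), "count": n, "kind": edge_kind(s, op, d, parents)}
        for (s, op, d), n in sorted(edges.items())
    ]


def cross_process_targets(rows, src):
    """Distinct images that `src` wrote into without having spawned them."""
    return sorted({r["dst_img"] for r in rows if r["src"] == src and r["kind"] == "cross-process"})


def hollowing_candidates(rows, images=IMAGES, parents=PARENTS):
    """(parent, child) pairs that got both a memory write and a thread-context change
    from their parent while running the same image: the windoos.exe -> windoos.exe step."""
    seen = {}
    for r in rows:
        seen.setdefault((r["src"], r["dst"]), set()).add(r["op"])
    return sorted(
        (s, d) for (s, d), ops in seen.items()
        if {WRITE, CONTEXT} <= ops and parents.get(d) == s and images.get(s) == images.get(d)
    )


if __name__ == "__main__":
    rows = classify_edges(parse_edges(SAMPLE_IOCS))
    for r in rows:
        print(f"{r['src_img']}({r['src']}) -> {r['dst_img']}({r['dst']}): "
              f"{r['op']} x{r['count']} [{r['kind']}]")
    print("hollowing candidates:", hollowing_candidates(rows))
    print("Live-Picture-St.exe injects into:", cross_process_targets(rows, 5008))
```

On the constructed subset the only hollowing candidate is (2708, 3168), and the cross-process target list for 5008 already spans Explorer, RuntimeBroker, dwm, fontdrvhost and the sibling windoos.exe instances; feeding it the full 64-entry table from the report extends that list to every process in the tree that 5008 did not spawn. The distinction matters for response: a "child" edge points at a dropped payload to collect, a "cross-process" edge at a live process whose memory should be dumped before the box is cleaned.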
Network
MITRE ATT&CK Enterprise v15
Persistence
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
Filesize: 160KB
MD5: fc810055859a96c9da8220477c5f1af1
SHA1: eb1eaceae664bc6a27374d04c85a10c7d4740014
SHA256: 7bd8156051e44a6a38862f3e46e8c5d600d94ac94b652d820d8fd55de9d21efe
SHA512: 1c62509d304015e07717f4991a4b749d17f23698822043427dd768d50dce1411dca3bfeb4494511791abfd9cb60a6334b46cfb4773dc55edad8adb49c77ab61f

Filesize: 28KB
MD5: 67a91d0dbd67f95bc14784a8a2e080b5
SHA1: 691f5dd5dd0eb1011856af7078f13ebf81cd1443
SHA256: 2e9effcae960bb8543269b1c49b911bc35091bb40b955ee46e4543a4f2d156f6
SHA512: 302123a0201f7703cd2fa63c23e9fce03bfbda4d06317f8565f36bf1c3d907b261f8b768b2e15e591a5ca5b225ba14472987041e160f214e3226257eecfb1a03

Filesize: 157B
MD5: 2fa00b864e4ddbdef90440c9477aa0ac
SHA1: 7070abe4c64ba1df0b5216ed4ca8c55578513d3a
SHA256: 47f935db4822479bed09f5f8585eb2ff9c6058541bff7bf1f34038859e67cbd7
SHA512: 53569971397fc4b47ff3d868d78ebc990e24070a8548ca7f95bdeb622447d3d99155089d03403d9a09d93e8c454d6d92e83ac816ceecdccdef5f61392518b550