Analysis
max time kernel: 149s
max time network: 142s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 06-12-2024 19:44
Static task: static1
Behavioral task: behavioral1
Sample: ceb305646f9a8229ff55bf26432eb527_JaffaCakes118.msi
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: ceb305646f9a8229ff55bf26432eb527_JaffaCakes118.msi
Resource: win10v2004-20241007-en
General
Target: ceb305646f9a8229ff55bf26432eb527_JaffaCakes118.msi
Size: 532KB
MD5: ceb305646f9a8229ff55bf26432eb527
SHA1: 247ff878939c7ca96db9715afc03e5032c143909
SHA256: e9eee1a0652b7aeb0e816ad27e45d791d5d2e576d7f57833f0de46bc1c651a0e
SHA512: c7bd25a68c8344b2315ab3bcd7ba6741cdd93cad3a63274c6a65f727ed5ea5e11bae10db1e88b9e3687cc08736488c3d47375a11514dd5e541cb26e048fab4d3
SSDEEP: 6144:QES4fnuEgmu4ZVKgCV7PKgJSbMw2D7PIDAtVsEHoALjYKmFe3l/H9m7u:QErfng6VKgCV7PKQUSD7w2CvKmelk
Malware Config
Extracted
formbook
3.9
le
Signatures
Formbook family
Formbook payload 2 IoCs
behavioral1/memory/2064-18-0x0000000000400000-0x000000000042A000-memory.dmp: yara_rule formbook
behavioral1/memory/2064-34-0x0000000000400000-0x000000000042A000-memory.dmp: yara_rule formbook
Adds policy Run key to start application 2 TTPs 2 IoCs
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (cmmon32.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\_BDXTX9 = "C:\\Program Files (x86)\\Jafil\\configllr.exe" (cmmon32.exe)
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by msiexec.exe, 46 entries in the order recorded: \??\B: \??\E: \??\Q: \??\P: \??\Y: \??\A: \??\G: \??\J: \??\R: \??\Z: \??\I: \??\V: \??\L: \??\T: \??\W: \??\Y: \??\R: \??\S: \??\Q: \??\Z: \??\I: \??\M: \??\U: \??\A: \??\B: \??\M: \??\L: \??\T: \??\G: \??\H: \??\K: \??\N: \??\V: \??\E: \??\U: \??\W: \??\P: \??\X: \??\H: \??\N: \??\X: \??\J: \??\O: \??\S: \??\K: \??\O:
Suspicious use of SetThreadContext 3 IoCs
PID 2872 set thread context of 2064 (MSIAE.tmp, target procid 34)
PID 2064 set thread context of 1212 (MSIAE.tmp, target procid 20)
PID 2588 set thread context of 1212 (cmmon32.exe, target procid 20)
Drops file in Program Files directory 1 IoCs
File opened for modification: C:\Program Files (x86)\Jafil\configllr.exe (cmmon32.exe)
Drops file in Windows directory 10 IoCs
File opened for modification: C:\Windows\Installer\f77ff94.msi (msiexec.exe)
File opened for modification: C:\Windows\Installer\ (msiexec.exe)
File opened for modification: C:\Windows\Installer\MSIAE.tmp (msiexec.exe)
File opened for modification: C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
File opened for modification: C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
File created: C:\Windows\Installer\f77ff97.ipi (msiexec.exe)
File opened for modification: C:\Windows\Installer\MSI7E.tmp (msiexec.exe)
File opened for modification: C:\Windows\Installer\f77ff97.ipi (msiexec.exe)
File opened for modification: C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
File created: C:\Windows\Installer\f77ff94.msi (msiexec.exe)
Executes dropped EXE 2 IoCs
pid Process 2872 MSIAE.tmp 2064 MSIAE.tmp -
Loads dropped DLL 1 IoCs
pid Process 2872 MSIAE.tmp -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 2548 msiexec.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MSIAE.tmp)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmmon32.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
Modifies Internet Explorer settings
Key created: \Registry\User\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (cmmon32.exe)
Modifies data under HKEY_USERS 43 IoCs
Process for every entry below: DrvInst.exe
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs
Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs
Suspicious behavior: EnumeratesProcesses 32 IoCs
pid Process 1832 msiexec.exe 1832 msiexec.exe 2064 MSIAE.tmp 2064 MSIAE.tmp 2588 cmmon32.exe 2588 cmmon32.exe 2588 cmmon32.exe 2588 cmmon32.exe 2588 cmmon32.exe 2588 cmmon32.exe 2588 cmmon32.exe 2588 cmmon32.exe 2588 cmmon32.exe 2588 cmmon32.exe 2588 cmmon32.exe 2588 cmmon32.exe 2588 cmmon32.exe 2588 cmmon32.exe 2588 cmmon32.exe 2588 cmmon32.exe 2588 cmmon32.exe 2588 cmmon32.exe 2588 cmmon32.exe 2588 cmmon32.exe 2588 cmmon32.exe 2588 cmmon32.exe 2588 cmmon32.exe 2588 cmmon32.exe 2588 cmmon32.exe 2588 cmmon32.exe 2588 cmmon32.exe 2588 cmmon32.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
pid Process 2064 MSIAE.tmp 2064 MSIAE.tmp 2064 MSIAE.tmp 2588 cmmon32.exe 2588 cmmon32.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Token: SeShutdownPrivilege, PID 2548 msiexec.exe
Token: SeIncreaseQuotaPrivilege, PID 2548 msiexec.exe
Token: SeRestorePrivilege, PID 1832 msiexec.exe
Token: SeTakeOwnershipPrivilege, PID 1832 msiexec.exe
Token: SeSecurityPrivilege, PID 1832 msiexec.exe
Token: SeCreateTokenPrivilege, PID 2548 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege, PID 2548 msiexec.exe
Token: SeLockMemoryPrivilege, PID 2548 msiexec.exe
Token: SeIncreaseQuotaPrivilege, PID 2548 msiexec.exe
Token: SeMachineAccountPrivilege, PID 2548 msiexec.exe
Token: SeTcbPrivilege, PID 2548 msiexec.exe
Token: SeSecurityPrivilege, PID 2548 msiexec.exe
Token: SeTakeOwnershipPrivilege, PID 2548 msiexec.exe
Token: SeLoadDriverPrivilege, PID 2548 msiexec.exe
Token: SeSystemProfilePrivilege, PID 2548 msiexec.exe
Token: SeSystemtimePrivilege, PID 2548 msiexec.exe
Token: SeProfSingleProcessPrivilege, PID 2548 msiexec.exe
Token: SeIncBasePriorityPrivilege, PID 2548 msiexec.exe
Token: SeCreatePagefilePrivilege, PID 2548 msiexec.exe
Token: SeCreatePermanentPrivilege, PID 2548 msiexec.exe
Token: SeBackupPrivilege, PID 2548 msiexec.exe
Token: SeRestorePrivilege, PID 2548 msiexec.exe
Token: SeShutdownPrivilege, PID 2548 msiexec.exe
Token: SeDebugPrivilege, PID 2548 msiexec.exe
Token: SeAuditPrivilege, PID 2548 msiexec.exe
Token: SeSystemEnvironmentPrivilege, PID 2548 msiexec.exe
Token: SeChangeNotifyPrivilege, PID 2548 msiexec.exe
Token: SeRemoteShutdownPrivilege, PID 2548 msiexec.exe
Token: SeUndockPrivilege, PID 2548 msiexec.exe
Token: SeSyncAgentPrivilege, PID 2548 msiexec.exe
Token: SeEnableDelegationPrivilege, PID 2548 msiexec.exe
Token: SeManageVolumePrivilege, PID 2548 msiexec.exe
Token: SeImpersonatePrivilege, PID 2548 msiexec.exe
Token: SeCreateGlobalPrivilege, PID 2548 msiexec.exe
Token: SeBackupPrivilege, PID 2712 vssvc.exe
Token: SeRestorePrivilege, PID 2712 vssvc.exe
Token: SeAuditPrivilege, PID 2712 vssvc.exe
Token: SeBackupPrivilege, PID 1832 msiexec.exe
Token: SeRestorePrivilege, PID 1832 msiexec.exe
Token: SeRestorePrivilege, PID 2660 DrvInst.exe
Token: SeRestorePrivilege, PID 2660 DrvInst.exe
Token: SeRestorePrivilege, PID 2660 DrvInst.exe
Token: SeRestorePrivilege, PID 2660 DrvInst.exe
Token: SeRestorePrivilege, PID 2660 DrvInst.exe
Token: SeRestorePrivilege, PID 2660 DrvInst.exe
Token: SeRestorePrivilege, PID 2660 DrvInst.exe
Token: SeLoadDriverPrivilege, PID 2660 DrvInst.exe
Token: SeLoadDriverPrivilege, PID 2660 DrvInst.exe
Token: SeLoadDriverPrivilege, PID 2660 DrvInst.exe
Token: SeRestorePrivilege, PID 1832 msiexec.exe
Token: SeTakeOwnershipPrivilege, PID 1832 msiexec.exe
Token: SeRestorePrivilege, PID 1832 msiexec.exe
Token: SeTakeOwnershipPrivilege, PID 1832 msiexec.exe
Token: SeRestorePrivilege, PID 1832 msiexec.exe
Token: SeTakeOwnershipPrivilege, PID 1832 msiexec.exe
Token: SeRestorePrivilege, PID 1832 msiexec.exe
Token: SeTakeOwnershipPrivilege, PID 1832 msiexec.exe
Token: SeDebugPrivilege, PID 2064 MSIAE.tmp
Token: SeRestorePrivilege, PID 1832 msiexec.exe
Token: SeTakeOwnershipPrivilege, PID 1832 msiexec.exe
Token: SeRestorePrivilege, PID 1832 msiexec.exe
Token: SeTakeOwnershipPrivilege, PID 1832 msiexec.exe
Token: SeShutdownPrivilege, PID 1212 Explorer.EXE
Token: SeDebugPrivilege, PID 2588 cmmon32.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2548 msiexec.exe 2548 msiexec.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2872 MSIAE.tmp -
Suspicious use of WriteProcessMemory 20 IoCs
PID 1832 wrote to memory of 2872 (msiexec.exe, target procid 33)
PID 1832 wrote to memory of 2872 (msiexec.exe, target procid 33)
PID 1832 wrote to memory of 2872 (msiexec.exe, target procid 33)
PID 1832 wrote to memory of 2872 (msiexec.exe, target procid 33)
PID 2872 wrote to memory of 2064 (MSIAE.tmp, target procid 34)
PID 2872 wrote to memory of 2064 (MSIAE.tmp, target procid 34)
PID 2872 wrote to memory of 2064 (MSIAE.tmp, target procid 34)
PID 2872 wrote to memory of 2064 (MSIAE.tmp, target procid 34)
PID 2872 wrote to memory of 2064 (MSIAE.tmp, target procid 34)
PID 2872 wrote to memory of 2064 (MSIAE.tmp, target procid 34)
PID 2872 wrote to memory of 2064 (MSIAE.tmp, target procid 34)
PID 2872 wrote to memory of 2064 (MSIAE.tmp, target procid 34)
PID 1212 wrote to memory of 2588 (Explorer.EXE, target procid 35)
PID 1212 wrote to memory of 2588 (Explorer.EXE, target procid 35)
PID 1212 wrote to memory of 2588 (Explorer.EXE, target procid 35)
PID 1212 wrote to memory of 2588 (Explorer.EXE, target procid 35)
PID 2588 wrote to memory of 2920 (cmmon32.exe, target procid 36)
PID 2588 wrote to memory of 2920 (cmmon32.exe, target procid 36)
PID 2588 wrote to memory of 2920 (cmmon32.exe, target procid 36)
PID 2588 wrote to memory of 2920 (cmmon32.exe, target procid 36)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1212
  C:\Windows\system32\msiexec.exe (command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ceb305646f9a8229ff55bf26432eb527_JaffaCakes118.msi)
    - Enumerates connected drives
    - Event Triggered Execution: Installer Packages
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID: 2548
  C:\Windows\SysWOW64\cmmon32.exe (command line: "C:\Windows\SysWOW64\cmmon32.exe")
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2588
    C:\Windows\SysWOW64\cmd.exe (command line: /c del "C:\Windows\Installer\MSIAE.tmp")
      - System Location Discovery: System Language Discovery
      PID: 2920
C:\Windows\system32\msiexec.exe (command line: C:\Windows\system32\msiexec.exe /V)
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1832
  C:\Windows\Installer\MSIAE.tmp (command line: "C:\Windows\Installer\MSIAE.tmp")
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2872
    C:\Windows\Installer\MSIAE.tmp (command line: "C:\Windows\Installer\MSIAE.tmp")
      - Suspicious use of SetThreadContext
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      PID: 2064
C:\Windows\system32\vssvc.exe (command line: C:\Windows\system32\vssvc.exe)
  - Suspicious use of AdjustPrivilegeToken
  PID: 2712
C:\Windows\system32\DrvInst.exe (command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005E0" "0000000000000578")
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 2660
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Event Triggered Execution (1)
Installer Packages (1)
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Event Triggered Execution (1)
Installer Packages (1)
Downloads