Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2024 05:05
Static task: static1
Behavioral task: behavioral1
Sample: d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe
Resource: win7-20240903-en

General
Target: d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe
Size: 371KB
MD5: d0c9cde6f5ad0af2666aebad26e363b9
SHA1: 799aa6bc3aa8bc4b97bd8360a2ff21db3c54c834
SHA256: e709fbb8d14c11e567d5b6e82f9378a8eb9358fb5499f277acec2ac713932891
SHA512: 8a2558dc0c43cf5248d262aee5bb3f69a99670191f373e49d0f290130f67b0dc1dfeed4d2a01db963526102e875340ec12568f1b6ac291efa2157a6f8bd714b2
SSDEEP: 6144:LVZdkKATJe4CFfifD2gVKVTQQ249HZ52KTh9XKOCgLJacj5/AZtRsTo:L9bXgr8VMQDT52WXKq9fj5/AZjo
Malware Config
Signatures
Darkcomet family

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  [server.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Program Files\\Sys32\\windupdt\\svchîst.exe"

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  [server.exe] Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
  [svchîst.exe] Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  [d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe] Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation
  [server.exe] Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (2 IoCs)
  PID 3464 server.exe
  PID 2104 svchîst.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  [server.exe] Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchîst = "C:\\Program Files\\Sys32\\windupdt\\svchîst.exe"
Matches yara_rule upx (19 IoCs)
  behavioral2/files/0x000c000000023b2e-4.dat
  behavioral2/memory/3464-9-0x0000000000400000-0x00000000004C5000-memory.dmp
  behavioral2/memory/2104-54-0x0000000000400000-0x00000000004C5000-memory.dmp
  behavioral2/memory/3464-56-0x0000000000400000-0x00000000004C5000-memory.dmp
  behavioral2/memory/2104-57-0x0000000000400000-0x00000000004C5000-memory.dmp
  behavioral2/memory/2104-58-0x0000000000400000-0x00000000004C5000-memory.dmp
  behavioral2/memory/2104-59-0x0000000000400000-0x00000000004C5000-memory.dmp
  behavioral2/memory/2104-69-0x0000000000400000-0x00000000004C5000-memory.dmp
  behavioral2/memory/2104-72-0x0000000000400000-0x00000000004C5000-memory.dmp
  behavioral2/memory/2104-73-0x0000000000400000-0x00000000004C5000-memory.dmp
  behavioral2/memory/2104-74-0x0000000000400000-0x00000000004C5000-memory.dmp
  behavioral2/memory/2104-85-0x0000000000400000-0x00000000004C5000-memory.dmp
  behavioral2/memory/2104-86-0x0000000000400000-0x00000000004C5000-memory.dmp
  behavioral2/memory/2104-87-0x0000000000400000-0x00000000004C5000-memory.dmp
  behavioral2/memory/2104-88-0x0000000000400000-0x00000000004C5000-memory.dmp
  behavioral2/memory/2104-89-0x0000000000400000-0x00000000004C5000-memory.dmp
  behavioral2/memory/2104-90-0x0000000000400000-0x00000000004C5000-memory.dmp
  behavioral2/memory/2104-91-0x0000000000400000-0x00000000004C5000-memory.dmp
  behavioral2/memory/2104-92-0x0000000000400000-0x00000000004C5000-memory.dmp
Drops file in Program Files directory (3 IoCs)
  [server.exe] File opened for modification C:\Program Files\Sys32\windupdt\svchîst.exe
  [server.exe] File opened for modification C:\Program Files\Sys32\windupdt\
  [server.exe] File created C:\Program Files\Sys32\windupdt\svchîst.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  [server.exe] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  [IEXPLORE.EXE] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  [svchîst.exe] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  [d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
  [svchîst.exe] Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  [svchîst.exe] Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
  [svchîst.exe] Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
  [server.exe] Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  [server.exe] Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  [server.exe] Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
  [server.exe] Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
  [svchîst.exe] Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Enumerates system info in registry (2 TTPs, 2 IoCs)
  [server.exe] Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
  [svchîst.exe] Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Modifies Internet Explorer settings
  IoC table: registry keys created and values set by iexplore.exe and IEXPLORE.EXE under \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer (subkeys Main, Main\WindowsSearch, TabbedBrowsing\NewTabPage, VersionManager, DomainSuggestion\FileNames, Recovery\AdminActive, Recovery\PendingRecovery, GPU, IESettingSync).
Modifies registry class (2 IoCs)
  [d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe] Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings
  [server.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2104 svchîst.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Both PID 3464 server.exe and PID 2104 svchîst.exe adjust the same 24 token privileges:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of FindShellTrayWindow (1 IoC)
  PID 1132 iexplore.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
  PID 1132 iexplore.exe (2 events)
  PID 4048 IEXPLORE.EXE (4 events)
  PID 2104 svchîst.exe (1 event)

Suspicious use of WriteProcessMemory (14 IoCs)
  [1048 d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe] wrote to memory of PID 3464 (procid_target 82), 3 events
  [1048 d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe] wrote to memory of PID 1132 (procid_target 83), 2 events
  [3464 server.exe] wrote to memory of PID 4636 (procid_target 84), 3 events
  [1132 iexplore.exe] wrote to memory of PID 4048 (procid_target 85), 3 events
  [3464 server.exe] wrote to memory of PID 2104 (procid_target 86), 3 events
Processes
C:\Users\Admin\AppData\Local\Temp\d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe (PID 1048, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\server.exe (PID 3464, level 2, child of 1048)
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\explorer.exe (PID 4636, level 3, child of 3464)
      Command line: "C:\Windows\SysWOW64\explorer.exe"

    C:\Program Files\Sys32\windupdt\svchîst.exe (PID 2104, level 3, child of 3464)
      Command line: "C:\Program Files\Sys32\windupdt\svchîst.exe"
      - Checks BIOS information in registry
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

  C:\Program Files\Internet Explorer\iexplore.exe (PID 1132, level 2, child of 1048)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\3a59a0f61dbd.gif
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 4048, level 3, child of 1132)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1132 CREDAT:17410 /prefetch:2
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads