metasploit | e3bd5002521558fd23676379b46b6e0526befd56474c2b989d74e6ac150e0784

Analysis

max time kernel
147s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

feb88dc5b2bd9fa79aa8ce51a2077e8e_JaffaCakes118.exe
Size

107KB
MD5

feb88dc5b2bd9fa79aa8ce51a2077e8e
SHA1

b1382abc4efeecba978b39af05728ec2357e5deb
SHA256

e3bd5002521558fd23676379b46b6e0526befd56474c2b989d74e6ac150e0784
SHA512

f62d1629d3e12675bbb3c47e22d4a22a67c73230679ae7ad8b2ddcf51bc6d3fa7375d7999dd279ab4053d2b074a263f02327afba7360cca220d7ce3830aea448
SSDEEP

3072:zZ5iA33ue5BYdpCfaymPI7o7GJGPVu76Zj9Knv88X0m:zZgA33uiB6pz6aQUO6Zov88X/

Score

10^/10

metasploit backdoor discovery evasion trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Modifies security service 2 TTPs 22 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe

Executes dropped EXE 10 IoCs

pid	Process
2180	mswin.exe
2900	mswin.exe
4416	mswin.exe
4884	mswin.exe
4888	mswin.exe
4936	mswin.exe
3336	mswin.exe
1484	mswin.exe
3024	mswin.exe
1784	mswin.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mswin.exe	feb88dc5b2bd9fa79aa8ce51a2077e8e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mswin.exe	mswin.exe
File created	C:\Windows\SysWOW64\mswin.exe	mswin.exe
File opened for modification	C:\Windows\SysWOW64\mswin.exe	mswin.exe
File opened for modification	C:\Windows\SysWOW64\mswin.exe	mswin.exe
File opened for modification	C:\Windows\SysWOW64\mswin.exe	mswin.exe
File created	C:\Windows\SysWOW64\mswin.exe	mswin.exe
File created	C:\Windows\SysWOW64\mswin.exe	mswin.exe
File created	C:\Windows\SysWOW64\mswin.exe	mswin.exe
File opened for modification	C:\Windows\SysWOW64\mswin.exe	mswin.exe
File created	C:\Windows\SysWOW64\mswin.exe	mswin.exe
File created	C:\Windows\SysWOW64\mswin.exe	mswin.exe
File created	C:\Windows\SysWOW64\mswin.exe	mswin.exe
File opened for modification	C:\Windows\SysWOW64\mswin.exe	mswin.exe
File created	C:\Windows\SysWOW64\mswin.exe	feb88dc5b2bd9fa79aa8ce51a2077e8e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mswin.exe	mswin.exe
File created	C:\Windows\SysWOW64\mswin.exe	mswin.exe
File opened for modification	C:\Windows\SysWOW64\mswin.exe	mswin.exe
File opened for modification	C:\Windows\SysWOW64\mswin.exe	mswin.exe
File created	C:\Windows\SysWOW64\mswin.exe	mswin.exe
File opened for modification	C:\Windows\SysWOW64\mswin.exe	mswin.exe
File created	C:\Windows\SysWOW64\mswin.exe	mswin.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/764-0-0x0000000000400000-0x0000000000493000-memory.dmp	upx
behavioral2/files/0x000a000000023b82-115.dat	upx
behavioral2/memory/764-228-0x0000000000400000-0x0000000000493000-memory.dmp	upx
behavioral2/memory/2180-229-0x0000000000400000-0x0000000000493000-memory.dmp	upx
behavioral2/memory/2900-342-0x0000000000400000-0x0000000000493000-memory.dmp	upx
behavioral2/memory/4416-455-0x0000000000400000-0x0000000000493000-memory.dmp	upx
behavioral2/memory/4884-568-0x0000000000400000-0x0000000000493000-memory.dmp	upx
behavioral2/memory/4888-681-0x0000000000400000-0x0000000000493000-memory.dmp	upx
behavioral2/memory/4936-794-0x0000000000400000-0x0000000000493000-memory.dmp	upx
behavioral2/memory/3336-907-0x0000000000400000-0x0000000000493000-memory.dmp	upx
behavioral2/memory/1484-1020-0x0000000000400000-0x0000000000493000-memory.dmp	upx
behavioral2/memory/3024-1133-0x0000000000400000-0x0000000000493000-memory.dmp	upx
behavioral2/memory/1784-1246-0x0000000000400000-0x0000000000493000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mswin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mswin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mswin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mswin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mswin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mswin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mswin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mswin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mswin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mswin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	feb88dc5b2bd9fa79aa8ce51a2077e8e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Runs .reg file with regedit 11 IoCs

pid	Process
428	regedit.exe
3340	regedit.exe
1904	regedit.exe
1964	regedit.exe
3460	regedit.exe
2596	regedit.exe
3660	regedit.exe
2716	regedit.exe
5032	regedit.exe
4612	regedit.exe
4580	regedit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 4944	764	feb88dc5b2bd9fa79aa8ce51a2077e8e_JaffaCakes118.exe	82
PID 764 wrote to memory of 4944	764	feb88dc5b2bd9fa79aa8ce51a2077e8e_JaffaCakes118.exe	82
PID 764 wrote to memory of 4944	764	feb88dc5b2bd9fa79aa8ce51a2077e8e_JaffaCakes118.exe	82
PID 4944 wrote to memory of 5032	4944	cmd.exe	83
PID 4944 wrote to memory of 5032	4944	cmd.exe	83
PID 4944 wrote to memory of 5032	4944	cmd.exe	83
PID 764 wrote to memory of 2180	764	feb88dc5b2bd9fa79aa8ce51a2077e8e_JaffaCakes118.exe	84
PID 764 wrote to memory of 2180	764	feb88dc5b2bd9fa79aa8ce51a2077e8e_JaffaCakes118.exe	84
PID 764 wrote to memory of 2180	764	feb88dc5b2bd9fa79aa8ce51a2077e8e_JaffaCakes118.exe	84
PID 2180 wrote to memory of 5028	2180	mswin.exe	85
PID 2180 wrote to memory of 5028	2180	mswin.exe	85
PID 2180 wrote to memory of 5028	2180	mswin.exe	85
PID 5028 wrote to memory of 1964	5028	cmd.exe	86
PID 5028 wrote to memory of 1964	5028	cmd.exe	86
PID 5028 wrote to memory of 1964	5028	cmd.exe	86
PID 2180 wrote to memory of 2900	2180	mswin.exe	94
PID 2180 wrote to memory of 2900	2180	mswin.exe	94
PID 2180 wrote to memory of 2900	2180	mswin.exe	94
PID 2900 wrote to memory of 456	2900	mswin.exe	95
PID 2900 wrote to memory of 456	2900	mswin.exe	95
PID 2900 wrote to memory of 456	2900	mswin.exe	95
PID 456 wrote to memory of 3460	456	cmd.exe	96
PID 456 wrote to memory of 3460	456	cmd.exe	96
PID 456 wrote to memory of 3460	456	cmd.exe	96
PID 2900 wrote to memory of 4416	2900	mswin.exe	98
PID 2900 wrote to memory of 4416	2900	mswin.exe	98
PID 2900 wrote to memory of 4416	2900	mswin.exe	98
PID 4416 wrote to memory of 4156	4416	mswin.exe	99
PID 4416 wrote to memory of 4156	4416	mswin.exe	99
PID 4416 wrote to memory of 4156	4416	mswin.exe	99
PID 4156 wrote to memory of 4612	4156	cmd.exe	100
PID 4156 wrote to memory of 4612	4156	cmd.exe	100
PID 4156 wrote to memory of 4612	4156	cmd.exe	100
PID 4416 wrote to memory of 4884	4416	mswin.exe	102
PID 4416 wrote to memory of 4884	4416	mswin.exe	102
PID 4416 wrote to memory of 4884	4416	mswin.exe	102
PID 4884 wrote to memory of 4208	4884	mswin.exe	103
PID 4884 wrote to memory of 4208	4884	mswin.exe	103
PID 4884 wrote to memory of 4208	4884	mswin.exe	103
PID 4208 wrote to memory of 2596	4208	cmd.exe	104
PID 4208 wrote to memory of 2596	4208	cmd.exe	104
PID 4208 wrote to memory of 2596	4208	cmd.exe	104
PID 4884 wrote to memory of 4888	4884	mswin.exe	105
PID 4884 wrote to memory of 4888	4884	mswin.exe	105
PID 4884 wrote to memory of 4888	4884	mswin.exe	105
PID 4888 wrote to memory of 3660	4888	mswin.exe	106
PID 4888 wrote to memory of 3660	4888	mswin.exe	106
PID 4888 wrote to memory of 3660	4888	mswin.exe	106
PID 3660 wrote to memory of 4580	3660	cmd.exe	107
PID 3660 wrote to memory of 4580	3660	cmd.exe	107
PID 3660 wrote to memory of 4580	3660	cmd.exe	107
PID 4888 wrote to memory of 4936	4888	mswin.exe	108
PID 4888 wrote to memory of 4936	4888	mswin.exe	108
PID 4888 wrote to memory of 4936	4888	mswin.exe	108
PID 4936 wrote to memory of 2168	4936	mswin.exe	109
PID 4936 wrote to memory of 2168	4936	mswin.exe	109
PID 4936 wrote to memory of 2168	4936	mswin.exe	109
PID 2168 wrote to memory of 428	2168	cmd.exe	110
PID 2168 wrote to memory of 428	2168	cmd.exe	110
PID 2168 wrote to memory of 428	2168	cmd.exe	110
PID 4936 wrote to memory of 3336	4936	mswin.exe	111
PID 4936 wrote to memory of 3336	4936	mswin.exe	111
PID 4936 wrote to memory of 3336	4936	mswin.exe	111
PID 3336 wrote to memory of 1184	3336	mswin.exe	112

C:\Users\Admin\AppData\Local\Temp\feb88dc5b2bd9fa79aa8ce51a2077e8e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\feb88dc5b2bd9fa79aa8ce51a2077e8e_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\a.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    3⤵
    - Modifies security service
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:5032
- C:\Windows\SysWOW64\mswin.exe
  C:\Windows\system32\mswin.exe 1168 "C:\Users\Admin\AppData\Local\Temp\feb88dc5b2bd9fa79aa8ce51a2077e8e_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\a.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
      4⤵
      Modifies security service
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:1964
- - C:\Windows\SysWOW64\mswin.exe
    C:\Windows\system32\mswin.exe 1164 "C:\Windows\SysWOW64\mswin.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\a.bat
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:456
    - - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        5⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:3460
  - - C:\Windows\SysWOW64\mswin.exe
      C:\Windows\system32\mswin.exe 1128 "C:\Windows\SysWOW64\mswin.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4416
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4156
      - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        6⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:4612
    - - C:\Windows\SysWOW64\mswin.exe
        
        C:\Windows\system32\mswin.exe 1144 "C:\Windows\SysWOW64\mswin.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4884
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        7⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2596
      - C:\Windows\SysWOW64\mswin.exe
        
        C:\Windows\system32\mswin.exe 1140 "C:\Windows\SysWOW64\mswin.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        8⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:4580
        
        C:\Windows\SysWOW64\mswin.exe
        
        C:\Windows\system32\mswin.exe 1148 "C:\Windows\SysWOW64\mswin.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        9⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:428
        
        C:\Windows\SysWOW64\mswin.exe
        
        C:\Windows\system32\mswin.exe 1160 "C:\Windows\SysWOW64\mswin.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        10⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:3340
        
        C:\Windows\SysWOW64\mswin.exe
        
        C:\Windows\system32\mswin.exe 1152 "C:\Windows\SysWOW64\mswin.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:516
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        11⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:1904
        
        C:\Windows\SysWOW64\mswin.exe
        
        C:\Windows\system32\mswin.exe 1156 "C:\Windows\SysWOW64\mswin.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        12⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:3660
        
        C:\Windows\SysWOW64\mswin.exe
        
        C:\Windows\system32\mswin.exe 1172 "C:\Windows\SysWOW64\mswin.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:700
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        13⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
206B

MD5
2d9f1ff716273d19e3f0d10a3cd8736f

SHA1
b4ca02834dd3f3489c5088d2157279d2be90f5ff

SHA256
9acf0b6f653d189bcf02fa9941a2a1a6b6f60c6fa1f62ad38f314014ec188623

SHA512
1d08e079d12a58115ced67c002d383a4ff5aca81fde9ac81bb14d8c5dcdfe07839c7b895130b746d4691cd38dc74fbfc0bdc8605b520ac85bc137fd5fa922025

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
c1e5f93e2bee9ca33872764d8889de23

SHA1
167f65adfc34a0e47cb7de92cc5958ee8905796a

SHA256
8f5276e847b1c6beb572b1eeae20f98784aae11ea2d8f8860adcdb78fd9dca3a

SHA512
482741b0df7bf6e94ba9667892fe12125df30812e21de40fd60dee540922da70ffb6db4a0c0e17346e714d4bb6e49e2d4eca53c0d5194cd888903071c82b8859

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
5855edf3afa67e11de78af0389880d18

SHA1
c43fcd36d70a6ffcd41fbb48c1d0c406fd00286f

SHA256
c7798759a159989611cdf47f702c8813ad0f029b52f18af573f383859a8bfaaa

SHA512
5be99a55f86486c04bda0a089571c296d041dae337321578c0f8d19d7bd2e51802aafbc8716753b6191b8e5ced782a5bc7d44bdd4995ab8e6ac1f7cd4b0f91ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
298B

MD5
4117e5a9c995bab9cd3bce3fc2b99a46

SHA1
80144ccbad81c2efb1df64e13d3d5f59ca4486da

SHA256
37b58c2d66ab2f896316ee0cdba30dcc9aac15a51995b8ba6c143c8ba34bf292

SHA512
bdb721bd3dea641a9b1f26b46311c05199de01c6b0d7ea2b973aa71a4f796b292a6964ddef32ba9dfc4a545768943d105f110c5d60716e0ff6f82914affb507c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
2299014e9ce921b7045e958d39d83e74

SHA1
26ed64f84417eb05d1d9d48441342ca1363084da

SHA256
ee2b1a70a028c6d66757d68a847b4631fc722c1e9bfc2ce714b5202f43ec6b57

SHA512
0a1922752065a6ab7614ca8a12d5d235dfb088d3759b831de51124894adae79637713d7dee2eb87668fa85e37f3ba00d85a727a7ba3a6301fbf1d47f80c6a08f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
872656500ddac1ddd91d10aba3a8df96

SHA1
ddf655aea7e8eae37b0a2dd4c8cabaf21cf681fc

SHA256
d6f58d2fbf733d278281af0b9e7732a591cdd752e18a430f76cb7afa806c75f8

SHA512
e7fab32f6f38bde67c8ce7af483216c9965ab62a70aee5c9a9e17aa693c33c67953f817406c1687406977b234d89e62d7feb44757527de5db34e5a61462a0be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
6b0182442d6e09100c34904ae6d8ee0c

SHA1
6255e65587505629521ea048a4e40cc48b512f2c

SHA256
cb34af7065e6c95f33fee397991045dae5dfae9d510660e6981ee6263542f9a4

SHA512
64395a0c6fce50a64a2067522b798f9b27c577da96e8d68f830a075ba833f1d644af27a9c6fc941ebb3d79999ac31576763378c9997a5b38eb5fdf075918eb46

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
701B

MD5
e427a32326a6a806e7b7b4fdbbe0ed4c

SHA1
b10626953332aeb7c524f2a29f47ca8b0bee38b1

SHA256
b5cfd1100679c495202229aede417b8a385405cb9d467d2d89b936fc99245839

SHA512
6bd679341bec6b224962f3d0d229cff2d400e568e10b7764eb4e0903c66819a8fa99927249ab9b4c447b2d09ea0d98eb9823fb2c5f7462112036049795a5d8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
942B

MD5
4cee92ad10b11dbf325a40c64ff7d745

SHA1
b395313d0e979fede2261f8cc558fcebfefcae33

SHA256
eaeac48f16abac608c9bb5b8d0d363b2ca27708b262c1de41ab0f163c39a2fb1

SHA512
3f11992b0c8f7c6f0180f984392f86ea8eb1859be236e2bbfbc863226d3cac67b06700561f27fb673e2955c6ebc5b168dd28ca704de57c4f6c07bdbf14f75ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
cd085b8c40e69c2bf1eb3d59f8155b99

SHA1
3499260f24020fe6d54d9d632d34ba2770bb06e0

SHA256
10546433db0c1ab764cd632eb0d08d93a530c6e52d1ec7fcb9c1fd32193f2a9c

SHA512
3813b8a7f742f6a64da36492447f3f2fee6ea505d7d0dccebede84117ec06101321dfacc7901403ea557171085982ae1a4dc39dd666da9e67d61ea71dfbb8edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
ad9e5e67282bb74482c05e3bf2eb188b

SHA1
10b02442ea4b1151a2334645c3e290a82ecfad1f

SHA256
7af82efceff1e9221d76472e6ffd6aa78ca00ccbb5fa32cb2238ed08812b931f

SHA512
b0ca37f35618547b4e5ab94eb367940a9d5a500b5c91cf2bbdddba8d1725bcc619c5acd2365711a970c307bbe0aa539b50803d119963b9f0c6da198e3157ded7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
501effddf60a974e98b67dc8921aa7e8

SHA1
734dfe4b508dbc1527ec92e91821a1251aec5b2e

SHA256
672e3c47827c2fc929fc92cd7d2a61d9ba41e847f876a1e5486e2701cbc3cb06

SHA512
28081046c5b0eb6a5578134e19af2a447d38afda338bd3ae4c2fc0054460580d47f9ab6d8c9001ff605e76df462e7bbcab80be15deaf3ca6264e20717dfb9c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
63ff40a70037650fd0acfd68314ffc94

SHA1
1ab29adec6714edf286485ac5889fddb1d092e93

SHA256
1e607f10a90fdbaffe26e81c9a5f320fb9c954391d2adcc55fdfdfca1601714b

SHA512
2b41ce69cd1541897fbae5497f06779ac8182ff84fbf29ac29b7c2b234753fe44e7dfc6e4c257af222d466536fa4e50e247dcb68a9e1ad7766245dedfcfb6fdc

Download Submit
C:\Windows\SysWOW64\mswin.exe

Filesize
107KB

MD5
feb88dc5b2bd9fa79aa8ce51a2077e8e

SHA1
b1382abc4efeecba978b39af05728ec2357e5deb

SHA256
e3bd5002521558fd23676379b46b6e0526befd56474c2b989d74e6ac150e0784

SHA512
f62d1629d3e12675bbb3c47e22d4a22a67c73230679ae7ad8b2ddcf51bc6d3fa7375d7999dd279ab4053d2b074a263f02327afba7360cca220d7ce3830aea448

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
memory/764-0-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/764-228-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1484-1020-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1784-1246-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2180-229-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2900-342-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/3024-1133-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/3336-907-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/4416-455-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/4884-568-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/4888-681-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/4936-794-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads