Analysis
-
max time kernel: 94s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-12-2024 11:27
Static task: static1
Behavioral task: behavioral1
Sample: ffadc11a2b182468167202112a12ef4e_JaffaCakes118.dll
Resource: win7-20240903-en
General
-
Target: ffadc11a2b182468167202112a12ef4e_JaffaCakes118.dll
Size: 120KB
MD5: ffadc11a2b182468167202112a12ef4e
SHA1: 6a078c811bef0126ba504cf345fef0c9de311753
SHA256: d7e49d0c45349b6a63192ee904ba95e7924fbbba5fea53c79eb87adadd5153e6
SHA512: 81338d1fb028b46470eaa29a7bdab746f35595c9da786673144b62234eace8a371a962ca16a3816ddb89e652b2564b3eca279ce55ab44ee13391000bb6be8998
SSDEEP: 1536:cbtcFcpC17M21Wa/UzRQq9oj6ategLsFN1tO/FKTZopLQJA:cbtcFcpC+2ka/S6uUdzQFvw9KTWpLQJ
Malware Config
Extracted
Family: sality
URLs in the extracted configuration:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57bedb.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57bedb.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57bedb.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57e2bf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57e2bf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57e2bf.exe
-
Sality family
-
UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bedb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e2bf.exe
-
Windows security bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57e2bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bedb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bedb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bedb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bedb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57e2bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57e2bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bedb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bedb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57e2bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57e2bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57e2bf.exe
-
Executes dropped EXE 3 IoCs
pid | Process
4100 | e57bedb.exe
3888 | e57c302.exe
4292 | e57e2bf.exe
-
Windows security modification 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bedb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bedb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57e2bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57e2bf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57e2bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bedb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bedb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57e2bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57e2bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bedb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57e2bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57e2bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bedb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57bedb.exe
-
Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bedb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e2bf.exe
-
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | e57bedb.exe
File opened (read-only) | \??\M: | e57bedb.exe
File opened (read-only) | \??\G: | e57e2bf.exe
File opened (read-only) | \??\J: | e57bedb.exe
File opened (read-only) | \??\K: | e57bedb.exe
File opened (read-only) | \??\L: | e57bedb.exe
File opened (read-only) | \??\N: | e57bedb.exe
File opened (read-only) | \??\O: | e57bedb.exe
File opened (read-only) | \??\E: | e57bedb.exe
File opened (read-only) | \??\H: | e57bedb.exe
File opened (read-only) | \??\I: | e57bedb.exe
File opened (read-only) | \??\E: | e57e2bf.exe
File opened (read-only) | \??\H: | e57e2bf.exe
-
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57bedb.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57bedb.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57bedb.exe
-
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e57bf68 | e57bedb.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57bedb.exe
File created | C:\Windows\e58124b | e57e2bf.exe
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57bedb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57c302.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57e2bf.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4100 | e57bedb.exe
4100 | e57bedb.exe
4100 | e57bedb.exe
4100 | e57bedb.exe
4292 | e57e2bf.exe
4292 | e57e2bf.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4100 | e57bedb.exe
(The report lists this identical row 64 times; the repeats are omitted here.)
-
Suspicious use of WriteProcessMemory 64 IoCs
Identical rows are collapsed; the last column gives how many times each row appears in the report (64 entries in total).
description | pid | Process | procid_target | listed
PID 2024 wrote to memory of 548 | 2024 | rundll32.exe | 84 | 3
PID 548 wrote to memory of 4100 | 548 | rundll32.exe | 85 | 3
PID 4100 wrote to memory of 776 | 4100 | e57bedb.exe | 8 | 2
PID 4100 wrote to memory of 784 | 4100 | e57bedb.exe | 9 | 2
PID 4100 wrote to memory of 376 | 4100 | e57bedb.exe | 13 | 2
PID 4100 wrote to memory of 3028 | 4100 | e57bedb.exe | 50 | 2
PID 4100 wrote to memory of 2856 | 4100 | e57bedb.exe | 51 | 2
PID 4100 wrote to memory of 2836 | 4100 | e57bedb.exe | 53 | 2
PID 4100 wrote to memory of 3444 | 4100 | e57bedb.exe | 56 | 2
PID 4100 wrote to memory of 3556 | 4100 | e57bedb.exe | 57 | 2
PID 4100 wrote to memory of 3760 | 4100 | e57bedb.exe | 58 | 2
PID 4100 wrote to memory of 3848 | 4100 | e57bedb.exe | 59 | 2
PID 4100 wrote to memory of 3960 | 4100 | e57bedb.exe | 60 | 2
PID 4100 wrote to memory of 4068 | 4100 | e57bedb.exe | 61 | 2
PID 4100 wrote to memory of 4124 | 4100 | e57bedb.exe | 62 | 2
PID 4100 wrote to memory of 4660 | 4100 | e57bedb.exe | 64 | 2
PID 4100 wrote to memory of 4556 | 4100 | e57bedb.exe | 74 | 2
PID 4100 wrote to memory of 3872 | 4100 | e57bedb.exe | 77 | 2
PID 4100 wrote to memory of 1576 | 4100 | e57bedb.exe | 82 | 2
PID 4100 wrote to memory of 2024 | 4100 | e57bedb.exe | 83 | 1
PID 4100 wrote to memory of 548 | 4100 | e57bedb.exe | 84 | 2
PID 548 wrote to memory of 3888 | 548 | rundll32.exe | 86 | 3
PID 548 wrote to memory of 4292 | 548 | rundll32.exe | 89 | 3
PID 4100 wrote to memory of 3888 | 4100 | e57bedb.exe | 86 | 2
PID 4100 wrote to memory of 4292 | 4100 | e57bedb.exe | 89 | 2
PID 4292 wrote to memory of 776 | 4292 | e57e2bf.exe | 8 | 1
PID 4292 wrote to memory of 784 | 4292 | e57e2bf.exe | 9 | 1
PID 4292 wrote to memory of 376 | 4292 | e57e2bf.exe | 13 | 1
PID 4292 wrote to memory of 3028 | 4292 | e57e2bf.exe | 50 | 1
PID 4292 wrote to memory of 2856 | 4292 | e57e2bf.exe | 51 | 1
PID 4292 wrote to memory of 2836 | 4292 | e57e2bf.exe | 53 | 1
PID 4292 wrote to memory of 3444 | 4292 | e57e2bf.exe | 56 | 1
PID 4292 wrote to memory of 3556 | 4292 | e57e2bf.exe | 57 | 1
PID 4292 wrote to memory of 3760 | 4292 | e57e2bf.exe | 58 | 1
PID 4292 wrote to memory of 3848 | 4292 | e57e2bf.exe | 59 | 1
PID 4292 wrote to memory of 3960 | 4292 | e57e2bf.exe | 60 | 1
-
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bedb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e2bf.exe
Processes
-
Process tree. Indentation shows parent/child nesting; each entry gives pid | image path | command line, followed by the signatures that process triggered.

PID 776 | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
PID 784 | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
PID 376 | C:\Windows\system32\dwm.exe | "dwm.exe"
PID 3028 | C:\Windows\system32\sihost.exe | sihost.exe
PID 2856 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 2836 | C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 3444 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  PID 2024 | C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffadc11a2b182468167202112a12ef4e_JaffaCakes118.dll,#1
    - Suspicious use of WriteProcessMemory
    PID 548 | C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffadc11a2b182468167202112a12ef4e_JaffaCakes118.dll,#1
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID 4100 | C:\Users\Admin\AppData\Local\Temp\e57bedb.exe | C:\Users\Admin\AppData\Local\Temp\e57bedb.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      PID 3888 | C:\Users\Admin\AppData\Local\Temp\e57c302.exe | C:\Users\Admin\AppData\Local\Temp\e57c302.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      PID 4292 | C:\Users\Admin\AppData\Local\Temp\e57e2bf.exe | C:\Users\Admin\AppData\Local\Temp\e57e2bf.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
PID 3556 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3760 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3848 | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 3960 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4068 | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 4124 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4660 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4556 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 3872 | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
PID 1576 | C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
-
Filesize: 97KB
MD5: 4f6bff8cdf04dedc443ce4fd99ee67ca
SHA1: 897e3fd4dc89c51e8c368f96596c8d8447155591
SHA256: b0905b6afb128324de74bfde348eec7fd1f20a94055b9a7a785aea5d198a4790
SHA512: c2833b0b7b7b13f47a06c516c7eadd560663ff877ff9785a62878781803a92579febd51db987bd811fa4dfd3abae36a10f91b9858f39a62042f75c394ac5b2dd
-
Filesize: 257B
MD5: 01b2102e22bbbace9c22eb8b4dfe5098
SHA1: 0b87f297cbfae7594fcf5a1868c241c0e6d4a7b7
SHA256: a7fce98387d134e73723c4a5985fa2cd455c1ad57b4263a6f8d3e771b7383189
SHA512: 368cca28fa80903115522cbfda65ec37b6f4301b0a967b9cd49364f3b516fc5525ff8fb67e1974bd65ffd06caa9324b25bbecffde60ef6538368bd2c19263d16