Analysis
max time kernel: 150s
max time network: 138s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 21-01-2025 21:50
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_07c23df001df7e506492963e3da1f05d.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_07c23df001df7e506492963e3da1f05d.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_07c23df001df7e506492963e3da1f05d.exe
Size: 1.4MB
MD5: 07c23df001df7e506492963e3da1f05d
SHA1: cfc0f3f9ae3573338eab8a6c21fc03d0e5ccf072
SHA256: 82521bc29ba647a7ce9b04dd2ddfd8e5a4e6aea8f1cea324d5061725e620e9a1
SHA512: 17e05336fc8f51713830f0012a9a008b94c2e4296ee9f31ac9d3e543fbbef1ae23097ffbe35f04c9414b2592352e3e61ebd7a3c316692d6ba1dddcd6aed6ffe2
SSDEEP: 24576:Ug25Nb0iuknMq8iDthEVaPqLnu+ws7GkyIpf1xlC1EKErHZH4NmXlRLuS63ZyKnT:dJjMXEVUcuMqOf17C1EPrHZXLQpGaN
Malware Config
Signatures
Darkcomet family

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\Setup.exe" | Stage1.exe
Windows security bypass (2 TTPs, 1 IoC)
Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Description | IoC | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | Stage1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | explorer.exe
Executes dropped EXE (4 IoCs)
PID | Process
2160 | 1.exe
936 | 2.exe
2196 | Stage2.exe
2396 | Stage1.exe
Loads dropped DLL (5 IoCs)
PID | Process
2160 | 1.exe
936 | 2.exe
936 | 2.exe
936 | 2.exe
936 | 2.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Description | IoC | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Setup = "C:\\Windupdt\\Setup.exe" | Stage1.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Setup = "C:\\Windupdt\\Setup.exe" | notepad.exe
AutoIT Executable (4 IoCs)
AutoIT scripts compiled to PE executables.
Resource | YARA rule
behavioral1/memory/2160-10-0x0000000000400000-0x00000000004B6000-memory.dmp | autoit_exe
behavioral1/memory/2160-138-0x0000000000400000-0x00000000004B6000-memory.dmp | autoit_exe
behavioral1/memory/2160-139-0x0000000000400000-0x00000000004B6000-memory.dmp | autoit_exe
behavioral1/memory/2160-280-0x0000000000400000-0x00000000004B6000-memory.dmp | autoit_exe
Suspicious use of SetThreadContext (1 IoC)
Description | PID | Process | procid_target
PID 2396 set thread context of 2928 | 2396 | Stage1.exe | 37
Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Stage2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Stage1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Description | IoC | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Stage1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Stage1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Stage1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | Stage1.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
Description | IoC | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | Stage1.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
PID | Process
2160 | 1.exe
2928 | explorer.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Suspicious use of SetWindowsHookEx (1 IoC)
PID | Process
2928 | explorer.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c23df001df7e506492963e3da1f05d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c23df001df7e506492963e3da1f05d.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2380
  C:\Users\Admin\AppData\Local\Temp\1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID: 2160
  C:\Users\Admin\AppData\Local\Temp\2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 936
    C:\Users\Admin\AppData\Local\Temp\Stage2.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Stage2.exe" x -y -oC:\Users\Admin\AppData\Local\Temp -pxnq8rPMxVI87ciGwWJHxRTy3iauHcIirteOOELv3B5vkS9kJoHBUAahY1dWxj8yA
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2196
    C:\Users\Admin\AppData\Local\Temp\Stage1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Stage1.exe"
      - Modifies WinLogon for persistence
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2396
      C:\Windows\SysWOW64\notepad.exe
        Command line: notepad
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        PID: 1592
      C:\Windows\SysWOW64\explorer.exe
        Command line: "C:\Windows\SysWOW64\explorer.exe"
        - Windows security bypass
        - Checks BIOS information in registry
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2928
        C:\Windows\SysWOW64\notepad.exe
          Command line: C:\Windows\SysWOW64\notepad.exe
          - System Location Discovery: System Language Discovery
          PID: 2652
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      - System Location Discovery: System Language Discovery
      PID: 2808
Network
MITRE ATT&CK Enterprise v15
Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
Downloads