Analysis
Max time kernel: 28s
Max time network: 118s
Platform: windows10-2004_x64
Resource: win10v2004-20250129-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 05-02-2025 13:05
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_9fddb8bc333a44584ae07fed838c4e8c.exe
Resource: win7-20240903-en
General
Target: JaffaCakes118_9fddb8bc333a44584ae07fed838c4e8c.exe
Size: 119KB
MD5: 9fddb8bc333a44584ae07fed838c4e8c
SHA1: 73e685e7b967d929dfe4fb6800d7ee7ca27227d3
SHA256: f78b9d9ff45cf181605153ba6e4da30a4f68a567948c734f3905bb4ca2f9bf92
SHA512: 505e3e3db13d0116b5472f9d390aa4c826fd06016f2d2b11ed5d28386ececffb1e878a71dc7234d236b3557f48eab52c30ec41c5347679db7666578df36bbed7
SSDEEP: 3072:1jhlbyDImJFAI0jSurj+vEh8BIs7QbXXHHW:1t99Fj+vEhFrXHHW
Malware Config
Extracted family: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Sality family

UAC bypass (3 TTPs, 3 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (JaffaCakes118_9fddb8bc333a44584ae07fed838c4e8c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Au_.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (IEXPLORE.EXE)

Deletes itself (1 IoCs)
- PID 2820 Au_.exe

Executes dropped EXE (1 IoCs)
- PID 2820 Au_.exe

Checks whether UAC is enabled (1 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (JaffaCakes118_9fddb8bc333a44584ae07fed838c4e8c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Au_.exe)

Yara rule matches (rule: upx)
- behavioral2/memory/672-1-0x0000000002360000-0x0000000003390000-memory.dmp
- behavioral2/memory/672-7-0x0000000002360000-0x0000000003390000-memory.dmp
- behavioral2/memory/672-3-0x0000000002360000-0x0000000003390000-memory.dmp
- behavioral2/memory/2820-42-0x0000000005B40000-0x0000000006B70000-memory.dmp
- behavioral2/memory/2820-45-0x0000000005B40000-0x0000000006B70000-memory.dmp
- behavioral2/memory/2820-51-0x0000000005B40000-0x0000000006B70000-memory.dmp
- behavioral2/memory/2820-56-0x0000000005B40000-0x0000000006B70000-memory.dmp
- behavioral2/memory/2820-58-0x0000000005B40000-0x0000000006B70000-memory.dmp

Drops file in Windows directory (1 IoCs)
- File opened for modification C:\Windows\SYSTEM.INI (JaffaCakes118_9fddb8bc333a44584ae07fed838c4e8c.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (regsvr32.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (iexplore.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (IEXPLORE.EXE)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JaffaCakes118_9fddb8bc333a44584ae07fed838c4e8c.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Au_.exe)

NSIS installer (2 IoCs)
- behavioral2/files/0x0007000000023c97-32.dat: nsis_installer_1
- behavioral2/files/0x0007000000023c98-36.dat: nsis_installer_1
Modifies Internet Explorer settings (all entries by IEXPLORE.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F4879A5B-E3C1-11EF-8277-5EBAAA289AA3} = "0"
- Key created \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch
- Set value (str) \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
- Key created \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Software\Microsoft\Internet Explorer\Main
- Key created \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Software\Microsoft\Internet Explorer\GPU
- Key created \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery
- Set value (int) \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"
- Key created \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive
- Set value (int) \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"
- Set value (str) \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""
- Set value (str) \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"
- Set value (data) \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000
- Key created \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Software\Microsoft\Internet Explorer\Main
Suspicious behavior: EnumeratesProcesses (6 IoCs)
- PID 672 JaffaCakes118_9fddb8bc333a44584ae07fed838c4e8c.exe (2 entries)
- PID 2820 Au_.exe (2 entries)
- PID 2836 IEXPLORE.EXE (2 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token: SeDebugPrivilege, PID 672, JaffaCakes118_9fddb8bc333a44584ae07fed838c4e8c.exe (64 identical entries)

Suspicious use of FindShellTrayWindow (1 IoCs)
- PID 392 IEXPLORE.EXE

Suspicious use of SetWindowsHookEx (6 IoCs)
- PID 392 IEXPLORE.EXE (2 entries)
- PID 2836 IEXPLORE.EXE (4 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
Source PID (process) wrote to memory of target PID (procid_target):
- 672 (JaffaCakes118_9fddb8bc333a44584ae07fed838c4e8c.exe): 792 (9), 796 (10), 388 (13), 2904 (50), 2984 (52), 808 (53), 3452 (56), 3568 (57), 3736 (58), 3828 (59), 3908 (60), 4016 (61), 3860 (62), 4036 (75), 4996 (76), 3904 (80), 1256 (81), 2820 (83, 3 entries)
- 2820 (Au_.exe): 2252 (87, 3 entries), 3176 (88, 3 entries), 792 (9), 796 (10), 388 (13), 2904 (50), 2984 (52), 808 (53), 3452 (56), 3568 (57), 3736 (58), 3828 (59), 3908 (60), 4016 (61), 3860 (62), 4036 (75), 4996 (76), 1256 (81), 3976 (85), 4796 (86), 392 (89), 2836 (90, 2 entries)
- 3176 (iexplore.exe): 392 (89, 2 entries)
- 392 (IEXPLORE.EXE): 2836 (90, 3 entries)
- 2836 (IEXPLORE.EXE): 792 (9), 796 (10), 388 (13), 2904 (50), 2984 (52), 808 (53), 3452 (56), 3568 (57), 3736 (58), 3828 (59), 3908 (60), 4016 (61)

System policy modification (1 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (JaffaCakes118_9fddb8bc333a44584ae07fed838c4e8c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Au_.exe)
Processes
- C:\Windows\system32\fontdrvhost.exe (PID 792)
  Command line: "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe (PID 796)
  Command line: "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe (PID 388)
  Command line: "dwm.exe"
- C:\Windows\system32\sihost.exe (PID 2904)
  Command line: sihost.exe
- C:\Windows\system32\svchost.exe (PID 2984)
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe (PID 808)
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE (PID 3452)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9fddb8bc333a44584ae07fed838c4e8c.exe (PID 672)
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9fddb8bc333a44584ae07fed838c4e8c.exe"
    Signatures: UAC bypass; Checks whether UAC is enabled; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe (PID 2820)
      Command line: "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      Signatures: UAC bypass; Deletes itself; Executes dropped EXE; Checks whether UAC is enabled; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Windows\SysWOW64\regsvr32.exe (PID 2252)
        Command line: regsvr32.exe "C:\Users\Admin\AppData\Local\Temp\deskbar.dll" /s /u
        Signatures: System Location Discovery: System Language Discovery
      - C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 3176)
        Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://deskbar.searchkut.com/uninstall.php
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 392)
          Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://deskbar.searchkut.com/uninstall.php
          Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2836)
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:392 CREDAT:17410 /prefetch:2
            Signatures: UAC bypass; System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
- C:\Windows\system32\svchost.exe (PID 3568)
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe (PID 3736)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 3828)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 3908)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 4016)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 3860)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (PID 4036)
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 4996)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\backgroundTaskHost.exe (PID 3904)
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\system32\backgroundTaskHost.exe (PID 1256)
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 3976)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe (PID 4796)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation: Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Defense Evasion: Abuse Elevation Control Mechanism (1): Bypass User Account Control (1); Impair Defenses (1): Disable or Modify Tools (1); Modify Registry (3)
Downloads
- Filesize: 17KB
  MD5: 5a34cb996293fde2cb7a4ac89587393a
  SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
  SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
  SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
- Filesize: 47KB
  MD5: 96876e09a9531576c9e5af5a8331f221
  SHA1: 37850a902a607fa79f364c145df19e085790411d
  SHA256: 76b122b51d4c8776ea1f1e06a04cd9fe4f0529fd025168e0b4baf1fa38f80a81
  SHA512: ebe307bcac83b61d50fced7db1c07586f6c466dc4cc774623ef0e177ed62c40b25e78fec1ba521e9b0dc66f4784837159cb9b117eb04d59c8f96e1d8bbe10e84
- Filesize: 119KB
  MD5: 9fddb8bc333a44584ae07fed838c4e8c
  SHA1: 73e685e7b967d929dfe4fb6800d7ee7ca27227d3
  SHA256: f78b9d9ff45cf181605153ba6e4da30a4f68a567948c734f3905bb4ca2f9bf92
  SHA512: 505e3e3db13d0116b5472f9d390aa4c826fd06016f2d2b11ed5d28386ececffb1e878a71dc7234d236b3557f48eab52c30ec41c5347679db7666578df36bbed7
- Filesize: 258B
  MD5: b53e2a4d1747ff206b213ccb6cb98c31
  SHA1: 04bf0047278834915ffada71d59bd856caf46df9
  SHA256: 4042bd5fb6e8050caeddbf3fd0a80202a41d91460b983745e7373db9783c6472
  SHA512: fd628817ff08f432a8dbbecea16d149dda42b232fa82427f0bd1d0f7aee7aa24c60d52fafb1635d27ee4b708c2247e8a55433b66c7a6d74fd9b3db6183741840