Analysis
- max time kernel: 143s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 28-06-2024 10:28
Static task: static1
Behavioral task: behavioral1
- Sample: 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe
- Size: 7.7MB
- MD5: 19c9bec1f75d5ca7edb86310660a6c7b
- SHA1: 2ff805f3f29ea16e0dad096de62c7ce87ca9357a
- SHA256: 1ded4c387a4292edcf04a920c5e129a74dc246f2cf2785561b708dacb554cf96
- SHA512: dd944946244d1b90bae729dc714cf0fe579d28983eace8341f0910bd71590f35c7a76a8b2528fea0050fd96d2b0503b7f7082e12a29e2608b185d956cb52c72b
- SSDEEP: 196608:U3GEEoPZJSRkkcj8aNGLtQhGEEoPZJSRkkcj8aNGLtQM:U3GEdPuktIiGEdPuktIz
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
UAC bypass 1 IoCs
Processes: mstwain32.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mstwain32.exe
ModiLoader Second Stage 15 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\CCleaner.exe | modiloader_stage2
behavioral1/memory/2664-24-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/1632-43-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/2632-158-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/2632-243-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/2632-248-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/2632-253-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/2632-258-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/2632-263-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/2632-268-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/2632-273-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/2632-278-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/2632-283-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/2632-288-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/2632-293-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
Disables RegEdit via registry modification 1 IoCs
Processes: reg.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | reg.exe
Disables Task Manager via registry modification
-
Executes dropped EXE 5 IoCs
Processes: CCleaner.exe, mstwain32.exe, ccsetup236.exe, CCleaner.exe, ccsetup236.exe
pid | process
2664 | CCleaner.exe
2632 | mstwain32.exe
2592 | ccsetup236.exe
1632 | CCleaner.exe
620 | ccsetup236.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Wine | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe
Loads dropped DLL 13 IoCs
Processes: 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe, CCleaner.exe, ccsetup236.exe, ccsetup236.exe
pid | process
2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe
2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe
2664 | CCleaner.exe
2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe
2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe
2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe
2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe
2592 | ccsetup236.exe
2592 | ccsetup236.exe
620 | ccsetup236.exe
620 | ccsetup236.exe
2592 | ccsetup236.exe
620 | ccsetup236.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: mstwain32.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe" | mstwain32.exe
Checks whether UAC is enabled 3 IoCs
Processes: CCleaner.exe, mstwain32.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | CCleaner.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mstwain32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mstwain32.exe
Drops file in Windows directory 4 IoCs
Processes: CCleaner.exe, mstwain32.exe
description | ioc | process
File opened for modification | C:\Windows\mstwain32.exe | CCleaner.exe
File created | C:\Windows\ntdtcstp.dll | mstwain32.exe
File created | C:\Windows\cmsetac.dll | mstwain32.exe
File created | C:\Windows\mstwain32.exe | CCleaner.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 2 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\ccsetup236.exe | nsis_installer_1
\Users\Admin\AppData\Local\Temp\ccsetup236.exe | nsis_installer_2
Modifies registry key 1 TTPs 20 IoCs
Processes: reg.exe (20 instances)
pid | process
2520 | reg.exe
2560 | reg.exe
2020 | reg.exe
2084 | reg.exe
1884 | reg.exe
328 | reg.exe
836 | reg.exe
2688 | reg.exe
1364 | reg.exe
2736 | reg.exe
532 | reg.exe
2488 | reg.exe
1540 | reg.exe
1372 | reg.exe
2548 | reg.exe
2528 | reg.exe
2240 | reg.exe
1412 | reg.exe
2480 | reg.exe
1076 | reg.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: ccsetup236.exe
pid | process
620 | ccsetup236.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: CCleaner.exe, mstwain32.exe, ccsetup236.exe, 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe, ccsetup236.exe
description | pid | process
Token: SeDebugPrivilege | 2664 | CCleaner.exe
Token: SeDebugPrivilege | 2632 | mstwain32.exe
Token: SeDebugPrivilege | 2632 | mstwain32.exe
Token: SeDebugPrivilege | 2592 | ccsetup236.exe
Token: SeDebugPrivilege | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe
Token: SeDebugPrivilege | 620 | ccsetup236.exe
Suspicious use of SetWindowsHookEx 3 IoCs
Processes: 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe, mstwain32.exe
pid | process
2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe
2632 | mstwain32.exe
2632 | mstwain32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe, CCleaner.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
description | pid | process | target process
PID 2468 wrote to memory of 2664 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | CCleaner.exe
PID 2468 wrote to memory of 2664 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | CCleaner.exe
PID 2468 wrote to memory of 2664 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | CCleaner.exe
PID 2468 wrote to memory of 2664 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | CCleaner.exe
PID 2468 wrote to memory of 2740 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | cmd.exe
PID 2468 wrote to memory of 2740 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | cmd.exe
PID 2468 wrote to memory of 2740 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | cmd.exe
PID 2468 wrote to memory of 2740 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | cmd.exe
PID 2468 wrote to memory of 2776 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | cmd.exe
PID 2468 wrote to memory of 2776 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | cmd.exe
PID 2468 wrote to memory of 2776 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | cmd.exe
PID 2468 wrote to memory of 2776 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | cmd.exe
PID 2468 wrote to memory of 2672 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | cmd.exe
PID 2468 wrote to memory of 2672 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | cmd.exe
PID 2468 wrote to memory of 2672 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | cmd.exe
PID 2468 wrote to memory of 2672 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | cmd.exe
PID 2468 wrote to memory of 2800 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | cmd.exe
PID 2468 wrote to memory of 2800 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | cmd.exe
PID 2468 wrote to memory of 2800 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | cmd.exe
PID 2468 wrote to memory of 2800 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | cmd.exe
PID 2468 wrote to memory of 2644 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | cmd.exe
PID 2468 wrote to memory of 2644 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | cmd.exe
PID 2468 wrote to memory of 2644 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | cmd.exe
PID 2468 wrote to memory of 2644 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | cmd.exe
PID 2664 wrote to memory of 2632 | 2664 | CCleaner.exe | mstwain32.exe
PID 2664 wrote to memory of 2632 | 2664 | CCleaner.exe | mstwain32.exe
PID 2664 wrote to memory of 2632 | 2664 | CCleaner.exe | mstwain32.exe
PID 2664 wrote to memory of 2632 | 2664 | CCleaner.exe | mstwain32.exe
PID 2776 wrote to memory of 2528 | 2776 | cmd.exe | reg.exe
PID 2776 wrote to memory of 2528 | 2776 | cmd.exe | reg.exe
PID 2776 wrote to memory of 2528 | 2776 | cmd.exe | reg.exe
PID 2776 wrote to memory of 2528 | 2776 | cmd.exe | reg.exe
PID 2672 wrote to memory of 2688 | 2672 | cmd.exe | reg.exe
PID 2672 wrote to memory of 2688 | 2672 | cmd.exe | reg.exe
PID 2672 wrote to memory of 2688 | 2672 | cmd.exe | reg.exe
PID 2672 wrote to memory of 2688 | 2672 | cmd.exe | reg.exe
PID 2740 wrote to memory of 2520 | 2740 | cmd.exe | reg.exe
PID 2740 wrote to memory of 2520 | 2740 | cmd.exe | reg.exe
PID 2740 wrote to memory of 2520 | 2740 | cmd.exe | reg.exe
PID 2740 wrote to memory of 2520 | 2740 | cmd.exe | reg.exe
PID 2644 wrote to memory of 2548 | 2644 | cmd.exe | reg.exe
PID 2644 wrote to memory of 2548 | 2644 | cmd.exe | reg.exe
PID 2644 wrote to memory of 2548 | 2644 | cmd.exe | reg.exe
PID 2644 wrote to memory of 2548 | 2644 | cmd.exe | reg.exe
PID 2800 wrote to memory of 2560 | 2800 | cmd.exe | reg.exe
PID 2800 wrote to memory of 2560 | 2800 | cmd.exe | reg.exe
PID 2800 wrote to memory of 2560 | 2800 | cmd.exe | reg.exe
PID 2800 wrote to memory of 2560 | 2800 | cmd.exe | reg.exe
PID 2468 wrote to memory of 2592 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | ccsetup236.exe
PID 2468 wrote to memory of 2592 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | ccsetup236.exe
PID 2468 wrote to memory of 2592 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | ccsetup236.exe
PID 2468 wrote to memory of 2592 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | ccsetup236.exe
PID 2468 wrote to memory of 2592 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | ccsetup236.exe
PID 2468 wrote to memory of 2592 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | ccsetup236.exe
PID 2468 wrote to memory of 2592 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | ccsetup236.exe
PID 2468 wrote to memory of 1708 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | cmd.exe
PID 2468 wrote to memory of 1708 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | cmd.exe
PID 2468 wrote to memory of 1708 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | cmd.exe
PID 2468 wrote to memory of 1708 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | cmd.exe
PID 2468 wrote to memory of 3036 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | cmd.exe
PID 2468 wrote to memory of 3036 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | cmd.exe
PID 2468 wrote to memory of 3036 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | cmd.exe
PID 2468 wrote to memory of 3036 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | cmd.exe
PID 2468 wrote to memory of 1696 | 2468 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | cmd.exe
System policy modification 1 TTPs 1 IoCs
Processes: mstwain32.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mstwain32.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe"
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\CCleaner.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\CCleaner.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\mstwain32.exe
        Command line: "C:\Windows\mstwain32.exe"
        - UAC bypass
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - System policy modification
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
        - Modifies registry key
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
        - Modifies registry key
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
        - Disables RegEdit via registry modification
        - Modifies registry key
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
        - Modifies registry key
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
        - Modifies registry key
  [2] C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
        - Modifies registry key
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
        - Modifies registry key
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
        - Modifies registry key
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
        - Modifies registry key
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
        - Modifies registry key
  [2] C:\Users\Admin\AppData\Local\Temp\CCleaner.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\CCleaner.exe"
      - Executes dropped EXE
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
        - Modifies registry key
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
        - Modifies registry key
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
        - Modifies registry key
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
        - Modifies registry key
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
        - Modifies registry key
  [2] C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
        - Modifies registry key
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
        - Modifies registry key
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
        - Modifies registry key
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
        - Modifies registry key
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
        - Modifies registry key
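The reg.exe command lines in the tree, together with the EnableLUA and Run-key writes that mstwain32.exe makes directly, are the detection surface this report exposes. What follows is an added example written by the editor, not code from the sandbox, the report or the sample: detection logic run over constructed Sysmon-style process-creation and registry-set records. The record shape, the field names and the ATT&CK mapping are assumptions; the key paths, value names, PIDs and SID are taken from the report above, and the benign records are made up to show what must not fire.

```python
"""Detect the registry tampering shown in the process tree above.

Editor's added example; not code from the sandbox, the report or the sample.
Records are constructed in a Sysmon-like shape (process creation with a
command line; registry value set with target and details). Field names and
the ATT&CK mapping are assumptions; keys, values, PIDs and SID are from the report.
"""
import re
from collections import Counter

SID = "S-1-5-21-2812790648-3157963462-487717889-1000"
RUN = r"HKU\%s\Software\Microsoft\Windows\CurrentVersion\Run" % SID

# Policy value names the sample writes, mapped to ATT&CK (editor's mapping).
POLICY_VALUES = {
    "disabletaskmgr": ("Task Manager disabled", "T1562.001"),
    "disableregistrytools": ("Registry Editor disabled", "T1562.001"),
    "enablelua": ("UAC enforcement changed", "T1548.002"),
}
POLICY_KEY_RE = re.compile(r"\\CurrentVersion\\Policies\\System$", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run$", re.I)
REG_ADD_RE = re.compile(
    r"\breg(?:\.exe)?\s+add\s+\"?(?P<key>.+?)\"?\s+/v\s+(?P<value>\S+)"
    r"(?:\s+/t\s+\S+)?(?:\s+/d\s+(?P<data>\S+))?", re.I)
DWORD_RE = re.compile(r"DWORD\s*\((0x[0-9a-f]+)\)", re.I)

# Constructed process-creation records modelled on the tree (not captured logs).
PROCESS_EVENTS = [
    {"pid": 2740, "cmdline": r"cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1"},
    {"pid": 2520, "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1"},
    {"pid": 2528, "cmdline": r"reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1"},
    {"pid": 2548, "cmdline": r"reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1"},
    # Benign (constructed): a query, and an administrator turning UAC back on.
    {"pid": 3100, "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion /v ProgramFilesDir"},
    {"pid": 3101, "cmdline": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f"},
]
# Constructed registry-set records for the writes mstwain32.exe makes through the API.
REGISTRY_EVENTS = [
    {"pid": 2632, "image": r"C:\Windows\mstwain32.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "details": "DWORD (0x00000000)"},
    {"pid": 2632, "image": r"C:\Windows\mstwain32.exe",
     "target": RUN + r"\mstwain32", "details": r"C:\Windows\mstwain32.exe"},
    {"pid": 4000, "image": r"C:\Program Files\Updater\setup.exe",  # constructed benign installer
     "target": RUN + r"\Updater", "details": r'"C:\Program Files\Updater\updater.exe" /tray'},
]


def parse_reg_add(cmdline):
    """Return key/value/data from a 'reg add' command line, or None."""
    m = REG_ADD_RE.search(cmdline)
    return m.groupdict() if m else None


def classify_write(key, value, data):
    """Classify one registry value write; None when it is not of interest."""
    scope = key.split("\\", 1)[0].upper()      # HKLM: machine-wide; HKCU/HKU: one user
    name = value.lower()
    if name in POLICY_VALUES:
        label, technique = POLICY_VALUES[name]
        if name == "enablelua" and str(data) != "0":
            return None                         # re-enabling UAC is not tampering
        # The tree also writes DisableRegistryTools under ...\SystemRestore, which is
        # not a policy location: keep the attempt, but mark it as having no effect.
        effective = bool(POLICY_KEY_RE.search(key))
        return {"label": label if effective else label + " (outside policy key)",
                "technique": technique, "scope": scope, "effective": effective}
    if RUN_KEY_RE.search(key):
        return {"label": "Run key added", "technique": "T1547.001",
                "scope": scope, "effective": True}
    return None


def scan_process_events(events):
    """Findings from command lines: catches reg.exe and the cmd.exe wrapper around it."""
    findings = []
    for ev in events:
        parsed = parse_reg_add(ev["cmdline"])
        if parsed:
            f = classify_write(parsed["key"], parsed["value"], parsed["data"])
            if f:
                findings.append(dict(f, pid=ev["pid"], source="cmdline"))
    return findings


def scan_registry_events(events):
    """Findings from registry-set telemetry: catches writes that never touch reg.exe."""
    findings = []
    for ev in events:
        key, _, value = ev["target"].rpartition("\\")
        m = DWORD_RE.search(ev["details"])
        data = str(int(m.group(1), 16)) if m else ev["details"]
        f = classify_write(key, value, data)
        if f and f["technique"] == "T1547.001":
            # A process registering its own image is the loader's pattern above.
            exe = data.lstrip('"').split('"')[0].strip()
            if exe.lower() == ev["image"].lower():
                f["label"] += " (self-registration)"
        if f:
            findings.append(dict(f, pid=ev["pid"], source="registry"))
    return findings


def summarize(findings):
    """Technique -> count, the shape of the report's ATT&CK matrix."""
    return dict(Counter(f["technique"] for f in findings))
```

Both telemetry sources are needed: the command-line scan sees what cmd.exe spawns, while the EnableLUA=0 write and the Run-key entry come from mstwain32.exe itself and only show up in registry-set telemetry. The scope field matters for response: the HKLM writes require the elevated context the sandbox's Admin user provides and affect every user, and EnableLUA=0 takes effect at the next reboot rather than immediately.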
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (4)
- Virtualization/Sandbox Evasion (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\nsd167F.tmp\ioSpecial.ini
  Filesize: 696B
  MD5: caafe35106e3e19f3d8f7af875dad9b3
  SHA1: 13de20fea009bae91a32df12e7247e97e41b63fd
  SHA256: 22aaf55c86029c107fa13f3539bccc987828e8530cd20c375db80f9642d40086
  SHA512: 6795e993f973cb1a484293f687a49a6ad9a1f7eede615567e4443901f4f2a2e704ce3d7c698891c4e098b5bb872f63ecb54de03ebda727ee356e01e1cc03c63d
- C:\Users\Admin\AppData\Local\Temp\nst194D.tmp\ioSpecial.ini
  Filesize: 696B
  MD5: 4b3775087ec310b8b2c2a9c001e2a0d6
  SHA1: 90470cdb23764ccef2511e41a6bb297bfaba1770
  SHA256: 0331dfb69ce2f6521a792b291dac97907488acbfc3b447d52946a1309d236dc3
  SHA512: ee9f3346dacc4d77a0b1046a726b1ffd69647f8cf667503ee06f888a92651abedc923592d2cb547a136e1b35d8df78e9e284dc1471bd62375bb90092afe09977
- C:\Windows\cmsetac.dll
  Filesize: 33KB
  MD5: 192c8da340572eae08f8510d90c822ed
  SHA1: c621836688d9a6f7fe7837f6ccac3d06fd77da8a
  SHA256: ea1f8f26287ae62e732b2bd2d591e0779dbac144a2096ce159402dc6b8f088d0
  SHA512: 66f942b601dd4fe8a6a80a161e4b6927145a06eba4b3edb37ef541ee19d3a076bb19870ff5f74d2727d054d97fed4773bfb85951d7d69fecba5f64d34afa2fd2
- \Users\Admin\AppData\Local\Temp\CCleaner.exe
  Filesize: 270KB
  MD5: 16e11c0d0af86560a376b1b3ef69afe2
  SHA1: 567d4be42eb29b28b62e8cf6255c3459d25f2e3c
  SHA256: 3ff60728b28ee54d13a91e52d71c73211e3e67800635e4dd21196f60fab78cf3
  SHA512: 7b4b396d5fdc4bc2d632bfb56587736ee0e0782f20a0be588fd1a680a87e4cd28c65f92b54040e574799973756a96937d37b5ce39a36ef7a7b0588990bc7a335
- \Users\Admin\AppData\Local\Temp\ccsetup236.exe
  Filesize: 3.3MB
  MD5: 832fdaa7e21a755ad2016493fe2b1ae0
  SHA1: 6dd7b298899d1d40d9d5f0e89c40a40f69ac90c9
  SHA256: 8ceafddab004733568fff7cf34572d41a866421fe3e6f8f7864fe0270cc115ad
  SHA512: bfc1867fa2a4bb2800f0bd461666335a290c6780205eb6d1d6f721f6ca1045e3e826a84f3814f0a580a90ca063787b3dad0f19ea893d3ea41c71d61f66a4f1b5
- \Users\Admin\AppData\Local\Temp\nsd167F.tmp\InstallOptions.dll
  Filesize: 14KB
  MD5: 325b008aec81e5aaa57096f05d4212b5
  SHA1: 27a2d89747a20305b6518438eff5b9f57f7df5c3
  SHA256: c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
  SHA512: 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf
- \Users\Admin\AppData\Local\Temp\nsd167F.tmp\LangDLL.dll
  Filesize: 5KB
  MD5: 9384f4007c492d4fa040924f31c00166
  SHA1: aba37faef30d7c445584c688a0b5638f5db31c7b
  SHA256: 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
  SHA512: 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf
- \Users\Admin\AppData\Local\Temp\nsd167F.tmp\System.dll
  Filesize: 11KB
  MD5: c17103ae9072a06da581dec998343fc1
  SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
  SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
  SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
- memory/620-162-0x0000000000240000-0x000000000024E000-memory.dmp
  Filesize: 56KB
- memory/620-67-0x0000000000240000-0x000000000024E000-memory.dmp
  Filesize: 56KB
- memory/1632-43-0x0000000000400000-0x000000000044B000-memory.dmp
  Filesize: 300KB
- memory/2468-57-0x0000000004540000-0x000000000454E000-memory.dmp
  Filesize: 56KB
- memory/2468-59-0x0000000000401000-0x0000000000407000-memory.dmp
  Filesize: 24KB
- memory/2468-52-0x0000000004540000-0x000000000454E000-memory.dmp
  Filesize: 56KB
- memory/2468-0-0x0000000000400000-0x00000000004A9000-memory.dmp
  Filesize: 676KB
- memory/2468-58-0x0000000000400000-0x00000000004A9000-memory.dmp
  Filesize: 676KB
- memory/2468-2-0x0000000000401000-0x0000000000407000-memory.dmp
  Filesize: 24KB
- memory/2592-161-0x00000000001D0000-0x00000000001DE000-memory.dmp
  Filesize: 56KB
- memory/2592-45-0x00000000001D0000-0x00000000001DE000-memory.dmp
  Filesize: 56KB
- memory/2632-32-0x0000000000490000-0x000000000049E000-memory.dmp
  Filesize: 56KB
- memory/2632-253-0x0000000000400000-0x000000000044B000-memory.dmp
  Filesize: 300KB
- memory/2632-159-0x00000000003C0000-0x00000000003C8000-memory.dmp
  Filesize: 32KB
- memory/2632-160-0x0000000000490000-0x000000000049E000-memory.dmp
  Filesize: 56KB
- memory/2632-158-0x0000000000400000-0x000000000044B000-memory.dmp
  Filesize: 300KB
- memory/2632-243-0x0000000000400000-0x000000000044B000-memory.dmp
  Filesize: 300KB
- memory/2632-248-0x0000000000400000-0x000000000044B000-memory.dmp
  Filesize: 300KB
- memory/2632-293-0x0000000000400000-0x000000000044B000-memory.dmp
  Filesize: 300KB
- memory/2632-258-0x0000000000400000-0x000000000044B000-memory.dmp
  Filesize: 300KB
- memory/2632-263-0x0000000000400000-0x000000000044B000-memory.dmp
  Filesize: 300KB
- memory/2632-268-0x0000000000400000-0x000000000044B000-memory.dmp
  Filesize: 300KB
- memory/2632-273-0x0000000000400000-0x000000000044B000-memory.dmp
  Filesize: 300KB
- memory/2632-278-0x0000000000400000-0x000000000044B000-memory.dmp
  Filesize: 300KB
- memory/2632-283-0x0000000000400000-0x000000000044B000-memory.dmp
  Filesize: 300KB
- memory/2632-288-0x0000000000400000-0x000000000044B000-memory.dmp
  Filesize: 300KB
- memory/2664-24-0x0000000000400000-0x000000000044B000-memory.dmp
  Filesize: 300KB