Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 14-03-2022 05:12
- Static task: static1
- Behavioral task: behavioral1
- Sample: SHITYOURSELF.exe
- Resource: win7-20220311-en
General
- Target: SHITYOURSELF.exe
- Size: 121KB
- MD5: c497c71621630045eb8d0673ae817d70
- SHA1: 74c6e0b93f8c6d5d5634bf32a47a6c4968fefc01
- SHA256: b8e40ed3d1f01fd75f0f43d4784d92aaa9596f289f23c35969af1a4c1e149c30
- SHA512: 73a8f54b95ccdfaa5f2e42dca771687612e514de87904840f4eac5fc87f0262051e614c0b0f4d576fe99f58b421dc106f45fe3bea011e0eb8bdc2d99e92f6463
Malware Config
Signatures
-
Modifies firewall policy service (2 TTPs, 4 IoCs)
Processes: SHITYOURSELF.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (SHITYOURSELF.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (SHITYOURSELF.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications (SHITYOURSELF.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\SHITYOURSELF.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SHITYOURSELF.exe:*:enabled:@shell32.dll,-1" (SHITYOURSELF.exe)
-
Executes dropped EXE (2 IoCs)
Processes: SHITYOURSELFSrv.exe, DesktopLayer.exe
- PID 312 SHITYOURSELFSrv.exe
- PID 900 DesktopLayer.exe
-
Matches yara rule upx (6 IoCs)
Resources:
- C:\Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exe: upx
- C:\Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exe: upx
- C:\Program Files (x86)\Microsoft\DesktopLayer.exe: upx
- behavioral2/memory/312-133-0x0000000000400000-0x0000000000436000-memory.dmp: upx
- C:\Program Files (x86)\Microsoft\DesktopLayer.exe: upx
- behavioral2/memory/900-136-0x0000000000400000-0x0000000000436000-memory.dmp: upx
-
Drops file in Program Files directory (3 IoCs)
Processes: SHITYOURSELFSrv.exe
- File opened for modification: C:\Program Files (x86)\Microsoft\px2B92.tmp (SHITYOURSELFSrv.exe)
- File created: C:\Program Files (x86)\Microsoft\DesktopLayer.exe (SHITYOURSELFSrv.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft\DesktopLayer.exe (SHITYOURSELFSrv.exe)
-
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
- Set value (int): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30947170" (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ (iexplore.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "350183318" (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\VersionManager (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30947170" (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" (iexplore.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "556953267" (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\VersionManager (IEXPLORE.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "567109643" (IEXPLORE.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30947170" (IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "556953267" (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (iexplore.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main (IEXPLORE.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DomainSuggestion (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4CB832B4-A355-11EC-B9A4-4E256AF39849} = "0" (iexplore.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (iexplore.exe)
-
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes: SHITYOURSELF.exe, DesktopLayer.exe
- PID 608 SHITYOURSELF.exe (2 entries)
- PID 900 DesktopLayer.exe (8 entries)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: iexplore.exe
- PID 1176 iexplore.exe
-
Suspicious behavior: MapViewOfSection (64 IoCs)
Processes: SHITYOURSELF.exe
- PID 608 SHITYOURSELF.exe (64 entries)
-
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: SHITYOURSELF.exe
- Token: SeDebugPrivilege (PID 608 SHITYOURSELF.exe)
- Token: SeTakeOwnershipPrivilege (PID 608 SHITYOURSELF.exe)
- Token: SeRestorePrivilege (PID 608 SHITYOURSELF.exe)
- Token: SeBackupPrivilege (PID 608 SHITYOURSELF.exe)
- Token: SeChangeNotifyPrivilege (PID 608 SHITYOURSELF.exe)
-
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: iexplore.exe
- PID 1176 iexplore.exe
-
Suspicious use of SetWindowsHookEx (6 IoCs)
Processes: iexplore.exe, IEXPLORE.EXE
- PID 1176 iexplore.exe (2 entries)
- PID 1704 IEXPLORE.EXE (4 entries)
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: SHITYOURSELF.exe, SHITYOURSELFSrv.exe, DesktopLayer.exe
- PID 608 SHITYOURSELF.exe wrote to memory of PID 312 SHITYOURSELFSrv.exe (3 entries)
- PID 312 SHITYOURSELFSrv.exe wrote to memory of PID 900 DesktopLayer.exe (3 entries)
- PID 608 SHITYOURSELF.exe wrote to memory of PID 588 winlogon.exe (6 entries)
- PID 608 SHITYOURSELF.exe wrote to memory of PID 648 lsass.exe (6 entries)
- PID 608 SHITYOURSELF.exe wrote to memory of PID 756 svchost.exe (6 entries)
- PID 608 SHITYOURSELF.exe wrote to memory of PID 764 fontdrvhost.exe (6 entries)
- PID 608 SHITYOURSELF.exe wrote to memory of PID 772 fontdrvhost.exe (6 entries)
- PID 900 DesktopLayer.exe wrote to memory of PID 1176 iexplore.exe (2 entries)
- PID 608 SHITYOURSELF.exe wrote to memory of PID 880 svchost.exe (6 entries)
- PID 608 SHITYOURSELF.exe wrote to memory of PID 932 svchost.exe (6 entries)
- PID 608 SHITYOURSELF.exe wrote to memory of PID 1000 dwm.exe (6 entries)
- PID 608 SHITYOURSELF.exe wrote to memory of PID 388 svchost.exe (6 entries)
- PID 608 SHITYOURSELF.exe wrote to memory of PID 672 svchost.exe (2 entries)
Processes (tree; indentation shows parent/child nesting, the command line follows each image path)
- C:\Windows\system32\winlogon.exe (cmdline: winlogon.exe)
  - C:\Windows\system32\fontdrvhost.exe (cmdline: "fontdrvhost.exe")
  - C:\Windows\system32\dwm.exe (cmdline: "dwm.exe")
- C:\Windows\system32\lsass.exe (cmdline: C:\Windows\system32\lsass.exe)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p)
  - C:\Windows\System32\RuntimeBroker.exe (cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding)
  - C:\Windows\system32\SppExtComObj.exe (cmdline: C:\Windows\system32\SppExtComObj.exe -Embedding)
  - C:\Windows\system32\DllHost.exe (cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})
  - C:\Windows\System32\RuntimeBroker.exe (cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding)
  - C:\Windows\System32\RuntimeBroker.exe (cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding)
  - C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca)
  - C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca)
  - C:\Windows\system32\DllHost.exe (cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager)
  - C:\Windows\system32\sihost.exe (cmdline: sihost.exe)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS)
- C:\Windows\System32\svchost.exe (cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc)
- C:\Windows\System32\svchost.exe (cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV)
- C:\Windows\System32\svchost.exe (cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc)
- C:\Windows\Explorer.EXE (cmdline: C:\Windows\Explorer.EXE)
  - C:\Users\Admin\AppData\Local\Temp\SHITYOURSELF.exe (cmdline: "C:\Users\Admin\AppData\Local\Temp\SHITYOURSELF.exe")
      Modifies firewall policy service
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exe (cmdline: C:\Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exe)
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\DesktopLayer.exe (cmdline: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe")
          Executes dropped EXE
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of WriteProcessMemory
        - C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe")
            Modifies Internet Explorer settings
            Suspicious behavior: GetForegroundWindowSpam
            Suspicious use of FindShellTrayWindow
            Suspicious use of SetWindowsHookEx
          - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1176 CREDAT:17410 /prefetch:2)
              Modifies Internet Explorer settings
              Suspicious use of SetWindowsHookEx
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService)
- C:\Windows\System32\svchost.exe (cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc)
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe (cmdline: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service)
- C:\Windows\system32\taskhostw.exe (cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E})
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc)
- C:\Windows\System32\svchost.exe (cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation)
- C:\Windows\System32\spoolsv.exe (cmdline: C:\Windows\System32\spoolsv.exe)
- C:\Windows\System32\svchost.exe (cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection)
- C:\Windows\System32\svchost.exe (cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache)
- C:\Windows\System32\svchost.exe (cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p)
- C:\Windows\System32\svchost.exe (cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm)
- C:\Windows\System32\svchost.exe (cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache)
- C:\Windows\System32\svchost.exe (cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi)
- C:\Windows\System32\svchost.exe (cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem)
- C:\Windows\System32\svchost.exe (cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule)
- C:\Windows\System32\svchost.exe (cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService)
- C:\Windows\System32\svchost.exe (cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k RPCSS -p)
- C:\Windows\system32\fontdrvhost.exe (cmdline: "fontdrvhost.exe")
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5: 69dc6baf34bc7dc2197cfc6d15bc0a83
SHA1: 193e9f44ce7e10fff6691ae05eb0a7c391698b25
SHA256: 60b9314940039281b6bb2216330400cf2b12d2125326ba2e69f251fb049409b2
SHA512: c430d975aafafe90e97942b6fb54084c9985e50454320a33ab3b458ff2eac6b6c907e14ae105be8b0926222cd3298b62356d81b796128e620406b33fffc6a40c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5: 5fb0292bc5c1b9a106bee20bc97ee940
SHA1: c49f2a151155e4b79db5bfdac9d1bec670fa0fab
SHA256: 4a7ba3c987b937f6f596ec90947270cb7008a854ca70380de2b7506f14b08756
SHA512: 3c2112133b2a3f0664bb4570ab6a3a056b64e99292365485e539da1f2360c8883680b5886b9216888a56081fdd6c8243f24ebbc98f5a26ca54fac5d30f32577e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5: 153ac6bf0e1648446e0502546164cad5
SHA1: 5c02d9882b16689d7f6ef2c666d60c6bd2e7d41a
SHA256: 8da3f0676e71da733d8d776404ad767074393d82c8eaf42119e3076aa2690298
SHA512: 9e6a30a35eba99082b2132ba553a1dc2fa8e4491cbac4ab690ef7ed8a881b9d48977e64523beed26c30a691afe8e2673fad0ea7c12ae24df00f3cf060dafbbfd
-
C:\Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exe
MD5: 69dc6baf34bc7dc2197cfc6d15bc0a83
SHA1: 193e9f44ce7e10fff6691ae05eb0a7c391698b25
SHA256: 60b9314940039281b6bb2216330400cf2b12d2125326ba2e69f251fb049409b2
SHA512: c430d975aafafe90e97942b6fb54084c9985e50454320a33ab3b458ff2eac6b6c907e14ae105be8b0926222cd3298b62356d81b796128e620406b33fffc6a40c
-
memory/312-133-0x0000000000400000-0x0000000000436000-memory.dmp (filesize: 216KB)
-
memory/608-139-0x0000000077890000-0x0000000077A33000-memory.dmp (filesize: 1.6MB)
-
memory/608-138-0x0000000077890000-0x0000000077A33000-memory.dmp (filesize: 1.6MB)
-
memory/608-140-0x0000000077890000-0x0000000077A33000-memory.dmp (filesize: 1.6MB)
-
memory/608-141-0x0000000077890000-0x0000000077A33000-memory.dmp (filesize: 1.6MB)
-
memory/608-142-0x0000000077890000-0x0000000077A33000-memory.dmp (filesize: 1.6MB)
-
memory/900-137-0x0000000077890000-0x0000000077A33000-memory.dmp (filesize: 1.6MB)
-
memory/900-136-0x0000000000400000-0x0000000000436000-memory.dmp (filesize: 216KB)
-
memory/900-135-0x0000000000560000-0x0000000000561000-memory.dmp (filesize: 4KB)