Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 172s
  max time network: 180s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 19/09/2022, 09:53
Behavioral task: behavioral1
  Sample: 28f5d3d43b455da6828851e1f8df41efaa80aef33ed4e69852c9205909831b63.exe
  Resource: win7-20220901-en
General
  Target: 28f5d3d43b455da6828851e1f8df41efaa80aef33ed4e69852c9205909831b63.exe
  Size: 284KB
  MD5: 5a65551bb6acd9bebef5fd29b66f2517
  SHA1: 65f9d087ca56cba040c1382d12ca737bc56e415e
  SHA256: 28f5d3d43b455da6828851e1f8df41efaa80aef33ed4e69852c9205909831b63
  SHA512: ae60f63d2a987c93ff6d62f64a81328e22c5007d7d1420d8b2764dca7667f900204bf21d33b788894ee0a748a854dfd850e15e59c4a9522c02f665bc45ca378f
  SSDEEP: 6144:Wk4qmw8ajuQOfmXk5r1315vmpM0Iedfo8xHMLF:p9lOfm05pWa0FoPL
Malware Config
Extracted
  Family: cybergate
  Version: 2.6
  Botnet: ÖÍíÉ (cp1256 bytes rendered as Latin-1; the same four bytes decode to "ضحية")
  C2: asoolive.bounceme.net:2000
  Mutex: ***MUTEX***
  enable_keylogger: true
  enable_message_box: false
  ftp_directory: ./logs/
  ftp_interval: 30
  injected_process: svchost.exe
  install_file: windows.exe
  install_flag: true
  keylogger_enable_ftp: false
  message_box_caption: texto da mensagem
  message_box_title: título da mensagem
  password: abcd1234
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 28f5d3d43b455da6828851e1f8df41efaa80aef33ed4e69852c9205909831b63.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\windows.exe" | 28f5d3d43b455da6828851e1f8df41efaa80aef33ed4e69852c9205909831b63.exe
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 28f5d3d43b455da6828851e1f8df41efaa80aef33ed4e69852c9205909831b63.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\windows.exe" | 28f5d3d43b455da6828851e1f8df41efaa80aef33ed4e69852c9205909831b63.exe

Executes dropped EXE (1 IoCs)
  pid | Process
  3472 | windows.exe

Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0GM82C1X-112A-M0IC-E813-DG0082UHD6L3} | 28f5d3d43b455da6828851e1f8df41efaa80aef33ed4e69852c9205909831b63.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0GM82C1X-112A-M0IC-E813-DG0082UHD6L3}\StubPath = "c:\\windows\\system32\\microsoft\\windows.exe Restart" | 28f5d3d43b455da6828851e1f8df41efaa80aef33ed4e69852c9205909831b63.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0GM82C1X-112A-M0IC-E813-DG0082UHD6L3} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0GM82C1X-112A-M0IC-E813-DG0082UHD6L3}\StubPath = "c:\\windows\\system32\\microsoft\\windows.exe" | explorer.exe
yara_rule: upx (matched on memory-dump and dropped-file resources; the resource list is omitted here)
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 28f5d3d43b455da6828851e1f8df41efaa80aef33ed4e69852c9205909831b63.exe

Drops file in System32 directory (4 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\SysWOW64\microsoft\ | 28f5d3d43b455da6828851e1f8df41efaa80aef33ed4e69852c9205909831b63.exe
  File created | \??\c:\windows\SysWOW64\microsoft\windows.exe | 28f5d3d43b455da6828851e1f8df41efaa80aef33ed4e69852c9205909831b63.exe
  File opened for modification | \??\c:\windows\SysWOW64\microsoft\windows.exe | 28f5d3d43b455da6828851e1f8df41efaa80aef33ed4e69852c9205909831b63.exe
  File opened for modification | \??\c:\windows\SysWOW64\microsoft\windows.exe | 28f5d3d43b455da6828851e1f8df41efaa80aef33ed4e69852c9205909831b63.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  3760 | 3472 | WerFault.exe | 82
  3480 | 3760 | WerFault.exe | 85

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe

Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 28f5d3d43b455da6828851e1f8df41efaa80aef33ed4e69852c9205909831b63.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; the report repeats the same rows, duplicates collapsed below)
  pid | Process
  2100 | 28f5d3d43b455da6828851e1f8df41efaa80aef33ed4e69852c9205909831b63.exe
  4236 | 28f5d3d43b455da6828851e1f8df41efaa80aef33ed4e69852c9205909831b63.exe
  3480 | WerFault.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  4236 | 28f5d3d43b455da6828851e1f8df41efaa80aef33ed4e69852c9205909831b63.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4236 | 28f5d3d43b455da6828851e1f8df41efaa80aef33ed4e69852c9205909831b63.exe
  Token: SeDebugPrivilege | 4236 | 28f5d3d43b455da6828851e1f8df41efaa80aef33ed4e69852c9205909831b63.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  2100 | 28f5d3d43b455da6828851e1f8df41efaa80aef33ed4e69852c9205909831b63.exe
Suspicious use of WriteProcessMemory (64 IoCs; the report lists the identical row 64 times, collapsed below)
  description | pid | Process | procid_target
  PID 2100 wrote to memory of 2720 | 2100 | 28f5d3d43b455da6828851e1f8df41efaa80aef33ed4e69852c9205909831b63.exe | 51
  (PID 2720 is C:\Windows\Explorer.EXE in the process list below.)
Processes (indented by depth in the process tree; signatures attributed to a process are listed under it)
- PID 664   C:\Windows\system32\lsass.exe
- PID 580   C:\Windows\system32\winlogon.exe  (cmdline: winlogon.exe)
  - PID 776   C:\Windows\system32\fontdrvhost.exe  (cmdline: "fontdrvhost.exe")
  - PID 1020  C:\Windows\system32\dwm.exe  (cmdline: "dwm.exe")
- PID 880   C:\Windows\system32\svchost.exe -k RPCSS -p
- PID 428   C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- PID 1072  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
- PID 1352  C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
- PID 1360  C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
- PID 1668  C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
- PID 1796  C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
- PID 1784  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- PID 2020  C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
- PID 2064  C:\Windows\System32\spoolsv.exe
- PID 2148  C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
- PID 2452  C:\Windows\system32\sihost.exe  (cmdline: sihost.exe)
- PID 2596  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
- PID 2608  C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
- PID 2584  C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
- PID 2520  "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
- PID 2512  C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
- PID 2768  C:\Windows\system32\taskhostw.exe  (cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E})
- PID 3012  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- PID 3412  C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 4560  C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 4124  C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
- PID 4996  C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
- PID 2212  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
- PID 1868  C:\Windows\system32\SppExtComObj.exe -Embedding
- PID 4500  C:\Windows\system32\svchost.exe -k LocalService -s W32Time
- PID 2008  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
- PID 1984  C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
- PID 5052  C:\Windows\System32\svchost.exe -k netsvcs -p
- PID 4388  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- PID 3696  C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 3496  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- PID 3344  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- PID 3252  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- PID 2720  C:\Windows\Explorer.EXE
  - PID 2100  "C:\Users\Admin\AppData\Local\Temp\28f5d3d43b455da6828851e1f8df41efaa80aef33ed4e69852c9205909831b63.exe"
      signatures: Adds policy Run key to start application; Modifies Installed Components in the registry; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - PID 1032  C:\Windows\SysWOW64\explorer.exe  (cmdline: explorer.exe)
        signatures: Modifies Installed Components in the registry
    - PID 4236  "C:\Users\Admin\AppData\Local\Temp\28f5d3d43b455da6828851e1f8df41efaa80aef33ed4e69852c9205909831b63.exe"
        signatures: Checks computer location settings; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
      - PID 3472  C:\windows\SysWOW64\microsoft\windows.exe  (cmdline: "C:\windows\system32\microsoft\windows.exe")
          signatures: Executes dropped EXE
        - PID 3760  C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 564
            signatures: Program crash
          - PID 3480  C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 548
              signatures: Program crash; Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses
- PID 2616  C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
- PID 2468  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- PID 2332  C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
- PID 2324  C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
- PID 2204  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
- PID 2092  C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
- PID 2044  C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
- PID 1976  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- PID 1968  C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
- PID 1688  C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
- PID 1636  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
- PID 1580  C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
- PID 1504  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
- PID 1400  C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
- PID 1376  C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
- PID 1256  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
- PID 1232  C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
- PID 1124  C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- PID 1036  C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
- PID 460   C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- PID 984   C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- PID 672   C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- PID 936   C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- PID 784   C:\Windows\system32\svchost.exe -k DcomLaunch -p
  - PID 3604  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  - PID 2604  C:\Windows\System32\mousocoreworker.exe -Embedding
- PID 768   C:\Windows\system32\fontdrvhost.exe  (cmdline: "fontdrvhost.exe")
- PID 1300  C:\Windows\System32\svchost.exe -k WerSvcGroup
  - PID 608   C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3472 -ip 3472
  - PID 4932  C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3760 -ip 3760
- PID 1824  C:\Windows\System32\WaaSMedicAgent.exe 9bad42b99ef45c069614d1cfb0a594c7 O2j7d2EEAk6ipKEoLlimvA.0.1.0.0.0
  - PID 928   C:\Windows\System32\Conhost.exe  (cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1)
- PID 3452  C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
- PID 4928  C:\Windows\servicing\TrustedInstaller.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 240KB
  MD5: b4baebc554ab1d0b70a2706f0c78c835
  SHA1: 194ee76d686eb8ba4286567549064ed6d852abb6
  SHA256: 4e15d7fc89e8f68137c6c0111f6381fc167b95dc1ae09d6a4f034f167b7a7c5e
  SHA512: af5f5e90480e0bfa71b5170125e3a28a7836acd96a732fff518b1ea8ad7598ed6148efc7f4ef6e1bbe28456604ccc0b6e853c0bcf083564adace663665830d59
- Filesize: 284KB
  MD5: 5a65551bb6acd9bebef5fd29b66f2517
  SHA1: 65f9d087ca56cba040c1382d12ca737bc56e415e
  SHA256: 28f5d3d43b455da6828851e1f8df41efaa80aef33ed4e69852c9205909831b63
  SHA512: ae60f63d2a987c93ff6d62f64a81328e22c5007d7d1420d8b2764dca7667f900204bf21d33b788894ee0a748a854dfd850e15e59c4a9522c02f665bc45ca378f