Analysis
- max time kernel: 152s
- max time network: 161s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 03/10/2022, 22:09
Static task: static1
Behavioral task: behavioral1
- Sample: 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
- Resource: win10v2004-20220812-en
General
- Target: 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
- Size: 20KB
- MD5: 593fafd60704f67f9d6f4be8f8a52c10
- SHA1: 69d215cb189028a48dda7aaa4afb32c4ad881eb0
- SHA256: 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261
- SHA512: 614583bba4618b6bfce19070618979df3f6860a404b6c4d5bbe6753f555c049e0d00410572403ee04911daa5048ccdb33a3f5693904861471e4bc4d36c80258f
- SSDEEP: 192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJBLp:1M3PnQoHDCpHf4I4Qwdc0G5KDJJp
Malware Config
Signatures
Drops file in Drivers directory 5 IoCs
- File opened for modification: C:\Windows\SysWOW64\drivers\winlogon.exe (process: 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe)
- File opened for modification: C:\Windows\SysWOW64\drivers\winlogon.exe (process: winlogon.exe)
- File created: C:\Windows\SysWOW64\drivers\Msvbvm60.dll (process: winlogon.exe)
- File opened for modification: C:\Windows\SysWOW64\drivers\Msvbvm60.dll (process: winlogon.exe)
- File opened for modification: C:\Windows\SysWOW64\drivers\winlogon.exe (process: winlogon.exe)

Executes dropped EXE 4 IoCs
- PID 1200: winlogon.exe
- PID 988: AE 0124 BE.exe
- PID 1476: winlogon.exe
- PID 1460: winlogon.exe

Loads dropped DLL 7 IoCs
- PID 1104: 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
- PID 1104: 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
- PID 1200: winlogon.exe
- PID 1200: winlogon.exe
- PID 988: AE 0124 BE.exe
- PID 988: AE 0124 BE.exe
- PID 1460: winlogon.exe

Drops desktop.ini file(s) 10 IoCs
- File opened for modification: C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini (process: AE 0124 BE.exe)
- File opened for modification: C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini (process: AE 0124 BE.exe)
- File opened for modification: C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini (process: AE 0124 BE.exe)
- File opened for modification: C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini (process: AE 0124 BE.exe)
- File opened for modification: C:\Windows\Downloaded Program Files\desktop.ini (process: AE 0124 BE.exe)
- File opened for modification: C:\Windows\Fonts\desktop.ini (process: AE 0124 BE.exe)
- File opened for modification: C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini (process: AE 0124 BE.exe)
- File opened for modification: C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini (process: AE 0124 BE.exe)
- File opened for modification: C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini (process: AE 0124 BE.exe)
- File opened for modification: C:\Windows\assembly\Desktop.ini (process: AE 0124 BE.exe)
Drops autorun.inf file 1 TTPs 27 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
- File opened for modification: \??\B:\Autorun.inf (process: winlogon.exe)
- File opened for modification: \??\Y:\Autorun.inf (process: winlogon.exe)
- File opened for modification: \??\P:\Autorun.inf (process: winlogon.exe)
- File opened for modification: \??\U:\Autorun.inf (process: winlogon.exe)
- File opened for modification: \??\Z:\Autorun.inf (process: winlogon.exe)
- File opened for modification: C:\Autorun.inf (process: winlogon.exe)
- File opened for modification: \??\N:\Autorun.inf (process: winlogon.exe)
- File opened for modification: \??\W:\Autorun.inf (process: winlogon.exe)
- File opened for modification: C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf (process: AE 0124 BE.exe)
- File opened for modification: \??\L:\Autorun.inf (process: winlogon.exe)
- File opened for modification: \??\O:\Autorun.inf (process: winlogon.exe)
- File opened for modification: \??\S:\Autorun.inf (process: winlogon.exe)
- File opened for modification: \??\J:\Autorun.inf (process: winlogon.exe)
- File opened for modification: \??\K:\Autorun.inf (process: winlogon.exe)
- File opened for modification: \??\E:\Autorun.inf (process: winlogon.exe)
- File opened for modification: \??\T:\Autorun.inf (process: winlogon.exe)
- File opened for modification: \??\R:\Autorun.inf (process: winlogon.exe)
- File opened for modification: \??\H:\Autorun.inf (process: winlogon.exe)
- File opened for modification: \??\I:\Autorun.inf (process: winlogon.exe)
- File opened for modification: \??\F:\Autorun.inf (process: winlogon.exe)
- File opened for modification: \??\M:\Autorun.inf (process: winlogon.exe)
- File opened for modification: \??\X:\Autorun.inf (process: winlogon.exe)
- File opened for modification: \??\A:\Autorun.inf (process: winlogon.exe)
- File opened for modification: D:\Autorun.inf (process: winlogon.exe)
- File opened for modification: \??\V:\Autorun.inf (process: winlogon.exe)
- File opened for modification: \??\G:\Autorun.inf (process: winlogon.exe)
- File opened for modification: \??\Q:\Autorun.inf (process: winlogon.exe)
Drops file in System32 directory 1 IoCs
- File opened for modification: C:\Windows\SysWOW64\regedit.exe (process: AE 0124 BE.exe)
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow 1 IoCs
- PID 1076: iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs
- PID 1104: 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
- PID 1076: iexplore.exe
- PID 1076: iexplore.exe
- PID 1464: IEXPLORE.EXE
- PID 1464: IEXPLORE.EXE
- PID 1200: winlogon.exe
- PID 988: AE 0124 BE.exe
- PID 1464: IEXPLORE.EXE
- PID 1464: IEXPLORE.EXE
- PID 1460: winlogon.exe

Suspicious use of WriteProcessMemory 24 IoCs
- PID 1104 wrote to memory of 1076 (process: 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe, procid_target: 27)
- PID 1104 wrote to memory of 1076 (process: 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe, procid_target: 27)
- PID 1104 wrote to memory of 1076 (process: 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe, procid_target: 27)
- PID 1104 wrote to memory of 1076 (process: 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe, procid_target: 27)
- PID 1076 wrote to memory of 1464 (process: iexplore.exe, procid_target: 29)
- PID 1076 wrote to memory of 1464 (process: iexplore.exe, procid_target: 29)
- PID 1076 wrote to memory of 1464 (process: iexplore.exe, procid_target: 29)
- PID 1076 wrote to memory of 1464 (process: iexplore.exe, procid_target: 29)
- PID 1104 wrote to memory of 1200 (process: 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe, procid_target: 30)
- PID 1104 wrote to memory of 1200 (process: 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe, procid_target: 30)
- PID 1104 wrote to memory of 1200 (process: 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe, procid_target: 30)
- PID 1104 wrote to memory of 1200 (process: 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe, procid_target: 30)
- PID 1200 wrote to memory of 988 (process: winlogon.exe, procid_target: 31)
- PID 1200 wrote to memory of 988 (process: winlogon.exe, procid_target: 31)
- PID 1200 wrote to memory of 988 (process: winlogon.exe, procid_target: 31)
- PID 1200 wrote to memory of 988 (process: winlogon.exe, procid_target: 31)
- PID 1200 wrote to memory of 1476 (process: winlogon.exe, procid_target: 33)
- PID 1200 wrote to memory of 1476 (process: winlogon.exe, procid_target: 33)
- PID 1200 wrote to memory of 1476 (process: winlogon.exe, procid_target: 33)
- PID 1200 wrote to memory of 1476 (process: winlogon.exe, procid_target: 33)
- PID 988 wrote to memory of 1460 (process: AE 0124 BE.exe, procid_target: 32)
- PID 988 wrote to memory of 1460 (process: AE 0124 BE.exe, procid_target: 32)
- PID 988 wrote to memory of 1460 (process: AE 0124 BE.exe, procid_target: 32)
- PID 988 wrote to memory of 1460 (process: AE 0124 BE.exe, procid_target: 32)
Processes
1. C:\Users\Admin\AppData\Local\Temp\6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe"
   PID: 1104
   - Drops file in Drivers directory
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
      PID: 1076
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
         Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1076 CREDAT:275457 /prefetch:2
         PID: 1464
         - Modifies Internet Explorer settings
         - Suspicious use of SetWindowsHookEx
   2. C:\Windows\SysWOW64\drivers\winlogon.exe
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      PID: 1200
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops autorun.inf file
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\AE 0124 BE.exe
         Command line: "C:\Windows\AE 0124 BE.exe"
         PID: 988
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops desktop.ini file(s)
         - Drops autorun.inf file
         - Drops file in System32 directory
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\drivers\winlogon.exe
            Command line: "C:\Windows\System32\drivers\winlogon.exe"
            PID: 1460
            - Drops file in Drivers directory
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
      3. C:\Windows\SysWOW64\drivers\winlogon.exe
         Command line: "C:\Windows\System32\drivers\winlogon.exe"
         PID: 1476
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads