Analysis
- max time kernel: 152s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/10/2022, 03:25
- Static task: static1
- Behavioral task: behavioral1
  Sample: 785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
  Resource: win7-20220901-en
- Behavioral task: behavioral2
  Sample: 785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
  Resource: win10v2004-20220901-en
General
- Target: 785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
- Size: 89KB
- MD5: 59570179859c1eb4286b100aaf25cd74
- SHA1: 5a87f58be1d93e2c440d80e2a3415b0f143a9d33
- SHA256: 785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920
- SHA512: f3dae0c5b9cfbef900908c69613e5c5e9b772ef0f3cfdbcd6ed6ea8dceab94635d7bcd09d6ec028f61531ba268a419dded5010a53740be4b62a0aade93c1c88f
- SSDEEP: 1536:7keK40T/mx7y9v7Z/Z2V/GSAFRfBh7VoKI:AD40Dmx7y9DZ/Z2hGVaKI
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 8 IoCs)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" (process: SVCHOST.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," (process: 785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" (process: 785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," (process: CTFMON.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" (process: CTFMON.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," (process: SPOOLSV.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" (process: SPOOLSV.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," (process: SVCHOST.EXE)
Modifies visibility of file extensions in Explorer (2 TTPs, 4 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: CTFMON.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: SPOOLSV.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: SVCHOST.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: 785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 4 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: 785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: CTFMON.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: SPOOLSV.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: SVCHOST.EXE)
Executes dropped EXE (15 IoCs)
- PID 3496 SVCHOST.EXE
- PID 4052 SVCHOST.EXE
- PID 1292 SPOOLSV.EXE
- PID 1144 SVCHOST.EXE
- PID 3660 SPOOLSV.EXE
- PID 3492 CTFMON.EXE
- PID 3724 SVCHOST.EXE
- PID 4772 SPOOLSV.EXE
- PID 3768 CTFMON.EXE
- PID 3456 CTFMON.EXE
- PID 5040 SPOOLSV.EXE
- PID 4876 CTFMON.EXE
- PID 1972 SVCHOST.EXE
- PID 1880 SPOOLSV.EXE
- PID 4808 CTFMON.EXE
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (process: 785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe)
Drops desktop.ini file(s) (1 IoC)
- File opened for modification C:\Recycled\desktop.ini (process: 785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory (1 IoC)
- File opened for modification C:\Program Files\Microsoft Office\Root\VFS\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\docicon.exe (process: 785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: WINWORD.EXE)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process: WINWORD.EXE)
Modifies registry class (29 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ (process: CTFMON.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\*\InfoTip = "prop:Type;Write;Size" (process: SPOOLSV.EXE)
- Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings (process: 785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" (process: SVCHOST.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\*\InfoTip = "prop:Type;Write;Size" (process: SVCHOST.EXE)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL (process: 785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ (process: 785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\*\TileInfo = "prop:Type;Size" (process: 785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\*\InfoTip = "prop:Type;Write;Size" (process: 785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\*\TileInfo = "prop:Type;Size" (process: CTFMON.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" (process: 785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" (process: SVCHOST.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\*\QuickTip = "prop:Type;Size" (process: SPOOLSV.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" (process: CTFMON.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" (process: 785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" (process: SPOOLSV.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\*\TileInfo = "prop:Type;Size" (process: SPOOLSV.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" (process: CTFMON.EXE)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG\COMMAND (process: 785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\*\QuickTip = "prop:Type;Size" (process: 785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ (process: SVCHOST.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" (process: SPOOLSV.EXE)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG (process: 785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL\COMMAND (process: 785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\*\QuickTip = "prop:Type;Size" (process: SVCHOST.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\*\InfoTip = "prop:Type;Write;Size" (process: CTFMON.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\*\TileInfo = "prop:Type;Size" (process: SVCHOST.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ (process: SPOOLSV.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\*\QuickTip = "prop:Type;Size" (process: CTFMON.EXE)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
- PID 3952 WINWORD.EXE
- PID 3952 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of SetWindowsHookEx (25 IoCs)
Suspicious use of WriteProcessMemory (53 IoCs)
Processes
(Indentation shows the process tree: each indented entry is a child of the nearest less-indented entry above it.)

C:\Users\Admin\AppData\Local\Temp\785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe (PID 4092)
Command line: "C:\Users\Admin\AppData\Local\Temp\785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Checks computer location settings
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  C:\recycled\SVCHOST.EXE (PID 3496)
  Command line: C:\recycled\SVCHOST.EXE :agent
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\recycled\SVCHOST.EXE (PID 4052)
    Command line: C:\recycled\SVCHOST.EXE :agent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

    C:\recycled\SPOOLSV.EXE (PID 1292)
    Command line: C:\recycled\SPOOLSV.EXE :agent
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

      C:\recycled\SVCHOST.EXE (PID 1144)
      Command line: C:\recycled\SVCHOST.EXE :agent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

      C:\recycled\SPOOLSV.EXE (PID 3660)
      Command line: C:\recycled\SPOOLSV.EXE :agent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

      C:\recycled\CTFMON.EXE (PID 3492)
      Command line: C:\recycled\CTFMON.EXE :agent
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Enumerates connected drives
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\recycled\SVCHOST.EXE (PID 3724)
        Command line: C:\recycled\SVCHOST.EXE :agent
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

        C:\recycled\SPOOLSV.EXE (PID 4772)
        Command line: C:\recycled\SPOOLSV.EXE :agent
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

        C:\recycled\CTFMON.EXE (PID 3768)
        Command line: C:\recycled\CTFMON.EXE :agent
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

    C:\recycled\CTFMON.EXE (PID 3456)
    Command line: C:\recycled\CTFMON.EXE :agent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\userinit.exe (PID 1804)
    Command line: C:\Windows\system32\userinit.exe
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\Explorer.exe (PID 1516)
      Command line: Explorer.exe "C:\recycled\SVCHOST.exe"

  C:\recycled\SPOOLSV.EXE (PID 5040)
  Command line: C:\recycled\SPOOLSV.EXE :agent
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

  C:\recycled\CTFMON.EXE (PID 4876)
  Command line: C:\recycled\CTFMON.EXE :agent
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

  C:\recycled\SVCHOST.EXE (PID 1972)
  Command line: C:\recycled\SVCHOST.EXE :agent
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

  C:\recycled\SPOOLSV.EXE (PID 1880)
  Command line: C:\recycled\SPOOLSV.EXE :agent
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

  C:\recycled\CTFMON.EXE (PID 4808)
  Command line: C:\recycled\CTFMON.EXE :agent
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3952)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Windows\explorer.exe (PID 3452)
Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 89KB
  MD5: aaa87d1daeecf393e10dbdcdd8968b7c
  SHA1: e8ee19ae2f861d3e065f90e107248f0b085db956
  SHA256: dbe29e95e9ef5cc0ee9cd111867a3cbd0622f0980d25d3ac33129efb89b4e83b
  SHA512: 2ab1823d46f8478b9de8e39b1fabe714a330258dcf752649034c8cea930fd375eda630d9b94d87a73a03e41a9f58397b55373d5bd6e5112895472c8a6e930ed7
- Filesize: 89KB
  MD5: f2cc35954c1717580c4d46846392997a
  SHA1: 6e701d676e1852af1f01edb25a068fc380cb16cb
  SHA256: 3601e320873966e7505e02a657c3e9595f9d28ee1b8d3e68cb8742e39b0a6179
  SHA512: 6c397d8a873f61d42907ded3e2324ecc948c0a27c7e80f50296dd3b1b00a49b290c8455b222049b6518ef64522bc4e2ea4fc0abc8d621d640481d8419bec10f4
- Filesize: 89KB
  MD5: 40d6f5a6a6d5ad1b9157b75d324cdf2e
  SHA1: 62916e8b66bacba9125276b1388ee43f05d8f3c3
  SHA256: 3c1c9c93facf81d961ec1659863815c434577ae785d74017e55f4962492d0983
  SHA512: 8a1fc2272bc171898dd99af6a00b76572f50d8872fd43f220615851029338bfe4db1c0ad44d56aeeee207a34f8500090aa77bb0e94e64c5d90c45087d2f6d6f6
- Filesize: 65B
  MD5: ad0b0b4416f06af436328a3c12dc491b
  SHA1: 743c7ad130780de78ccbf75aa6f84298720ad3fa
  SHA256: 23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416
  SHA512: 884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56
- Filesize: 1KB
  MD5: 0269b6347e473980c5378044ac67aa1f
  SHA1: c3334de50e320ad8bce8398acff95c363d039245
  SHA256: 68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
  SHA512: e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b