Analysis
max time kernel: 51s
max time network: 58s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 12:05
Static task: static1
Behavioral task: behavioral1
Sample: WinSCP-5.21.5-Setup.exe
Resource: win10v2004-20220901-en
General
Target: WinSCP-5.21.5-Setup.exe
Size: 10.9MB
MD5: 20c5329d7fde522338f037a7fe8a84eb
SHA1: c55a60799cfa24c1aeffcd2ca609776722e84f1b
SHA256: e141e9a1a0094095d5e26077311418a01dac429e68d3ff07a734385eb0172bea
SHA512: 58813bb051bd66c29e3384dcf7ec7ca91f2e25506f28ca16e9620a7144bea1140d91dddb1131c6befc17e976e4992d0cce1528f90d536fe827ada1be44f7f1a5
SSDEEP: 196608:HCImpQVrv0m6lhmBMlvOxwnIBSnCITfLb8MAFGrCaPiqXpAo83jVolDN/+z+:qQRScMlv7YSnC8fLbUGr0UAH3+AK
Malware Config
Signatures

Executes dropped EXE (5 IoCs)
Processes (pid, process):
- 2156 WinSCP-5.21.5-Setup.tmp
- 4632 WinSCP.exe
- 4136 WinSCP.exe
- 3688 WinSCP.exe
- 2112 WinSCP.exe

Registers COM server for autorun (1 TTP, 3 IoCs)
Processes (description, ioc, process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E15E1D68-0D1C-49F7-BEB8-812B1E00FA60}\InProcServer32 (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E15E1D68-0D1C-49F7-BEB8-812B1E00FA60}\InProcServer32\ = "C:\\Program Files (x86)\\WinSCP\\DragExt64.dll" (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E15E1D68-0D1C-49F7-BEB8-812B1E00FA60}\InProcServer32\ThreadingModel = "Apartment" (regsvr32.exe)

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
- Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (WinSCP.exe; 4 entries)

Loads dropped DLL (2 IoCs)
Processes (pid, process):
- 560 regsvr32.exe
- 1732 regsvr32.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description, ioc, process):
- File opened (read-only) by WinSCP.exe: \??\E:, \??\F:, \??\L:, \??\N:, \??\Y:, \??\H:, \??\M:, \??\Q:, \??\U:, \??\K:, \??\O:, \??\P:, \??\V:, \??\T:, \??\A:, \??\B:, \??\G:, \??\I:, \??\J:, \??\R:, \??\S:, \??\W:, \??\X:, \??\Z:

Drops file in Program Files directory (61 IoCs)
Process: WinSCP-5.21.5-Setup.tmp
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes (pid, pid_target, process, target process):
- 2648 1212 WerFault.exe

Modifies registry class (64 IoCs)
Processes: WinSCP.exe, regsvr32.exe
Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
Processes (description, flow, ioc):
- HTTP User-Agent header, flow 16: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes (pid, process):
- 4632 WinSCP.exe (2 entries)
- 4136 WinSCP.exe (2 entries)
- 3688 WinSCP.exe (4 entries)
- 2112 WinSCP.exe (2 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid, process):
- 2112 WinSCP.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid, process):
- 2156 WinSCP-5.21.5-Setup.tmp
- 2112 WinSCP.exe

Suspicious use of SendNotifyMessage (1 IoC)
Processes (pid, process):
- 2112 WinSCP.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
Processes (pid, process):
- 4632 WinSCP.exe
- 4136 WinSCP.exe
- 3688 WinSCP.exe
- 2112 WinSCP.exe (4 entries)

Suspicious use of WriteProcessMemory (20 IoCs)
Processes (description, pid, process, target process):
- PID 3232 (WinSCP-5.21.5-Setup.exe) wrote to memory of 2156 (WinSCP-5.21.5-Setup.tmp); 3 entries
- PID 2156 (WinSCP-5.21.5-Setup.tmp) wrote to memory of 560 (regsvr32.exe); 3 entries
- PID 560 (regsvr32.exe) wrote to memory of 1732 (regsvr32.exe); 2 entries
- PID 2156 (WinSCP-5.21.5-Setup.tmp) wrote to memory of 4632 (WinSCP.exe); 3 entries
- PID 2156 (WinSCP-5.21.5-Setup.tmp) wrote to memory of 4136 (WinSCP.exe); 3 entries
- PID 2156 (WinSCP-5.21.5-Setup.tmp) wrote to memory of 3688 (WinSCP.exe); 3 entries
- PID 2156 (WinSCP-5.21.5-Setup.tmp) wrote to memory of 2112 (WinSCP.exe); 3 entries
Processes
(Each entry gives the image path, then the command line; indentation shows the parent/child depth, and the "-" items are the signatures that fired for that process.)

1. C:\Users\Admin\AppData\Local\Temp\WinSCP-5.21.5-Setup.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\WinSCP-5.21.5-Setup.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\is-9UI84.tmp\WinSCP-5.21.5-Setup.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-9UI84.tmp\WinSCP-5.21.5-Setup.tmp" /SL5="$701C4,10341138,864768,C:\Users\Admin\AppData\Local\Temp\WinSCP-5.21.5-Setup.exe"
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\regsvr32.exe
         Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\WinSCP\DragExt64.dll"
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\regsvr32.exe
            Command line: /s "C:\Program Files (x86)\WinSCP\DragExt64.dll"
            - Registers COM server for autorun
            - Loads dropped DLL
            - Modifies registry class
      3. C:\Program Files (x86)\WinSCP\WinSCP.exe
         Command line: "C:\Program Files (x86)\WinSCP\WinSCP.exe" /RegisterForDefaultProtocols
         - Executes dropped EXE
         - Checks computer location settings
         - Modifies registry class
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
      3. C:\Program Files (x86)\WinSCP\WinSCP.exe
         Command line: "C:\Program Files (x86)\WinSCP\WinSCP.exe" /ImportSitesIfAny
         - Executes dropped EXE
         - Checks computer location settings
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
      3. C:\Program Files (x86)\WinSCP\WinSCP.exe
         Command line: "C:\Program Files (x86)\WinSCP\WinSCP.exe" /Usage=TypicalInstallation:1,InstallationsUser+,InstallationParentProcess@,InstallationsFirstTypical+,LastInstallationAutomaticUpgrade:0,InstallationsLaunch+,
         - Executes dropped EXE
         - Checks computer location settings
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
      3. C:\Program Files (x86)\WinSCP\WinSCP.exe
         Command line: "C:\Program Files (x86)\WinSCP\WinSCP.exe"
         - Executes dropped EXE
         - Checks computer location settings
         - Enumerates connected drives
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage
         - Suspicious use of SetWindowsHookEx
1. C:\Windows\system32\WerFault.exe
   Command line: C:\Windows\system32\WerFault.exe -pss -s 448 -p 1212 -ip 1212
1. C:\Windows\system32\WerFault.exe
   Command line: C:\Windows\system32\WerFault.exe -u -p 1212 -s 2464
   - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads