Analysis
max time kernel: 135s
max time network: 135s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 23/11/2022, 14:03
Static task: static1
Behavioral task: behavioral1
  Sample: 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
  Resource: win10v2004-20220901-en
General
Target: 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
Size: 520KB
MD5: 2e1b2aaeaef46f92436616cf7912f931
SHA1: db8e74884c960d1bc297a6ae15f1aa30d958e3ce
SHA256: 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964
SHA512: 0290bd2b250b3c626b38648d83dad74b0f7fc124da63d58cf5fde1f0be86843bccec3ee94237b8b0d775eccdb32334e05a8ad9e93c8274468e0fbc9551546ea1
SSDEEP: 12288:RWXClV2A9GguHZ3+IuuD+nij6XENkjHMmQR79DaU:RZIHh/sij6XENkyR79WU
Malware Config
Signatures
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
Executes dropped EXE (2 IoCs)
  pid   Process
  552   appinit.exe
  1656  appinit.exe
  resource                                                                      yara_rule
  behavioral1/memory/1608-99-0x0000000001610000-0x0000000001720000-memory.dmp   upx
  behavioral1/memory/1608-102-0x0000000001610000-0x0000000001720000-memory.dmp  upx
  behavioral1/memory/1608-105-0x0000000001610000-0x0000000001720000-memory.dmp  upx
  behavioral1/memory/1608-108-0x0000000001610000-0x0000000001720000-memory.dmp  upx
  behavioral1/memory/1608-110-0x0000000001610000-0x0000000001720000-memory.dmp  upx
  behavioral1/memory/1608-112-0x0000000001610000-0x0000000001720000-memory.dmp  upx
  behavioral1/memory/1608-111-0x0000000001610000-0x0000000001720000-memory.dmp  upx
Loads dropped DLL (2 IoCs)
  pid   Process
  1476  6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
  1476  6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
Adds Run key to start application (2 TTPs, 12 IoCs)
  description     | ioc | Process
  Key created     | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run | 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\{9043-8547-9771-90}\\appinit.exe" | 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\{9043-8547-9771-90}\\appinit.exe" | appinit.exe
  Key created     | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\{9043-8547-9771-90}\\appinit.exe" | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\{9043-8547-9771-90}\\appinit.exe" | explorer.exe
  Key created     | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\{9043-8547-9771-90}\\appinit.exe" | 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
  Key created     | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | appinit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\{9043-8547-9771-90}\\appinit.exe" | appinit.exe
  Key created     | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run | appinit.exe
  Key created     | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Suspicious use of SetThreadContext (3 IoCs)
  description                          | pid  | Process | procid_target
  PID 1828 set thread context of 1476  | 1828 | 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe | 28
  PID 552 set thread context of 1656   | 552  | appinit.exe | 64
  PID 1656 set thread context of 1608  | 1656 | appinit.exe | 66
Drops file in Windows directory (5 IoCs)
  description                  | ioc | Process
  File opened for modification | C:\Windows\{9043-8547-9771-90}\appinit.exe | 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
  File created                 | C:\Windows\{9043-8547-9771-90}\appinit.exe | 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
  File opened for modification | C:\Windows\{9043-8547-9771-90}\ | 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
  File opened for modification | C:\Windows\{9043-8547-9771-90}\appinit.exe | appinit.exe
  File opened for modification | C:\Windows\{9043-8547-9771-90}\ | appinit.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  1608  explorer.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  1476  6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
  1608  explorer.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe"  PID: 1828
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe"  PID: 1476
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"  PID: 1036
    [3] C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe  PID: 700
    [3] C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"  PID: 1240
    [3] C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe  PID: 1816
    [3] C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"  PID: 1876
    [3] C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe  PID: 668
    [3] C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"  PID: 1760
    [3] C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe  PID: 1872
    [3] C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"  PID: 1692
    [3] C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe  PID: 340
    [3] C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe  PID: 796
    [3] C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"  PID: 1372
    [3] C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"  PID: 1096
    [3] C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe  PID: 812
    [3] C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"  PID: 1016
    [3] C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe  PID: 928
    [3] C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"  PID: 868
    [3] C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe  PID: 1616
    [3] C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"  PID: 1820
    [3] C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe  PID: 484
    [3] C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"  PID: 612
    [3] C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe  PID: 1672
    [3] C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"  PID: 824
    [3] C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe  PID: 1008
    [3] C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"  PID: 524
    [3] C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe  PID: 1712
    [3] C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"  PID: 2024
    [3] C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe  PID: 1680
    [3] C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"  PID: 300
    [3] C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe  PID: 1136
    [3] C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"  PID: 1548
    [3] C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe  PID: 1860
    [3] C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"  PID: 988
    [3] C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe  PID: 1540
    [3] C:\Windows\{9043-8547-9771-90}\appinit.exe  cmd: "C:\Windows\{9043-8547-9771-90}\appinit.exe"  PID: 552
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
      [4] C:\Windows\{9043-8547-9771-90}\appinit.exe  cmd: "C:\Windows\{9043-8547-9771-90}\appinit.exe"  PID: 1656
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
        [5] C:\Program Files\Internet Explorer\iexplore.exe  cmd: "C:\Program Files\Internet Explorer\iexplore.exe"  PID: 844
        [5] C:\Windows\SysWOW64\explorer.exe  cmd: explorer.exe  PID: 1608
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 2B
MD5: 93e00066d099c0485cfffa1359246d26
SHA1: bc69a773f37b2f2071e25f755a66d47b871e5d98
SHA256: 3b271649a94ad5be4ef46ecbb6a4e7363e8498b7e69b751737bf30df2e0d1dde
SHA512: d3dfe508cacae7d36f13908134b5b438b87429fcf93ccb060bcfa346c04633a99e9ca497297418c969537be1da2405171982794055dd0f52e59a82720d3b3d02

Filesize: 3KB
MD5: 05b1ef8e038e2ad1d7a1cd38e3af1302
SHA1: 7ac8d37378cd67bdd7a42d4e732a67086ca091a5
SHA256: 24d3a86d770068c5e3b2fed62815912faabd2ccf5a229b312406342d9318678b
SHA512: ed63c082f2708e552f0dd3dc7fb874ab52f37d5793005c8aeb4eb1a4a1281dfe0212853551e7a4ad588f96b24d002ffae33b55cf24b5ace52b4112b4353fe063
Filesize: 358KB
MD5: ad69242f4bf9548496051bd95ac05e1e
SHA1: 913292f6b83adf41337fd50201ad341500abc8b0
SHA256: 2663fdfe0fe4c37532f919282d035579bf84a895be5971982437cffbd41bdb1b
SHA512: 09bed3adc8427e4aeec4e32dfd0640da71d2839b62973e4bae94f0965c5836028511295d99be878af388789fc020117972c3cf51d5a2ef1899aeb9d43c2fd94e

Filesize: 520KB
MD5: 2e1b2aaeaef46f92436616cf7912f931
SHA1: db8e74884c960d1bc297a6ae15f1aa30d958e3ce
SHA256: 6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964
SHA512: 0290bd2b250b3c626b38648d83dad74b0f7fc124da63d58cf5fde1f0be86843bccec3ee94237b8b0d775eccdb32334e05a8ad9e93c8274468e0fbc9551546ea1