Analysis
max time kernel: 100s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/11/2022, 19:35
Static task: static1
Behavioral task: behavioral1
Sample: aba55ba555f43f1fccb63b640c87a347bbca236bf19107dd1f33412cefb03baa.dll
Resource: win7-20220812-en
General
Target: aba55ba555f43f1fccb63b640c87a347bbca236bf19107dd1f33412cefb03baa.dll
Size: 156KB
MD5: be04cb75888afe3e1076f03ea7437d81
SHA1: 69048dd422408cdb8537f6dbd0cdee6a90f70e93
SHA256: aba55ba555f43f1fccb63b640c87a347bbca236bf19107dd1f33412cefb03baa
SHA512: e31eaf8e958d153e7c2c3ee1f4962a908ac6256fd217a440fb58f1522d09f53b056606aef43f5621be5a34298b7d519069c9ae65e15c98ff27c17df310a98dab
SSDEEP: 3072:3vY2M8wRBjnPWMowyrR1PFOH4jI/PGYMFMQ1iK9LhBttAXOeIZQoXT3V:TiPWMowyrDC4jI/PGr1i+hBRqo
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | xemuntcv.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | xemuntcv.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | xemuntcv.exe
Modifies security service (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | xemuntcv.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | xemuntcv.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4" | xemuntcv.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xemuntcv.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | xemuntcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | xemuntcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | xemuntcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | xemuntcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | xemuntcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | xemuntcv.exe
Executes dropped EXE (3 IoCs)
pid | Process
4920 | oJfxHI1K
3780 | xemuntcv.exe
4384 | xemuntcv.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | oJfxHI1K
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | xemuntcv.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | xemuntcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | xemuntcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | xemuntcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | xemuntcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | xemuntcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | xemuntcv.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xemuntcv.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (2 IoCs)
pid | pid_target | Process | procid_target
3304 | 4720 | WerFault.exe | 83
1924 | 5012 | WerFault.exe | 91
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376430107" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4167452153" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4266670954" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999394" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999394" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999395" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{222BCE38-6F56-11ED-AECB-4A8324823CC0} = "0" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30999394" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4167452153" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "21861835" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | IEXPLORE.EXE
Modifies registry class (18 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A1AE1D0-1C0C-4106-9CFE-7A6119DC577A}\InprocServer32\ThreadingModel = "Both" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6998C883-C3A2-4F14-B622-CE7D7C72BA94}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6998C883-C3A2-4F14-B622-CE7D7C72BA94} | regsvr32.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6998C883-C3A2-4F14-B622-CE7D7C72BA94}\FilterData = 020000000000200001000000000000003070693308000000000000000100000000000000000000003074793300000000380000004800000083eb36e44f52ce119f530020af0ba77000000000000000000000000000000000 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{0A1AE1D0-1C0C-4106-9CFE-7A6119DC577A}\CLSID = "{0A1AE1D0-1C0C-4106-9CFE-7A6119DC577A}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6998C883-C3A2-4F14-B622-CE7D7C72BA94}\CLSID = "{6998C883-C3A2-4F14-B622-CE7D7C72BA94}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6998C883-C3A2-4F14-B622-CE7D7C72BA94}\InprocServer32\ThreadingModel = "Both" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{0A1AE1D0-1C0C-4106-9CFE-7A6119DC577A} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A1AE1D0-1C0C-4106-9CFE-7A6119DC577A}\ = "Canopus OHCI DV SD Output" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A1AE1D0-1C0C-4106-9CFE-7A6119DC577A}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A1AE1D0-1C0C-4106-9CFE-7A6119DC577A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aba55ba555f43f1fccb63b640c87a347bbca236bf19107dd1f33412cefb03baa.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6998C883-C3A2-4F14-B622-CE7D7C72BA94} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6998C883-C3A2-4F14-B622-CE7D7C72BA94}\ = "Canopus OHCI MPEG TS Output" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6998C883-C3A2-4F14-B622-CE7D7C72BA94}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aba55ba555f43f1fccb63b640c87a347bbca236bf19107dd1f33412cefb03baa.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{0A1AE1D0-1C0C-4106-9CFE-7A6119DC577A}\FriendlyName = "Canopus OHCI DV SD Output" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6998C883-C3A2-4F14-B622-CE7D7C72BA94}\FriendlyName = "Canopus OHCI MPEG TS Output" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A1AE1D0-1C0C-4106-9CFE-7A6119DC577A} | regsvr32.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{0A1AE1D0-1C0C-4106-9CFE-7A6119DC577A}\FilterData = 02000000000020000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000006961767300001000800000aa00389b7100000000000000000000000000000000 | regsvr32.exe
Suspicious behavior: LoadsDriver (1 IoCs)
pid | Process
660 | Process not Found
Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeSecurityPrivilege | 4920 | oJfxHI1K
Token: SeDebugPrivilege | 4920 | oJfxHI1K
Token: SeSecurityPrivilege | 3780 | xemuntcv.exe
Token: SeSecurityPrivilege | 4384 | xemuntcv.exe
Token: SeLoadDriverPrivilege | 4384 | xemuntcv.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
1784 | IEXPLORE.EXE
1784 | IEXPLORE.EXE
Suspicious use of SetWindowsHookEx (10 IoCs)
pid | Process
1784 | IEXPLORE.EXE
1784 | IEXPLORE.EXE
4280 | IEXPLORE.EXE
4280 | IEXPLORE.EXE
1784 | IEXPLORE.EXE
1784 | IEXPLORE.EXE
2776 | IEXPLORE.EXE
2776 | IEXPLORE.EXE
2776 | IEXPLORE.EXE
2776 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory (51 IoCs)
description | pid | Process | procid_target
PID 4772 wrote to memory of 4840 | 4772 | regsvr32.exe | 81
PID 4772 wrote to memory of 4840 | 4772 | regsvr32.exe | 81
PID 4772 wrote to memory of 4840 | 4772 | regsvr32.exe | 81
PID 4840 wrote to memory of 4920 | 4840 | regsvr32.exe | 82
PID 4840 wrote to memory of 4920 | 4840 | regsvr32.exe | 82
PID 4840 wrote to memory of 4920 | 4840 | regsvr32.exe | 82
PID 4920 wrote to memory of 4720 | 4920 | oJfxHI1K | 83
PID 4920 wrote to memory of 4720 | 4920 | oJfxHI1K | 83
PID 4920 wrote to memory of 4720 | 4920 | oJfxHI1K | 83
PID 4920 wrote to memory of 4720 | 4920 | oJfxHI1K | 83
PID 4920 wrote to memory of 4720 | 4920 | oJfxHI1K | 83
PID 4920 wrote to memory of 4720 | 4920 | oJfxHI1K | 83
PID 4920 wrote to memory of 4720 | 4920 | oJfxHI1K | 83
PID 4920 wrote to memory of 4720 | 4920 | oJfxHI1K | 83
PID 4920 wrote to memory of 4720 | 4920 | oJfxHI1K | 83
PID 4920 wrote to memory of 4720 | 4920 | oJfxHI1K | 83
PID 4920 wrote to memory of 4844 | 4920 | oJfxHI1K | 86
PID 4920 wrote to memory of 4844 | 4920 | oJfxHI1K | 86
PID 4920 wrote to memory of 4844 | 4920 | oJfxHI1K | 86
PID 4844 wrote to memory of 1784 | 4844 | iexplore.exe | 87
PID 4844 wrote to memory of 1784 | 4844 | iexplore.exe | 87
PID 1784 wrote to memory of 4280 | 1784 | IEXPLORE.EXE | 90
PID 1784 wrote to memory of 4280 | 1784 | IEXPLORE.EXE | 90
PID 1784 wrote to memory of 4280 | 1784 | IEXPLORE.EXE | 90
PID 4920 wrote to memory of 5012 | 4920 | oJfxHI1K | 91
PID 4920 wrote to memory of 5012 | 4920 | oJfxHI1K | 91
PID 4920 wrote to memory of 5012 | 4920 | oJfxHI1K | 91
PID 4920 wrote to memory of 5012 | 4920 | oJfxHI1K | 91
PID 4920 wrote to memory of 5012 | 4920 | oJfxHI1K | 91
PID 4920 wrote to memory of 5012 | 4920 | oJfxHI1K | 91
PID 4920 wrote to memory of 5012 | 4920 | oJfxHI1K | 91
PID 4920 wrote to memory of 5012 | 4920 | oJfxHI1K | 91
PID 4920 wrote to memory of 5012 | 4920 | oJfxHI1K | 91
PID 4920 wrote to memory of 5012 | 4920 | oJfxHI1K | 91
PID 4920 wrote to memory of 3476 | 4920 | oJfxHI1K | 94
PID 4920 wrote to memory of 3476 | 4920 | oJfxHI1K | 94
PID 4920 wrote to memory of 3476 | 4920 | oJfxHI1K | 94
PID 3476 wrote to memory of 3092 | 3476 | iexplore.exe | 95
PID 3476 wrote to memory of 3092 | 3476 | iexplore.exe | 95
PID 1784 wrote to memory of 2776 | 1784 | IEXPLORE.EXE | 96
PID 1784 wrote to memory of 2776 | 1784 | IEXPLORE.EXE | 96
PID 1784 wrote to memory of 2776 | 1784 | IEXPLORE.EXE | 96
PID 4920 wrote to memory of 3780 | 4920 | oJfxHI1K | 100
PID 4920 wrote to memory of 3780 | 4920 | oJfxHI1K | 100
PID 4920 wrote to memory of 3780 | 4920 | oJfxHI1K | 100
PID 3780 wrote to memory of 4944 | 3780 | xemuntcv.exe | 101
PID 3780 wrote to memory of 4944 | 3780 | xemuntcv.exe | 101
PID 3780 wrote to memory of 4944 | 3780 | xemuntcv.exe | 101
PID 4944 wrote to memory of 4384 | 4944 | cmd.exe | 103
PID 4944 wrote to memory of 4384 | 4944 | cmd.exe | 103
PID 4944 wrote to memory of 4384 | 4944 | cmd.exe | 103
System policy modification (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xemuntcv.exe
Processes
(indentation shows the parent/child nesting; each entry lists the image path, the command line, the signatures hit and the PID)

C:\Windows\system32\regsvr32.exe
  cmdline: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\aba55ba555f43f1fccb63b640c87a347bbca236bf19107dd1f33412cefb03baa.dll
  - Suspicious use of WriteProcessMemory
  PID: 4772

  C:\Windows\SysWOW64\regsvr32.exe
    cmdline: /s C:\Users\Admin\AppData\Local\Temp\aba55ba555f43f1fccb63b640c87a347bbca236bf19107dd1f33412cefb03baa.dll
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4840

    C:\Users\Admin\AppData\Local\Temp\oJfxHI1K
      cmdline: "oJfxHI1K"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4920

      C:\Windows\SysWOW64\svchost.exe
        cmdline: C:\Windows\system32\svchost.exe
        PID: 4720

        C:\Windows\SysWOW64\WerFault.exe
          cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 208
          - Program crash
          PID: 3304

      C:\Program Files (x86)\Internet Explorer\iexplore.exe
        cmdline: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        - Suspicious use of WriteProcessMemory
        PID: 4844

        C:\Program Files\Internet Explorer\IEXPLORE.EXE
          cmdline: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 1784

          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1784 CREDAT:17410 /prefetch:2
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
            PID: 4280

          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1784 CREDAT:82948 /prefetch:2
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
            PID: 2776

      C:\Windows\SysWOW64\svchost.exe
        cmdline: C:\Windows\system32\svchost.exe
        PID: 5012

        C:\Windows\SysWOW64\WerFault.exe
          cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 208
          - Program crash
          PID: 1924

      C:\Program Files (x86)\Internet Explorer\iexplore.exe
        cmdline: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        - Suspicious use of WriteProcessMemory
        PID: 3476

        C:\Program Files\Internet Explorer\IEXPLORE.EXE
          cmdline: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
          - Modifies Internet Explorer settings
          PID: 3092

      C:\Users\Admin\AppData\Local\Temp\xemuntcv.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\xemuntcv.exe" elevate
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 3780

        C:\Windows\SysWOW64\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\xemuntcv.exe"" admin
          - Suspicious use of WriteProcessMemory
          PID: 4944

          C:\Users\Admin\AppData\Local\Temp\xemuntcv.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\xemuntcv.exe" admin
            - Modifies firewall policy service
            - Modifies security service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Suspicious use of AdjustPrivilegeToken
            - System policy modification
            PID: 4384

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4720 -ip 4720
  PID: 4208

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5012 -ip 5012
  PID: 4028
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 471B
  MD5: dedb504b3469b24ec0df79c68f5772e2
  SHA1: 177a8b1045b456316ca32d90aba942bf34774c64
  SHA256: e18111fd56db31f02eb16990f0bbc7991a0c80571703281ee66010e229c9f8b0
  SHA512: 101312fa01991caeaef010d0d21e740244cb3768490a1b82ae12e7524e50b6e7f2e23c08978ac4c373e9013baa0a8f50de8e1994341556b78ecd88ce13df5680

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 434B
  MD5: 0717b0681d2359f3f14d6a420ab9c3f3
  SHA1: 56dd502a9a09ce2da4329219b577e76359166bd0
  SHA256: 5fe63252140a37bbdff8e3868d763985a616470cd0a8bb2faa3e4496338c6dd2
  SHA512: cb62ee113d70732aa600996575c922790177f912d8dc45a6066354d8ed578d0d3cda493e2eafebfed6768b4f14b7ea11ab320662ce6c0b877ff5bbb72c236b80

(path not given in the report)
  Filesize: 99KB
  MD5: 2f5964aefc23c144312263bcde6f4c29
  SHA1: 7235402d08be134c24289c202b21437cfdee6a44
  SHA256: 9c04fadd4b513f6d221d903e513bc6ce07b9a564db88cbce174db6d9e9a75831
  SHA512: afe0a089537669cb1de2ab4ed9575665d9837e84cad5acceba5fc22adbc086b51cdadbab8348f940c6908179fc4509d6d0954cba459f9248ae00a9b708803869