Analysis
max time kernel: 150s
max time network: 99s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2022 05:26
Behavioral task: behavioral1
Sample: 0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe
Resource: win7-20220812-en
General
Target: 0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe
Size: 926KB
MD5: 79ada15c4f8a7fbd9d272672712e5373
SHA1: 4cb9fe1d91d6777b2a3b1bdc0ec7ff801e175dc2
SHA256: 0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643
SHA512: f76457132767904b1070f152ec8e7d97ef8db9de7eac5291c344d89faee75f0eaffcee9eb587dec640067690c0391ffc2182ec4693e8fab0af5807b6ac92e884
SSDEEP: 24576:PoV6rg3tqKfO3bmhXysm8a+XYw0OCo/tAMQoKNWfQ:PoMrIHCbsmeowsMM0Q
Malware Config
Extracted
Family: cybergate
Version: 2.6
Botnet: testew
C2: viperboy.no-ip.info:2000
Mutex: ***MUTEX***
Attributes:
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: install
install_file: server.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: texto da mensagem
message_box_title: título da mensagem
password: abcd1234
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: 0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\server.exe\"" | 0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe
- Adds policy Run key to start application (2 TTPs, 16 IoCs)
  Processes: server.exe (4 instances)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | server.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | server.exe
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | server.exe
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | server.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe" | server.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | server.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | server.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | server.exe
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | server.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\install\\server.exe" | server.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\install\\server.exe" | server.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | server.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | server.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe" | server.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | server.exe
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | server.exe
- Executes dropped EXE (6 IoCs)
  Processes: server.exe (6 instances)
  pid | process
  1212 | server.exe
  1220 | server.exe
  1816 | server.exe
  1676 | server.exe
  1696 | server.exe
  1664 | server.exe
- Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  Processes: server.exe (4 instances)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" | server.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | server.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\install\\server.exe" | server.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | server.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe Restart" | server.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | server.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\SysWOW64\\install\\server.exe Restart" | server.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | server.exe
- Yara rule match: upx (11 IoCs)
  resource | yara_rule
  behavioral1/memory/1212-63-0x0000000024010000-0x0000000024072000-memory.dmp | upx
  behavioral1/memory/1212-69-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
  behavioral1/memory/1212-75-0x00000000240F0000-0x0000000024152000-memory.dmp | upx
  behavioral1/memory/1212-84-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
  behavioral1/memory/1220-89-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
  behavioral1/memory/1220-92-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
  behavioral1/memory/1816-120-0x0000000024010000-0x0000000024072000-memory.dmp | upx
  behavioral1/memory/340-125-0x0000000024010000-0x0000000024072000-memory.dmp | upx
  behavioral1/memory/340-138-0x0000000024010000-0x0000000024072000-memory.dmp | upx
  behavioral1/memory/1604-139-0x0000000024010000-0x0000000024072000-memory.dmp | upx
  behavioral1/memory/340-140-0x0000000024010000-0x0000000024072000-memory.dmp | upx
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes: 0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Wine | 0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe
- Loads dropped DLL (7 IoCs)
  Processes: server.exe, explorer.exe
  pid | process
  1220 | server.exe
  1220 | server.exe
  1220 | server.exe
  1220 | server.exe
  1220 | server.exe
  1220 | server.exe
  340 | explorer.exe
- Yara rule match: themida (2 IoCs)
  resource | yara_rule
  behavioral1/memory/916-55-0x0000000000400000-0x00000000005B6000-memory.dmp | themida
  behavioral1/memory/916-103-0x0000000000400000-0x00000000005B6000-memory.dmp | themida
- Adds Run key to start application (2 TTPs, 16 IoCs)
  Processes: server.exe (4 instances)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" | server.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\install\\server.exe" | server.exe
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | server.exe
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | server.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" | server.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe" | server.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | server.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | server.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | server.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe" | server.exe
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | server.exe
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | server.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" | server.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" | server.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | server.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\install\\server.exe" | server.exe
- Drops desktop.ini file(s) (1 IoC)
  Processes: explorer.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | explorer.exe
- Drops file in System32 directory (8 IoCs)
  Processes: server.exe, server.exe, explorer.exe, server.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\install\server.exe | server.exe
  File created | C:\Windows\SysWOW64\install\server.exe | server.exe
  File opened for modification | C:\Windows\SysWOW64\install\server.exe | server.exe
  File created | C:\Windows\SysWOW64\install\server.exe | server.exe
  File opened for modification | C:\Windows\SysWOW64\install\server.exe | explorer.exe
  File opened for modification | C:\Windows\SysWOW64\install\ | explorer.exe
  File created | C:\Windows\SysWOW64\install\server.exe | server.exe
  File opened for modification | C:\Windows\SysWOW64\install\server.exe | server.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes: 0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe
  pid | process
  916 | 0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe
- Drops file in Windows directory (1 IoC)
  Processes: 0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe
  description | ioc | process
  File created | C:\Windows\server.exe | 0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  Processes: WerFault.exe, WerFault.exe
  pid | pid_target | process | target process
  1700 | 916 | WerFault.exe | 0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe
  864 | 1604 | WerFault.exe | explorer.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: 0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe, server.exe (4 instances)
  pid | process
  916 | 0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe
  1212 | server.exe
  1816 | server.exe
  1676 | server.exe
  1696 | server.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: explorer.exe
  pid | process
  340 | explorer.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: explorer.exe
  description | pid | process
  Token: SeDebugPrivilege | 340 | explorer.exe
  Token: SeDebugPrivilege | 340 | explorer.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: server.exe, explorer.exe
  pid | process
  1212 | server.exe
  340 | explorer.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  Processes: explorer.exe
  pid | process
  340 | explorer.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe, server.exe
  description | pid | process | target process
  PID 916 wrote to memory of 1212 | 916 | 0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe | server.exe (4 identical rows)
  PID 916 wrote to memory of 1700 | 916 | 0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe | WerFault.exe (4 identical rows)
  PID 1212 wrote to memory of 1396 | 1212 | server.exe | Explorer.EXE (56 identical rows)
Processes
- C:\Windows\Explorer.EXE (depth 1), command line: C:\Windows\Explorer.EXE
- C:\Users\Admin\AppData\Local\Temp\0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe (depth 2), command line: "C:\Users\Admin\AppData\Local\Temp\0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe"
- Modifies WinLogon for persistence
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- C:\Windows\server.exe (depth 3), command line: "C:\Windows\server.exe"
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- C:\Windows\explorer.exe (depth 4), command line: explorer.exe
- C:\Windows\explorer.exe (depth 4), command line: explorer.exe
- C:\Windows\server.exe (depth 4), command line: "C:\Windows\server.exe"
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- C:\Windows\SysWOW64\install\server.exe (depth 5), command line: "C:\Windows\system32\install\server.exe"
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\explorer.exe (depth 6), command line: explorer.exe
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- C:\Windows\SysWOW64\install\server.exe (depth 7), command line: "C:\Windows\SysWOW64\install\server.exe"
- Executes dropped EXE
- C:\Windows\SysWOW64\install\server.exe (depth 5), command line: "C:\Windows\system32\install\server.exe"
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\explorer.exe (depth 6), command line: explorer.exe
- C:\Windows\SysWOW64\WerFault.exe (depth 7), command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 524
- Program crash
- C:\Windows\SysWOW64\install\server.exe (depth 5), command line: "C:\Windows\system32\install\server.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\WerFault.exe (depth 3), command line: C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 476
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
  Filesize: 229KB
  MD5: 573fc8040765ff469e14a074db9cbece
  SHA1: 944bcc4e95c093dc2236f6f494595b0d7421c400
  SHA256: b669d151a9045d630dfee87281a031929e1f91eb38dccf8ea5eb00db46affa53
  SHA512: 699e47546f403c6e871b710282eadf64cb2afa27cb4b4e239dacb93a377ebc50ee0d6d9f2e6672b896bd530418e82cadb42776440711b26642e5a6925c36117d
  (this entry appears 2 times in the report)
- C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
  Filesize: 229KB
  MD5: 4f590291e3a402495a024a5e8645f14a
  SHA1: 80cef1204734d24684688979f047a046265e07cb
  SHA256: cd8468bbfe621e148aebdbaf44baf733bef06be4da934b8e73f45c95ac0c7836
  SHA512: 6d150a06547bdc4294c6fa3dc2410358af40c3b8d0d0c815fc27a3b2cadebe9e5d5d875d882b8bf74350780e70a073034e111d61aa7a2fc9589807627a43f690
- C:\Users\Admin\AppData\Roaming\install\server.exe
  Filesize: 290KB
  MD5: 382204a8c0cb746514b2f6d3d818a392
  SHA1: 14478b7045ee8acc0c3252f3192b5ea260512c1b
  SHA256: bebb5120f512d48461fe673bccd6343bae805c9774f4ceda0ac413cd9e34d2d8
  SHA512: c337ae46a685a6c600962372c888f64bd474d9b6df9f70cae89c7742fc2d8d488f61af583a782b860e54a044c5901b36bf3a35edb8a5af3b08f66b842fd3d69e
- C:\Windows\SysWOW64\install\server.exe
  Filesize: 290KB
  MD5: 382204a8c0cb746514b2f6d3d818a392
  SHA1: 14478b7045ee8acc0c3252f3192b5ea260512c1b
  SHA256: bebb5120f512d48461fe673bccd6343bae805c9774f4ceda0ac413cd9e34d2d8
  SHA512: c337ae46a685a6c600962372c888f64bd474d9b6df9f70cae89c7742fc2d8d488f61af583a782b860e54a044c5901b36bf3a35edb8a5af3b08f66b842fd3d69e
  (this entry appears 5 times in the report)
- C:\Windows\server.exe
  Filesize: 290KB
  MD5: 382204a8c0cb746514b2f6d3d818a392
  SHA1: 14478b7045ee8acc0c3252f3192b5ea260512c1b
  SHA256: bebb5120f512d48461fe673bccd6343bae805c9774f4ceda0ac413cd9e34d2d8
  SHA512: c337ae46a685a6c600962372c888f64bd474d9b6df9f70cae89c7742fc2d8d488f61af583a782b860e54a044c5901b36bf3a35edb8a5af3b08f66b842fd3d69e
  (this entry appears 3 times in the report)
- \Windows\SysWOW64\install\server.exe
  Filesize: 290KB
  MD5: 382204a8c0cb746514b2f6d3d818a392
  SHA1: 14478b7045ee8acc0c3252f3192b5ea260512c1b
  SHA256: bebb5120f512d48461fe673bccd6343bae805c9774f4ceda0ac413cd9e34d2d8
  SHA512: c337ae46a685a6c600962372c888f64bd474d9b6df9f70cae89c7742fc2d8d488f61af583a782b860e54a044c5901b36bf3a35edb8a5af3b08f66b842fd3d69e
  (this entry appears 7 times in the report)
- memory/340-106-0x0000000000000000-mapping.dmp
- memory/340-140-0x0000000024010000-0x0000000024072000-memory.dmp (Filesize: 392KB)
- memory/340-138-0x0000000024010000-0x0000000024072000-memory.dmp (Filesize: 392KB)
- memory/340-125-0x0000000024010000-0x0000000024072000-memory.dmp (Filesize: 392KB)
- memory/340-110-0x0000000074771000-0x0000000074773000-memory.dmp (Filesize: 8KB)
- memory/864-133-0x0000000000000000-mapping.dmp
- memory/916-103-0x0000000000400000-0x00000000005B6000-memory.dmp (Filesize: 1.7MB)
- memory/916-104-0x0000000004270000-0x0000000004280000-memory.dmp (Filesize: 64KB)
- memory/916-56-0x0000000004270000-0x0000000004280000-memory.dmp (Filesize: 64KB)
- memory/916-55-0x0000000000400000-0x00000000005B6000-memory.dmp (Filesize: 1.7MB)
- memory/916-54-0x0000000076871000-0x0000000076873000-memory.dmp (Filesize: 8KB)
- memory/1212-63-0x0000000024010000-0x0000000024072000-memory.dmp (Filesize: 392KB)
- memory/1212-75-0x00000000240F0000-0x0000000024152000-memory.dmp (Filesize: 392KB)
- memory/1212-69-0x0000000024080000-0x00000000240E2000-memory.dmp (Filesize: 392KB)
- memory/1212-57-0x0000000000000000-mapping.dmp
- memory/1212-84-0x0000000024160000-0x00000000241C2000-memory.dmp (Filesize: 392KB)
- memory/1220-81-0x0000000000000000-mapping.dmp
- memory/1220-92-0x0000000024160000-0x00000000241C2000-memory.dmp (Filesize: 392KB)
- memory/1220-89-0x0000000024160000-0x00000000241C2000-memory.dmp (Filesize: 392KB)
- memory/1396-66-0x0000000024010000-0x0000000024072000-memory.dmp (Filesize: 392KB)
- memory/1604-115-0x0000000000000000-mapping.dmp
- memory/1604-139-0x0000000024010000-0x0000000024072000-memory.dmp (Filesize: 392KB)
- memory/1664-135-0x0000000000000000-mapping.dmp
- memory/1676-100-0x0000000000000000-mapping.dmp
- memory/1696-113-0x0000000000000000-mapping.dmp
- memory/1700-60-0x0000000000000000-mapping.dmp
- memory/1816-120-0x0000000024010000-0x0000000024072000-memory.dmp (Filesize: 392KB)
- memory/1816-95-0x0000000000000000-mapping.dmp