Analysis
max time kernel: 154s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/11/2022, 03:43
Static task: static1
Behavioral task: behavioral1 (Sample 712d0774e1582309427ad83b79e74fd1fe04360e2c4711dd82c0ae52a4be9734.exe, Resource win7-20220901-en)
Behavioral task: behavioral2 (Sample 712d0774e1582309427ad83b79e74fd1fe04360e2c4711dd82c0ae52a4be9734.exe, Resource win10v2004-20220812-en)
The results on this page are from behavioral2, the win10v2004-20220812-en image named under platform and resource above.
General
Target: 712d0774e1582309427ad83b79e74fd1fe04360e2c4711dd82c0ae52a4be9734.exe
Size: 45KB
MD5: 065403bcd78f5ef01ae779a88cd50eb7
SHA1: 447f03c372852d16856e22410e56d2b1a2d0dd5d
SHA256: 712d0774e1582309427ad83b79e74fd1fe04360e2c4711dd82c0ae52a4be9734
SHA512: 9095d612418f75d7253cc9aadda4412a2137832a4095be1eaeafb5fea05eb94ac8a2c86495c3cd1700c411fe545192f8db953b92720704e904c6e6c9e942f175
SSDEEP: 768:E1AuwHyeFo6NPIFAoslbf8eRYLGXdoIFbb5omuKWcbsvwnoT9D88888888888JXa:EOxyeFo6NPCAosxYyXdF5oy3VoKa
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 8 IoCs)
Two values are written, each by four processes (the sample and its three dropped copies):
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"
- Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""
Written by each of: SVCHOST.EXE, 712d0774e1582309427ad83b79e74fd1fe04360e2c4711dd82c0ae52a4be9734.exe, CTFMON.EXE, SPOOLSV.EXE.
Only the WOW6432Node view of the HKLM Userinit value appears here: the sample is 32-bit (it later spawns C:\Windows\SysWOW64\userinit.exe), so its HKLM\SOFTWARE writes are redirected. The Shell value is written per-user under HKU, where it overrides the machine-wide value for that account and chains the dropped copy after Explorer.exe. When triaging a host, check both the native and the WOW6432Node Winlogon keys, and HKCU as well as HKLM.
Modifies visibility of file extensions in Explorer (2 TTPs, 4 IoCs)
- Set value (int)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Written by each of: CTFMON.EXE, SPOOLSV.EXE, SVCHOST.EXE, 712d0774e1582309427ad83b79e74fd1fe04360e2c4711dd82c0ae52a4be9734.exe.
Modifies visibility of hidden/system files in Explorer (2 TTPs, 4 IoCs)
- Set value (int)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Written by each of: CTFMON.EXE, SPOOLSV.EXE, SVCHOST.EXE, 712d0774e1582309427ad83b79e74fd1fe04360e2c4711dd82c0ae52a4be9734.exe.
HideFileExt = 1 forces "hide extensions for known file types" on even if the user had turned it off, and ShowSuperHidden = 0 keeps protected operating-system files hidden. Together with the scrfile relabel under "Modifies registry class" below, a file whose class has been relabelled appears in Explorer with the Word type name and no visible extension.
Executes dropped EXE (15 IoCs)
pid / Process:
- SVCHOST.EXE: 4940, 1220, 4312, 2336, 3748
- SPOOLSV.EXE: 4776, 3328, 3228, 2596, 4880
- CTFMON.EXE: 1644, 4400, 3780, 4832, 4964
All three are copies written to C:\recycled\ (see Processes below); the names mimic legitimate Windows binaries that live in C:\Windows\System32, so match on full path, not on image name, when hunting.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  by 712d0774e1582309427ad83b79e74fd1fe04360e2c4711dd82c0ae52a4be9734.exe
Drops desktop.ini file(s) (1 IoC)
- File opened for modification  C:\Recycled\desktop.ini  by 712d0774e1582309427ad83b79e74fd1fe04360e2c4711dd82c0ae52a4be9734.exe
C:\Recycled is also the directory the three copies run from. The name matches the legacy (FAT-era) Recycle Bin folder, and a desktop.ini placed there can be used to give the directory a system folder's icon and display name in Explorer.
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only), grouped by process (drive letters sorted):
- 712d0774e1582309427ad83b79e74fd1fe04360e2c4711dd82c0ae52a4be9734.exe: F: G: I: J: K: M: N: O: P: R: T: U: V: W: X: Y: Z:
- SVCHOST.EXE: E: F: G: H: J: L: M: N: P: R: T: V: W: X: Y: Z:
- SPOOLSV.EXE: F: G: H: K: L: M: N: O: P: Q: R: S: U: W:
- CTFMON.EXE: E: F: G: H: I: K: N: O: Q: R: S: U: V: W: X: Y: Z:
Both this signature and EnumeratesProcesses stop at exactly 64 entries, which suggests a display cap; treat the per-process sets as samples of a full E: to Z: sweep rather than complete lists.
Drops file in Program Files directory (1 IoC)
- File opened for modification  C:\Program Files\Microsoft Office\Root\VFS\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\docicon.exe  by 712d0774e1582309427ad83b79e74fd1fe04360e2c4711dd82c0ae52a4be9734.exe
docicon.exe is the Office icon resource for Word document types; the same path is then set as Word.Document.8\DefaultIcon (see "Modifies registry class" below). The report records only the open for modification, not what was written.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The second sentence is the signature's generic description. No file-encryption activity appears anywhere else in this report, so read this together with the drive enumeration above rather than as a ransomware indicator on its own.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  by WINWORD.EXE
- Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  by WINWORD.EXE
- Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  by WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  by WINWORD.EXE
- Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  by WINWORD.EXE
- Key opened  \REGISTRY\MACHINE\Hardware\Description\System\BIOS  by WINWORD.EXE
The only process reading these keys is WINWORD.EXE (PID 3588), the legitimate Word instance the sample launched to open the decoy .doc. Neither the sample nor its copies query them, so treat these two signatures as Word's own startup behaviour rather than evasion by the sample.
Modifies registry class (29 IoCs)
The net effect of these writes is a file-type disguise: the scrfile class (the .scr extension) is relabelled "Microsoft Word 97 - 2003 Document", its shell\open verb is rewritten and its config and install verbs deleted, and Word.Document.8\DefaultIcon is pointed at the docicon.exe path opened above. With the HideFileExt/ShowSuperHidden changes, a screensaver executable then shows in Explorer with Word's icon and type name. The per-user `*` InfoTip, QuickTip and TileInfo values control which properties Explorer shows in hover tooltips and tile view for every file.
Per-machine class changes (\REGISTRY\MACHINE\SOFTWARE\Classes), "all four" meaning 712d0774e1582309427ad83b79e74fd1fe04360e2c4711dd82c0ae52a4be9734.exe, SVCHOST.EXE, SPOOLSV.EXE and CTFMON.EXE:
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"  by all four
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\  (data not shown in the report)  by all four
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe"  by all four
- Key deleted  \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG  by 712d0774e1582309427ad83b79e74fd1fe04360e2c4711dd82c0ae52a4be9734.exe
- Key deleted  \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG\COMMAND  by 712d0774e1582309427ad83b79e74fd1fe04360e2c4711dd82c0ae52a4be9734.exe
- Key deleted  \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL  by 712d0774e1582309427ad83b79e74fd1fe04360e2c4711dd82c0ae52a4be9734.exe
- Key deleted  \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL\COMMAND  by 712d0774e1582309427ad83b79e74fd1fe04360e2c4711dd82c0ae52a4be9734.exe
Per-user class changes (\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes):
- Key created  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings  by 712d0774e1582309427ad83b79e74fd1fe04360e2c4711dd82c0ae52a4be9734.exe
- Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\*\InfoTip = "prop:Type;Write;Size"  by all four
- Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\*\QuickTip = "prop:Type;Size"  by all four
- Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\*\TileInfo = "prop:Type;Size"  by all four
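The Winlogon persistence, the two Explorer visibility flags and the scrfile relabel above are all plain registry value writes, so they can be matched from endpoint telemetry without a sandbox. The following is an added example, not part of the tria.ge report or of any tria.ge tooling: a small Python classifier over Sysmon-style "registry value set" records (Event ID 13, reduced to writing image, value path and new data). The events it runs on are constructed to mirror the IoCs above plus one benign control, and the stock defaults it compares against (Userinit = C:\Windows\system32\userinit.exe, Shell = explorer.exe, scrfile default = "Screen Saver") are assumptions about a clean Windows 10 install rather than values taken from the report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RegEvent:
    """One 'registry value set' record, Sysmon Event ID 13 shape."""
    image: str    # writing process, e.g. C:\recycled\SVCHOST.EXE
    target: str   # value path in the \REGISTRY\... form the report uses
    details: str  # new data as logged; Sysmon renders DWORDs as 'DWORD (0x00000001)'


# Assumed stock Windows 10 defaults (assumption, not taken from the report).
USERINIT_DEFAULT = re.compile(r"c:\\windows\\system32\\userinit\.exe,?", re.I)
SHELL_DEFAULT = re.compile(r"explorer\.exe", re.I)
SCRFILE_DEFAULT = "screen saver"

WINLOGON = r"\\microsoft\\windows nt\\currentversion\\winlogon\\"
ADVANCED = r"\\microsoft\\windows\\currentversion\\explorer\\advanced\\"


def dword(details):
    """Parse Sysmon's 'DWORD (0x...)' or a bare decimal; None for anything else."""
    m = re.fullmatch(r"dword \(0x([0-9a-f]+)\)|(\d+)", details.strip().strip('"'), re.I)
    if not m:
        return None
    return int(m.group(1), 16) if m.group(1) else int(m.group(2))


def classify(ev):
    """Rule names one event trips; empty list for events the rules ignore."""
    path = ev.target.lower()
    data = ev.details.strip().strip('"')
    hits = []
    # Persistence. A per-user (HKU) Shell value does not exist on a stock install,
    # so its mere presence is a hit; other values are compared against the defaults.
    if re.search(WINLOGON + r"userinit$", path):
        if not USERINIT_DEFAULT.fullmatch(data):
            hits.append("winlogon_userinit_hijack")
    elif re.search(WINLOGON + r"shell$", path):
        if path.startswith("\\registry\\user\\") or not SHELL_DEFAULT.fullmatch(data):
            hits.append("winlogon_shell_hijack")
    # Disguise: hide extensions, hide protected OS files, relabel the .scr class.
    elif re.search(ADVANCED + r"hidefileext$", path) and dword(data) == 1:
        hits.append("explorer_hide_extensions")
    elif re.search(ADVANCED + r"showsuperhidden$", path) and dword(data) == 0:
        hits.append("explorer_hide_superhidden")
    elif re.search(r"\\software\\classes\\scrfile\\?$", path) and SCRFILE_DEFAULT not in data.lower():
        hits.append("scrfile_class_relabel")
    return hits


def triage(events):
    """Rules tripped, grouped by writing image (sorted rule names per image)."""
    by_image = defaultdict(set)
    for ev in events:
        for rule in classify(ev):
            by_image[ev.image].add(rule)
    return {image: sorted(rules) for image, rules in by_image.items()}


# Constructed to mirror the report's IoCs, plus one benign control at the end.
SID = "S-1-5-21-2891029575-1462575-1165213807-1000"
HKLM32 = "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node"
HKU = "\\REGISTRY\\USER\\" + SID
SAMPLE_EVENTS = [
    RegEvent("C:\\recycled\\SVCHOST.EXE", HKLM32 + "\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit",
             "C:\\recycled\\SVCHOST.exe,"),
    RegEvent("C:\\recycled\\SVCHOST.EXE", HKU + "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
             'Explorer.exe "C:\\recycled\\SVCHOST.exe"'),
    RegEvent("C:\\recycled\\CTFMON.EXE", HKU + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt",
             "DWORD (0x00000001)"),
    RegEvent("C:\\recycled\\CTFMON.EXE", HKU + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
             "DWORD (0x00000000)"),
    RegEvent("C:\\recycled\\CTFMON.EXE", "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\scrfile\\",
             "Microsoft Word 97 - 2003 Document"),
    # Benign control: an installer restoring the stock Userinit value.
    RegEvent("C:\\Windows\\System32\\msiexec.exe",
             "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit",
             "C:\\Windows\\system32\\userinit.exe,"),
]

if __name__ == "__main__":
    for image, rules in triage(SAMPLE_EVENTS).items():
        print(image, "->", ", ".join(rules))
```

classify() matches the Winlogon paths on their tail only, so the native, WOW6432Node and per-user views are all covered by one rule, which is the gap a native-key-only check would leave on this sample. triage() groups hits by writing process because that is the shape this report shows: every dropped copy trips both a persistence rule and a disguise rule, and a single image tripping both is a stronger signal than either rule alone.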
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
- 3588 WINWORD.EXE (listed twice)
This belongs to the Word instance opening the decoy document, not to the sample; registering a clipboard listener is normal for Word.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / Process, repeated hits from four processes (the list stops at 64 entries):
- 5076 712d0774e1582309427ad83b79e74fd1fe04360e2c4711dd82c0ae52a4be9734.exe
- 1644 CTFMON.EXE
- 4776 SPOOLSV.EXE
- 4940 SVCHOST.EXE
The three enumerating copies (PIDs 4940, 4776 and 1644) are the same ones that carry the persistence and registry-class signatures in the process tree below.
Suspicious use of SetWindowsHookEx (23 IoCs)
pid / Process:
- 5076 712d0774e1582309427ad83b79e74fd1fe04360e2c4711dd82c0ae52a4be9734.exe
- SVCHOST.EXE: 4940, 1220, 4312, 2336, 3748
- SPOOLSV.EXE: 4776, 3328, 3228, 2596, 4880
- CTFMON.EXE: 1644, 4400, 3780, 4832, 4964
- 3588 WINWORD.EXE (listed 7 times)
Every copy of the sample installs a hook. The report does not show the hook type, so this cannot be read as keylogging from this page alone; the WINWORD.EXE entries are Word's own.
Suspicious use of WriteProcessMemory (53 IoCs)
Each writer/target pair below is recorded three times in the report (the last pair twice); procid_target is the report's own process index. Every pair is a parent/child edge of the Processes tree below, so these records document process lineage rather than injection into an unrelated process. "the sample" is 712d0774e1582309427ad83b79e74fd1fe04360e2c4711dd82c0ae52a4be9734.exe.
PID <writer> wrote to memory of <target>  (writer image, procid_target):
- 5076 -> 4940  (the sample, 79)
- 4940 -> 1220  (SVCHOST.EXE, 80)
- 4940 -> 4776  (SVCHOST.EXE, 81)
- 4776 -> 4312  (SPOOLSV.EXE, 82)
- 4776 -> 3328  (SPOOLSV.EXE, 83)
- 4776 -> 1644  (SPOOLSV.EXE, 84)
- 1644 -> 2336  (CTFMON.EXE, 85)
- 1644 -> 3228  (CTFMON.EXE, 86)
- 1644 -> 4400  (CTFMON.EXE, 87)
- 4940 -> 3780  (SVCHOST.EXE, 88)
- 5076 -> 2596  (the sample, 89)
- 5076 -> 4832  (the sample, 90)
- 5076 -> 3748  (the sample, 91)
- 5076 -> 4880  (the sample, 92)
- 5076 -> 4964  (the sample, 93)
- 4940 -> 4224  (SVCHOST.EXE, 94)
- 4224 -> 4812  (userinit.exe, 95)
- 5076 -> 3588  (the sample, 99; listed twice)
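The 53 records above collapse to 18 parent/child pairs. The following added example (not from the report or from tria.ge) parses records in the report's own column order, drops the repeated entries and rebuilds the lineage as an indented tree. The input lines and the pid-to-name map for leaf processes are constructed from this report; the output should match the Processes section below apart from PID 3380 explorer.exe, which is a separate root that never appears in these records.

```python
import re
from collections import defaultdict

# Report column order: PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>
RECORD = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+")

SAMPLE = "712d0774e1582309427ad83b79e74fd1fe04360e2c4711dd82c0ae52a4be9734.exe"

# Constructed from the report's WriteProcessMemory entries. Each pair is logged
# three times there; the first pair keeps its duplicates to show the dedupe.
REPORT_LINES = [
    f"PID 5076 wrote to memory of 4940 5076 {SAMPLE} 79",
    f"PID 5076 wrote to memory of 4940 5076 {SAMPLE} 79",
    f"PID 5076 wrote to memory of 4940 5076 {SAMPLE} 79",
    "PID 4940 wrote to memory of 1220 4940 SVCHOST.EXE 80",
    "PID 4940 wrote to memory of 4776 4940 SVCHOST.EXE 81",
    "PID 4776 wrote to memory of 4312 4776 SPOOLSV.EXE 82",
    "PID 4776 wrote to memory of 3328 4776 SPOOLSV.EXE 83",
    "PID 4776 wrote to memory of 1644 4776 SPOOLSV.EXE 84",
    "PID 1644 wrote to memory of 2336 1644 CTFMON.EXE 85",
    "PID 1644 wrote to memory of 3228 1644 CTFMON.EXE 86",
    "PID 1644 wrote to memory of 4400 1644 CTFMON.EXE 87",
    "PID 4940 wrote to memory of 3780 4940 SVCHOST.EXE 88",
    f"PID 5076 wrote to memory of 2596 5076 {SAMPLE} 89",
    f"PID 5076 wrote to memory of 4832 5076 {SAMPLE} 90",
    f"PID 5076 wrote to memory of 3748 5076 {SAMPLE} 91",
    f"PID 5076 wrote to memory of 4880 5076 {SAMPLE} 92",
    f"PID 5076 wrote to memory of 4964 5076 {SAMPLE} 93",
    "PID 4940 wrote to memory of 4224 4940 SVCHOST.EXE 94",
    "PID 4224 wrote to memory of 4812 4224 userinit.exe 95",
    f"PID 5076 wrote to memory of 3588 5076 {SAMPLE} 99",
    "not a record line",  # malformed input is skipped, not fatal
]

# Processes that never write to a child carry no image name in these records;
# this map is constructed from the report's Processes section.
LEAF_NAMES = {
    1220: "SVCHOST.EXE", 4312: "SVCHOST.EXE", 3328: "SPOOLSV.EXE", 2336: "SVCHOST.EXE",
    3228: "SPOOLSV.EXE", 4400: "CTFMON.EXE", 3780: "CTFMON.EXE", 4812: "Explorer.exe",
    2596: "SPOOLSV.EXE", 4832: "CTFMON.EXE", 3748: "SVCHOST.EXE", 4880: "SPOOLSV.EXE",
    4964: "CTFMON.EXE", 3588: "WINWORD.EXE",
}


def parse(lines):
    """Return (children, names). children: writer pid -> target pids in first-seen
    order with duplicates dropped; names: writer pid -> image as logged."""
    children, names = defaultdict(list), {}
    for line in lines:
        m = RECORD.fullmatch(line.strip())
        if not m:
            continue
        writer, target, image = int(m.group(1)), int(m.group(2)), m.group(3)
        names[writer] = image
        if target not in children[writer]:
            children[writer].append(target)
    return dict(children), names


def roots(children):
    """Writers that are never themselves a target: the tree roots."""
    targets = {t for ts in children.values() for t in ts}
    return [p for p in children if p not in targets]


def render(children, names, pid, level=1):
    """Indented 'pid image' lines, depth-first, children in logged order."""
    out = [f"{'  ' * (level - 1)}{pid} {names.get(pid, '?')}"]
    for child in children.get(pid, []):
        out.extend(render(children, names, child, level + 1))
    return out


def lineage(lines, leaf_names=None):
    """Full pipeline: records -> one indented tree per root."""
    children, names = parse(lines)
    names = {**(leaf_names or {}), **names}
    return [line for root in roots(children) for line in render(children, names, root)]


if __name__ == "__main__":
    print("\n".join(lineage(REPORT_LINES, LEAF_NAMES)))
```

The backreference in RECORD (the writer pid appears twice per record) rejects lines where the two copies disagree, which is the quickest way to notice a mangled export. Leaf names have to come from outside the records, so on a real report they are read from the process list; here the map is hand-built from the Processes section.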
Processes
Indented by parent/child depth (the bracketed number). Each entry gives the PID, the image path as loaded, then the command line as logged, followed by the signatures attributed to that process.

[1] PID 5076  C:\Users\Admin\AppData\Local\Temp\712d0774e1582309427ad83b79e74fd1fe04360e2c4711dd82c0ae52a4be9734.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\712d0774e1582309427ad83b79e74fd1fe04360e2c4711dd82c0ae52a4be9734.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Checks computer location settings
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] PID 4940  C:\recycled\SVCHOST.EXE
      cmd: C:\recycled\SVCHOST.EXE :agent
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Enumerates connected drives
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] PID 1220  C:\recycled\SVCHOST.EXE
        cmd: C:\recycled\SVCHOST.EXE :agent
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    [3] PID 4776  C:\recycled\SPOOLSV.EXE
        cmd: C:\recycled\SPOOLSV.EXE :agent
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Enumerates connected drives
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] PID 4312  C:\recycled\SVCHOST.EXE
          cmd: C:\recycled\SVCHOST.EXE :agent
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
      [4] PID 3328  C:\recycled\SPOOLSV.EXE
          cmd: C:\recycled\SPOOLSV.EXE :agent
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
      [4] PID 1644  C:\recycled\CTFMON.EXE
          cmd: C:\recycled\CTFMON.EXE :agent
          - Modifies WinLogon for persistence
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Enumerates connected drives
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] PID 2336  C:\recycled\SVCHOST.EXE
            cmd: C:\recycled\SVCHOST.EXE :agent
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] PID 3228  C:\recycled\SPOOLSV.EXE
            cmd: C:\recycled\SPOOLSV.EXE :agent
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] PID 4400  C:\recycled\CTFMON.EXE
            cmd: C:\recycled\CTFMON.EXE :agent
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
    [3] PID 3780  C:\recycled\CTFMON.EXE
        cmd: C:\recycled\CTFMON.EXE :agent
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    [3] PID 4224  C:\Windows\SysWOW64\userinit.exe
        cmd: C:\Windows\system32\userinit.exe
        - Suspicious use of WriteProcessMemory
      [4] PID 4812  C:\Windows\SysWOW64\Explorer.exe
          cmd: Explorer.exe "C:\recycled\SVCHOST.exe"
  [2] PID 2596  C:\recycled\SPOOLSV.EXE
      cmd: C:\recycled\SPOOLSV.EXE :agent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
  [2] PID 4832  C:\recycled\CTFMON.EXE
      cmd: C:\recycled\CTFMON.EXE :agent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
  [2] PID 3748  C:\recycled\SVCHOST.EXE
      cmd: C:\recycled\SVCHOST.EXE :agent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
  [2] PID 4880  C:\recycled\SPOOLSV.EXE
      cmd: C:\recycled\SPOOLSV.EXE :agent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
  [2] PID 4964  C:\recycled\CTFMON.EXE
      cmd: C:\recycled\CTFMON.EXE :agent
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
  [2] PID 3588  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      cmd: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\712d0774e1582309427ad83b79e74fd1fe04360e2c4711dd82c0ae52a4be9734.doc" /o ""
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
[1] PID 3380  C:\Windows\explorer.exe
    cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

Reading the tree:
- Every dropped copy runs with the argument :agent; the submitted sample runs without it, so the argument separates the copies' mode from first execution and is a usable command-line indicator.
- The three copies that carry the full signature set (4940 SVCHOST.EXE, 4776 SPOOLSV.EXE, 1644 CTFMON.EXE) each spawn one more copy of each of the three names; the rest are short-lived instances with only the hook and dropped-EXE signatures.
- PID 4940 runs userinit.exe itself (the SysWOW64 copy, confirming a 32-bit process). userinit.exe launches whatever Winlogon\Shell names, which is why its child is Explorer.exe "C:\recycled\SVCHOST.exe", the value written under "Modifies WinLogon for persistence". The hijacked Shell value is therefore exercised during this run without any logon taking place.
- The sample launches the real Word on a .doc with its own base name in the same directory: a decoy so the victim sees a document open. The WINWORD.EXE signatures are Word's, not the sample's.
- PID 3380 is a COM-activated Explorer instance (/factory ... -Embedding) and a separate root; it is not a child of the sample and carries no signatures.
Network
MITRE ATT&CK Enterprise v6
Downloads
Entries with identical hashes appear several times in the report; they are collapsed here with the count. The report does not map these hashes to file names.
- 45KB, listed 6 times
  MD5 d2276d098faf924760bc6f6386fb3110
  SHA1 553e6b7e2de1f25c3f5483b3ffd012267ca9000a
  SHA256 078eeba490b828ce25ab16c8a52a5c1359ccbec749042de8453c348d2a5d7f0d
  SHA512 47dade5d86f0654f5608b6fdea599e248df13babdbc85291df19291e6aa5dcd572f4c01df7c4bc81357bb3e742419e5cf0786393462658245d9cb78e49ac627b
- 45KB, listed 6 times
  MD5 6eee27c4cf4c2c313c23e1931697904c
  SHA1 4bfe4ce686008346b845ec9fecc2dd6f0f8fafe1
  SHA256 3b0bafa5c85bdd4c0ee582f3a1d73206c714956fde4495d0c080eadf4e7d166b
  SHA512 90699a1b76b81e7f102fa7de18770d70861c82fa6f68d1c1903bc510847bcfd37cb79b8e93acc1f4a7c748522402ee38211c66cc0bcb595912280650d74c3096
- 45KB, listed 6 times
  MD5 4f010b86e41e1ce4b8a1d7d26bac7ced
  SHA1 e62ddc3a065b60859bd3fb20a243f2deff39bec1
  SHA256 db331d2fe1018f5b527dd45a7e2f5ea6907320b4b4b6c92d0aea440794b427a9
  SHA512 2c202a0598aaa870d323388fbe46ad110f1eefa2c7e73094c7fe4dce37d46ab48549beb645ac2d429929252c5f25f6b709d07b2b80bc9593bcb3d081dd76014d
- 65B, listed once
  MD5 ad0b0b4416f06af436328a3c12dc491b
  SHA1 743c7ad130780de78ccbf75aa6f84298720ad3fa
  SHA256 23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416
  SHA512 884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56
- 1KB, listed 3 times
  MD5 0269b6347e473980c5378044ac67aa1f
  SHA1 c3334de50e320ad8bce8398acff95c363d039245
  SHA256 68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
  SHA512 e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b
- 2B, listed once
  MD5 2b9d4fa85c8e82132bde46b143040142
  SHA1 a02431cf7c501a5b368c91e41283419d8fa9fb03
  SHA256 4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142
  SHA512 c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be
Three distinct 45KB binaries are written, and none of their hashes matches the submitted 45KB sample (MD5 065403bcd78f5ef01ae779a88cd50eb7). The dropped copies are therefore not byte-identical to their parent, and blocking on the submitted sample's hashes alone will not catch them; use the path C:\recycled\, the :agent command line and the registry indicators above instead, and add all four hash sets to any blocklist.