Analysis
- max time kernel: 152s
- max time network: 43s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 29/11/2022, 06:25
Static task: static1
Behavioral task: behavioral1
- Sample: 91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
- Resource: win10v2004-20221111-en
General
- Target: 91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
- Size: 294KB
- MD5: 2e9953436b0a50e6790b4aca52ccdcbc
- SHA1: cd204cc097daa5145f500d0658949c2fc000f7f5
- SHA256: 91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2
- SHA512: 558c6e8a1a8b729803709d42992adaed69629a0d3d5ddd0a120563c406a43b2f0633e19587383db61d72bc1395a06f966550f5b19c9dfc945ec738c27ff09101
- SSDEEP: 6144:cii/AdpkpF7yz3CydFEkDaAB5b43PQWOn3jEbF6pOO5N1A1KNP:CATkFa3nd+6aa1koW23QYpOq5
Malware Config
Signatures
Loads dropped DLL 5 IoCs
pid | Process
892 | rundll32.exe  (4 entries)
784 | 91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\effecbaudio = "rundll32.exe \"geedec.dll\",s" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\gebbabaudio = "rundll32.exe \"geedec.dll\",s" | rundll32.exe
Drops file in System32 directory 1 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\geedec.dll | 91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
Drops file in Program Files directory 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
892 | rundll32.exe  (64 identical entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 892 | rundll32.exe  (64 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 784 wrote to memory of 892 | 784 | 91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe | 26  (7 entries)
PID 892 wrote to memory of 1360 | 892 | rundll32.exe | 9
PID 892 wrote to memory of 416 | 892 | rundll32.exe | 21
PID 892 wrote to memory of 1232 | 892 | rundll32.exe | 11
PID 892 wrote to memory of 1312 | 892 | rundll32.exe | 10
PID 892 wrote to memory of 784 | 892 | rundll32.exe | 17
PID 892 wrote to memory of 1360 | 892 | rundll32.exe | 9  (repeated for all remaining entries)
Processes
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  depth 1, PID:1360
  - C:\Users\Admin\AppData\Local\Temp\91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\91ec0eae5667a6dc0f3c414d59f161a61f39e15257f01930a23f46a1ed0b22f2.exe"
    depth 2, PID:784
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe "C:\Windows\system32\geedec.dll",s
      depth 3, PID:892
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
- C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
  depth 1, PID:1312
- C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
  depth 1, PID:1232
- C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  depth 1, PID:416
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 294KB
  MD5: 42c7ecb13220f1f8ab2ce8edd78379bc
  SHA1: e27888ba34504f85590f2f44df2ff199ece7fdc4
  SHA256: 776b12213650b1daac6722c53f1e1b750ac821a708147a71ec1862021e7647cf
  SHA512: 3bdf1962247fab37d4266f4ddf5f71b2f374e1212f6b66acf543774d8bfc9a41b6913cdaf2ebc886bb8f405722fb4d01b8670fe378fe1f9713a945ec1963d984