Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 06/12/2022, 13:41
Behavioral task behavioral1
- Sample: 80b38385db72a1c70c0fce431dba1dd6d3a1e804c885ae469791278082a18278.exe
- Resource: win7-20220901-en
Behavioral task behavioral2
- Sample: 80b38385db72a1c70c0fce431dba1dd6d3a1e804c885ae469791278082a18278.exe
- Resource: win10v2004-20220812-en
General
- Target: 80b38385db72a1c70c0fce431dba1dd6d3a1e804c885ae469791278082a18278.exe
- Size: 2.8MB
- MD5: a8702c9c645f836412347dcfc7e19e78
- SHA1: 53eb6550644cd673d37bc09f916e4d0077876a55
- SHA256: 80b38385db72a1c70c0fce431dba1dd6d3a1e804c885ae469791278082a18278
- SHA512: cd64cd48c4d2c4051263c12ff9143b22a1a7042f17f71de2edfd7c18ce9f4ce585760af8f29393618594745733bbed7c7de844faf5156c8ba48afa2a47fe2832
- SSDEEP: 49152:3/MUg1hquhjmMlEdOcxYdn6b27zvXvs09PTXLuy:dKhJmMqdOcxYl77/s09bXq
Malware Config
Signatures
resource | yara_rule
behavioral1/memory/1700-55-0x0000000000400000-0x0000000000705000-memory.dmp | vmprotect
behavioral1/memory/1700-57-0x0000000000400000-0x0000000000705000-memory.dmp | vmprotect
behavioral1/memory/1700-102-0x0000000000400000-0x0000000000705000-memory.dmp | vmprotect
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | 80b38385db72a1c70c0fce431dba1dd6d3a1e804c885ae469791278082a18278.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
1700 | 80b38385db72a1c70c0fce431dba1dd6d3a1e804c885ae469791278082a18278.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\WINDOWS\MyIme.dll | 80b38385db72a1c70c0fce431dba1dd6d3a1e804c885ae469791278082a18278.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses 53 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1700 | 80b38385db72a1c70c0fce431dba1dd6d3a1e804c885ae469791278082a18278.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1116 | iexplore.exe
Suspicious use of SetWindowsHookEx 11 IoCs
pid | Process
1700 | 80b38385db72a1c70c0fce431dba1dd6d3a1e804c885ae469791278082a18278.exe
1700 | 80b38385db72a1c70c0fce431dba1dd6d3a1e804c885ae469791278082a18278.exe
1700 | 80b38385db72a1c70c0fce431dba1dd6d3a1e804c885ae469791278082a18278.exe
1700 | 80b38385db72a1c70c0fce431dba1dd6d3a1e804c885ae469791278082a18278.exe
1700 | 80b38385db72a1c70c0fce431dba1dd6d3a1e804c885ae469791278082a18278.exe
1116 | iexplore.exe
1116 | iexplore.exe
952 | IEXPLORE.EXE
952 | IEXPLORE.EXE
952 | IEXPLORE.EXE
952 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 1700 wrote to memory of 1116 | 1700 | 80b38385db72a1c70c0fce431dba1dd6d3a1e804c885ae469791278082a18278.exe | 29
PID 1700 wrote to memory of 1116 | 1700 | 80b38385db72a1c70c0fce431dba1dd6d3a1e804c885ae469791278082a18278.exe | 29
PID 1700 wrote to memory of 1116 | 1700 | 80b38385db72a1c70c0fce431dba1dd6d3a1e804c885ae469791278082a18278.exe | 29
PID 1700 wrote to memory of 1116 | 1700 | 80b38385db72a1c70c0fce431dba1dd6d3a1e804c885ae469791278082a18278.exe | 29
PID 1116 wrote to memory of 952 | 1116 | iexplore.exe | 30
PID 1116 wrote to memory of 952 | 1116 | iexplore.exe | 30
PID 1116 wrote to memory of 952 | 1116 | iexplore.exe | 30
PID 1116 wrote to memory of 952 | 1116 | iexplore.exe | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\80b38385db72a1c70c0fce431dba1dd6d3a1e804c885ae469791278082a18278.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\80b38385db72a1c70c0fce431dba1dd6d3a1e804c885ae469791278082a18278.exe"
  PID: 1700
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.8880.pw/
    PID: 1116
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1116 CREDAT:275457 /prefetch:2
      PID: 952
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 829a356feee160db1891dc6dbb9baa30
  SHA1: aa3361719bca0b98391b7153a6823327bad52a0b
  SHA256: a5313b7719cdd8e8f2872b749f3219b34739e1652371022788ffdcae41871548
  SHA512: e084e79f9ce8b6dc55eab20cb29848d8a5496231c0a7dbdd52f8dee83422bc5082b93e539355634e956ff2159116a1ab7f8da7f16342de19fcbb606e3595a182
- Filesize: 608B
  MD5: d9fe3dc7f59913755641da6bbfa0abeb
  SHA1: d3e68379d76319ca81a9c0ad73d8170f5e7eb90d
  SHA256: 11af98bea1772bf7ea55523d4ae56f89adff56699eef177ac75a73b895b91fe7
  SHA512: 224eaaf18dc648a0b36baa9caebe27153680adb3b49fe70cc61b385b92d6be783318b4350ce1e7d5752992cffb5137bac87bba7a5deb35a8b986bcc662cce68d