Analysis
- max time kernel: 150s
- max time network: 130s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 03/10/2023, 06:26
Behavioral task behavioral1
- Sample: cf0f3550fc8e22e1754eda45c883125f34159b26ddafb8649fd4d7876a82328d.exe
- Resource: win7-20230831-en
Behavioral task behavioral2
- Sample: cf0f3550fc8e22e1754eda45c883125f34159b26ddafb8649fd4d7876a82328d.exe
- Resource: win10v2004-20230915-en
General
- Target: cf0f3550fc8e22e1754eda45c883125f34159b26ddafb8649fd4d7876a82328d.exe
- Size: 2.9MB
- MD5: a1e8853219afd1191f1d832e4a304ec2
- SHA1: cc0769fd386f865c9c0a81c4c2c8dcd90309bdc7
- SHA256: cf0f3550fc8e22e1754eda45c883125f34159b26ddafb8649fd4d7876a82328d
- SHA512: ebe1836029f8a4c49294f2e05fcc050d5895ef0a356d65006337abea89fc7d91d1a24f9ab2bb4ad3b4f716b892a36f8dccafe2575ca8f5b95fc2a2271c480544
- SSDEEP: 49152:WTGkQf5QZuTtS0rQMYOQ+q8CEETG4QiTGHQ79KFeMD:WKkcWsM0r1QnbK4XKHg0Feq
Malware Config
Signatures
Drops file in Drivers directory (1 IoC)
- File created: C:\Windows\System32\drivers\a3Hrir.sys (process: wermgr.exe)
Deletes itself (1 IoC)
- PID 2332 cmd.exe
Executes dropped EXE (2 IoCs)
- PID 2440 95414f17
- PID 2768 wermgr.exe
Loads dropped DLL (1 IoC)
- PID 1256 Explorer.EXE
YARA rule matches (resource: yara_rule)
- behavioral1/memory/2216-0-0x0000000001380000-0x0000000001409000-memory.dmp: upx
- behavioral1/files/0x000b00000001201c-2.dat: upx
- behavioral1/memory/2440-3-0x0000000000840000-0x00000000008C9000-memory.dmp: upx
- behavioral1/memory/2216-39-0x0000000001380000-0x0000000001409000-memory.dmp: upx
- behavioral1/memory/2440-44-0x0000000000840000-0x00000000008C9000-memory.dmp: upx
- behavioral1/memory/2216-49-0x0000000001380000-0x0000000001409000-memory.dmp: upx
- behavioral1/memory/2440-79-0x0000000000840000-0x00000000008C9000-memory.dmp: upx
- behavioral1/memory/2440-96-0x0000000000840000-0x00000000008C9000-memory.dmp: upx
- behavioral1/files/0x000b00000001201c-110.dat: upx
Unexpected DNS network traffic destination (1 IoC)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Destination IP: 114.114.114.114
Drops file in System32 directory (13 IoCs)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A (process: 95414f17)
- File created: C:\Windows\Syswow64\95414f17 (process: cf0f3550fc8e22e1754eda45c883125f34159b26ddafb8649fd4d7876a82328d.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (process: 95414f17)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 (process: 95414f17)
- File created: C:\Windows\system32\ \Windows\System32\51BqKp.sys (process: wermgr.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E (process: 95414f17)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4 (process: 95414f17)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4 (process: 95414f17)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (process: 95414f17)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (process: 95414f17)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 (process: 95414f17)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E (process: 95414f17)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A (process: 95414f17)
Drops file in Windows directory (2 IoCs)
- File opened for modification: C:\Windows\29c610 (process: 95414f17)
- File created: C:\Windows\cY1Xur3.sys (process: wermgr.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe (2 IoCs)
- PID 1304 timeout.exe
- PID 536 timeout.exe
Modifies Internet Explorer settings (2 IoCs)
- Set value (data): \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\New Windows\Allow\www.hao774.com (process: wermgr.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\New Windows\Allow (process: wermgr.exe)
Modifies data under HKEY_USERS (64 IoCs, all by process 95414f17)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-31-25-8e-30-ca
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{480C2241-73C4-436B-AB29-41F9120F7BE1}\82-31-25-8e-30-ca
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-31-25-8e-30-ca\WpadDecisionTime = 3063728ec2f5d901
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-31-25-8e-30-ca\WpadDecisionReason = "1"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{480C2241-73C4-436B-AB29-41F9120F7BE1}
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{480C2241-73C4-436B-AB29-41F9120F7BE1}\WpadDecisionReason = "1"
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{480C2241-73C4-436B-AB29-41F9120F7BE1}\WpadDecisionTime = 3063728ec2f5d901
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{480C2241-73C4-436B-AB29-41F9120F7BE1}\WpadDecision = "0"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{480C2241-73C4-436B-AB29-41F9120F7BE1}\WpadNetworkName = "Network 2"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
Modifies system certificate store (7 IoCs)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob value omitted) (process: 95414f17)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 (process: wermgr.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob value omitted) (process: wermgr.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 (process: wermgr.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (blob value omitted) (process: wermgr.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob value omitted) (process: wermgr.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 (process: 95414f17)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2440 95414f17 (7 entries)
- PID 1256 Explorer.EXE (3 entries)
- PID 2768 wermgr.exe (54 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 1256 Explorer.EXE
Suspicious behavior: LoadsDriver (3 IoCs)
- PID 468 Process not Found (3 entries)
Suspicious use of AdjustPrivilegeToken (14 IoCs)
- Token: SeDebugPrivilege, PID 2216 cf0f3550fc8e22e1754eda45c883125f34159b26ddafb8649fd4d7876a82328d.exe
- Token: SeTcbPrivilege, PID 2216 cf0f3550fc8e22e1754eda45c883125f34159b26ddafb8649fd4d7876a82328d.exe
- Token: SeDebugPrivilege, PID 2440 95414f17
- Token: SeTcbPrivilege, PID 2440 95414f17
- Token: SeDebugPrivilege, PID 2440 95414f17
- Token: SeDebugPrivilege, PID 1256 Explorer.EXE
- Token: SeDebugPrivilege, PID 1256 Explorer.EXE
- Token: SeIncBasePriorityPrivilege, PID 2216 cf0f3550fc8e22e1754eda45c883125f34159b26ddafb8649fd4d7876a82328d.exe
- Token: SeDebugPrivilege, PID 2440 95414f17
- Token: SeDebugPrivilege, PID 2768 wermgr.exe
- Token: SeDebugPrivilege, PID 2768 wermgr.exe
- Token: SeDebugPrivilege, PID 2768 wermgr.exe
- Token: SeIncBasePriorityPrivilege, PID 2440 95414f17
- Token: SeDebugPrivilege, PID 2768 wermgr.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
- PID 2768 wermgr.exe (64 entries)
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 2768 wermgr.exe
Suspicious use of WriteProcessMemory (64 IoCs; columns: description, pid, Process, procid_target)
- PID 2440 wrote to memory of 1256; 2440 95414f17; procid_target 22 (5 entries)
- PID 1256 wrote to memory of 2768; 1256 Explorer.EXE; procid_target 30 (8 entries)
- PID 2440 wrote to memory of 424; 2440 95414f17; procid_target 3 (5 entries)
- PID 2216 wrote to memory of 2332; 2216 cf0f3550fc8e22e1754eda45c883125f34159b26ddafb8649fd4d7876a82328d.exe; procid_target 32 (4 entries)
- PID 2332 wrote to memory of 1304; 2332 cmd.exe; procid_target 34 (4 entries)
- PID 2440 wrote to memory of 2832; 2440 95414f17; procid_target 36 (4 entries)
- PID 2832 wrote to memory of 536; 2832 cmd.exe; procid_target 38 (4 entries)
- PID 2768 wrote to memory of 1256; 2768 wermgr.exe; procid_target 22 (30 entries)
Processes (indentation shows the parent/child tree; the depth number in the original listing is given for each node)

C:\Windows\system32\winlogon.exe (depth 1)
  Command line: winlogon.exe
  PID: 424

C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  PID: 1256
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\cf0f3550fc8e22e1754eda45c883125f34159b26ddafb8649fd4d7876a82328d.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\cf0f3550fc8e22e1754eda45c883125f34159b26ddafb8649fd4d7876a82328d.exe"
    PID: 2216
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\cf0f3550fc8e22e1754eda45c883125f34159b26ddafb8649fd4d7876a82328d.exe"
      PID: 2332
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\timeout.exe (depth 4)
        Command line: timeout /t 1
        PID: 1304
        - Delays execution with timeout.exe

  C:\ProgramData\Microsoft\wermgr.exe (depth 2)
    Command line: "C:\ProgramData\Microsoft\wermgr.exe"
    PID: 2768
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

C:\Windows\Syswow64\95414f17 (depth 1)
  Command line: C:\Windows\Syswow64\95414f17
  PID: 2440
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\95414f17"
    PID: 2832
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe (depth 3)
      Command line: timeout /t 1
      PID: 536
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 49KB
  MD5: 41df7355a5a907e2c1d7804ec028965d
  SHA1: 453263d230c6317eb4a2eb3aceeec1bbcf5e153d
  SHA256: 207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861
  SHA512: 59c9d69d3942543af4f387137226516adec1a4304bd5696c6c1d338f9e5f40d136450907351cce018563df1358e06a792005167f5c08c689df32d809c4cebdcf

- Filesize: 61KB
  MD5: f3441b8572aae8801c04f3060b550443
  SHA1: 4ef0a35436125d6821831ef36c28ffaf196cda15
  SHA256: 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
  SHA512: 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

- Filesize: 2.9MB
  MD5: 72884f4306987883eabd632666811f35
  SHA1: 1c341e06c2217e7ebae5ee77494653013f9a27fa
  SHA256: 17c1e99240eabe71fa54ea701b7d561df06314ea5976aa40433bc9b7ba015f3c
  SHA512: 17a9ce1ffa0fc8007b065d897ef15f9fae326850abefd61de00474150da9f69a17c977c3a2cd34ba11fc0252793e4a41507582a635c0f716c2c20f9e472e88ef
- Filesize: 163KB
  MD5: 9441737383d21192400eca82fda910ec
  SHA1: 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
  SHA256: bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
  SHA512: 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf