Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/10/2023, 19:33
Static task: static1
Behavioral task: behavioral1
    Sample: NEAS.1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7msi_JC.msi
    Resource: win7-20231023-en
Behavioral task: behavioral2
    Sample: NEAS.1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7msi_JC.msi
    Resource: win10v2004-20231020-en
General
Target: NEAS.1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7msi_JC.msi
Size: 9.2MB
MD5: 69f900118f985990f488121cd1cf5e2b
SHA1: 33f6b7aac2afaba74eeac1a44ba9ec5d0a53d00c
SHA256: 1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7
SHA512: 09ae36c29bfbb09ed1fdc3da5ed365fa61cf2905e177909b6a8fcef8e0a25742d1acffdb13378b91c3fa607ecece4de39b380894b6df9152f06350972bbfaa42
SSDEEP: 196608:zhbWzPMCeNrs0rczeuNr/QnMOsaB9QVuHSzdUupBqbHSDjs6cv1HDQfgaP:FbWzPM5HCZNrgMVw6wyZUupkjSPcv1jO
Malware Config
Extracted
darkgate
civilian1337
http://185.130.227.202
alternative_c2_port: 8080
anti_analysis: false
anti_debug: false
anti_vm: false
c2_port: 2351
check_disk: false
check_ram: false
check_xeon: false
crypter_au3: false
crypter_dll: false
crypter_rawstub: true
crypto_key: VPsTDMdPtonzYs
internal_mutex: txtMut
minimum_disk: 100
minimum_ram: 4096
ping_interval: 4
rootkit: true
startup_persistence: true
username: civilian1337
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (64 IoCs)
description | pid | Process | procid_target (identical rows grouped, repeat count in parentheses)
PID 4844 created 1396 | 4844 | Autoit3.exe | 109
PID 4844 created 3696 | 4844 | Autoit3.exe | 17
PID 4844 created 2488 | 4844 | Autoit3.exe | 52
PID 4844 created 3996 | 4844 | Autoit3.exe | 43
PID 4844 created 4240 | 4844 | Autoit3.exe | 29
PID 5080 created 1396 | 5080 | cmd.exe | 109 (x5)
PID 5080 created 2444 | 5080 | cmd.exe | 53 (x5)
PID 5080 created 2488 | 5080 | cmd.exe | 52 (x3)
PID 5080 created 2764 | 5080 | cmd.exe | 48 (x12)
PID 5080 created 2780 | 5080 | cmd.exe | 23
PID 5080 created 3696 | 5080 | cmd.exe | 17 (x8)
PID 5080 created 3820 | 5080 | cmd.exe | 16 (x4)
PID 5080 created 3900 | 5080 | cmd.exe | 15 (x7)
PID 5080 created 3996 | 5080 | cmd.exe | 43 (x5)
PID 5080 created 4240 | 5080 | cmd.exe | 29 (x9)

Blocklisted process makes network request (54 IoCs)
flow | pid | Process
48, 49, 50, 57, 59 to 71, 74 to 87, 89 to 105, 108, 110 to 114 (54 flows in total) | 5080 | cmd.exe

Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gkekaaf.lnk | cmd.exe

Executes dropped EXE (1 IoC)
pid | Process
4844 | Autoit3.exe

Loads dropped DLL (2 IoCs)
pid | Process
700 | MsiExec.exe (x2)

Modifies file permissions (1 TTP, 2 IoCs)
pid | Process
3456 | ICACLS.EXE
1720 | ICACLS.EXE

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: through \??\Z:, every drive letter except C:, D: and F:, each opened twice (46 rows) | msiexec.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 4844 set thread context of 5080 | 4844 | Autoit3.exe | 113

Drops file in Windows directory (9 IoCs)
description | ioc | Process
File created | C:\Windows\Installer\SourceHash{2B99EF3E-10B9-44A2-AA7C-FA01E82FF4F3} | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI371A.tmp | msiexec.exe
File created | C:\Windows\Installer\e58241d.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e58241d.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI25B3.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI370A.tmp | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | cmd.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Autoit3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Autoit3.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | cmd.exe

Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings | Autoit3.exe
Key created | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings | OpenWith.exe

Runs ping.exe (1 TTP, 1 IoC)
pid | Process
1988 | PING.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (identical rows grouped, repeat count in parentheses)
4476 | msiexec.exe (x2)
4844 | Autoit3.exe (x12)
5080 | cmd.exe (x50)

Suspicious use of AdjustPrivilegeToken (53 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 4852 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4852 | msiexec.exe
Token: SeSecurityPrivilege | 4476 | msiexec.exe
Token: SeCreateTokenPrivilege | 4852 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4852 | msiexec.exe
Token: SeLockMemoryPrivilege | 4852 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4852 | msiexec.exe
Token: SeMachineAccountPrivilege | 4852 | msiexec.exe
Token: SeTcbPrivilege | 4852 | msiexec.exe
Token: SeSecurityPrivilege | 4852 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4852 | msiexec.exe
Token: SeLoadDriverPrivilege | 4852 | msiexec.exe
Token: SeSystemProfilePrivilege | 4852 | msiexec.exe
Token: SeSystemtimePrivilege | 4852 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4852 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4852 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4852 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4852 | msiexec.exe
Token: SeBackupPrivilege | 4852 | msiexec.exe
Token: SeRestorePrivilege | 4852 | msiexec.exe
Token: SeShutdownPrivilege | 4852 | msiexec.exe
Token: SeDebugPrivilege | 4852 | msiexec.exe
Token: SeAuditPrivilege | 4852 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4852 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4852 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4852 | msiexec.exe
Token: SeUndockPrivilege | 4852 | msiexec.exe
Token: SeSyncAgentPrivilege | 4852 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4852 | msiexec.exe
Token: SeManageVolumePrivilege | 4852 | msiexec.exe
Token: SeImpersonatePrivilege | 4852 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4852 | msiexec.exe
Token: SeBackupPrivilege | 4780 | vssvc.exe
Token: SeRestorePrivilege | 4780 | vssvc.exe
Token: SeAuditPrivilege | 4780 | vssvc.exe
Token: SeBackupPrivilege | 4476 | msiexec.exe
Token: SeRestorePrivilege | 4476 | msiexec.exe
Token: SeRestorePrivilege | 4476 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4476 | msiexec.exe
Token: SeRestorePrivilege | 4476 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4476 | msiexec.exe
Token: SeRestorePrivilege | 4476 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4476 | msiexec.exe
Token: SeRestorePrivilege | 4476 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4476 | msiexec.exe
Token: SeBackupPrivilege | 2464 | srtasks.exe
Token: SeRestorePrivilege | 2464 | srtasks.exe
Token: SeSecurityPrivilege | 2464 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 2464 | srtasks.exe
Token: SeBackupPrivilege | 2464 | srtasks.exe
Token: SeRestorePrivilege | 2464 | srtasks.exe
Token: SeSecurityPrivilege | 2464 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 2464 | srtasks.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
4852 | msiexec.exe (x2)

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
1396 | OpenWith.exe

Suspicious use of WriteProcessMemory (31 IoCs)
description | pid | Process | procid_target (identical rows grouped, repeat count in parentheses)
PID 4476 wrote to memory of 2464 | 4476 | msiexec.exe | 96 (x2)
PID 4476 wrote to memory of 700 | 4476 | msiexec.exe | 99 (x3)
PID 700 wrote to memory of 3456 | 700 | MsiExec.exe | 100 (x3)
PID 700 wrote to memory of 4560 | 700 | MsiExec.exe | 102 (x3)
PID 700 wrote to memory of 2572 | 700 | MsiExec.exe | 105 (x3)
PID 2572 wrote to memory of 4844 | 2572 | windbg.exe | 106 (x3)
PID 700 wrote to memory of 1720 | 700 | MsiExec.exe | 107 (x3)
PID 4844 wrote to memory of 456 | 4844 | Autoit3.exe | 111 (x3)
PID 456 wrote to memory of 1988 | 456 | cmd.exe | 112 (x3)
PID 4844 wrote to memory of 5080 | 4844 | Autoit3.exe | 113 (x5)

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indentation shows parent/child nesting)

C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 3900

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID: 3820

C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 3696

C:\Windows\system32\backgroundTaskHost.exe
    command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
    PID: 2780

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
    PID: 4240

C:\Windows\system32\msiexec.exe
    command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\NEAS.1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7msi_JC.msi
    signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
    PID: 4852

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    PID: 3996

C:\Windows\system32\taskhostw.exe
    command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID: 2764

C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID: 2488

C:\Windows\system32\sihost.exe
    command line: sihost.exe
    PID: 2444

C:\Windows\system32\msiexec.exe
    command line: C:\Windows\system32\msiexec.exe /V
    signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    PID: 4476
    C:\Windows\system32\srtasks.exe
        command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
        signatures: Suspicious use of AdjustPrivilegeToken
        PID: 2464
    C:\Windows\syswow64\MsiExec.exe
        command line: C:\Windows\syswow64\MsiExec.exe -Embedding 44293BD0E0D4E6A687D384872B7A0E57
        signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
        PID: 700
        C:\Windows\SysWOW64\ICACLS.EXE
            command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-105a1538-aacb-4591-b345-6e29d0dbf352\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
            signatures: Modifies file permissions
            PID: 3456
        C:\Windows\SysWOW64\EXPAND.EXE
            command line: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
            PID: 4560
        C:\Users\Admin\AppData\Local\Temp\MW-105a1538-aacb-4591-b345-6e29d0dbf352\files\windbg.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\MW-105a1538-aacb-4591-b345-6e29d0dbf352\files\windbg.exe"
            signatures: Suspicious use of WriteProcessMemory
            PID: 2572
            \??\c:\tmpa\Autoit3.exe
                command line: c:\tmpa\Autoit3.exe c:\tmpa\script.au3
                signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious use of SetThreadContext; Checks processor information in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
                PID: 4844
                \??\c:\windows\SysWOW64\cmd.exe
                    command line: "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 & del /q /f c:\tmpa\* & rmdir /s /q c:\tmpa\ exit
                    signatures: Suspicious use of WriteProcessMemory
                    PID: 456
                    \??\c:\windows\SysWOW64\PING.EXE
                        command line: ping 127.0.0.1
                        signatures: Runs ping.exe
                        PID: 1988
                C:\Windows\SysWOW64\cmd.exe
                    command line: cmd /c ping 127.0.0.1
                    signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Blocklisted process makes network request; Drops startup file; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses
                    PID: 5080
        C:\Windows\SysWOW64\ICACLS.EXE
            command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-105a1538-aacb-4591-b345-6e29d0dbf352\." /SETINTEGRITYLEVEL (CI)(OI)LOW
            signatures: Modifies file permissions
            PID: 1720

C:\Windows\system32\vssvc.exe
    command line: C:\Windows\system32\vssvc.exe
    signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
    PID: 4780

C:\Windows\system32\OpenWith.exe
    command line: C:\Windows\system32\OpenWith.exe -Embedding
    signatures: Modifies registry class; Suspicious use of SetWindowsHookEx
    PID: 1396
Network
MITRE ATT&CK Enterprise v15
Downloads

Entry 1
Filesize: 872KB
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Entry 2
Filesize: 170B
MD5: 16c583dd4cef16479e98b8cfd61e9224
SHA1: 40148d4ee1b587f694559e45b32e5dbf4a724269
SHA256: cfdf1246e153daebe22d2cf41bc43d840593f09a4ebf9d8ae39122b95f21ab3f
SHA512: f3e74d260fc06a051b883f03e064b1be1045238477696630e8eff1830841eb426ca110a6504a68cfd4fd00307feef9ffb1c9bd80c2b52ee8cc3f3489bedbba28

Entry 3
Filesize: 8.9MB
MD5: 3a4de3260c72e38f814cc2a7b2d42df7
SHA1: 19458fb6838dd9d8be113b0b9983c7d77c12eb25
SHA256: 411776c8e92afa462d734d14b7c569341442e5d7726009e80eaa497b5e09deb7
SHA512: 3493664ecdb50d0c0d4f2646aabdd24a20fb435f4799af96f95f625aa983842c1baf7977956964d77d5b344c9e2551d60f007230838bc7a82bc40a2c9714cc0e

Entry 4
Filesize: 370B
MD5: 9f464b04d5e081a34a1e57803e7ae9c2
SHA1: d2484f8fd6101b62512ea48f68dfbb3953f17b7b
SHA256: 91c32b0868aac1df0c922b736fb570ebddf50020e8dab8de57f557795037a259
SHA512: fa4139b6e7a1bd54a7865d9271a895def695d9306283b72631a61a9d72bf8088236399c012efeec43147dd7bfc8bb43dd836c78e49b73d5fc98d4b75c8bc705c

Entry 5
Filesize: 1KB
MD5: e74be5141a6064fffff3e623266884d1
SHA1: 0388cb3e6e5d5a6bb093c476ddaf19eb1c473212
SHA256: de2ffcb1f54ca5dafce9793a44877b21fdf3e6319264e5d9baafa9f872234dc6
SHA512: 2f77f40845b5d3e7b21144c3e0c260944a538040377091035ff19b0e5a7c3676ecb8f48cac5af77ad7e8df6e1da00031d3997b28bbc05b802f05d9d90cb62ffd

Entry 6
Filesize: 1KB (hashes identical to entry 5)
MD5: e74be5141a6064fffff3e623266884d1
SHA1: 0388cb3e6e5d5a6bb093c476ddaf19eb1c473212
SHA256: de2ffcb1f54ca5dafce9793a44877b21fdf3e6319264e5d9baafa9f872234dc6
SHA512: 2f77f40845b5d3e7b21144c3e0c260944a538040377091035ff19b0e5a7c3676ecb8f48cac5af77ad7e8df6e1da00031d3997b28bbc05b802f05d9d90cb62ffd

Entry 7
Filesize: 1KB
MD5: 53d0db59ee04582ea0d182fbcea3fc72
SHA1: ee88870dbaa235be262651d6a9301d34c6a8db49
SHA256: cfc3a04571af7f5e1f206aacb41920ec96d18d32f044c836fbdc3df35022cf3a
SHA512: edb2b9f7839e43af1e6554a0d160a40441a90670ebd2f4542ab4942c2b3ffb560ef5c4d2b73a8bd2e76d063d34abeb8356fd30487f49ea401fd363893968aa18

Entries 8, 9, 10 and 11 (four entries with identical hashes)
Filesize: 208KB
MD5: d82b3fb861129c5d71f0cd2874f97216
SHA1: f3fe341d79224126e950d2691d574d147102b18d
SHA256: 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512: 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Entries 12 and 13 (two entries with hashes identical to entry 1)
Filesize: 872KB
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Entry 14
Filesize: 23.0MB
MD5: 25b5063e7ec0279cab22192b0234a951
SHA1: 88f2bebe8faaad15abe02b84020fd58eea3919d2
SHA256: 3b4d6a2c534a7be0abadf7cfbcc6f44e1f9f9ef3649b0270b5e618cd722a9da6
SHA512: a539541120748d1cede7d4306ddfaf3ca05f98633bea2582079a894cf42feed097c4d6fca60a2ac91ee7bef4968da42bb340771b69c1109509d3fbe0dbe31b23

Entry 15
Path: \??\Volume{88fae604-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{389da1fe-678f-4f2a-88b3-fe75b06de221}_OnDiskSnapshotProp
Filesize: 5KB
MD5: c0ef3df088998868f3a1b914379dbfa2
SHA1: bc9a7ddc1568e333b1cfe897fce4422d6f0bded6
SHA256: 553925d4623215986d9b1b4c38f699d69930ce3cf8c4455f224faa94419f468a
SHA512: fe5c22c4abe2e2dd5c5f49526614cadf2ea9c59c398604cb790b1ee44d6bf1c8c8e825c9e91f60fa1eb2eb40fd4f7907a2b2258b075f086ecad9323c47acb3ff

Entry 16
Filesize: 490KB
MD5: e6c14274f52c3de09b65c182807d6fe9
SHA1: 5bd19f63092e62a0071af3bf031bea6fc8071cc8
SHA256: 5fde42453eb2e4f1eef7cec5667093bd52d4712bffef4e383f154286b7ee9aa9
SHA512: 7aa121c8d0d6f979c960882cd72a6c4766535bb277879b5040723fce3e206cc64df5c8438d5fe05e219796be4795cf25aacd13e91d8e0e24a58a17bd07f0ec4e

Entry 17 (hashes identical to entry 1)
Filesize: 872KB
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Entry 18 (hashes identical to entry 16)
Filesize: 490KB
MD5: e6c14274f52c3de09b65c182807d6fe9
SHA1: 5bd19f63092e62a0071af3bf031bea6fc8071cc8
SHA256: 5fde42453eb2e4f1eef7cec5667093bd52d4712bffef4e383f154286b7ee9aa9
SHA512: 7aa121c8d0d6f979c960882cd72a6c4766535bb277879b5040723fce3e206cc64df5c8438d5fe05e219796be4795cf25aacd13e91d8e0e24a58a17bd07f0ec4e