Analysis
- max time kernel: 150s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/11/2023, 06:52 (6 November 2023: the resource image itself is dated 20231020)
Behavioral task
- behavioral1
- Sample: ee882c7298dfb477789205f2e6be0aca489f9bbc07bbfbb25ff3c897b0b0b9d9.exe
- Resource: win7-20231023-en
The signature and YARA entries below cite behavioral2 resource paths; they belong to the windows10-2004_x64 run described under Analysis, not to this Windows 7 task.
General
- Target: ee882c7298dfb477789205f2e6be0aca489f9bbc07bbfbb25ff3c897b0b0b9d9.exe
- Size: 2.0MB
- MD5: 396936c3276814680b90a5641f158dfa
- SHA1: 0b88285750160285e27f242ec480a9cf2b40f5b5
- SHA256: ee882c7298dfb477789205f2e6be0aca489f9bbc07bbfbb25ff3c897b0b0b9d9
- SHA512: 4e838dc7771f2836f1caf40a2c05cfc874e0fdf4ed384879ca5719c0149b05b99998a90823de1af0e4a292c99a915fea0709557defa9c30f6d26db2bd73b3e21
- SSDEEP: 12288:SOuW5o/oStscy+4CWKKCrZTGF/k8uMxtxPvvzz5KnL/JLW8Wdvp/8DeBo1irkoEQ:SjSow18JbKkKF/eMNPjgI1rh
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoC
description | pid | Process | procid_target
PID 3112 created 632 | 3112 | Explorer.EXE | 47
Drops file in Drivers directory 9 IoCs
description | ioc | Process
File created | C:\Windows\System32\drivers\0zoTJw.sys | wiawow64.exe
File opened for modification | C:\Windows\system32\drivers\FaHKAPq4a4.sys | wiawow64.exe
File opened for modification | C:\Windows\system32\drivers\Gb63qFprmfm3Fe.sys | wiawow64.exe
File opened for modification | C:\Windows\system32\drivers\tp8xX1jSabVPM3.sys | wiawow64.exe
File opened for modification | C:\Windows\system32\drivers\yp6WryiY2R.ovf | wiawow64.exe
File opened for modification | C:\Windows\system32\drivers\Mrgvaro7AM0l.sys | wiawow64.exe
File opened for modification | C:\Windows\system32\drivers\FxHKqRg00UTMG.esg | wiawow64.exe
File opened for modification | C:\Windows\system32\drivers\sZ9M5Z3gYH85.vkv | wiawow64.exe
File opened for modification | C:\Windows\system32\drivers\W6rQYZLQQiHX.axt | wiawow64.exe
Checks computer location settings 2 TTPs 1 IoC
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation | ee882c7298dfb477789205f2e6be0aca489f9bbc07bbfbb25ff3c897b0b0b9d9.exe
Executes dropped EXE 1 IoC
pid | Process
3952 | wiawow64.exe

YARA rule match: upx 3 IoCs
resource | yara_rule
behavioral2/memory/4572-0-0x0000000000610000-0x000000000067E000-memory.dmp | upx
behavioral2/memory/4572-27-0x0000000000610000-0x000000000067E000-memory.dmp | upx
behavioral2/memory/4572-54-0x0000000000610000-0x000000000067E000-memory.dmp | upx
(three successive dumps of the same region of the sample's own process, PID 4572)
Unexpected DNS network traffic destination 1 IoC
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
description | ioc
Destination IP | 114.114.114.114
114.114.114.114 is the public resolver run by 114DNS in China. Resolving through a hard-coded external server instead of the system resolver sidesteps the local DNS logs and any DNS-based filtering, so a hunt should look for port 53 traffic to anything other than the configured resolvers.

YARA rule match: vmprotect 4 IoCs
resource | yara_rule
behavioral2/files/0x0014000000022e57-93.dat | vmprotect
behavioral2/files/0x0022000000022e57-153.dat | vmprotect
behavioral2/files/0x0030000000022e57-209.dat | vmprotect
behavioral2/files/0x003e000000022e57-270.dat | vmprotect
Drops file in System32 directory 23 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 | wiawow64.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173 | wiawow64.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173 | wiawow64.exe
File opened for modification | C:\Windows\system32\FVAR4siETnu96.zim | wiawow64.exe
File created | C:\Windows\system32\ \Windows\System32\eS9n98nX.sys | wiawow64.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C | wiawow64.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B | wiawow64.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 | wiawow64.exe
File opened for modification | C:\Windows\system32\SOs8y7NDuZN7R7.sys | wiawow64.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046 | wiawow64.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E | wiawow64.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E | wiawow64.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475 | wiawow64.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B | wiawow64.exe
File opened for modification | C:\Windows\system32\FdS6kbDVsv15.mcv | wiawow64.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046 | wiawow64.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475 | wiawow64.exe
File opened for modification | C:\Windows\system32\AWhj3QFnG1.nuh | wiawow64.exe
File opened for modification | C:\Windows\system32\Htoizm3BXYH5w.jrh | wiawow64.exe
File opened for modification | C:\Windows\system32\T0sLgNMVUMo.sys | wiawow64.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C | wiawow64.exe
File opened for modification | C:\Windows\system32\xQaEjryIXmln.sys | wiawow64.exe
File opened for modification | C:\Windows\system32\9JyV0oGDthZKT.sys | wiawow64.exe
Drops file in Program Files directory 26 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\vV9zKcUnHh22q.sys | wiawow64.exe
File opened for modification | C:\Program Files\uvSmYoB0o2DM8.sys | wiawow64.exe
File opened for modification | C:\Program Files\66YfZl2pP1GTz.sys | wiawow64.exe
File opened for modification | C:\Program Files\Microsoft Office 15\47bbff75.html | Explorer.EXE
File opened for modification | C:\Program Files\jZ1fuBm3LLPvuU.qin | wiawow64.exe
File opened for modification | C:\Program Files (x86)\gliMWuJHIm.jyu | wiawow64.exe
File opened for modification | C:\Program Files\6aluAGuvvEPMaY.jyl | wiawow64.exe
File opened for modification | C:\Program Files\Microsoft Office 15\396332c4.js | Explorer.EXE
File opened for modification | C:\Program Files\Microsoft Office 15\5614cc26.js | Explorer.EXE
File opened for modification | C:\Program Files (x86)\6sIAib81aaE8c.sys | wiawow64.exe
File opened for modification | C:\Program Files (x86)\UeYaELkSZZ.fcf | wiawow64.exe
File opened for modification | C:\Program Files\EqS4LezAVgIYCW.nwx | wiawow64.exe
File opened for modification | C:\Program Files\Reference Assemblies\manifest.json | wiawow64.exe
File opened for modification | C:\Program Files\Reference Assemblies\lib\646d8ac2.js | wiawow64.exe
File opened for modification | C:\Program Files (x86)\7CcdIRccfA.sys | wiawow64.exe
File opened for modification | C:\Program Files (x86)\umzMDtMfWUT2j.ode | wiawow64.exe
File opened for modification | C:\Program Files (x86)\0p1QIFJf0aKZs.xmz | wiawow64.exe
File opened for modification | C:\Program Files\Reference Assemblies\47bbf566.html | wiawow64.exe
File opened for modification | C:\Program Files\Reference Assemblies\5614c014.js | wiawow64.exe
File opened for modification | C:\Program Files\9EBqjx6fdmQIO.sys | wiawow64.exe
File opened for modification | C:\Program Files (x86)\k2Qw14gyfzh2Fj.sys | wiawow64.exe
File opened for modification | C:\Program Files (x86)\811kwkbkDM.sys | wiawow64.exe
File opened for modification | C:\Program Files\1dlvFBI80EUvcY.gpr | wiawow64.exe
File opened for modification | C:\Program Files\Reference Assemblies\39632ab8.js | wiawow64.exe
File opened for modification | C:\Program Files\Microsoft Office 15\manifest.json | Explorer.EXE
File opened for modification | C:\Program Files\Microsoft Office 15\lib\646d98d7.js | Explorer.EXE
Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | C:\Windows\gohXTYdKG.sys | wiawow64.exe
File opened for modification | C:\Windows\cnr9j2G2tiv.wyg | wiawow64.exe
File opened for modification | C:\Windows\HHfrGQaAe6GT.sys | wiawow64.exe
File opened for modification | C:\Windows\GTMXWRZwon7TH9.bpl | wiawow64.exe
File opened for modification | C:\Windows\d1Kn8ExOz5.sys | wiawow64.exe
File created | C:\Windows\wiawow64.exe | Explorer.EXE
File opened for modification | C:\Windows\vqG38yWNvEY.sys | wiawow64.exe
File opened for modification | C:\Windows\KMtQ49ibYTMtTL.sys | wiawow64.exe
File opened for modification | C:\Windows\h1InMDS7DBj9EE.bjo | wiawow64.exe
File opened for modification | C:\Windows\IcnM9XwsSc.khz | wiawow64.exe
File opened for modification | C:\Windows\wiawow64.exe | Explorer.EXE
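The four drop tables above mix three quite different kinds of write: randomly named files with made-up extensions (plus a run of .sys files, dropped while the LoadsDriver signature further down records 59 driver loads), CryptnetUrlCache entries that CryptoAPI writes under the SYSTEM profile whenever a process running as LocalSystem validates a certificate chain, and a manifest.json / .js / .html set under Program Files. The Python below is an added example, not part of the tria.ge report: it parses rows in the report's own "<action> <path> <process>" layout (the embedded rows are a constructed subset of the tables above), sorts them into those classes, and returns the paths worth chasing on a live host so that the certificate-cache noise is left out. The name heuristic (6 to 16 alphanumerics with mixed case) is an assumption tuned to this sample, not a general rule.

```python
"""Triage of sandbox file-drop IoCs: parse the report's rows, separate dropped
drivers and random decoys from certificate-cache noise, and build a hunt list.
Added example with constructed rows, not tria.ge code."""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed subset of the "Drops file ..." tables, in the report's own layout.
IOC_LINES = r"""
File created C:\Windows\System32\drivers\0zoTJw.sys wiawow64.exe
File opened for modification C:\Windows\system32\drivers\FaHKAPq4a4.sys wiawow64.exe
File opened for modification C:\Windows\system32\drivers\yp6WryiY2R.ovf wiawow64.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 wiawow64.exe
File created C:\Windows\system32\ \Windows\System32\eS9n98nX.sys wiawow64.exe
File opened for modification C:\Windows\system32\FVAR4siETnu96.zim wiawow64.exe
File opened for modification C:\Program Files\Microsoft Office 15\47bbff75.html Explorer.EXE
File opened for modification C:\Program Files\Microsoft Office 15\manifest.json Explorer.EXE
File opened for modification C:\Program Files\Reference Assemblies\lib\646d8ac2.js wiawow64.exe
File opened for modification C:\Program Files (x86)\6sIAib81aaE8c.sys wiawow64.exe
File created C:\Windows\gohXTYdKG.sys wiawow64.exe
File created C:\Windows\wiawow64.exe Explorer.EXE
"""

# "<action> <path with spaces> <process>": the process name is the last token,
# so the lazy path group absorbs any spaces inside the path.
ROW = re.compile(r"^(File created|File opened for modification)\s+(.+?)\s+(\S+)$")

# Heuristic (assumption): a stem of 6-16 alphanumerics that mixes upper and lower
# case. Real Windows file names and hex-named cache entries do not match it.
RANDOM_STEM = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{6,16}$")


def parse_rows(text):
    """Return (action, path, process) tuples for every well-formed row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2), m.group(3)))
    return rows


def is_random_name(path):
    return bool(RANDOM_STEM.match(PureWindowsPath(path).stem))


def classify(path):
    p = PureWindowsPath(path)
    if "cryptneturlcache" in path.lower():
        # CryptoAPI's URL cache: a side effect of CRL/AIA fetches during chain
        # validation, written under systemprofile because the writer ran as SYSTEM.
        return "cert-cache"
    if is_random_name(path):
        return "driver-drop" if p.suffix.lower() == ".sys" else "random-decoy"
    if p.suffix.lower() in {".exe", ".dll"}:
        return "executable"
    if p.name.lower() == "manifest.json" or p.suffix.lower() in {".js", ".html"}:
        return "web-content"
    return "other"


def triage(text):
    """Group paths by class and count which process wrote them."""
    rows = parse_rows(text)
    by_class = defaultdict(list)
    writers = Counter()
    for _action, path, proc in rows:
        by_class[classify(path)].append(path)
        writers[proc] += 1
    return {"classes": dict(by_class), "writers": dict(writers), "total": len(rows)}


def hunt_list(text):
    """Paths to check on a live host: dropped drivers first, then the random
    decoys. Driver files should additionally be checked for a valid Authenticode
    signature and matched against driver services under
    HKLM\\SYSTEM\\CurrentControlSet\\Services."""
    classes = triage(text)["classes"]
    return sorted(classes.get("driver-drop", []) + classes.get("random-decoy", []))


if __name__ == "__main__":
    result = triage(IOC_LINES)
    for cls, paths in sorted(result["classes"].items()):
        print(f"{cls}: {len(paths)}")
    print("writers:", result["writers"])
    print("hunt list:")
    for path in hunt_list(IOC_LINES):
        print("  ", path)
```

On the rows above the split comes out as five dropped drivers, two random decoys, one certificate-cache entry, three web-content files and one executable, with wiawow64.exe responsible for nine of the twelve writes and Explorer.EXE for the other three; the class counts are what changes when the full tables are fed in, the parser and the heuristic do not.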
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | wiawow64.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | wiawow64.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | wiawow64.exe
Delays execution with timeout.exe 1 IoC
pid | Process
2036 | timeout.exe
Modifies data under HKEY_USERS 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | wiawow64.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | wiawow64.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | wiawow64.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | wiawow64.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | runonce.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | wiawow64.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | wiawow64.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | wiawow64.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | wiawow64.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | runonce.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | runonce.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | wiawow64.exe
These are the default Internet Settings and WinTrust keys that WinINet and the signature-verification stack initialise on first use. They land under HKEY_USERS\.DEFAULT because that hive is what HKEY_CURRENT_USER resolves to for LocalSystem, which places wiawow64.exe and runonce.exe in the SYSTEM context, consistent with wiawow64.exe sitting under winlogon.exe in the process tree.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | hits
4572 | ee882c7298dfb477789205f2e6be0aca489f9bbc07bbfbb25ff3c897b0b0b9d9.exe | 10
3112 | Explorer.EXE | 13
3952 | wiawow64.exe | 39
2464 | runonce.exe | 2
Suspicious behavior: GetForegroundWindowSpam 1 IoC
pid | Process
3112 | Explorer.EXE
Suspicious behavior: LoadsDriver 59 IoCs
pid | Process | hits
676 | Process not Found | 59
All 59 driver loads are attributed to PID 676, which the sandbox could not map to a process name. Driver loads are performed on behalf of the service control manager when a driver service is started, so the loading process is not necessarily the dropper; on a live host, match the .sys files listed in the drop signatures above against the driver services under HKLM\SYSTEM\CurrentControlSet\Services.
Suspicious use of AdjustPrivilegeToken 24 IoCs
description | pid | Process | hits
Token: SeDebugPrivilege | 4572 | ee882c7298dfb477789205f2e6be0aca489f9bbc07bbfbb25ff3c897b0b0b9d9.exe | 3
Token: SeTcbPrivilege | 4572 | ee882c7298dfb477789205f2e6be0aca489f9bbc07bbfbb25ff3c897b0b0b9d9.exe | 1
Token: SeIncBasePriorityPrivilege | 4572 | ee882c7298dfb477789205f2e6be0aca489f9bbc07bbfbb25ff3c897b0b0b9d9.exe | 1
Token: SeDebugPrivilege | 3112 | Explorer.EXE | 3
Token: SeShutdownPrivilege | 3112 | Explorer.EXE | 1
Token: SeCreatePagefilePrivilege | 3112 | Explorer.EXE | 1
Token: SeBackupPrivilege | 3112 | Explorer.EXE | 1
Token: SeDebugPrivilege | 3952 | wiawow64.exe | 8
Token: SeBackupPrivilege | 3952 | wiawow64.exe | 1
Token: SeDebugPrivilege | 336 | dwm.exe | 1
Token: SeBackupPrivilege | 336 | dwm.exe | 1
Token: SeShutdownPrivilege | 336 | dwm.exe | 1
Token: SeCreatePagefilePrivilege | 336 | dwm.exe | 1
Suspicious use of SetWindowsHookEx 1 IoC
pid | Process
3112 | Explorer.EXE

Suspicious use of UnmapMainImage 1 IoC
pid | Process
3112 | Explorer.EXE
Suspicious use of WriteProcessMemory 64 IoCs (identical rows grouped; procid_target is the report's internal index of the written process)
description | pid | Process | procid_target | hits
PID 4572 wrote to memory of 3112 | 4572 | ee882c7298dfb477789205f2e6be0aca489f9bbc07bbfbb25ff3c897b0b0b9d9.exe | 52 | 5
PID 3112 wrote to memory of 3952 | 3112 | Explorer.EXE | 96 | 7
PID 4572 wrote to memory of 632 | 4572 | ee882c7298dfb477789205f2e6be0aca489f9bbc07bbfbb25ff3c897b0b0b9d9.exe | 47 | 5
PID 4572 wrote to memory of 3920 | 4572 | ee882c7298dfb477789205f2e6be0aca489f9bbc07bbfbb25ff3c897b0b0b9d9.exe | 100 | 3
PID 3920 wrote to memory of 2036 | 3920 | cmd.exe | 102 | 3
PID 3952 wrote to memory of 2464 | 3952 | wiawow64.exe | 105 | 7
PID 3952 wrote to memory of 3112 | 3952 | wiawow64.exe | 52 | 34
Processes (indentation shows depth in the tree; each entry is image, command line, PID, then the signatures it triggered)
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID 336
  signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\winlogon.exe | winlogon.exe | PID 632
  - C:\Windows\wiawow64.exe | "C:\Windows\wiawow64.exe" | PID 3952
    signatures: Drops file in Drivers directory; Executes dropped EXE; Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Checks SCSI registry key(s); Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\runonce.exe | "C:\Windows\system32\runonce.exe" | PID 2464
      signatures: Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3112
  signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ee882c7298dfb477789205f2e6be0aca489f9bbc07bbfbb25ff3c897b0b0b9d9.exe | "C:\Users\Admin\AppData\Local\Temp\ee882c7298dfb477789205f2e6be0aca489f9bbc07bbfbb25ff3c897b0b0b9d9.exe" | PID 4572
    signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\ee882c7298dfb477789205f2e6be0aca489f9bbc07bbfbb25ff3c897b0b0b9d9.exe" | PID 3920
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe | timeout /t 1 | PID 2036
        signatures: Delays execution with timeout.exe
The sample is a 32-bit binary (arch:x86 in the resource tags): the System32 path in its cmd.exe command line is redirected by WoW64 to SysWOW64, which is why the image paths of cmd.exe and timeout.exe differ from the command line. The cmd.exe child exists only to delete the sample after a one-second delay; wiawow64.exe, the persistent component, was written to C:\Windows by Explorer.EXE and appears under winlogon.exe rather than under the process that dropped it.
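Reading the tree together with the signatures gives the sequence: the sample (PID 4572) writes into Explorer.EXE (3112) and winlogon.exe (632); Explorer.EXE drops C:\Windows\wiawow64.exe and is the process flagged for NtCreateUserProcessOtherParentProcess, while wiawow64.exe (3952) shows up under winlogon.exe, which is consistent with the new process being created with winlogon.exe as its designated parent; the HKEY_USERS\.DEFAULT and systemprofile writes then show wiawow64.exe running as LocalSystem; finally the sample removes itself via cmd.exe. The Python below is an added example, not part of the report: it runs three detections over a constructed event list built from the PIDs, images and command lines above. The parent PIDs of the two root processes and the "creator" column (the process whose thread issued the create call, which a kernel sensor sees in PS_CREATE_NOTIFY_INFO.CreatingThreadId) are assumptions made to reproduce the behaviour the signatures describe.

```python
"""Detections over a process tree like the one above: designated-parent versus
creator mismatch, delayed self-deletion through cmd.exe, and executables running
from the root of C:\\Windows. Added example with constructed data, not tria.ge code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # parent as recorded in the tree (the designated parent)
    creator: int   # process whose thread issued the create call (assumed telemetry)
    image: str
    cmdline: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\ee882c7298dfb477789205f2e6be0aca489f9bbc07bbfbb25ff3c897b0b0b9d9.exe")

# Constructed from the report's tree. PIDs, images and command lines are the
# report's; the root processes' parents (500, 3000) and the creator of
# wiawow64.exe are assumptions.
EVENTS = [
    ProcEvent(632, 500, 500, r"C:\Windows\system32\winlogon.exe", "winlogon.exe"),
    ProcEvent(3112, 3000, 3000, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(4572, 3112, 3112, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(3920, 4572, 4572, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "' + SAMPLE + '"'),
    ProcEvent(2036, 3920, 3920, r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 1"),
    # Listed under winlogon.exe (632) in the tree, but Explorer.EXE (3112) dropped it
    # and is the process flagged for NtCreateUserProcessOtherParentProcess.
    ProcEvent(3952, 632, 3112, r"C:\Windows\wiawow64.exe", r'"C:\Windows\wiawow64.exe"'),
    ProcEvent(2464, 3952, 3952, r"C:\Windows\system32\runonce.exe",
              r'"C:\Windows\system32\runonce.exe"'),
]

# "del [/switches] <path>" up to the next command separator or end of line.
_DEL = re.compile(r'\bdel\b(?:\s+/[a-z])*\s+"?([^"&|]+?)"?\s*(?:&|\||$)', re.I)
_DELAY = re.compile(r"\b(timeout|ping|sleep)\b", re.I)
_WINDOWS_ROOT_EXE = re.compile(r"^c:\\windows\\([^\\]+\.exe)$", re.I)
# Executables that legitimately live directly under C:\Windows. Assumption:
# build this list from a gold image rather than trusting it as given here.
_KNOWN_ROOT_EXES = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                    "write.exe", "splwow64.exe", "winhlp32.exe", "bfsvc.exe",
                    "helppane.exe"}


def spoofed_parents(events):
    """(pid, designated parent, creator) for every process whose creator is not
    its recorded parent: the footprint of PROC_THREAD_ATTRIBUTE_PARENT_PROCESS.
    Sensors that log only the designated parent cannot see this."""
    return [(e.pid, e.ppid, e.creator) for e in events if e.creator != e.ppid]


def self_deletions(events):
    """cmd.exe children that delay and then delete their parent's own image."""
    procs = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith(r"\cmd.exe"):
            continue
        parent = procs.get(e.ppid)
        m = _DEL.search(e.cmdline)
        if parent and m and _DELAY.search(e.cmdline):
            target = m.group(1).strip()
            if target.lower() == parent.image.lower():
                hits.append((e.pid, parent.pid, target))
    return hits


def unexpected_windows_root_images(events):
    """Processes whose image sits directly in C:\\Windows but is not a known
    resident of that directory (Explorer.EXE passes, wiawow64.exe does not)."""
    hits = []
    for e in events:
        m = _WINDOWS_ROOT_EXE.match(e.image)
        if m and m.group(1).lower() not in _KNOWN_ROOT_EXES:
            hits.append((e.pid, e.image))
    return hits


def report(events):
    return {
        "spoofed_parents": spoofed_parents(events),
        "self_deletions": self_deletions(events),
        "unexpected_root_images": unexpected_windows_root_images(events),
    }


if __name__ == "__main__":
    for name, findings in report(EVENTS).items():
        print(name)
        for f in findings:
            print("  ", f)
```

The self-deletion check deliberately requires both a delay command and a del target equal to the parent's image: "del" of an arbitrary file from a cmd.exe child is routine, whereas a child that waits and then deletes the binary that spawned it is the pattern in this tree. The parent/creator comparison is the only one of the three that needs telemetry beyond a plain process tree, which is exactly why the sandbox reports it as a separate signature.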
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 415KB
  MD5: 64bc1983743c584a9ad09dacf12792e5
  SHA1: 0f14098f523d21f11129c4df09451413ddff6d61
  SHA256: 057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5
  SHA512: 9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c
- Filesize: 447KB
  MD5: 82e9fa2573b81c7b1c0f6209b4f44b6c
  SHA1: 6126218e677ca1dd9139c9267aa40dcc58936274
  SHA256: a18c6c4ca31cfc43bb455212b67072a65d27c423d2e2bb6164eac6eda9d750fb
  SHA512: 51761b70f5f93e7f8f4de981d73168cf25b76a816df444d821cdc657e3c87e4e7d5aa9f615f15a8b75e184ff5906930472348c45c3fc10d0f5964442c568d688
- Filesize: 415KB
  MD5: 7bada704db29ee9510021fa9683914d7
  SHA1: 629a95e8f6e77f352c7e3d673924f81d6fb80094
  SHA256: 7c758ea877cb3b133e2f773e8ec47f0a2d5a2713806059a67e2e2513931a045a
  SHA512: ed64f744b505e0f0b6823150bab62fb4732d587cfb3ffbf85aff696c398d4c63533d1c54a339e33d1066e1194bee74c316077263fcfac1e229317015802990fb
- Filesize: 447KB
  MD5: d15f5f23df8036bd5089ce8d151b0e0d
  SHA1: 4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2
  SHA256: f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520
  SHA512: feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9
- Filesize: 38KB
  MD5: 57672b94bf24e8ec8dcd56f28142f60a
  SHA1: 0ed9edf34ae137e3ef5f6a619e1fa12b0eb9d051
  SHA256: 5cbb42d37f3fea5496598a6fe85405047c7e78697e6fa474353cfedcae9883ea
  SHA512: c038a89ca60d0a95de4c5395f49f07134f63b748f331d02001e0d21ddd8f7454d376e9b0dcbb6166314e5f13bf51880cd540f854fc3c1e755c22c90a0c9dd832
- Filesize: 38KB
  MD5: 57672b94bf24e8ec8dcd56f28142f60a
  SHA1: 0ed9edf34ae137e3ef5f6a619e1fa12b0eb9d051
  SHA256: 5cbb42d37f3fea5496598a6fe85405047c7e78697e6fa474353cfedcae9883ea
  SHA512: c038a89ca60d0a95de4c5395f49f07134f63b748f331d02001e0d21ddd8f7454d376e9b0dcbb6166314e5f13bf51880cd540f854fc3c1e755c22c90a0c9dd832
(The two 38KB entries carry identical hashes, i.e. the same content was written to two locations; the two 415KB and the two 447KB entries are distinct files despite matching sizes.)