Analysis
- max time kernel: 165s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20231025-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/11/2023, 12:03
Static task: static1
Behavioral task: behavioral1
Sample: aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
Resource: win7-20231020-en
General
- Target: aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
- Size: 2.0MB
- MD5: 2f3353e9de4535e858254b2f9ebe0e70
- SHA1: beb0fe2c7a977abf0f292477466be291fca80a9a
- SHA256: aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00
- SHA512: 909bb4cd1108fefed5bdf68af29eb0fbc5584f6c9ce7b7a15790af2c24ac2898ab132e7e95b7ba636c131c645e8aee95ef749dc24f7f05c2eb3808ab6c2146d7
- SSDEEP: 49152:8Us4vWvQznXPwh11sXIAyT9tN93ul/lDxqqqoqqqdT:ls4iKXPs1sByTNT
Malware Config
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description | pid | Process | procid_target
  PID 3208 created 624 | 3208 | Explorer.EXE | 3
- Downloads MZ/PE file
- Drops file in Drivers directory (9 IoCs)
  description | ioc | Process
  File created | C:\Windows\System32\drivers\9zxaWj7Y.sys | newdev.exe
  File opened for modification | C:\Windows\system32\drivers\bZ7WhZ9KkCoht.sys | newdev.exe
  File opened for modification | C:\Windows\system32\drivers\vLgTWyHtzlcKt.ghc | newdev.exe
  File opened for modification | C:\Windows\system32\drivers\MvGrD9SXZ0.kmz | newdev.exe
  File opened for modification | C:\Windows\system32\drivers\e5uumDsZtL.ipj | newdev.exe
  File opened for modification | C:\Windows\system32\drivers\psfsZN4lg81.sys | newdev.exe
  File opened for modification | C:\Windows\system32\drivers\o4GzoqkWsstj1d.sys | newdev.exe
  File opened for modification | C:\Windows\system32\drivers\bXYRsv84z9eF.sys | newdev.exe
  File opened for modification | C:\Windows\system32\drivers\9xNTFCfW2r.pax | newdev.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  4332 | newdev.exe
- YARA rule match
  resource | yara_rule
  behavioral2/files/0x0007000000022e11-327.dat | upx
- Unexpected DNS network traffic destination (1 IoC)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description | ioc
  Destination IP | 114.114.114.114
- YARA rule matches
  resource | yara_rule
  behavioral2/files/0x000a000000022e10-84.dat | vmprotect
  behavioral2/files/0x0018000000022e10-143.dat | vmprotect
  behavioral2/files/0x0026000000022e10-199.dat | vmprotect
  behavioral2/files/0x0034000000022e10-255.dat | vmprotect
- Drops file in System32 directory (23 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475 | newdev.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B | newdev.exe
  File opened for modification | C:\Windows\system32\i9Um4VrAVvOj25.sys | newdev.exe
  File opened for modification | C:\Windows\system32\jE8tJUqRtZMe.sys | newdev.exe
  File opened for modification | C:\Windows\system32\09dW6UsFQYU.cmu | newdev.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173 | newdev.exe
  File opened for modification | C:\Windows\system32\7aGW9mKNY4iGiN.hpt | newdev.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046 | newdev.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E | newdev.exe
  File created | C:\Windows\system32\ \Windows\System32\yrwwOZ.sys | newdev.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C | newdev.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475 | newdev.exe
  File opened for modification | C:\Windows\system32\9luetjX3c1W.vnr | newdev.exe
  File opened for modification | C:\Windows\system32\rEg8Rylk54Fo7.sys | newdev.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C | newdev.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B | newdev.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 | newdev.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 | newdev.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173 | newdev.exe
  File opened for modification | C:\Windows\system32\x1YBPSRluhM.sys | newdev.exe
  File opened for modification | C:\Windows\system32\KGgbRFh1XdG.edw | newdev.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046 | newdev.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E | newdev.exe
- Drops file in Program Files directory (26 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\HCyANxxNlLK3j.aso | newdev.exe
  File opened for modification | C:\Program Files (x86)\iFORHjZzu5U9S.hof | newdev.exe
  File opened for modification | C:\Program Files\Windows Portable Devices\5610fa02.js | Explorer.EXE
  File opened for modification | C:\Program Files\Microsoft Office 15\3960a3bc.js | newdev.exe
  File opened for modification | C:\Program Files\Windows Portable Devices\lib\646923ad.js | Explorer.EXE
  File opened for modification | C:\Program Files\NTn7OkIGOHbEAr.sys | newdev.exe
  File opened for modification | C:\Program Files (x86)\Y7PhPcFAfXeFY.sys | newdev.exe
  File opened for modification | C:\Program Files\Microsoft Office 15\manifest.json | newdev.exe
  File opened for modification | C:\Program Files\Windows Portable Devices\3960a6ac.js | Explorer.EXE
  File opened for modification | C:\Program Files\Windows Portable Devices\47b8d057.html | Explorer.EXE
  File opened for modification | C:\Program Files (x86)\A12QI947D58.lol | newdev.exe
  File opened for modification | C:\Program Files\15fSrGQiSBmI.sys | newdev.exe
  File opened for modification | C:\Program Files\Microsoft Office 15\47b8ccab.html | newdev.exe
  File opened for modification | C:\Program Files (x86)\LcAUCOCpzE.sys | newdev.exe
  File opened for modification | C:\Program Files\TUxgXiBhfu.ovl | newdev.exe
  File opened for modification | C:\Program Files (x86)\MiWUXFyowc96a.aea | newdev.exe
  File opened for modification | C:\Program Files\rWM7y1LBvlV.sys | newdev.exe
  File opened for modification | C:\Program Files\BbV6vlpY2Rp.rja | newdev.exe
  File opened for modification | C:\Program Files\Windows Portable Devices\manifest.json | Explorer.EXE
  File opened for modification | C:\Program Files\Microsoft Office 15\lib\64691e89.js | newdev.exe
  File opened for modification | C:\Program Files (x86)\cwECo8QBBSW.sys | newdev.exe
  File opened for modification | C:\Program Files (x86)\Y8u5fdTADW.rlx | newdev.exe
  File opened for modification | C:\Program Files\Microsoft Office 15\5610f59a.js | newdev.exe
  File opened for modification | C:\Program Files\I3Wiwu08b7V.sys | newdev.exe
  File opened for modification | C:\Program Files (x86)\6wypWB2Q5eemR.sys | newdev.exe
  File opened for modification | C:\Program Files\qZvp6VKWnoW.pgc | newdev.exe
- Drops file in Windows directory (9 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\NCSBDerxVyp2g.sys | newdev.exe
  File opened for modification | C:\Windows\5beefDM9tqK.nqj | newdev.exe
  File created | C:\Windows\ZisV8or.sys | newdev.exe
  File opened for modification | C:\Windows\9L5VitdsE2NW.bpm | newdev.exe
  File opened for modification | C:\Windows\LxWz7kpP3I.lzi | newdev.exe
  File opened for modification | C:\Windows\ITDXVDtKLV3pFw.sys | newdev.exe
  File opened for modification | C:\Windows\2KbCtAsLRoi.sys | newdev.exe
  File opened for modification | C:\Windows\4imvNbxbzRg.hzv | newdev.exe
  File opened for modification | C:\Windows\7l0H28ABfv.sys | newdev.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | newdev.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | newdev.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | newdev.exe
- Delays execution with timeout.exe (1 IoC)
  pid | Process
  3320 | timeout.exe
- Modifies data under HKEY_USERS (9 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | newdev.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | newdev.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | newdev.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | newdev.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | newdev.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | newdev.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | newdev.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | newdev.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | newdev.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs, listed in order with repeat counts)
  pid | Process | count
  1336 | aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe | x8
  3208 | Explorer.EXE | x4
  1336 | aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe | x2
  4332 | newdev.exe | x50
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  3208 | Explorer.EXE
- Suspicious behavior: LoadsDriver (59 IoCs)
  pid | Process | count
  672 | Process not Found | x59
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1336 | aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
  Token: SeTcbPrivilege | 1336 | aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
  Token: SeDebugPrivilege | 1336 | aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
  Token: SeDebugPrivilege | 3208 | Explorer.EXE
  Token: SeDebugPrivilege | 3208 | Explorer.EXE
  Token: SeDebugPrivilege | 1336 | aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
  Token: SeDebugPrivilege | 4332 | newdev.exe
  Token: SeDebugPrivilege | 4332 | newdev.exe
  Token: SeDebugPrivilege | 4332 | newdev.exe
  Token: SeIncBasePriorityPrivilege | 1336 | aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
  Token: SeShutdownPrivilege | 3208 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3208 | Explorer.EXE
  Token: SeDebugPrivilege | 4332 | newdev.exe
  Token: SeBackupPrivilege | 4332 | newdev.exe
  Token: SeDebugPrivilege | 4332 | newdev.exe
  Token: SeDebugPrivilege | 4332 | newdev.exe
  Token: SeDebugPrivilege | 340 | dwm.exe
  Token: SeBackupPrivilege | 340 | dwm.exe
  Token: SeDebugPrivilege | 3208 | Explorer.EXE
  Token: SeBackupPrivilege | 3208 | Explorer.EXE
  Token: SeShutdownPrivilege | 340 | dwm.exe
  Token: SeCreatePagefilePrivilege | 340 | dwm.exe
  Token: SeShutdownPrivilege | 340 | dwm.exe
  Token: SeCreatePagefilePrivilege | 340 | dwm.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  3208 | Explorer.EXE
- Suspicious use of UnmapMainImage (1 IoC)
  pid | Process
  3208 | Explorer.EXE
- Suspicious use of WriteProcessMemory (64 IoCs, listed in order with repeat counts)
  description | pid | Process | procid_target | count
  PID 1336 wrote to memory of 3208 | 1336 | aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe | 52 | x5
  PID 3208 wrote to memory of 4332 | 3208 | Explorer.EXE | 91 | x7
  PID 1336 wrote to memory of 624 | 1336 | aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe | 3 | x5
  PID 1336 wrote to memory of 2600 | 1336 | aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe | 99 | x3
  PID 2600 wrote to memory of 3320 | 2600 | cmd.exe | 102 | x3
  PID 4332 wrote to memory of 3208 | 4332 | newdev.exe | 52 | x41
Processes
- C:\Windows\system32\winlogon.exe (command line: winlogon.exe), PID 624
  - C:\Windows\system32\dwm.exe (command line: "dwm.exe"), PID 340
    - Suspicious use of AdjustPrivilegeToken
  - C:\ProgramData\newdev.exe (command line: "C:\ProgramData\newdev.exe"), PID 4332
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), PID 3208
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe (command line: "C:\Users\Admin\AppData\Local\Temp\aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe"), PID 1336
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (command line: "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe"), PID 2600
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe (command line: timeout /t 1), PID 3320
        - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 70KB
  MD5: 53e90f70d88430e8e0ae94cb7c9f3dfe
  SHA1: bae36fe3c2921879426f2cb313630d525458581f
  SHA256: 4500d5b98ef4f901f700a60f9643ac6e31034ff3a72918b68025c7b2ef684f90
  SHA512: 70c4895732c64a45db1c946a9fdbd8d7b6c065f3f1f8831d17da0a98872eeabe96f0cf064c7732e513378812cd956cea80c33759447a60c136b3b4c5d61c75e7
- Filesize: 70KB
  MD5: 53e90f70d88430e8e0ae94cb7c9f3dfe
  SHA1: bae36fe3c2921879426f2cb313630d525458581f
  SHA256: 4500d5b98ef4f901f700a60f9643ac6e31034ff3a72918b68025c7b2ef684f90
  SHA512: 70c4895732c64a45db1c946a9fdbd8d7b6c065f3f1f8831d17da0a98872eeabe96f0cf064c7732e513378812cd956cea80c33759447a60c136b3b4c5d61c75e7
- Filesize: 14.1MB
  MD5: b66fb2f31bbc7538ade44d5f5d57675f
  SHA1: 30c2444dc89cbd6f099d21f00d432ade619ad13d
  SHA256: 3b09106f7813ab3e5b7350d269446298291a2722bdf65f705c749725c11fc2a5
  SHA512: 631307a706880c9fa87dc676169f6130c8150d266823dd7e446a29ea0726b9c81d1944f2cbdb3421b81a7770be90231dbc766aaa3d2cec16265c6f8249f47580
- Filesize: 165KB
  MD5: 23d9779ad77df5bd01796cfa5bee2808
  SHA1: b3de4b2e262215618afd0f97b1ea88a13e7c89b6
  SHA256: b628ddf5204961e6f076f0cc6cedeba1e9bb1b0bb4e67d864acb7bec5492e341
  SHA512: 637c9530db131399a71f139d7eb299c2996a6e6b7efc4318b2c5046e51a621694673e5ac1fcbf825c2c70db2bad43dcc08797597fae7d498f12183e3159af93b
- Filesize: 165KB
  MD5: a9147d9136c83671340463124184052c
  SHA1: e6cb150312bc325ff89030b75ba9c5da9bd24760
  SHA256: ca5e6188650898e3481ba599a737bb8bf3ad23e2bfffb15a34e55b5fc3e36188
  SHA512: 9aa4f70a8399a9e56ceedf418e77d1cc731a05fa53d25667604f11500211c643486ceb79b6f8ddcda52955d7da0083838d103992ae77770695aba1b7eb2cd009
- Filesize: 165KB
  MD5: 240fe254754a2fe23cfb1dfb7ab292d9
  SHA1: dd4945ee3955c1bb1e2a54aa13a235b41ffae57a
  SHA256: 466fdedb0a54e3502f3d1a8cac0646729c55f17a808fcfb51c8cb489012fa978
  SHA512: 5a418e34ba794c11203a174e47f1a822b42efd452d3bcf1a6e656f6b970a08f1e4b42d1aab08866f5b08348114343803a8baa47946d725bfdde069757099a739
- Filesize: 165KB
  MD5: 275f6a2f91c52c28b8a9b7ea5830d2da
  SHA1: 466e7d15b447c07260ea89cd7c3b3095f37c22d3
  SHA256: ea7e5cd23731b093722555d9d351dfe9adf4084612d26fc5319cc7dfe9dda25e
  SHA512: 4096662d5ad5e937a4db959517c64d1695485b4dcae9027cf1c1841b5cc93be96d37bd22dea8a61b14d729c35d68505fd2e857c17fbd9bd0f7996c8c40261d0e