Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231025-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/11/2023, 00:33
Static task: static1
Behavioral task: behavioral1
Sample: 041a8f8f1bae4decc9d995d124af170a6ff8ecb80a5338fb2421eeac232ae6fc.exe
Resource: win7-20231020-en
General
- Target: 041a8f8f1bae4decc9d995d124af170a6ff8ecb80a5338fb2421eeac232ae6fc.exe
- Size: 399KB
- MD5: 4b24f57f224315d69492a029ed43a92f
- SHA1: bc9724527b74aac48a4c94f7ae7c4f83a5ee8c0d
- SHA256: 041a8f8f1bae4decc9d995d124af170a6ff8ecb80a5338fb2421eeac232ae6fc
- SHA512: f9526da1252c24f19159078ca4affb35edbd7d65dbfd1c6cd11d549ff9c22bd8e453f4742a11dc6ad7f6d9845806526898418f7ea13b2b5620f3af4617c91470
- SSDEEP: 6144:YZmsQhU+bZVx5rLKJzu6gLP44ZwcDy/qF6cEOkCybEaQRXr9HNdvOapLF:8UF30Ngj44ecDyfOkx2LIapLF
Malware Config
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
- PID 3280 created 628 (pid 3280, process Explorer.EXE, procid_target 5)
Downloads MZ/PE file
Drops file in Drivers directory 9 IoCs
- File opened for modification C:\Windows\system32\drivers\4BZhJvGOIENFM.sys (recdisc.exe)
- File opened for modification C:\Windows\system32\drivers\CJcYpEwBGMzFC.xaz (recdisc.exe)
- File opened for modification C:\Windows\system32\drivers\M8WY04aTVnF6.sys (recdisc.exe)
- File opened for modification C:\Windows\system32\drivers\gc6YyAaPRGD.zqh (recdisc.exe)
- File created C:\Windows\System32\drivers\wrxpHR.sys (recdisc.exe)
- File opened for modification C:\Windows\system32\drivers\impnK6jwbCEw.rwo (recdisc.exe)
- File opened for modification C:\Windows\system32\drivers\ynFDM9yswuLbO.sys (recdisc.exe)
- File opened for modification C:\Windows\system32\drivers\rceHG6uPZffd.zmy (recdisc.exe)
- File opened for modification C:\Windows\system32\drivers\B59gp2LkXA.sys (recdisc.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation (041a8f8f1bae4decc9d995d124af170a6ff8ecb80a5338fb2421eeac232ae6fc.exe)
Executes dropped EXE 1 IoCs
- PID 3172 recdisc.exe
- YARA rule upx matched resource behavioral2/files/0x0006000000022e07-331.dat
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Destination IP 114.114.114.114
- YARA rule vmprotect matched resource behavioral2/files/0x000a000000022e06-85.dat
- YARA rule vmprotect matched resource behavioral2/files/0x0018000000022e06-145.dat
- YARA rule vmprotect matched resource behavioral2/files/0x0026000000022e06-203.dat
- YARA rule vmprotect matched resource behavioral2/files/0x0034000000022e06-259.dat
Drops file in System32 directory 23 IoCs
Drops file in Program Files directory 28 IoCs
Drops file in Windows directory 9 IoCs
- File created C:\Windows\1TyqYU.sys (recdisc.exe)
- File opened for modification C:\Windows\lAZIKRccFTTuf.sys (recdisc.exe)
- File opened for modification C:\Windows\whBeE93JS5.sys (recdisc.exe)
- File opened for modification C:\Windows\9Ls77N155DU9i.grx (recdisc.exe)
- File opened for modification C:\Windows\wBL0QSRaMduk.hoo (recdisc.exe)
- File opened for modification C:\Windows\HcpuVeNIFqhTg.sys (recdisc.exe)
- File opened for modification C:\Windows\GxEKLAEH8POj.oob (recdisc.exe)
- File opened for modification C:\Windows\ehoUU5joDUWj.rxv (recdisc.exe)
- File opened for modification C:\Windows\tpYjAURwI9.sys (recdisc.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (recdisc.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 (recdisc.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 (recdisc.exe)
Delays execution with timeout.exe 1 IoCs
- PID 4500 timeout.exe
Modifies data under HKEY_USERS 9 IoCs
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (recdisc.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (recdisc.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (recdisc.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (recdisc.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (recdisc.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (recdisc.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (recdisc.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (recdisc.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (recdisc.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
- PID 3280 Explorer.EXE
Suspicious behavior: LoadsDriver 59 IoCs
- PID 676 Process not Found (59 identical entries)
Suspicious use of AdjustPrivilegeToken 24 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
- PID 3280 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs
- PID 3280 Explorer.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  depth 1, PID 628
  - C:\Windows\system32\dwm.exe
    command line: "dwm.exe"
    depth 2, PID 332
    signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Program Files\recdisc.exe
    command line: "C:\Program Files\recdisc.exe"
    depth 2, PID 3172
    signatures: Drops file in Drivers directory; Executes dropped EXE; Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Checks SCSI registry key(s); Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  depth 1, PID 3280
  signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\041a8f8f1bae4decc9d995d124af170a6ff8ecb80a5338fb2421eeac232ae6fc.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\041a8f8f1bae4decc9d995d124af170a6ff8ecb80a5338fb2421eeac232ae6fc.exe"
    depth 2, PID 2768
    signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\041a8f8f1bae4decc9d995d124af170a6ff8ecb80a5338fb2421eeac232ae6fc.exe"
      depth 3, PID 2176
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe
        command line: timeout /t 1
        depth 4, PID 4500
        signatures: Delays execution with timeout.exe
Downloads
- Filesize: 193KB
  MD5: 18afee6824c84bf5115bada75ff0a3e7
  SHA1: d10f287a7176f57b3b2b315a5310d25b449795aa
  SHA256: 0787b37cf197595b8149ffe3784f9c59eacde3616011f185513ff5c075a5ac4e
  SHA512: 517356165b401dbebf15437d3b17746aef5a6a4cc62a0afe45966abc92b4cf377eee4514a36ee28b1e88e55a22a2f8a6c997df45971e7f354b66ac7d9e141845
- Filesize: 14.1MB
  MD5: 3acf3e8466847b7da3cb2ddd83079c22
  SHA1: d058f4dcb913025b0a1ef5d9e87266aca62b8c8a
  SHA256: cb4d779c782c006ed13ba4a4b11aaf31650c46f9ff8abb8771ed6bf1754cc9f1
  SHA512: 425f0516a7d401bd6459383d031b05dc52459e38599cea5afa964772897bc1dbd9ac6fc70fed1cc7b9816e149e26fe8b16cead837bf23a7a595d2e3c11fb9c7f
- Filesize: 165KB
  MD5: a9147d9136c83671340463124184052c
  SHA1: e6cb150312bc325ff89030b75ba9c5da9bd24760
  SHA256: ca5e6188650898e3481ba599a737bb8bf3ad23e2bfffb15a34e55b5fc3e36188
  SHA512: 9aa4f70a8399a9e56ceedf418e77d1cc731a05fa53d25667604f11500211c643486ceb79b6f8ddcda52955d7da0083838d103992ae77770695aba1b7eb2cd009
- Filesize: 165KB
  MD5: cc278a89d1f76e74bcd131ccea4a14ab
  SHA1: 14477e772ed63f4130611066cec7aee6062c9f83
  SHA256: 63c2abf2fdd410129ffb26630188c1cb786cf1cf8d921181a6b1fa86316ac21b
  SHA512: bcab37bcb1133b9eff7713af7d43b8084da66b4cb9b890cc6d34e3a391ecd9f4c9116e3051cd5b64f1c03e3fc03ffb4caebc4be7e036fd7f21cbf4bea7c0e7b3
- Filesize: 165KB
  MD5: e89bccb4de3b18b0d9e5e6da29e60873
  SHA1: 09b81d7f8a893d41a82a78e2835e2676bff8cbc4
  SHA256: 65489278d2b259f3e3bc9c08bd4318308a2169bf8740d1ad737177913cc0fa48
  SHA512: 530b4d5de3b3dcfb0b2c78c583df0944c3d9516c567cc776b8fe9f3e5bc24e1bfe704bd76d2cb0502361db6b63f48cbf961b033a5fa2bbf94fdf737c1724a35c
- Filesize: 165KB
  MD5: 240fe254754a2fe23cfb1dfb7ab292d9
  SHA1: dd4945ee3955c1bb1e2a54aa13a235b41ffae57a
  SHA256: 466fdedb0a54e3502f3d1a8cac0646729c55f17a808fcfb51c8cb489012fa978
  SHA512: 5a418e34ba794c11203a174e47f1a822b42efd452d3bcf1a6e656f6b970a08f1e4b42d1aab08866f5b08348114343803a8baa47946d725bfdde069757099a739