Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 148s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 11/12/2023, 03:47
Static task: static1
Behavioral task: behavioral1
  Sample: ad49dd256adedfa2be9188ec3f68cb75.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: ad49dd256adedfa2be9188ec3f68cb75.exe
  Resource: win10v2004-20231127-en
General
Target: ad49dd256adedfa2be9188ec3f68cb75.exe
Size: 1.6MB
MD5: ad49dd256adedfa2be9188ec3f68cb75
SHA1: fe2b02b3d63339ca976759c0e450f82c288b8f3b
SHA256: 78dd9812c391c45f55ae45735371b6ac7d9f84aba107da824895be3b1d3250e1
SHA512: d20c1b37e4ae6fe1cf0451037192299939beabfa9eebf1d103481370a7c730d843d2ec3eae0483e6dfa27bd088d6d1f9539b033ea0f82d7379723ea245d622fc
SSDEEP: 49152:BTouQ/MlgHcg1OeuDBLWoaOlJgbJrypAgLWnl:xouQ/olWglwrDJl
Malware Config
Extracted: risepro
  193.233.132.51
Extracted: smokeloader
  2022
  http://81.19.131.34/fks/index.php
Extracted: redline
  LiveTraffic
  77.105.132.87:6731
Signatures
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload 1 IoCs
  resource behavioral1/memory/2292-223-0x0000000000170000-0x00000000001AC000-memory.dmp matched yara_rule family_redline
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Drops startup file 1 IoCs
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk (AppLaunch.exe)
- Executes dropped EXE 5 IoCs
  PID 2976 yo6PH81.exe
  PID 1072 1Ma25Tt3.exe
  PID 2900 3Eo80hP.exe
  PID 2972 4XL763tv.exe
  PID 2292 3488.exe
- Loads dropped DLL 10 IoCs
  PID 2112 ad49dd256adedfa2be9188ec3f68cb75.exe (2 entries)
  PID 2976 yo6PH81.exe (5 entries)
  PID 1072 1Ma25Tt3.exe
  PID 2900 3Eo80hP.exe
  PID 2972 4XL763tv.exe
- Reads user/profile data of local email clients 2 TTPs
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
  Key opened: \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (4XL763tv.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (4XL763tv.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (4XL763tv.exe)
- Adds Run key to start application 2 TTPs 3 IoCs
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (ad49dd256adedfa2be9188ec3f68cb75.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (yo6PH81.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" (AppLaunch.exe)
- Checks installed software on the system 1 TTPs
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service 4 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 16: ipinfo.io
  flow 4: ipinfo.io
  flow 5: ipinfo.io
  flow 15: ipinfo.io
- Drops file in System32 directory 8 IoCs
  File opened for modification: C:\Windows\SysWOW64\GroupPolicy\gpt.ini (4XL763tv.exe)
  File opened for modification: C:\Windows\System32\GroupPolicy\Machine\Registry.pol (4XL763tv.exe)
  File opened for modification: C:\Windows\System32\GroupPolicy\GPT.INI (4XL763tv.exe)
  File opened for modification: C:\Windows\System32\GroupPolicy (AppLaunch.exe)
  File opened for modification: C:\Windows\SysWOW64\GroupPolicy\gpt.ini (AppLaunch.exe)
  File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol (AppLaunch.exe)
  File opened for modification: C:\Windows\System32\GroupPolicy\GPT.INI (AppLaunch.exe)
  File opened for modification: C:\Windows\System32\GroupPolicy (4XL763tv.exe)
- Suspicious use of SetThreadContext 1 IoCs
  PID 1072 (1Ma25Tt3.exe) set thread context of PID 2712 (procid_target 30)
- Checks SCSI registry key(s) 3 TTPs 3 IoCs
  SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (3Eo80hP.exe)
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (3Eo80hP.exe)
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (3Eo80hP.exe)
- Checks processor information in registry 2 TTPs 2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (4XL763tv.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (4XL763tv.exe)
- Creates scheduled task(s) 1 TTPs 2 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 3004 schtasks.exe
  PID 2388 schtasks.exe
- Modifies system certificate store 3 IoCs
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 (4XL763tv.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (binary blob, elided) (4XL763tv.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (binary blob, elided) (4XL763tv.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (binary blob, elided) (4XL763tv.exe)
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  PID 2900 3Eo80hP.exe (2 entries)
  PID 1336 Process not Found (62 entries)
- Suspicious behavior: MapViewOfSection 1 IoCs
  PID 2900 3Eo80hP.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Token: SeShutdownPrivilege, PID 1336 Process not Found
- Suspicious use of FindShellTrayWindow 4 IoCs
  PID 1336 Process not Found (4 entries)
- Suspicious use of SendNotifyMessage 1 IoCs
  PID 1336 Process not Found
- Suspicious use of WriteProcessMemory 60 IoCs
  PID 2112 (ad49dd256adedfa2be9188ec3f68cb75.exe) wrote to memory of PID 2976, procid_target 28 (7 entries)
  PID 2976 (yo6PH81.exe) wrote to memory of PID 1072, procid_target 29 (7 entries)
  PID 1072 (1Ma25Tt3.exe) wrote to memory of PID 2712, procid_target 30 (14 entries)
  PID 2976 (yo6PH81.exe) wrote to memory of PID 2900, procid_target 31 (7 entries)
  PID 2712 (AppLaunch.exe) wrote to memory of PID 3004, procid_target 33 (7 entries)
  PID 2712 (AppLaunch.exe) wrote to memory of PID 2388, procid_target 34 (7 entries)
  PID 2112 (ad49dd256adedfa2be9188ec3f68cb75.exe) wrote to memory of PID 2972, procid_target 36 (7 entries)
  PID 1336 (Process not Found) wrote to memory of PID 2292, procid_target 39 (4 entries)
- outlook_office_path 1 IoCs
  Key opened: \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (4XL763tv.exe)
- outlook_win_path 1 IoCs
  Key opened: \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (4XL763tv.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\ad49dd256adedfa2be9188ec3f68cb75.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ad49dd256adedfa2be9188ec3f68cb75.exe"
  PID: 2112
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yo6PH81.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yo6PH81.exe
    PID: 2976
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ma25Tt3.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ma25Tt3.exe
      PID: 1072
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        PID: 2712
        - Drops startup file
        - Accesses Microsoft Outlook profiles
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
          PID: 3004
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
          PID: 2388
          - Creates scheduled task(s)
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Eo80hP.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Eo80hP.exe
      PID: 2900
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe
    PID: 2972
    - Executes dropped EXE
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Drops file in System32 directory
    - Checks processor information in registry
    - Modifies system certificate store
    - outlook_office_path
    - outlook_win_path
C:\Users\Admin\AppData\Local\Temp\3488.exe
  command line: C:\Users\Admin\AppData\Local\Temp\3488.exe
  PID: 2292
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Defense Evasion
  Modify Registry (2)
  Subvert Trust Controls (1)
    Install Root Certificate (1)
Downloads