Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 11/12/2023, 03:50
Static task
- static1
Behavioral task
- behavioral1
  - Sample: ad49dd256adedfa2be9188ec3f68cb75.exe
  - Resource: win7-20231129-en
Behavioral task
- behavioral2
  - Sample: ad49dd256adedfa2be9188ec3f68cb75.exe
  - Resource: win10v2004-20231130-en
General
- Target: ad49dd256adedfa2be9188ec3f68cb75.exe
- Size: 1.6MB
- MD5: ad49dd256adedfa2be9188ec3f68cb75
- SHA1: fe2b02b3d63339ca976759c0e450f82c288b8f3b
- SHA256: 78dd9812c391c45f55ae45735371b6ac7d9f84aba107da824895be3b1d3250e1
- SHA512: d20c1b37e4ae6fe1cf0451037192299939beabfa9eebf1d103481370a7c730d843d2ec3eae0483e6dfa27bd088d6d1f9539b033ea0f82d7379723ea245d622fc
- SSDEEP: 49152:BTouQ/MlgHcg1OeuDBLWoaOlJgbJrypAgLWnl:xouQ/olWglwrDJl
Malware Config
- Extracted: risepro
  - 193.233.132.51
- Extracted: smokeloader
  - 2022
  - http://81.19.131.34/fks/index.php
- Extracted: redline
  - LiveTraffic
  - 77.105.132.87:6731
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
- resource: behavioral1/memory/3044-237-0x0000000000080000-0x00000000000BC000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/3044-243-0x00000000023F0000-0x0000000002430000-memory.dmp, yara_rule: family_redline
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Drops startup file 1 IoCs
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk (AppLaunch.exe)
-
Executes dropped EXE 5 IoCs
- PID 2956: yo6PH81.exe
- PID 3008: 1Ma25Tt3.exe
- PID 2604: 3Eo80hP.exe
- PID 1796: 4XL763tv.exe
- PID 3044: 93A8.exe
-
Loads dropped DLL 10 IoCs
- PID 2664: ad49dd256adedfa2be9188ec3f68cb75.exe
- PID 2956: yo6PH81.exe
- PID 2956: yo6PH81.exe
- PID 2956: yo6PH81.exe
- PID 3008: 1Ma25Tt3.exe
- PID 2956: yo6PH81.exe
- PID 2956: yo6PH81.exe
- PID 2604: 3Eo80hP.exe
- PID 2664: ad49dd256adedfa2be9188ec3f68cb75.exe
- PID 1796: 4XL763tv.exe
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
- Key opened: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (4XL763tv.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (4XL763tv.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (4XL763tv.exe)
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (yo6PH81.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" (AppLaunch.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (ad49dd256adedfa2be9188ec3f68cb75.exe)
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 18: ipinfo.io
- flow 19: ipinfo.io
- flow 4: ipinfo.io
- flow 5: ipinfo.io
-
Drops file in System32 directory 8 IoCs
- File opened for modification: C:\Windows\System32\GroupPolicy (4XL763tv.exe)
- File opened for modification: C:\Windows\SysWOW64\GroupPolicy\gpt.ini (4XL763tv.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy\Machine\Registry.pol (4XL763tv.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy\GPT.INI (4XL763tv.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy (AppLaunch.exe)
- File opened for modification: C:\Windows\SysWOW64\GroupPolicy\gpt.ini (AppLaunch.exe)
- File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol (AppLaunch.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy\GPT.INI (AppLaunch.exe)
-
Suspicious use of SetThreadContext 1 IoCs
- PID 3008 (1Ma25Tt3.exe) set thread context of PID 2148 (procid_target 30)
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
- Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (3Eo80hP.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (3Eo80hP.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (3Eo80hP.exe)
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (4XL763tv.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (AppLaunch.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (AppLaunch.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (4XL763tv.exe)
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 2640: schtasks.exe
- PID 2588: schtasks.exe
-
Modifies system certificate store 4 IoCs
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 (4XL763tv.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob data not preserved in this copy] (4XL763tv.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob data not preserved in this copy] (4XL763tv.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob data not preserved in this copy] (4XL763tv.exe)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 2604: 3Eo80hP.exe (2 entries)
- PID 1380: Process not Found (62 entries)
-
Suspicious behavior: MapViewOfSection 1 IoCs
- PID 2604: 3Eo80hP.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
- Token: SeShutdownPrivilege, PID 1380: Process not Found (4 entries)
- Token: SeDebugPrivilege, PID 3044: 93A8.exe
-
Suspicious use of FindShellTrayWindow 4 IoCs
- PID 1380: Process not Found (4 entries)
-
Suspicious use of SendNotifyMessage 1 IoCs
- PID 1380: Process not Found
-
Suspicious use of WriteProcessMemory 60 IoCs
- PID 2664 (ad49dd256adedfa2be9188ec3f68cb75.exe) wrote to memory of PID 2956, procid_target 28 (7 entries)
- PID 2956 (yo6PH81.exe) wrote to memory of PID 3008, procid_target 29 (7 entries)
- PID 3008 (1Ma25Tt3.exe) wrote to memory of PID 2148, procid_target 30 (14 entries)
- PID 2956 (yo6PH81.exe) wrote to memory of PID 2604, procid_target 35 (7 entries)
- PID 2148 (AppLaunch.exe) wrote to memory of PID 2640, procid_target 32 (7 entries)
- PID 2148 (AppLaunch.exe) wrote to memory of PID 2588, procid_target 34 (7 entries)
- PID 2664 (ad49dd256adedfa2be9188ec3f68cb75.exe) wrote to memory of PID 1796, procid_target 36 (7 entries)
- PID 1380 (Process not Found) wrote to memory of PID 3044, procid_target 37 (4 entries)
-
outlook_office_path 1 IoCs
- Key opened: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (4XL763tv.exe)
-
outlook_win_path 1 IoCs
- Key opened: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (4XL763tv.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\ad49dd256adedfa2be9188ec3f68cb75.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad49dd256adedfa2be9188ec3f68cb75.exe"
  Depth 1, PID 2664
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yo6PH81.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yo6PH81.exe
    Depth 2, PID 2956
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ma25Tt3.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ma25Tt3.exe
      Depth 3, PID 3008
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        Depth 4, PID 2148
        - Drops startup file
        - Accesses Microsoft Outlook profiles
        - Adds Run key to start application
        - Drops file in System32 directory
        - Checks processor information in registry
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
          Depth 5, PID 2640
          - Creates scheduled task(s)
        - C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
          Depth 5, PID 2588
          - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Eo80hP.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Eo80hP.exe
      Depth 3, PID 2604
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe
    Depth 2, PID 1796
    - Executes dropped EXE
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Drops file in System32 directory
    - Checks processor information in registry
    - Modifies system certificate store
    - outlook_office_path
    - outlook_win_path
- C:\Users\Admin\AppData\Local\Temp\93A8.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\93A8.exe
  Depth 1, PID 3044
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Defense Evasion
- Modify Registry (2)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Downloads