Analysis
max time kernel: 142s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2023, 07:36
Static task
static1
Behavioral task
behavioral1
Sample
Video.scr
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
Video.scr
Resource
win10v2004-20231215-en
General
-
Target
Video.scr
-
Size
501KB
-
MD5
95e262649c92fe0ed751212d5ab5ceb4
-
SHA1
47335a184e4ea778f4bd5fefdb84862f53377486
-
SHA256
b401cbb362310927a6c965b0c08572cbe1d306a45f2c4fc0d180950b997c0f45
-
SHA512
b19dfee8dee74636e7887bc8a4e82795040c0508ba41c8fd591ff5ae9933cb4a69c83e4d738a47a771b07d018aee2ed9e8d54f94b5ed05ea4d0fe584f8f1c9dd
-
SSDEEP
6144:mKrxiyLvmWVXGlvqSKMXoztsPaB/9O+xBh0OXjNKU7+X0X+Yhs3hKjV0Muq+p/Oc:3tLXhnWoJsPa/FbTgU7HX+YZVDvZ9Y
Malware Config
Signatures
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | Video.scr
Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | cmd.exe
Drops startup file 1 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ФАЙЛЫ.txt | Video.scr
Executes dropped EXE 1 IoCs
pid | Process
2204 | svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 38 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.xls | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\de-DE\Licenses\Volume\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\en-US\lpeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\es-ES\lpeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\ja-JP\Licenses\_Default\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\Licenses\neutral\OEM\Professional\de-license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\fr-FR\lipeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\it-IT\Licenses\OEM\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\ja-JP\Licenses\OEM\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\en-US\lipeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\fr-FR\Licenses\OEM\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\it-IT\Licenses\_Default\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\ja-JP\Licenses\Volume\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\de-DE\lpeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\en-US\Licenses\Volume\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\es-ES\Licenses\OEM\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\Licenses\neutral\Volume\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\it-IT\lipeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\it-IT\lpeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\Licenses\neutral\_Default\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\en-US\Licenses\_Default\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\es-ES\Licenses\_Default\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\es-ES\lipeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\fr-FR\lpeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\de-DE\Licenses\OEM\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\de-DE\lipeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\fr-FR\Licenses\_Default\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\ja-JP\lipeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\Licenses\neutral\_Default\Professional\de-license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\de-DE\Licenses\_Default\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\fr-FR\Licenses\Volume\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\ja-JP\lpeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\Licenses\neutral\OEM\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\en-US\Licenses\OEM\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\es-ES\Licenses\Volume\Professional\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\SysWOW64\it-IT\Licenses\Volume\Professional\license.rtf | svchost.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\Desktop\Wallpaper = "c:\\ooo.jpg" | svchost.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\39.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\Sticker.mp4 | svchost.exe
File opened for modification | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf | svchost.exe
File opened for modification | \??\c:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_120.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\34.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\30.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomSetupDisambig.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleAppAssets\Videos\people_fre_motionAsset_p1.mp4 | svchost.exe
File opened for modification | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\combine_poster.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\canvas_light.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Wood.jpg | svchost.exe
File opened for modification | C:\Program Files (x86)\Adobe Systems,inc\Adobe Flash Video\fr_1c8f429d30f12575\OOBE_HELP_Cortana_Learn_More.rtf | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireMedTile.scale-100.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_03.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images | svchost.exe
File opened for modification | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf | svchost.exe
File opened for modification | C:\Program Files (x86)\Adobe Systems,inc\Adobe Flash Video\es_79d7cc9e3e1f0f13\OOBE_HELP_Cortana_Learn_More.rtf | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MotionController_Hero.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\RoundedFreehand3D.mp4 | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\music_offline_demo_page1.jpg | svchost.exe
File opened for modification | C:\Program Files (x86)\Adobe Systems,inc\Adobe Flash Video\Paper.pdf | svchost.exe
File opened for modification | C:\Program Files (x86)\Adobe Systems,inc\Adobe Flash Video\es_b4637444f479d524\OOBE_HELP_Opt_in_Details.rtf | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\30.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\27.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\DialSticker.mp4 | svchost.exe
File opened for modification | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless | svchost.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4 | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\2.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\7.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\SmartSelect\Magic_Select_remove_tool.mp4 | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\5.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\DialRotation.mp4 | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe | svchost.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4 | svchost.exe
File opened for modification | \??\c:\Program Files\UnregisterCheckpoint.rtf | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\46.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\39.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\40.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\29.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericEnglish-2.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\15.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.JPG | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg2.jpg | svchost.exe
File opened for modification | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericEnglish-3.jpg | svchost.exe
File opened for modification | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\protect_poster.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\91.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\Welcome_Slide01.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MotionController_Diagram.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Concrete.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Marble.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\music_welcome_page.jpg | svchost.exe
File opened for modification | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\6.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericEnglish-1.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\1.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireWideTile.scale-100.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg5.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\7.jpg | svchost.exe
File opened for modification | \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\82.jpg | svchost.exe
File opened for modification | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf | svchost.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS | svchost.exe
File opened for modification | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\review_poster.jpg | svchost.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-h..indetails.resources_31bf3856ad364e35_10.0.19041.1_de-de_0ba741680574d7ba | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..volume-professional_31bf3856ad364e35_10.0.19041.264_none_0594d8f155680dee\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-h..atement_r.resources_31bf3856ad364e35_10.0.19041.1_es-es_0cef4537345a980a\privacy.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_10.0.19041.1_en-us_b2793038e338696e\lpeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_it-it_e1ec0ac43f1514a8\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_10.0.19041.1_de-de_13dd049228bb1fa4\lipeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\help.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_es-es_550c9e7e751118c8\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_netfx4-aspnet_webadmin_images_b03f5f7f11d50a3a_4.0.15805.0_none_7ab11546ceb3decd\help.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_10.0.19041.1_es-es_b2448d1ce35f5b13\lipeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme1_31bf3856ad364e35_10.0.19041.1_none_8ccb1090444b78d3\img1.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_8a8440f738abd1b9\DMR_120.jpg | svchost.exe
File opened for modification | \??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1266_en-us_68eabd5c6b1d4e11\r\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_f7c4147d67e32f2a\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\Web\Wallpaper\Theme1\img13.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_10.0.19041.1_de-de_09885a3ff45a5da9\lpeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_4c98ca3d4842866a\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.153_none_f3a9dc0fe254a157\DMR_48.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1266_en-us_7636dd425605d882\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_6fa7e5bbaa15a17d\help.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_es-es_b72d74244058fa79\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-l..se-oem-professional_31bf3856ad364e35_10.0.19041.1288_none_82da9179703def48\f\de-license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_6fa7e5bbaa15a17d\darkBlue_GRAD.jpg | svchost.exe
File opened for modification | \??\c:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\help.jpg | svchost.exe
File opened for modification | \??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_6fa7e5bbaa15a17d\topGradRepeat.jpg | svchost.exe
File opened for modification | \??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..se-oem-professional_31bf3856ad364e35_10.0.19041.1288_none_def92cfd289b607e\f\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.153_none_e95531bdadf3df5c\DMR_120.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\img8.jpg | svchost.exe
File opened for modification | \??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\security_watermark.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-s..l-wallpaper-windows_31bf3856ad364e35_10.0.19041.1_none_910333b84fcf455a\img0_1366x768.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\img12.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_10.0.19041.746_none_e180169f2d62e633\wmpnss_color120.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_de-de_a50685ddae0e0168\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_it-it_daa225006716fab2\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\security_watermark.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_27faaee495997877\darkBlue_GRAD.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_en-us_b7621740403208d4\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\Web\Wallpaper\Theme1\img4.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_netfx4-aspnet_webadmin_images_b03f5f7f11d50a3a_4.0.15805.0_none_3303de6fba37b5c7\ASPdotNET_logo.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1266_en-us_b7f76c18d260859b\f\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1266_en-us_b7f76c18d260859b\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_it-it_440ce06a0a5cf659\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..efault-professional_31bf3856ad364e35_10.0.19041.1288_none_0fb30e7d925e4d06\de-license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_de-de_6a8fdccb09b16e45\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_eb9e22c1d4df2ac9\lpeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.xls | svchost.exe
File opened for modification | \??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-h..atement_r.resources_31bf3856ad364e35_10.0.19041.1_de-de_6433125a45559aa0\privacy.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-fax-common_31bf3856ad364e35_10.0.19041.906_none_ea293d31af4f56ea\WelcomeScan.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-l..efault-professional_31bf3856ad364e35_10.0.19041.1288_none_b39472f9da00dbd0\r\de-license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-analog-h2-animpkg-baked_31bf3856ad364e35_10.0.19041.1_none_3f2b130eba574dfc\typecompendium.hkdoc | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_10.0.19041.1_en-us_b2793038e338696e\lipeula.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-h..indetails.resources_31bf3856ad364e35_10.0.19041.423_en-us_dcb2edf1b3b7266d | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-h..learnmore.resources_31bf3856ad364e35_10.0.19041.1_fr- | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_4250fafab5d5796a\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..se-oem-professional_31bf3856ad364e35_10.0.19041.1288_none_def92cfd289b607e\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-h..statement.resources_31bf3856ad364e35_10.0.19041.1_de-de_3d31a99dae024d07\vofflps.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..efault-professional_31bf3856ad364e35_10.0.19041.1288_none_0fb30e7d925e4d06\license.rtf | svchost.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-l..se-oem-professional_31bf3856ad364e35_10.0.19041.1288_none_def92cfd289b607e\r\de-license.rtf | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid | pid_target | Process | procid_target
1320 | 2204 | WerFault.exe | 92
Modifies Control Panel 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\Desktop\ | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\Desktop\TileWallpaper = "0" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\Desktop | svchost.exe
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings | Video.scr
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2204 | svchost.exe
2204 | svchost.exe
Suspicious use of WriteProcessMemory 14 IoCs
description | pid | Process | procid_target
PID 4536 wrote to memory of 4268 | 4536 | Video.scr | 91
PID 4536 wrote to memory of 4268 | 4536 | Video.scr | 91
PID 4536 wrote to memory of 4268 | 4536 | Video.scr | 91
PID 4536 wrote to memory of 2204 | 4536 | Video.scr | 92
PID 4536 wrote to memory of 2204 | 4536 | Video.scr | 92
PID 4536 wrote to memory of 2204 | 4536 | Video.scr | 92
PID 2204 wrote to memory of 2248 | 2204 | svchost.exe | 112
PID 2204 wrote to memory of 2248 | 2204 | svchost.exe | 112
PID 2204 wrote to memory of 2248 | 2204 | svchost.exe | 112
PID 4536 wrote to memory of 3808 | 4536 | Video.scr | 114
PID 4536 wrote to memory of 3808 | 4536 | Video.scr | 114
PID 4536 wrote to memory of 3808 | 4536 | Video.scr | 114
PID 3808 wrote to memory of 732 | 3808 | cmd.exe | 116
PID 3808 wrote to memory of 732 | 3808 | cmd.exe | 116
Processes
- C:\Users\Admin\AppData\Local\Temp\Video.scr (PID 4536, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Video.scr" /S
  - Checks computer location settings
  - Drops startup file
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe (PID 4268, depth 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Adobe Systems,inc\Adobe Flash Video\msg.vbs"
  - C:\Program Files (x86)\Adobe Systems,inc\Adobe Flash Video\svchost.exe (PID 2204, depth 2)
    Command line: "C:\Program Files (x86)\Adobe Systems,inc\Adobe Flash Video\svchost.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 1320, depth 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 444
      - Program crash
    - C:\Windows\SysWOW64\cmd.exe (PID 2248, depth 3)
      Command line: C:\Windows\system32\cmd.exe /c uuu.bat
  - C:\Windows\SysWOW64\cmd.exe (PID 3808, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Adobe Systems,inc\Adobe Flash Video\stata.bat" "
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Internet Explorer\iexplore.exe (PID 732, depth 3)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" "http://moops.sooot.cn/"
      - Modifies Internet Explorer settings
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2524, depth 4)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:732 CREDAT:17410 /prefetch:2
- C:\Windows\SysWOW64\WerFault.exe (PID 4556, depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2204 -ip 2204
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 93B
  MD5: b34b57288f11f444c45c6b01a5686f5b
  SHA1: adf5cd49bba9f026170ba97f2583b4e33cc37eb3
  SHA256: 0e00483a4a7e1c83ad577e08a4207ea62ec51c7e817d921256855d857dda6262
  SHA512: 4aae8d2eeae05d501f98adecbcc54415838b48db405f8bae0afdc156ab633865724a37d9bd0dd08783e7a323b779f4af0702d1d499c593264b8b0cc1b92dc4b7
- Filesize: 54B
  MD5: 37f62c226aeaa2be7cdfe7cd079db9fe
  SHA1: 5c9479864576b9617a0997fe745b4cf846279073
  SHA256: b2ad75022d0f6a008df39fc6e5edf3550f6df011a5ff4a0100652a3fa3048179
  SHA512: fde4d2a763a43403469713df775d1b6e332543d546973ac81158061b3971c1317a9ebbd7b0c7a2564f9297981ffb12f36b61f81f7a83b0c62751c80e458d2fbe
- Filesize: 363KB
  MD5: 51110e395ff4bd02ba1964e0aac40ede
  SHA1: 5f6071853af3d92b90ba514f66272b2b40c6903c
  SHA256: d941bbe06aa47be79909ec6b94d6ba68358c5cdfb542cb3de3acfe8895f889ab
  SHA512: 9de12e8feab39a41c2098526e24318b9ecbb972c4bb08e1ac82ee13e107dad8d91d876ad252a290d26e50ddc80bb1479cf62b8a5b425f7098ddcd36b6a7b6dce
- Filesize: 69KB
  MD5: b6464769e6a6e5921ce14a3aa8e18995
  SHA1: 74afa91347dc0f1eefd967235376859df6487343
  SHA256: 8b8ce9e23e9fd5eaca187bfb2d17e701bdd840f8d131dc30d069120a7a464300
  SHA512: 508cfb0f2bafcbc85eb4a9e514e0c6e87623ee785c19c842f85849af1d1afe590eac4394edc9657db51d0753f86b1256cb4e2a91802e25fcaed6ee179c74ad7f
- Filesize: 17B
  MD5: bf55292f19b02c6dd1934f2ea2c6ae9d
  SHA1: 0dc0e99b63b557bd0eef88422a98bdd944bc0d86
  SHA256: 0a233cde4c8f447e9de44205506e62fee592a625f9c4e1ee1394a5de9712902e
  SHA512: e570ce99327527cd3d63256eac3763ba88e33ff4110bbcbeddce0860e88b45afb8180ef82a01669a6e5205a28353a9fce95a1cd9906da10670f9a7c9d947c500