Analysis
max time kernel: 141s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 30/12/2023, 11:52
Static task: static1
Behavioral task: behavioral1
  Sample: 179c225bcff75d26ca4577d77732f67d.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 179c225bcff75d26ca4577d77732f67d.exe
  Resource: win10v2004-20231215-en
General
Target: 179c225bcff75d26ca4577d77732f67d.exe
Size: 26KB
MD5: 179c225bcff75d26ca4577d77732f67d
SHA1: 5e96cf772e4143e28cdd7693319c7d0d704ea305
SHA256: 93d63a89c3831bd2c922accb28ce7b02ab18e92c9856eaa465c09102f4d74a96
SHA512: 638af6d8b499af41993536ef0a5d21cfbb929765cec9009ce7579fc53c53835b78f2f91c75281c04ad5add2db57f548ea0ff12c5cd772dc8dfbc46faba183729
SSDEEP: 768:cf7T23HlfKG3hT/sCWTxVsIhxN0qfFXGn:kH2Xl39EdL92n
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Drivers\beep.sys | 360safe.pif
-
Sets file execution options in registry 2 TTPs 60 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wuauclt.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ast.EXE | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE | 179c225bcff75d26ca4577d77732f67d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.EXE | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE | 179c225bcff75d26ca4577d77732f67d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonxp.kxp\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.EXE | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonxp.kxp | 179c225bcff75d26ca4577d77732f67d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WOPTILITIES.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ast.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE | 179c225bcff75d26ca4577d77732f67d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.EXE | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wuauclt.EXE | 179c225bcff75d26ca4577d77732f67d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.EXE | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.EXE | 179c225bcff75d26ca4577d77732f67d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.EXE | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Runiep.EXE | 179c225bcff75d26ca4577d77732f67d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.EXE | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.EXE | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPC32.EXE | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.EXE | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE | 179c225bcff75d26ca4577d77732f67d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.EXE | 179c225bcff75d26ca4577d77732f67d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAS.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.EXE | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~.EXE | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.EXE | 179c225bcff75d26ca4577d77732f67d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mmsk.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.EXE | 179c225bcff75d26ca4577d77732f67d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mmsk.EXE | 179c225bcff75d26ca4577d77732f67d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPC32.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAS.EXE | 179c225bcff75d26ca4577d77732f67d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Runiep.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WOPTILITIES.EXE | 179c225bcff75d26ca4577d77732f67d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe" | 179c225bcff75d26ca4577d77732f67d.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | 179c225bcff75d26ca4577d77732f67d.exe
-
Executes dropped EXE 1 IoCs
pid | Process
3300 | 360safe.pif
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\S: | 179c225bcff75d26ca4577d77732f67d.exe
File opened (read-only) | \??\T: | 179c225bcff75d26ca4577d77732f67d.exe
File opened (read-only) | \??\U: | 179c225bcff75d26ca4577d77732f67d.exe
File opened (read-only) | \??\G: | 179c225bcff75d26ca4577d77732f67d.exe
File opened (read-only) | \??\N: | 179c225bcff75d26ca4577d77732f67d.exe
File opened (read-only) | \??\I: | 179c225bcff75d26ca4577d77732f67d.exe
File opened (read-only) | \??\K: | 179c225bcff75d26ca4577d77732f67d.exe
File opened (read-only) | \??\R: | 179c225bcff75d26ca4577d77732f67d.exe
File opened (read-only) | \??\X: | 179c225bcff75d26ca4577d77732f67d.exe
File opened (read-only) | \??\E: | 179c225bcff75d26ca4577d77732f67d.exe
File opened (read-only) | \??\H: | 179c225bcff75d26ca4577d77732f67d.exe
File opened (read-only) | \??\Q: | 179c225bcff75d26ca4577d77732f67d.exe
File opened (read-only) | \??\V: | 179c225bcff75d26ca4577d77732f67d.exe
File opened (read-only) | \??\Y: | 179c225bcff75d26ca4577d77732f67d.exe
File opened (read-only) | \??\Z: | 179c225bcff75d26ca4577d77732f67d.exe
File opened (read-only) | \??\O: | 179c225bcff75d26ca4577d77732f67d.exe
File opened (read-only) | \??\P: | 179c225bcff75d26ca4577d77732f67d.exe
File opened (read-only) | \??\M: | 179c225bcff75d26ca4577d77732f67d.exe
File opened (read-only) | \??\W: | 179c225bcff75d26ca4577d77732f67d.exe
File opened (read-only) | \??\J: | 179c225bcff75d26ca4577d77732f67d.exe
File opened (read-only) | \??\L: | 179c225bcff75d26ca4577d77732f67d.exe
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\AUTORUN.INF | 179c225bcff75d26ca4577d77732f67d.exe
File created | C:\AUTORUN.INF | 179c225bcff75d26ca4577d77732f67d.exe
File opened for modification | F:\AUTORUN.INF | 179c225bcff75d26ca4577d77732f67d.exe
File created | F:\AUTORUN.INF | 179c225bcff75d26ca4577d77732f67d.exe
-
Drops file in System32 directory 4 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\360safe.pif | 179c225bcff75d26ca4577d77732f67d.exe
File created | C:\Windows\SysWOW64\360tray.dll | 179c225bcff75d26ca4577d77732f67d.exe
File opened for modification | C:\Windows\SysWOW64\360tray.dll | 179c225bcff75d26ca4577d77732f67d.exe
File created | C:\Windows\SysWOW64\c0n1me.exe | 179c225bcff75d26ca4577d77732f67d.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings
description | ioc | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CC13FF2F-0028-11D6-BB50-7672481B3261} = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{00D6B58F-0029-11D6-BB50-7672481B3261} = "0" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 52 IoCs
pid | Process
1008 | 179c225bcff75d26ca4577d77732f67d.exe
(this entry is repeated 52 times, one per enumeration call)
-
Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
656 | Process not Found
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1008 | 179c225bcff75d26ca4577d77732f67d.exe
Token: SeSystemtimePrivilege | 1008 | 179c225bcff75d26ca4577d77732f67d.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
5024 | iexplore.exe
2708 | IEXPLORE.EXE
-
Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process
5024 | iexplore.exe
5024 | iexplore.exe
4460 | IEXPLORE.EXE
4460 | IEXPLORE.EXE
4460 | IEXPLORE.EXE
4460 | IEXPLORE.EXE
2708 | IEXPLORE.EXE
2708 | IEXPLORE.EXE
3932 | IEXPLORE.EXE
3932 | IEXPLORE.EXE
3932 | IEXPLORE.EXE
3932 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1008 wrote to memory of 3452 | 1008 | 179c225bcff75d26ca4577d77732f67d.exe | 93
PID 1008 wrote to memory of 3452 | 1008 | 179c225bcff75d26ca4577d77732f67d.exe | 93
PID 1008 wrote to memory of 3452 | 1008 | 179c225bcff75d26ca4577d77732f67d.exe | 93
PID 1008 wrote to memory of 1976 | 1008 | 179c225bcff75d26ca4577d77732f67d.exe | 96
PID 1008 wrote to memory of 1976 | 1008 | 179c225bcff75d26ca4577d77732f67d.exe | 96
PID 1008 wrote to memory of 1976 | 1008 | 179c225bcff75d26ca4577d77732f67d.exe | 96
PID 3452 wrote to memory of 2312 | 3452 | cmd.exe | 97
PID 3452 wrote to memory of 2312 | 3452 | cmd.exe | 97
PID 3452 wrote to memory of 2312 | 3452 | cmd.exe | 97
PID 2312 wrote to memory of 380 | 2312 | net.exe | 99
PID 2312 wrote to memory of 380 | 2312 | net.exe | 99
PID 2312 wrote to memory of 380 | 2312 | net.exe | 99
PID 1976 wrote to memory of 1848 | 1976 | cmd.exe | 100
PID 1976 wrote to memory of 1848 | 1976 | cmd.exe | 100
PID 1976 wrote to memory of 1848 | 1976 | cmd.exe | 100
PID 1848 wrote to memory of 3896 | 1848 | net.exe | 101
PID 1848 wrote to memory of 3896 | 1848 | net.exe | 101
PID 1848 wrote to memory of 3896 | 1848 | net.exe | 101
PID 1008 wrote to memory of 4140 | 1008 | 179c225bcff75d26ca4577d77732f67d.exe | 102
PID 1008 wrote to memory of 4140 | 1008 | 179c225bcff75d26ca4577d77732f67d.exe | 102
PID 1008 wrote to memory of 4140 | 1008 | 179c225bcff75d26ca4577d77732f67d.exe | 102
PID 4140 wrote to memory of 4368 | 4140 | cmd.exe | 104
PID 4140 wrote to memory of 4368 | 4140 | cmd.exe | 104
PID 4140 wrote to memory of 4368 | 4140 | cmd.exe | 104
PID 4368 wrote to memory of 2516 | 4368 | net.exe | 105
PID 4368 wrote to memory of 2516 | 4368 | net.exe | 105
PID 4368 wrote to memory of 2516 | 4368 | net.exe | 105
PID 1008 wrote to memory of 3952 | 1008 | 179c225bcff75d26ca4577d77732f67d.exe | 106
PID 1008 wrote to memory of 3952 | 1008 | 179c225bcff75d26ca4577d77732f67d.exe | 106
PID 1008 wrote to memory of 3952 | 1008 | 179c225bcff75d26ca4577d77732f67d.exe | 106
PID 3952 wrote to memory of 2016 | 3952 | cmd.exe | 108
PID 3952 wrote to memory of 2016 | 3952 | cmd.exe | 108
PID 3952 wrote to memory of 2016 | 3952 | cmd.exe | 108
PID 2016 wrote to memory of 2364 | 2016 | net.exe | 110
PID 2016 wrote to memory of 2364 | 2016 | net.exe | 110
PID 2016 wrote to memory of 2364 | 2016 | net.exe | 110
PID 1008 wrote to memory of 4960 | 1008 | 179c225bcff75d26ca4577d77732f67d.exe | 111
PID 1008 wrote to memory of 4960 | 1008 | 179c225bcff75d26ca4577d77732f67d.exe | 111
PID 1008 wrote to memory of 4960 | 1008 | 179c225bcff75d26ca4577d77732f67d.exe | 111
PID 4960 wrote to memory of 2676 | 4960 | cmd.exe | 113
PID 4960 wrote to memory of 2676 | 4960 | cmd.exe | 113
PID 4960 wrote to memory of 2676 | 4960 | cmd.exe | 113
PID 2676 wrote to memory of 4868 | 2676 | net.exe | 114
PID 2676 wrote to memory of 4868 | 2676 | net.exe | 114
PID 2676 wrote to memory of 4868 | 2676 | net.exe | 114
PID 1008 wrote to memory of 2952 | 1008 | 179c225bcff75d26ca4577d77732f67d.exe | 115
PID 1008 wrote to memory of 2952 | 1008 | 179c225bcff75d26ca4577d77732f67d.exe | 115
PID 1008 wrote to memory of 2952 | 1008 | 179c225bcff75d26ca4577d77732f67d.exe | 115
PID 2952 wrote to memory of 5112 | 2952 | cmd.exe | 117
PID 2952 wrote to memory of 5112 | 2952 | cmd.exe | 117
PID 2952 wrote to memory of 5112 | 2952 | cmd.exe | 117
PID 5112 wrote to memory of 628 | 5112 | net.exe | 118
PID 5112 wrote to memory of 628 | 5112 | net.exe | 118
PID 5112 wrote to memory of 628 | 5112 | net.exe | 118
PID 1008 wrote to memory of 680 | 1008 | 179c225bcff75d26ca4577d77732f67d.exe | 119
PID 1008 wrote to memory of 680 | 1008 | 179c225bcff75d26ca4577d77732f67d.exe | 119
PID 1008 wrote to memory of 680 | 1008 | 179c225bcff75d26ca4577d77732f67d.exe | 119
PID 680 wrote to memory of 3656 | 680 | cmd.exe | 121
PID 680 wrote to memory of 3656 | 680 | cmd.exe | 121
PID 680 wrote to memory of 3656 | 680 | cmd.exe | 121
PID 3656 wrote to memory of 3904 | 3656 | net.exe | 122
PID 3656 wrote to memory of 3904 | 3656 | net.exe | 122
PID 3656 wrote to memory of 3904 | 3656 | net.exe | 122
PID 1008 wrote to memory of 3300 | 1008 | 179c225bcff75d26ca4577d77732f67d.exe | 123
Processes
C:\Users\Admin\AppData\Local\Temp\179c225bcff75d26ca4577d77732f67d.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\179c225bcff75d26ca4577d77732f67d.exe"
  - Sets file execution options in registry
  - Checks computer location settings
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1008
    C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /c net stop McShield
      - Suspicious use of WriteProcessMemory
      PID:3452
        C:\Windows\SysWOW64\net.exe
          cmdline: net stop McShield
          - Suspicious use of WriteProcessMemory
          PID:2312
            C:\Windows\SysWOW64\net1.exe
              cmdline: C:\Windows\system32\net1 stop McShield
              PID:380
    C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /c net stop KWhatchsvc
      - Suspicious use of WriteProcessMemory
      PID:1976
        C:\Windows\SysWOW64\net.exe
          cmdline: net stop KWhatchsvc
          - Suspicious use of WriteProcessMemory
          PID:1848
            C:\Windows\SysWOW64\net1.exe
              cmdline: C:\Windows\system32\net1 stop KWhatchsvc
              PID:3896
    C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /c net stop KPfwSvc
      - Suspicious use of WriteProcessMemory
      PID:4140
        C:\Windows\SysWOW64\net.exe
          cmdline: net stop KPfwSvc
          - Suspicious use of WriteProcessMemory
          PID:4368
            C:\Windows\SysWOW64\net1.exe
              cmdline: C:\Windows\system32\net1 stop KPfwSvc
              PID:2516
    C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /c net stop "Symantec AntiVirus"
      - Suspicious use of WriteProcessMemory
      PID:3952
        C:\Windows\SysWOW64\net.exe
          cmdline: net stop "Symantec AntiVirus"
          - Suspicious use of WriteProcessMemory
          PID:2016
            C:\Windows\SysWOW64\net1.exe
              cmdline: C:\Windows\system32\net1 stop "Symantec AntiVirus"
              PID:2364
    C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /c net stop "Symantec AntiVirus Definition Watcher"
      - Suspicious use of WriteProcessMemory
      PID:4960
        C:\Windows\SysWOW64\net.exe
          cmdline: net stop "Symantec AntiVirus Definition Watcher"
          - Suspicious use of WriteProcessMemory
          PID:2676
            C:\Windows\SysWOW64\net1.exe
              cmdline: C:\Windows\system32\net1 stop "Symantec AntiVirus Definition Watcher"
              PID:4868
    C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /c net stop "McAfee Framework ·þÎñ"
      - Suspicious use of WriteProcessMemory
      PID:2952
        C:\Windows\SysWOW64\net.exe
          cmdline: net stop "McAfee Framework ·þÎñ"
          - Suspicious use of WriteProcessMemory
          PID:5112
            C:\Windows\SysWOW64\net1.exe
              cmdline: C:\Windows\system32\net1 stop "McAfee Framework ·þÎñ"
              PID:628
    C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /c net stop "Norton AntiVirus Server"
      - Suspicious use of WriteProcessMemory
      PID:680
        C:\Windows\SysWOW64\net.exe
          cmdline: net stop "Norton AntiVirus Server"
          - Suspicious use of WriteProcessMemory
          PID:3656
            C:\Windows\SysWOW64\net1.exe
              cmdline: C:\Windows\system32\net1 stop "Norton AntiVirus Server"
              PID:3904
    C:\Windows\SysWOW64\360safe.pif
      cmdline: C:\Windows\system32\360safe.pif
      - Drops file in Drivers directory
      - Executes dropped EXE
      PID:3300
        C:\Program Files\Internet Explorer\iexplore.exe
          cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          PID:5024
            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5024 CREDAT:17410 /prefetch:2
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
              PID:4460
    C:\Windows\SysWOW64\cacls.exe
      cmdline: "C:\Windows\System32\cacls.exe" C:\Windows\system32\packet.dll /e /p everyone:f
      PID:2524
    C:\Windows\SysWOW64\cacls.exe
      cmdline: "C:\Windows\System32\cacls.exe" C:\Windows\system32\pthreadVC.dll /e /p everyone:f
      PID:4852
    C:\Windows\SysWOW64\cacls.exe
      cmdline: "C:\Windows\System32\cacls.exe" C:\Windows\system32\wpcap.dll /e /p everyone:f
      PID:3200
    C:\Windows\SysWOW64\cacls.exe
      cmdline: "C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\npf.sys /e /p everyone:f
      PID:4560
    C:\Windows\SysWOW64\cacls.exe
      cmdline: "C:\Windows\System32\cacls.exe" C:\Windows\system32\npptools.dll /e /p everyone:f
      PID:444
    C:\Windows\SysWOW64\cacls.exe
      cmdline: "C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\acpidisk.sys /e /p everyone:f
      PID:3632
    C:\Windows\SysWOW64\cacls.exe
      cmdline: "C:\Windows\System32\cacls.exe" C:\Windows\system32\wanpacket.dll /e /p everyone:f
      PID:2908
    C:\Windows\SysWOW64\cacls.exe
      cmdline: "C:\Windows\System32\cacls.exe" C:\Documents and Settings\All Users\¡¸¿ªÊ¼¡¹²Ëµ¥\³ÌÐò\Æô¶¯ /e /p everyone:f
      PID:3896
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
      cmdline: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      PID:2708
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:17410 /prefetch:2
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
          PID:3932
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CC13FF2F-0028-11D6-BB50-7672481B3261}.dat
Filesize: 5KB
MD5: 7377352dd7df9e54e70914d4bc880030
SHA1: e48f09ff55a0485aa5ca55a6f19db23d55e7f994
SHA256: ee9ae655d5f7e2b3388d3eb778aa3e0bae405d6bc32898466dee7813dd266b89
SHA512: ddad06582d21962cceb7b3116ebf11a2f63eeb2aff42553c14796835ea1d935f945e08a9fb05f26fd3bd7e9c3c06129bce123e91072308bcb35a2a0756b58ddc
-
Filesize: 4KB
MD5: b8f28133525c53a754c4c9b6e76f0ca6
SHA1: 8fa6e2b123fbbefea1cf5d3af04c73a81f73f5a4
SHA256: 56b6985ef209c84cc7015fbffd6200829f2893d4c985c9b48caaf42662553a48
SHA512: 7e225e7c585eac3ce1a50f378fe8932601df84fbd535c32323743216e33f15cadf32e6a0cca3a00a1fe0a027cd639db3a3260a38d7775c4d2a58aa8601074a40