Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 131s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 02/01/2024, 15:47
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 0131cfffda842b8b3da4ad14b00b1d4a.exe
  - Resource: win7-20231215-en
- Behavioral task: behavioral2
  - Sample: 0131cfffda842b8b3da4ad14b00b1d4a.exe
  - Resource: win10v2004-20231222-en
General
- Target: 0131cfffda842b8b3da4ad14b00b1d4a.exe
- Size: 3.2MB
- MD5: 0131cfffda842b8b3da4ad14b00b1d4a
- SHA1: 99d6917f016a45a4deba595a5bc77bc87c14f54c
- SHA256: 1785f5f01c24a146f857a3b4a1b9e9cd0d23dea8b25f51c36186cdbeae50a0f2
- SHA512: 23fcdb269d5470491b23e558682eaecfefbcf9b728b764cfd4d859895aece566179c5a33924f0a5c2eea04d94f56ae0ce12a3dc767be5160d2f94166bd64c08d
- SSDEEP: 49152:bberQZbd2GerQZbd2GerQZbd2ZerQZbd2GerQZbd2GerQZbd2t:WrQZ8rQZ8rQZnrQZ8rQZ8rQZy
Signatures
- Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | regedit.exe
- Blocks application from running via registry modification (17 IoCs)
  Adds application to list of disallowed applications.
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "KAVStart.EXE" | regedit.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "CCenter.exe" | regedit.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "RavMon.exe" | regedit.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "rfwcfg.exe" | regedit.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "RavService.exe" | regedit.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "KPFW32.EXE" | regedit.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "KPFW32X.EXE" | regedit.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "KAVPFW.EXE" | regedit.exe
  Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | regedit.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "RavMoD.exe" | regedit.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "RavStub.exe" | regedit.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "avp.exe" | regedit.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "RfwMain.exe" | regedit.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "Rav.exe" | regedit.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | regedit.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "Rfwsrv.exe" | regedit.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "KAV32.EXE" | regedit.exe
- Sets file execution options in registry (2 TTPs, 20 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.EXE\Debugger = "D:\\RECYCLER\\????8.exe" | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMoD.exe | regedit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMoD.exe\Debugger = "D:\\RECYCLER\\????8.exe" | regedit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger = "D:\\RECYCLER\\????8.exe" | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe | regedit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger = "D:\\RECYCLER\\????8.exe" | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.EXE | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe | regedit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "D:\\RECYCLER\\????8.exe" | regedit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe\Debugger = "D:\\RECYCLER\\????8.exe" | regedit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rfwsrv.exe\Debugger = "D:\\RECYCLER\\????8.exe" | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe | regedit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\Debugger = "D:\\RECYCLER\\????8.exe" | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rfwsrv.exe | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe | regedit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "D:\\RECYCLER\\????8.exe" | regedit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "D:\\RECYCLER\\????8.exe" | regedit.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  1868 | KavUpda.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  1016 | 0131cfffda842b8b3da4ad14b00b1d4a.exe
  1016 | 0131cfffda842b8b3da4ad14b00b1d4a.exe
- Drops autorun.inf file (1 TTP, 2 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  description | ioc | Process
  File opened for modification | F:\Autorun.inf | KavUpda.exe
  File opened for modification | C:\Autorun.inf | KavUpda.exe
- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\Option.bat | 0131cfffda842b8b3da4ad14b00b1d4a.exe
  File opened for modification | C:\Windows\SysWOW64\Option.bat | KavUpda.exe
  File opened for modification | C:\Windows\SysWOW64\Folderdir | 0131cfffda842b8b3da4ad14b00b1d4a.exe
- Drops file in Program Files directory (7 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | 0131cfffda842b8b3da4ad14b00b1d4a.exe
  File opened for modification | C:\Program Files\7-Zip\7z.exe | 0131cfffda842b8b3da4ad14b00b1d4a.exe
  File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 0131cfffda842b8b3da4ad14b00b1d4a.exe
  File opened for modification | C:\Program Files\7-Zip\7zG.exe | 0131cfffda842b8b3da4ad14b00b1d4a.exe
  File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 0131cfffda842b8b3da4ad14b00b1d4a.exe
  File opened for modification | C:\Program Files\DVD Maker\DVDMaker.exe | 0131cfffda842b8b3da4ad14b00b1d4a.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | 0131cfffda842b8b3da4ad14b00b1d4a.exe
- Drops file in Windows directory (10 IoCs)
  description | ioc | Process
  File created | C:\Windows\Sysinf.bat | 0131cfffda842b8b3da4ad14b00b1d4a.exe
  File created | C:\Windows\regedt32.sys | 0131cfffda842b8b3da4ad14b00b1d4a.exe
  File created | C:\Windows\regedt32.sys | KavUpda.exe
  File created | C:\Windows\system\KavUpda.exe | 0131cfffda842b8b3da4ad14b00b1d4a.exe
  File opened for modification | C:\Windows\system\KavUpda.exe | 0131cfffda842b8b3da4ad14b00b1d4a.exe
  File created | C:\Windows\Help\HelpCat.exe | 0131cfffda842b8b3da4ad14b00b1d4a.exe
  File opened for modification | C:\Windows\regedt32.sys | KavUpda.exe
  File opened for modification | C:\Windows\Help\HelpCat.exe | 0131cfffda842b8b3da4ad14b00b1d4a.exe
  File opened for modification | C:\Windows\system\KavUpda.exe | KavUpda.exe
  File opened for modification | C:\Windows\Sysinf.bat | KavUpda.exe
- Launches sc.exe (8 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid | Process
  2140 | sc.exe
  1120 | sc.exe
  528 | sc.exe
  2608 | sc.exe
  1036 | sc.exe
  940 | sc.exe
  1228 | sc.exe
  1680 | sc.exe
- Runs net.exe
- Runs regedit.exe (1 IoC)
  pid | Process
  2924 | regedit.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  1016 | 0131cfffda842b8b3da4ad14b00b1d4a.exe
  1868 | KavUpda.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
- Views/modifies file attributes (1 TTP, 15 IoCs)
  pid | Process
  2716 | attrib.exe
  1472 | attrib.exe
  2888 | attrib.exe
  2624 | attrib.exe
  2604 | attrib.exe
  2508 | attrib.exe
  2560 | attrib.exe
  1368 | attrib.exe
  1608 | attrib.exe
  2488 | attrib.exe
  2420 | attrib.exe
  620 | attrib.exe
  336 | attrib.exe
  2328 | attrib.exe
  1796 | attrib.exe
Processes (tree indented by depth; each entry is PID | image | command line, with its matched signatures on the following line)
- PID 1016 | C:\Users\Admin\AppData\Local\Temp\0131cfffda842b8b3da4ad14b00b1d4a.exe | "C:\Users\Admin\AppData\Local\Temp\0131cfffda842b8b3da4ad14b00b1d4a.exe"
  Loads dropped DLL; Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - PID 2644 | C:\Windows\SysWOW64\cmd.exe | cmd /c C:\Windows\system32\Option.bat
  - PID 1716 | C:\Windows\SysWOW64\net.exe | net.exe start schedule /y
    Suspicious use of WriteProcessMemory
    - PID 2456 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 start schedule /y
  - PID 2668 | C:\Windows\SysWOW64\At.exe | At.exe 3:53:38 PM C:\Windows\Help\HelpCat.exe
  - PID 2784 | C:\Windows\SysWOW64\cmd.exe | cmd /c at 3:52:40 PM C:\Windows\Sysinf.bat
    Suspicious use of WriteProcessMemory
    - PID 3052 | C:\Windows\SysWOW64\at.exe | at 3:52:40 PM C:\Windows\Sysinf.bat
  - PID 2716 | C:\Windows\SysWOW64\net.exe | net.exe stop wscsvc /y
    Suspicious use of WriteProcessMemory
    - PID 2620 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop wscsvc /y
  - PID 2724 | C:\Windows\SysWOW64\net.exe | net.exe stop wuauserv /y
    Suspicious use of WriteProcessMemory
    - PID 2616 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop wuauserv /y
  - PID 2140 | C:\Windows\SysWOW64\sc.exe | C:\Windows\system32\sc.exe config srservice start= disabled
    Launches sc.exe
  - PID 1120 | C:\Windows\SysWOW64\sc.exe | C:\Windows\system32\sc.exe config wscsvc start= disabled
    Launches sc.exe
  - PID 528 | C:\Windows\SysWOW64\sc.exe | C:\Windows\system32\sc.exe config srservice start= disabled
    Launches sc.exe
  - PID 2608 | C:\Windows\SysWOW64\sc.exe | C:\Windows\system32\sc.exe config SharedAccess start= disabled
    Launches sc.exe
  - PID 2584 | C:\Windows\SysWOW64\net.exe | net.exe stop 360timeprot /y
  - PID 2588 | C:\Windows\SysWOW64\net.exe | net.exe stop srservice /y
  - PID 2696 | C:\Windows\SysWOW64\net.exe | net.exe stop sharedaccess /y
    Suspicious use of WriteProcessMemory
  - PID 2836 | C:\Windows\SysWOW64\cmd.exe | cmd /c at 3:55:40 PM C:\Windows\Sysinf.bat
    Suspicious use of WriteProcessMemory
  - PID 2924 | C:\Windows\SysWOW64\regedit.exe | regedit.exe /s C:\Windows\regedt32.sys
    Modifies visibility of file extensions in Explorer; Blocks application from running via registry modification; Sets file execution options in registry; Runs regedit.exe
  - PID 1636 | C:\Windows\SysWOW64\reg.exe | C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
  - PID 2156 | C:\Windows\SysWOW64\reg.exe | C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
  - PID 1868 | C:\Windows\system\KavUpda.exe | C:\Windows\system\KavUpda.exe
    Executes dropped EXE; Drops autorun.inf file; Drops file in System32 directory; Drops file in Windows directory; Suspicious use of SetWindowsHookEx
    - PID 2864 | C:\Windows\SysWOW64\net.exe | net.exe start schedule /y
      - PID 1668 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 start schedule /y
    - PID 1468 | C:\Windows\SysWOW64\cmd.exe | cmd /c C:\Windows\system32\Option.bat
    - PID 1404 | C:\Windows\SysWOW64\At.exe | At.exe 3:53:45 PM C:\Windows\Help\HelpCat.exe
    - PID 1756 | C:\Windows\SysWOW64\cmd.exe | cmd /c at 3:52:47 PM C:\Windows\Sysinf.bat
      - PID 2336 | C:\Windows\SysWOW64\at.exe | at 3:52:47 PM C:\Windows\Sysinf.bat
    - PID 1380 | C:\Windows\SysWOW64\net.exe | net.exe stop wscsvc /y
      - PID 2000 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop wscsvc /y
    - PID 1036 | C:\Windows\SysWOW64\sc.exe | C:\Windows\system32\sc.exe config SharedAccess start= disabled
      Launches sc.exe
    - PID 940 | C:\Windows\SysWOW64\sc.exe | C:\Windows\system32\sc.exe config wscsvc start= disabled
      Launches sc.exe
    - PID 1536 | C:\Windows\SysWOW64\reg.exe | C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
    - PID 552 | C:\Windows\SysWOW64\cmd.exe | cmd /c rmdir F:\Autorun.inf /s /q
    - PID 2016 | C:\Windows\SysWOW64\cmd.exe | cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
      - PID 1608 | C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r F:\Autorun.inf\*.* /s /d
        Views/modifies file attributes
    - PID 2280 | C:\Windows\SysWOW64\reg.exe | C:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f
    - PID 1228 | C:\Windows\SysWOW64\sc.exe | C:\Windows\system32\sc.exe config srservice start= disabled
      Launches sc.exe
    - PID 1680 | C:\Windows\SysWOW64\sc.exe | C:\Windows\system32\sc.exe config srservice start= disabled
      Launches sc.exe
    - PID 2112 | C:\Windows\SysWOW64\net.exe | net.exe stop 360timeprot /y
    - PID 2100 | C:\Windows\SysWOW64\net.exe | net.exe stop srservice /y
    - PID 2604 | C:\Windows\SysWOW64\net.exe | net.exe stop wuauserv /y
    - PID 2956 | C:\Windows\SysWOW64\net.exe | net.exe stop sharedaccess /y
    - PID 1512 | C:\Windows\SysWOW64\cmd.exe | cmd /c at 3:55:47 PM C:\Windows\Sysinf.bat
    - PID 3060 | C:\Windows\SysWOW64\cmd.exe | cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
      - PID 2508 | C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r C:\Autorun.inf\*.* /s /d
        Views/modifies file attributes
    - PID 2268 | C:\Windows\SysWOW64\cmd.exe | cmd /c rmdir C:\Autorun.inf /s /q
    - PID 2852 | C:\Windows\SysWOW64\cmd.exe | cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
      - PID 2560 | C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r F:\Autorun.inf\*.* /s /d
        Views/modifies file attributes
    - PID 2420 | C:\Windows\SysWOW64\cmd.exe | cmd /c rmdir F:\Autorun.inf /s /q
    - PID 1992 | C:\Windows\SysWOW64\cmd.exe | cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
      - PID 336 | C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r C:\Autorun.inf\*.* /s /d
        Views/modifies file attributes
    - PID 324 | C:\Windows\SysWOW64\cmd.exe | cmd /c rmdir C:\Autorun.inf /s /q
    - PID 872 | C:\Windows\SysWOW64\cmd.exe | cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
      - PID 1472 | C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r F:\Autorun.inf\*.* /s /d
        Views/modifies file attributes
    - PID 2248 | C:\Windows\SysWOW64\cmd.exe | cmd /c rmdir F:\Autorun.inf /s /q
    - PID 568 | C:\Windows\SysWOW64\cmd.exe | cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
      - PID 2888 | C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r C:\Autorun.inf\*.* /s /d
        Views/modifies file attributes
    - PID 2676 | C:\Windows\SysWOW64\cmd.exe | cmd /c rmdir C:\Autorun.inf /s /q
    - PID 2956 | C:\Windows\SysWOW64\cmd.exe | cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
      - PID 1368 | C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r F:\Autorun.inf\*.* /s /d
        Views/modifies file attributes
    - PID 440 | C:\Windows\SysWOW64\cmd.exe | cmd /c rmdir F:\Autorun.inf /s /q
    - PID 832 | C:\Windows\SysWOW64\cmd.exe | cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
      - PID 2604 | C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r C:\Autorun.inf\*.* /s /d
        Views/modifies file attributes
    - PID 2332 | C:\Windows\SysWOW64\cmd.exe | cmd /c rmdir C:\Autorun.inf /s /q
    - PID 1680 | C:\Windows\SysWOW64\cmd.exe | cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
      - PID 2328 | C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r F:\Autorun.inf\*.* /s /d
        Views/modifies file attributes
    - PID 1960 | C:\Windows\SysWOW64\cmd.exe | cmd /c rmdir F:\Autorun.inf /s /q
    - PID 332 | C:\Windows\SysWOW64\cmd.exe | cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
      - PID 2624 | C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r C:\Autorun.inf\*.* /s /d
        Views/modifies file attributes
    - PID 2324 | C:\Windows\SysWOW64\cmd.exe | cmd /c rmdir C:\Autorun.inf /s /q
    - PID 2496 | C:\Windows\SysWOW64\cmd.exe | cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
      - PID 1796 | C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r F:\Autorun.inf\*.* /s /d
        Views/modifies file attributes
    - PID 1664 | C:\Windows\SysWOW64\cmd.exe | cmd /c rmdir F:\Autorun.inf /s /q
    - PID 2456 | C:\Windows\SysWOW64\cmd.exe | cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
      - PID 2488 | C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r C:\Autorun.inf\*.* /s /d
        Views/modifies file attributes
    - PID 2168 | C:\Windows\SysWOW64\cmd.exe | cmd /c rmdir C:\Autorun.inf /s /q
    - PID 1700 | C:\Windows\SysWOW64\cmd.exe | cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
      - PID 2716 | C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r F:\Autorun.inf\*.* /s /d
        Views/modifies file attributes
    - PID 2772 | C:\Windows\SysWOW64\cmd.exe | cmd /c rmdir F:\Autorun.inf /s /q
    - PID 2584 | C:\Windows\SysWOW64\cmd.exe | cmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d
      - PID 2420 | C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r C:\Autorun.inf\*.* /s /d
        Views/modifies file attributes
    - PID 2120 | C:\Windows\SysWOW64\cmd.exe | cmd /c rmdir C:\Autorun.inf /s /q
    - PID 1992 | C:\Windows\SysWOW64\cmd.exe | cmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d
      - PID 620 | C:\Windows\SysWOW64\attrib.exe | attrib -s -h -r F:\Autorun.inf\*.* /s /d
        Views/modifies file attributes
    - PID 2080 | C:\Windows\SysWOW64\cmd.exe | cmd /c rmdir F:\Autorun.inf /s /q
  - PID 828 | C:\Windows\SysWOW64\net.exe | net.exe stop sharedaccess /y
    - PID 2464 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop sharedaccess /y
  - PID 632 | C:\Windows\SysWOW64\net.exe | net.exe stop srservice /y
    - PID 1032 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop srservice /y
  - PID 1108 | C:\Windows\SysWOW64\net.exe | net.exe stop 360timeprot /y
  - PID 2792 | C:\Windows\SysWOW64\net.exe | net.exe stop wuauserv /y
  - PID 3012 | C:\Windows\SysWOW64\net.exe | net.exe stop wscsvc /y
- PID 2564 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop sharedaccess /y
- PID 2420 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop 360timeprot /y
- PID 2128 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop srservice /y
- PID 2612 | C:\Windows\SysWOW64\at.exe | at 3:55:40 PM C:\Windows\Sysinf.bat
- PID 892 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop 360timeprot /y
- PID 2060 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop 360timeprot /y
- PID 2332 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop wuauserv /y
- PID 1960 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop wuauserv /y
- PID 1624 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop srservice /y
- PID 936 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop sharedaccess /y
- PID 836 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop wscsvc /y
- PID 1112 | C:\Windows\SysWOW64\at.exe | at 3:55:47 PM C:\Windows\Sysinf.bat
Downloads