Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 04-01-2024 19:03
Behavioral task behavioral1
Sample: 41ab5171ab01c33b6ab3c99c0bbc238b.exe
Resource: win7-20231215-en
Behavioral task behavioral2
Sample: 41ab5171ab01c33b6ab3c99c0bbc238b.exe
Resource: win10v2004-20231222-en
General
Target: 41ab5171ab01c33b6ab3c99c0bbc238b.exe
Size: 13.6MB
MD5: 41ab5171ab01c33b6ab3c99c0bbc238b
SHA1: ee64a916167c4e3790e238bc2c91ee2fd46a3652
SHA256: 479a38d36694b48372c4994002ae90cd991c217bf91fc98bb0eadd4399a8318d
SHA512: 5173bbaab41c0f82413d3e571948b1779bb012d9b13357a551b75ffb259f6e8b35f2c9bbd46c4b8a340d9c7b3f27a446e7da74d26b99d4a349d3f2704cb78a0d
SSDEEP: 98304:jjBxcO4EYTjmOxTPKvXhH1yjmOxTPKvXK1yjmOxTPKvXhPsY+dy0ZScIBqBT11o:jjBxcO4jjmUjNUjqsC
Signatures
Drops file in Drivers directory (2 IoCs)
- File opened for modification: C:\Windows\system32\Drivers\ETC\HOSTS (41ab5171ab01c33b6ab3c99c0bbc238b.exe)
- File created: C:\Windows\system32\Drivers\ETC\HOSTS\HOSTS (41ab5171ab01c33b6ab3c99c0bbc238b.exe)
YARA rule matches (resource: yara_rule)
- behavioral1/memory/2088-1-0x0000000000400000-0x0000000000450000-memory.dmp: upx
- behavioral1/files/0x004a000000010454-7.dat: upx
- behavioral1/memory/2088-280-0x0000000000400000-0x0000000000450000-memory.dmp: upx
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\System Database Administration Service = "C:\\Windows\\system32\\DbTasker.exe" (41ab5171ab01c33b6ab3c99c0bbc238b.exe)
Drops file in System32 directory (7 IoCs)
- File created: C:\Windows\SysWOW64\DbTasker.exe (41ab5171ab01c33b6ab3c99c0bbc238b.exe)
- File opened for modification: C:\Windows\SysWOW64\DbTasker.exe (41ab5171ab01c33b6ab3c99c0bbc238b.exe)
- File created: C:\Windows\SysWOW64\hal.dll (41ab5171ab01c33b6ab3c99c0bbc238b.exe)
- File created: C:\Windows\SysWOW64\DBTASK.EXE (41ab5171ab01c33b6ab3c99c0bbc238b.exe)
- File created: C:\Windows\SysWOW64\dbzip2.dll (41ab5171ab01c33b6ab3c99c0bbc238b.exe)
- File created: C:\Windows\SysWOW64\dbexe2.dll (41ab5171ab01c33b6ab3c99c0bbc238b.exe)
- File created: C:\Windows\SysWOW64\LockFile.dat (41ab5171ab01c33b6ab3c99c0bbc238b.exe)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (1 IoC)
- File created: C:\Windows\WinTask.zip (41ab5171ab01c33b6ab3c99c0bbc238b.exe)
Program crash (1 IoC)
- PID 2852 WerFault.exe, target PID 2088 (procid_target 27)
NTFS ADS (64 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2088 41ab5171ab01c33b6ab3c99c0bbc238b.exe (64 identical events)
Suspicious use of WriteProcessMemory (4 IoCs)
- PID 2088 wrote to memory of 2852 (41ab5171ab01c33b6ab3c99c0bbc238b.exe, procid_target 28), 4 identical events
Processes
- C:\Users\Admin\AppData\Local\Temp\41ab5171ab01c33b6ab3c99c0bbc238b.exe "C:\Users\Admin\AppData\Local\Temp\41ab5171ab01c33b6ab3c99c0bbc238b.exe" (PID 2088)
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 2092 (PID 2852)
    - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 128KB
  MD5: bea604bac5a3d158eda116b9bc05f3bb
  SHA1: efcf7bdcb0f2c513aa30301487764e8fb776593d
  SHA256: 63fd697884eb5e7aa110951dcbc0e7e5081b91fe2fa267f0560b601cb43ba06c
  SHA512: 6ca72c09947cf5c81636be9fbc0f78bb2fdb6d39ea6973b5f6dce9f9435823105c28c42f1a3137e206ec1fc8d9b663ff60a66766bef2882b73df5969d7ef60a3