Analysis
-
max time kernel
300s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted
08-01-2024 05:04
Static task
static1
Behavioral task
behavioral1
Sample
f62e3df884bb3d145652dda9f81b28d10a8a5047879568ac22eba899c5ecf194.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
f62e3df884bb3d145652dda9f81b28d10a8a5047879568ac22eba899c5ecf194.exe
Resource
win10-20231220-en
General
-
Target
f62e3df884bb3d145652dda9f81b28d10a8a5047879568ac22eba899c5ecf194.exe
-
Size
360KB
-
MD5
49c53c376d7ccb9391f4f75f20fba18a
-
SHA1
581e38a0331173c4638d2e536916a7a2805c9bc4
-
SHA256
f62e3df884bb3d145652dda9f81b28d10a8a5047879568ac22eba899c5ecf194
-
SHA512
865894203a5a70e893cae92bd40c241fd08681eb890890a4a866c6042afe67fb76755e981ebc8d8cdee91988cee33f718b662f8b554237b74d8cf0a55a6b1e84
-
SSDEEP
6144:AFlWqd4FksgTOzEV6zs1hfk8MIcG1Zb7d+0PuSCU4CzmJkdVds:clWXFkRTOzEV6zs1hfk8oYVd+Dj4mYV+
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 8 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | c597597mw77_1.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | c597597mw77_1.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | c597597mw77_1.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | c597597mw77_1.exe
Modifies security service 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath | regedit.exe
Disables taskbar notifications via registry modification
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe\Debugger = "mswpyuyel.exe" | c597597mw77_1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe | c597597mw77_1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "kcdfrgrixuj.exe" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\c597597mw77.exe\DisableExceptionChainValidation | f62e3df884bb3d145652dda9f81b28d10a8a5047879568ac22eba899c5ecf194.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "roszqajxwh.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe | c597597mw77_1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe\Debugger = "rdszekzihzb.exe" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mrtstub.exe | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe\Debugger = "tbgwuaqvdkd.exe" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgr108.exe\Debugger = "gzu.exe" | c597597mw77_1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe | c597597mw77_1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "ptbhcsaoc.exe" | c597597mw77_1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgr108.exe | c597597mw77_1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\c597597mw77.exe | f62e3df884bb3d145652dda9f81b28d10a8a5047879568ac22eba899c5ecf194.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe | c597597mw77_1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe\Debugger = "xnrfkwsuk.exe" | c597597mw77_1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe\Debugger = "weuqznjtt.exe" | c597597mw77_1.exe
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath | regedit.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Executes dropped EXE 1 IoCs
pid | Process
2724 | c597597mw77_1.exe
Loads dropped DLL 1 IoCs
pid | Process
1900 | explorer.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\c597597mw77.exe\"" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Java Updater = "C:\\ProgramData\\Java Updater\\c597597mw77.exe" | explorer.exe
Checks for any installed AV software in registry 1 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus | c597597mw77_1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AntiVirService | c597597mw77_1.exe
Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | f62e3df884bb3d145652dda9f81b28d10a8a5047879568ac22eba899c5ecf194.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | c597597mw77_1.exe
Drops desktop.ini file(s) 1 IoCs
description | ioc | Process
File opened for modification | C:\ProgramData\Java Updater\desktop.ini | explorer.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
pid | Process
2132 | f62e3df884bb3d145652dda9f81b28d10a8a5047879568ac22eba899c5ecf194.exe
1900 | explorer.exe (10 entries)
2724 | c597597mw77_1.exe
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | c597597mw77_1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | c597597mw77_1.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | f62e3df884bb3d145652dda9f81b28d10a8a5047879568ac22eba899c5ecf194.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | f62e3df884bb3d145652dda9f81b28d10a8a5047879568ac22eba899c5ecf194.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1800 | schtasks.exe
Enumerates system info in registry 2 TTPs 2 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
Modifies Internet Explorer settings 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
NTFS ADS 2 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\c597597mw77_1.exe:1BB7FB68 | explorer.exe
File created | C:\Users\Admin\AppData\Local\Temp\c597597mw77_1.exe:1BB7FB68 | explorer.exe
Runs regedit.exe 1 IoCs
pid | Process
1776 | regedit.exe
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid | Process
1900 | explorer.exe (35 entries)
Suspicious behavior: MapViewOfSection 8 IoCs
pid | Process
2132 | f62e3df884bb3d145652dda9f81b28d10a8a5047879568ac22eba899c5ecf194.exe (2 entries)
1900 | explorer.exe (4 entries)
2724 | c597597mw77_1.exe (2 entries)
Suspicious behavior: RenamesItself 1 IoCs
pid | Process
2132 | f62e3df884bb3d145652dda9f81b28d10a8a5047879568ac22eba899c5ecf194.exe
Suspicious use of AdjustPrivilegeToken 60 IoCs
description | pid | Process
Token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33 (14 entries) | 2132 | f62e3df884bb3d145652dda9f81b28d10a8a5047879568ac22eba899c5ecf194.exe
Token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33 (14 entries) | 1900 | explorer.exe
Token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33, SeCreatePagefilePrivilege, SeCreatePagefilePrivilege, SeCreatePagefilePrivilege, SeCreatePagefilePrivilege, SeCreatePagefilePrivilege (19 entries) | 2724 | c597597mw77_1.exe
Token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege (13 entries) | 1776 | regedit.exe
Suspicious use of WriteProcessMemory 52 IoCs
description | pid | Process | procid_target
PID 2132 wrote to memory of 1900 | 2132 | f62e3df884bb3d145652dda9f81b28d10a8a5047879568ac22eba899c5ecf194.exe | 27 (7 entries)
PID 1900 wrote to memory of 1152 | 1900 | explorer.exe | 19 (6 entries)
PID 1900 wrote to memory of 1188 | 1900 | explorer.exe | 12 (6 entries)
PID 1900 wrote to memory of 456 | 1900 | explorer.exe | 13 (6 entries)
PID 1900 wrote to memory of 2564 | 1900 | explorer.exe | 29 (6 entries)
PID 1900 wrote to memory of 2724 | 1900 | explorer.exe | 32 (7 entries)
PID 2724 wrote to memory of 1776 | 2724 | c597597mw77_1.exe | 33 (7 entries)
PID 2724 wrote to memory of 1800 | 2724 | c597597mw77_1.exe | 35 (7 entries)
Processes
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE) PID:1188
  - C:\Users\Admin\AppData\Local\Temp\f62e3df884bb3d145652dda9f81b28d10a8a5047879568ac22eba899c5ecf194.exe (command line: "C:\Users\Admin\AppData\Local\Temp\f62e3df884bb3d145652dda9f81b28d10a8a5047879568ac22eba899c5ecf194.exe") PID:2132
    - Sets file execution options in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe (command line: C:\Windows\SysWOW64\explorer.exe) PID:1900
      - Modifies firewall policy service
      - Sets file execution options in registry
      - Checks BIOS information in registry
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Enumerates system info in registry
      - Modifies Internet Explorer Protected Mode
      - Modifies Internet Explorer Protected Mode Banner
      - Modifies Internet Explorer settings
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\c597597mw77_1.exe (command line: /suac) PID:2724
        - Modifies firewall policy service
        - Sets file execution options in registry
        - Executes dropped EXE
        - Checks for any installed AV software in registry
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\regedit.exe (command line: "C:\Windows\SysWOW64\regedit.exe") PID:1776
          - Modifies security service
          - Sets file execution options in registry
          - Sets service image path in registry
          - Runs regedit.exe
          - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\schtasks.exe (command line: "C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\C59759~1.EXE" /RL HIGHEST) PID:1800
          - Creates scheduled task(s)
- C:\Windows\system32\DllHost.exe (command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}) PID:456
- C:\Windows\system32\Dwm.exe (command line: "C:\Windows\system32\Dwm.exe") PID:1152
- C:\Windows\system32\DllHost.exe (command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}) PID:2564
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (3)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (3)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
Downloads
-
Filesize
45KB
MD5
a98aab500cbced4d34169bb12130bd68
SHA1
cc83f72bf1958add0e9cadbf5bd13139337300cf
SHA256
eb945fbf855ecbd8c89150604be992e37b10b83aa9fafc0b8f2e0048ad32e345
SHA512
44807bcc54efbea2b35129cacf1e3e642634ffa324927295daaf9c56741ebe7f81aeb05f15b8d456f360c503fa2e4bd1f43b1e03844050458368f9954bf3b755
-
Filesize
161KB
MD5
7ced602d78059dd0937f7ead99e7ad38
SHA1
0b194bf3e0c846fd701710221036da53b357c7c7
SHA256
e9d4b2eb6b7408ef95162bac8ff8638a2e58c5b5c5f50ae3b672314e7dcfe56b
SHA512
44fd0c77b3e8bea6ac1230b18d70a6f1282b7af8ebf4b5ce6dde561c9edc930dd1298c672243e482c4212c029e6e30ce0c9eaf1355033933ced1feb9f9324305
-
Filesize
198KB
MD5
b29fe55b46f996219e0ed27e21e4ee5e
SHA1
a490876252736cd6c34f9d81420e8df3ad89639a
SHA256
083bfa6a9422728b8f2cfb182091a7a29ac3f721dc1d640c270f472df072e984
SHA512
ae6948a71810e94baaae4a642bdb903549e1db83c8674ac3f20c80ec7dfd634456fbdddd71bef9430cd5da414706fdd63f7e56f424e5584de7f98203467f1aae