Analysis
max time kernel
139s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted
24/01/2024, 04:15
Static task
static1
Behavioral task
behavioral1
Sample
cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe
Resource
win10v2004-20231222-en
General
Target
cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe
Size
791KB
MD5
ec2c94a21a52027c229a7824d4a1c5ca
SHA1
b17aa25017bf7d0af7ffb946bcace0d51331d351
SHA256
cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e
SHA512
f44190b724851959ad712af3fecf4c397386b81a2c5f4258bd0b5ce028b173f29d57a296a448d1568d5de3eb25623f119cea3cabbee6c753890fe3e006df0761
SSDEEP
24576:Skt2zwjdnAwQ4x2K3yWds0JkKyV0+mZbmNrUCV+7d9/1:PnnAlpadsLK+mZSgfpF
Malware Config
Extracted
amadey
4.15
http://185.215.113.68
install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php
Extracted
risepro
193.233.132.62:50500
Signatures
Detect ZGRat V1 19 IoCs
resource  yara_rule
behavioral1/memory/1808-236-0x0000000002030000-0x000000000212E000-memory.dmp  family_zgrat_v1
behavioral1/memory/2784-250-0x0000000004610000-0x000000000504D000-memory.dmp  family_zgrat_v1
behavioral1/memory/2216-269-0x0000000000400000-0x000000000045A000-memory.dmp  family_zgrat_v1
behavioral1/memory/2216-270-0x0000000000400000-0x000000000045A000-memory.dmp  family_zgrat_v1
behavioral1/memory/2216-275-0x0000000000400000-0x000000000045A000-memory.dmp  family_zgrat_v1
behavioral1/memory/2216-280-0x0000000000400000-0x000000000045A000-memory.dmp  family_zgrat_v1
behavioral1/memory/2216-278-0x0000000000400000-0x000000000045A000-memory.dmp  family_zgrat_v1
behavioral1/memory/1808-306-0x0000000002030000-0x0000000002128000-memory.dmp  family_zgrat_v1
behavioral1/memory/1808-307-0x0000000002030000-0x0000000002128000-memory.dmp  family_zgrat_v1
behavioral1/memory/1808-311-0x0000000002030000-0x0000000002128000-memory.dmp  family_zgrat_v1
behavioral1/memory/1808-314-0x0000000002030000-0x0000000002128000-memory.dmp  family_zgrat_v1
behavioral1/memory/1808-317-0x0000000002030000-0x0000000002128000-memory.dmp  family_zgrat_v1
behavioral1/memory/1808-332-0x0000000002030000-0x0000000002128000-memory.dmp  family_zgrat_v1
behavioral1/memory/1808-330-0x0000000002030000-0x0000000002128000-memory.dmp  family_zgrat_v1
behavioral1/memory/1808-328-0x0000000002030000-0x0000000002128000-memory.dmp  family_zgrat_v1
behavioral1/memory/1808-326-0x0000000002030000-0x0000000002128000-memory.dmp  family_zgrat_v1
behavioral1/memory/1808-324-0x0000000002030000-0x0000000002128000-memory.dmp  family_zgrat_v1
behavioral1/memory/1808-321-0x0000000002030000-0x0000000002128000-memory.dmp  family_zgrat_v1
behavioral1/memory/1868-614-0x0000000000250000-0x0000000000350000-memory.dmp  family_zgrat_v1
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 8 IoCs
resource  yara_rule
behavioral1/memory/2552-72-0x0000000001E90000-0x0000000001ED2000-memory.dmp  family_redline
behavioral1/memory/2552-102-0x0000000004830000-0x0000000004870000-memory.dmp  family_redline
behavioral1/memory/2552-151-0x0000000002120000-0x000000000215E000-memory.dmp  family_redline
behavioral1/memory/2216-269-0x0000000000400000-0x000000000045A000-memory.dmp  family_redline
behavioral1/memory/2216-270-0x0000000000400000-0x000000000045A000-memory.dmp  family_redline
behavioral1/memory/2216-275-0x0000000000400000-0x000000000045A000-memory.dmp  family_redline
behavioral1/memory/2216-280-0x0000000000400000-0x000000000045A000-memory.dmp  family_redline
behavioral1/memory/2216-278-0x0000000000400000-0x000000000045A000-memory.dmp  family_redline
XMRig Miner payload 11 IoCs
resource  yara_rule
behavioral1/memory/2484-292-0x0000000140000000-0x0000000140840000-memory.dmp  xmrig
behavioral1/memory/2484-293-0x0000000140000000-0x0000000140840000-memory.dmp  xmrig
behavioral1/memory/2484-296-0x0000000140000000-0x0000000140840000-memory.dmp  xmrig
behavioral1/memory/2484-295-0x0000000140000000-0x0000000140840000-memory.dmp  xmrig
behavioral1/memory/2484-294-0x0000000140000000-0x0000000140840000-memory.dmp  xmrig
behavioral1/memory/2484-297-0x0000000140000000-0x0000000140840000-memory.dmp  xmrig
behavioral1/memory/2484-299-0x0000000140000000-0x0000000140840000-memory.dmp  xmrig
behavioral1/memory/2484-298-0x0000000140000000-0x0000000140840000-memory.dmp  xmrig
behavioral1/memory/2484-302-0x0000000140000000-0x0000000140840000-memory.dmp  xmrig
behavioral1/memory/2484-316-0x0000000140000000-0x0000000140840000-memory.dmp  xmrig
behavioral1/memory/2484-319-0x0000000140000000-0x0000000140840000-memory.dmp  xmrig
Blocklisted process makes network request 1 IoCs
flow  pid  Process
7  2480  rundll32.exe
Creates new service(s) 1 TTPs
Downloads MZ/PE file
Stops running service(s) 3 TTPs
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  moto.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  iojmibhyhiws.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  iojmibhyhiws.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  moto.exe
Executes dropped EXE 24 IoCs
pid  Process
2784  explorhe.exe
2580  num.exe
1728  rback.exe
2552  leg221.exe
2140  leg221.exe
1744  7z.exe
1808  Gzxzuhejdab.exe
2372  7z.exe
2156  crypted.exe
2380  7z.exe
1992  explorhe.exe
1984  7z.exe
924  7z.exe
1980  7z.exe
3004  7z.exe
1632  7z.exe
2180  7z.exe
1868  xfAk7rC2FeEN35Y8o.exe
2984  moto.exe
472  Process not Found
2980  iojmibhyhiws.exe
1992  explorhe.exe
2384  qemu-ga.exe
2568  explorhe.exe
Loads dropped DLL 35 IoCs
pid  Process
1588  cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe
2784  explorhe.exe
2784  explorhe.exe
2784  explorhe.exe
2784  explorhe.exe
1732  cmd.exe
2784  explorhe.exe
1744  7z.exe
1732  cmd.exe
2372  7z.exe
2784  explorhe.exe
1732  cmd.exe
2380  7z.exe
1732  cmd.exe
1992  explorhe.exe
1732  cmd.exe
1984  7z.exe
1732  cmd.exe
924  7z.exe
1732  cmd.exe
1980  7z.exe
1732  cmd.exe
3004  7z.exe
1732  cmd.exe
1632  7z.exe
1732  cmd.exe
2180  7z.exe
2784  explorhe.exe
2784  explorhe.exe
2480  rundll32.exe
2480  rundll32.exe
2480  rundll32.exe
2480  rundll32.exe
472  Process not Found
2216  RegAsm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 2 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\num.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000564001\\num.exe"  explorhe.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\rback.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000567001\\rback.exe"  explorhe.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger 25 IoCs
pid  Process
1728  rback.exe
2784  explorhe.exe
1728  rback.exe
2784  explorhe.exe
1728  rback.exe
1728  rback.exe
2784  explorhe.exe
1728  rback.exe
2784  explorhe.exe
1728  rback.exe
2784  explorhe.exe
1728  rback.exe
2784  explorhe.exe
1728  rback.exe
2784  explorhe.exe
1728  rback.exe
2784  explorhe.exe
1728  rback.exe
2784  explorhe.exe
1728  rback.exe
2784  explorhe.exe
1728  rback.exe
2784  explorhe.exe
1728  rback.exe
2784  explorhe.exe
Suspicious use of SetThreadContext 4 IoCs
description  pid  Process  procid_target
PID 2156 set thread context of 2216  2156  crypted.exe  48
PID 2980 set thread context of 2492  2980  iojmibhyhiws.exe  68
PID 2980 set thread context of 2484  2980  iojmibhyhiws.exe  69
PID 1868 set thread context of 1784  1868  xfAk7rC2FeEN35Y8o.exe  78
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
pid  Process
2808  sc.exe
2732  sc.exe
468  sc.exe
580  sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
2444  schtasks.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid  Process
1868  xfAk7rC2FeEN35Y8o.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process
2984  moto.exe
2984  moto.exe
2984  moto.exe
2984  moto.exe
2984  moto.exe
2980  iojmibhyhiws.exe
2980  iojmibhyhiws.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2216  RegAsm.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
1784  RegSvcs.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
2484  conhost.exe
Suspicious behavior: LoadsDriver 1 IoCs
pid  Process
472  Process not Found
Suspicious use of AdjustPrivilegeToken 44 IoCs
description  pid  Process
Token: SeRestorePrivilege  1744  7z.exe
Token: 35  1744  7z.exe
Token: SeSecurityPrivilege  1744  7z.exe
Token: SeSecurityPrivilege  1744  7z.exe
Token: SeRestorePrivilege  2372  7z.exe
Token: 35  2372  7z.exe
Token: SeSecurityPrivilege  2372  7z.exe
Token: SeSecurityPrivilege  2372  7z.exe
Token: SeRestorePrivilege  2380  7z.exe
Token: 35  2380  7z.exe
Token: SeSecurityPrivilege  2380  7z.exe
Token: SeSecurityPrivilege  2380  7z.exe
Token: SeRestorePrivilege  1992  explorhe.exe
Token: 35  1992  explorhe.exe
Token: SeSecurityPrivilege  1992  explorhe.exe
Token: SeSecurityPrivilege  1992  explorhe.exe
Token: SeRestorePrivilege  1984  7z.exe
Token: 35  1984  7z.exe
Token: SeSecurityPrivilege  1984  7z.exe
Token: SeSecurityPrivilege  1984  7z.exe
Token: SeRestorePrivilege  924  7z.exe
Token: 35  924  7z.exe
Token: SeSecurityPrivilege  924  7z.exe
Token: SeSecurityPrivilege  924  7z.exe
Token: SeRestorePrivilege  1980  7z.exe
Token: 35  1980  7z.exe
Token: SeSecurityPrivilege  1980  7z.exe
Token: SeSecurityPrivilege  1980  7z.exe
Token: SeRestorePrivilege  3004  7z.exe
Token: 35  3004  7z.exe
Token: SeSecurityPrivilege  3004  7z.exe
Token: SeSecurityPrivilege  3004  7z.exe
Token: SeRestorePrivilege  1632  7z.exe
Token: 35  1632  7z.exe
Token: SeSecurityPrivilege  1632  7z.exe
Token: SeSecurityPrivilege  1632  7z.exe
Token: SeRestorePrivilege  2180  7z.exe
Token: 35  2180  7z.exe
Token: SeSecurityPrivilege  2180  7z.exe
Token: SeSecurityPrivilege  2180  7z.exe
Token: SeDebugPrivilege  1808  Gzxzuhejdab.exe
Token: SeLockMemoryPrivilege  2484  conhost.exe
Token: SeDebugPrivilege  2216  RegAsm.exe
Token: SeDebugPrivilege  1784  RegSvcs.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid  Process
1588  cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe
Suspicious use of SetWindowsHookEx 5 IoCs
pid  Process
1588  cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe
2784  explorhe.exe
1728  rback.exe
1992  explorhe.exe
2568  explorhe.exe
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 1588 wrote to memory of 2784  1588  cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe  28
PID 1588 wrote to memory of 2784  1588  cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe  28
PID 1588 wrote to memory of 2784  1588  cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe  28
PID 1588 wrote to memory of 2784  1588  cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe  28
PID 2784 wrote to memory of 2444  2784  explorhe.exe  29
PID 2784 wrote to memory of 2444  2784  explorhe.exe  29
PID 2784 wrote to memory of 2444  2784  explorhe.exe  29
PID 2784 wrote to memory of 2444  2784  explorhe.exe  29
PID 2784 wrote to memory of 2580  2784  explorhe.exe  31
PID 2784 wrote to memory of 2580  2784  explorhe.exe  31
PID 2784 wrote to memory of 2580  2784  explorhe.exe  31
PID 2784 wrote to memory of 2580  2784  explorhe.exe  31
PID 2784 wrote to memory of 1728  2784  explorhe.exe  33
PID 2784 wrote to memory of 1728  2784  explorhe.exe  33
PID 2784 wrote to memory of 1728  2784  explorhe.exe  33
PID 2784 wrote to memory of 1728  2784  explorhe.exe  33
PID 2784 wrote to memory of 2552  2784  explorhe.exe  34
PID 2784 wrote to memory of 2552  2784  explorhe.exe  34
PID 2784 wrote to memory of 2552  2784  explorhe.exe  34
PID 2784 wrote to memory of 2552  2784  explorhe.exe  34
PID 2580 wrote to memory of 1732  2580  num.exe  37
PID 2580 wrote to memory of 1732  2580  num.exe  37
PID 2580 wrote to memory of 1732  2580  num.exe  37
PID 2580 wrote to memory of 1732  2580  num.exe  37
PID 2784 wrote to memory of 2140  2784  explorhe.exe  36
PID 2784 wrote to memory of 2140  2784  explorhe.exe  36
PID 2784 wrote to memory of 2140  2784  explorhe.exe  36
PID 2784 wrote to memory of 2140  2784  explorhe.exe  36
PID 1732 wrote to memory of 2008  1732  cmd.exe  38
PID 1732 wrote to memory of 2008  1732  cmd.exe  38
PID 1732 wrote to memory of 2008  1732  cmd.exe  38
PID 1732 wrote to memory of 1744  1732  cmd.exe  39
PID 1732 wrote to memory of 1744  1732  cmd.exe  39
PID 1732 wrote to memory of 1744  1732  cmd.exe  39
PID 2784 wrote to memory of 1808  2784  explorhe.exe  40
PID 2784 wrote to memory of 1808  2784  explorhe.exe  40
PID 2784 wrote to memory of 1808  2784  explorhe.exe  40
PID 2784 wrote to memory of 1808  2784  explorhe.exe  40
PID 1732 wrote to memory of 2372  1732  cmd.exe  41
PID 1732 wrote to memory of 2372  1732  cmd.exe  41
PID 1732 wrote to memory of 2372  1732  cmd.exe  41
PID 2784 wrote to memory of 2156  2784  explorhe.exe  43
PID 2784 wrote to memory of 2156  2784  explorhe.exe  43
PID 2784 wrote to memory of 2156  2784  explorhe.exe  43
PID 2784 wrote to memory of 2156  2784  explorhe.exe  43
PID 1732 wrote to memory of 2380  1732  cmd.exe  42
PID 1732 wrote to memory of 2380  1732  cmd.exe  42
PID 1732 wrote to memory of 2380  1732  cmd.exe  42
PID 1732 wrote to memory of 1992  1732  cmd.exe  74
PID 1732 wrote to memory of 1992  1732  cmd.exe  74
PID 1732 wrote to memory of 1992  1732  cmd.exe  74
PID 1732 wrote to memory of 1984  1732  cmd.exe  45
PID 1732 wrote to memory of 1984  1732  cmd.exe  45
PID 1732 wrote to memory of 1984  1732  cmd.exe  45
PID 1732 wrote to memory of 924  1732  cmd.exe  46
PID 1732 wrote to memory of 924  1732  cmd.exe  46
PID 1732 wrote to memory of 924  1732  cmd.exe  46
PID 1732 wrote to memory of 1980  1732  cmd.exe  47
PID 1732 wrote to memory of 1980  1732  cmd.exe  47
PID 1732 wrote to memory of 1980  1732  cmd.exe  47
PID 1732 wrote to memory of 3004  1732  cmd.exe  49
PID 1732 wrote to memory of 3004  1732  cmd.exe  49
PID 1732 wrote to memory of 3004  1732  cmd.exe  49
PID 1732 wrote to memory of 1632  1732  cmd.exe  50
Views/modifies file attributes 1 TTPs 1 IoCs
pid  Process
868  attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe  "C:\Users\Admin\AppData\Local\Temp\cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe"  (level 1)
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1588
  C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe  "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"  (level 2)
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2784
    C:\Windows\SysWOW64\schtasks.exe  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F  (level 3)
    - Creates scheduled task(s)
    PID:2444
    C:\Users\Admin\AppData\Local\Temp\1000564001\num.exe  "C:\Users\Admin\AppData\Local\Temp\1000564001\num.exe"  (level 3)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2580
      C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"  (level 4)
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID:1732
        C:\Windows\system32\mode.com  mode 65,10  (level 5)
        PID:2008
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe  7z.exe e file.zip -p4632370330209207692137030328 -oextracted  (level 5)
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        PID:1744
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe  7z.exe e extracted/file_9.zip -oextracted  (level 5)
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        PID:2372
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe  7z.exe e extracted/file_8.zip -oextracted  (level 5)
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        PID:2380
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe  7z.exe e extracted/file_7.zip -oextracted  (level 5)
        PID:1992
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe  7z.exe e extracted/file_6.zip -oextracted  (level 5)
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        PID:1984
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe  7z.exe e extracted/file_5.zip -oextracted  (level 5)
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        PID:924
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe  7z.exe e extracted/file_4.zip -oextracted  (level 5)
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        PID:1980
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe  7z.exe e extracted/file_3.zip -oextracted  (level 5)
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        PID:3004
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe  7z.exe e extracted/file_2.zip -oextracted  (level 5)
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        PID:1632
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe  7z.exe e extracted/file_1.zip -oextracted  (level 5)
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        PID:2180
        C:\Windows\system32\attrib.exe  attrib +H "xfAk7rC2FeEN35Y8o.exe"  (level 5)
        - Views/modifies file attributes
        PID:868
        C:\Users\Admin\AppData\Local\Temp\main\xfAk7rC2FeEN35Y8o.exe  "xfAk7rC2FeEN35Y8o.exe"  (level 5)
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:1868
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"  (level 6)
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:1784
    C:\Users\Admin\AppData\Local\Temp\1000567001\rback.exe  "C:\Users\Admin\AppData\Local\Temp\1000567001\rback.exe"  (level 3)
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:1728
    C:\Users\Admin\AppData\Local\Temp\1000569001\leg221.exe  "C:\Users\Admin\AppData\Local\Temp\1000569001\leg221.exe"  (level 3)
    - Executes dropped EXE
    PID:2552
    C:\Users\Admin\AppData\Local\Temp\1000570001\leg221.exe  "C:\Users\Admin\AppData\Local\Temp\1000570001\leg221.exe"  (level 3)
    - Executes dropped EXE
    PID:2140
    C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe  "C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe"  (level 3)
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
    C:\Users\Admin\AppData\Local\Temp\1000572001\crypted.exe  "C:\Users\Admin\AppData\Local\Temp\1000572001\crypted.exe"  (level 3)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2156
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"  (level 4)
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:2216
        C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe  "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"  (level 5)
        - Executes dropped EXE
        PID:2384
    C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe  "C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe"  (level 3)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2984
      C:\Windows\system32\sc.exe  C:\Windows\system32\sc.exe delete "FLWCUERA"  (level 4)
      - Launches sc.exe
      PID:2808
      C:\Windows\system32\sc.exe  C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"  (level 4)
      - Launches sc.exe
      PID:2732
      C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe"  (level 4)
      PID:2548
        C:\Windows\system32\choice.exe  choice /C Y /N /D Y /T 3  (level 5)
        PID:1704
      C:\Windows\system32\sc.exe  C:\Windows\system32\sc.exe start "FLWCUERA"  (level 4)
      - Launches sc.exe
      PID:468
      C:\Windows\system32\sc.exe  C:\Windows\system32\sc.exe stop eventlog  (level 4)
      - Launches sc.exe
      PID:580
    C:\Windows\SysWOW64\rundll32.exe  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main  (level 3)
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:2480
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe  C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe  (level 1)
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2980
  C:\Windows\system32\conhost.exe  C:\Windows\system32\conhost.exe  (level 2)
  PID:2492
  C:\Windows\system32\conhost.exe  conhost.exe  (level 2)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
C:\Windows\system32\taskeng.exe  taskeng.exe {26E75C87-5A32-40B2-A05C-DB3831445712} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]  (level 1)
PID:1236
  C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe  C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe  (level 2)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1992
  C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe  C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe  (level 2)
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2568
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Create or Modify System Process 2
Windows Service 2
Scheduled Task/Job 1
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Create or Modify System Process 2
Windows Service 2
Scheduled Task/Job 1
Downloads
Filesize 2.6MB
MD5 b65204b855a9031d3a1e8480899ed0ce
SHA1 bae418328b0bd303dc712a1861771451da0df0dc
SHA256 39dd749c32c81af709f676a0bcb808191244439090f6404aabb445d16723a2e2
SHA512 43c5309c42bacf69df58880b9dafdf2652fe3d66acad779c95bce29272de696d94cdb5bd3437ab192db99cf44eedf3da4b3e7483db15cdcbe22ea3d721210a60

Filesize 1.7MB
MD5 cb0c32dbd9299ced29a49721c9665815
SHA1 0c90839639eed636b94f8f2ca43dee0f495e6218
SHA256 7d87e7dbcb78412a71770d9b6361611af4062ef29ece3878c9ed921fbe5672da
SHA512 a90c2bf577c6c5f1161863025dc8fb48fe253a5cb4a071a425f009599495fea17a2cbb1017317e162fc3ef99c090ed6e63dda2071e802def364654d4cd59df12

Filesize 1.2MB
MD5 d5af5fe1f4a7f598abfefdba5f2c755d
SHA1 fbf50fd43a5ac059b35f239e1ad7c710289800cb
SHA256 d4027a5e8436b4887830bc890345cb061a0b6d38962f76f68990424345a8b840
SHA512 db3dea30f75728a0010f31d72981342a2b851d2b6f41718b8bd9351e6153ff3fdb03509bde8ee5fed52c12f3522790562a6508e7140a50486218ef01bf5626d5

Filesize 793KB
MD5 dc41db2f1a79d6a6fe0d35c842b39adc
SHA1 59b155df668de78669f45a741dc1581f835d674d
SHA256 fcc65263f1b2ce58bf23b3c1da6ac08b8b10ff1824d100a4852f01a9832013a3
SHA512 361a79323e6cb03a01ae2d641cd7952425bf41ede79de770c2e79312c67f8338a72c3d979da86feaa3a224661623533a222891d547e61fbe237e395f5fdd84ca

Filesize 292KB
MD5 d177caf6762f5eb7e63e33d19c854089
SHA1 f25cf817e3272302c2b319cedf075cb69e8c1670
SHA256 4296e28124f0def71c811d4b21284c5d4e1a068484db03aeae56f536c89976c0
SHA512 9d0e67e35dac6ad8222e7c391f75dee4e28f69c29714905b36a63cf5c067d31840aaf30e79cfc7b56187dc9817a870652113655bec465c1995d2a49aa276de25

Filesize 1.0MB
MD5 2fadc3984b71f0fd08c832adeedf2b52
SHA1 cc1fc06a55af72364fb0a1266d3f5936577162f9
SHA256 34f47e63788cdb398c48ad06f3878ec9bce9fd0e261306b2c81b3796925f9240
SHA512 63e8127e2d44cd98cd6225eb8d1f348f5e3e7d7f86900e2f949329f6d35a943147aa1fb72061a8868cfcd9e53fde536dc870b3a9c9248b6aab067774b1654685

Filesize 576KB
MD5 219bbf6cbe4a20ce93e50137a47c9be3
SHA1 25d68c1f11d5624bcc94e5bf9d382fad55d3058f
SHA256 47d7c430478b2cc240f9077f22051146c30412868ada9289c819c9ec16c612ae
SHA512 17df2bd3a6d83f91690ec806056b34a9860216c259a16c7e7cfcc1a8f7ce823e5e58474b4ae38b876fb0f5ec8f338f819e69276fb63b635b757e26351127ba1a

Filesize 412KB
MD5 3c9da20ad78d24df53b661b7129959e0
SHA1 e7956e819cc1d2abafb2228a10cf22b9391fb611
SHA256 2fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319
SHA512 1a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4

Filesize 192KB
MD5 f4ec0a6240099958d490c053e0a1b6d4
SHA1 b00d1d9ec4991c6156d508504276f7fb6428096a
SHA256 99b156a2926cc2dd2be7df741563a66aef1af075f835cb2b42835eba792f2f70
SHA512 60193ad4993cb45a8f859336d38c1af29e9528cd65350c804e856846fcb74276f3e44f470ada4ebe353eeba8f6c6e644c3d500ad695f6951a25516c190189bd4

Filesize 791KB
MD5 ec2c94a21a52027c229a7824d4a1c5ca
SHA1 b17aa25017bf7d0af7ffb946bcace0d51331d351
SHA256 cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e
SHA512 f44190b724851959ad712af3fecf4c397386b81a2c5f4258bd0b5ce028b173f29d57a296a448d1568d5de3eb25623f119cea3cabbee6c753890fe3e006df0761

Filesize 1.6MB
MD5 72491c7b87a7c2dd350b727444f13bb4
SHA1 1e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA256 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Filesize 2.2MB
MD5 49de8961e3d7dcbc6a0bc6d5800c17dd
SHA1 7b5b96d1217b8a6fc1587a8920ea587d86a804c3
SHA256 bf26a770ef4fdd475d4789eb9e9572c6b3dba2d81159f4e2e15bdd4bc11b3b95
SHA512 bbee597d3940403a51ad4defdd9e8b56cb575d44d7513a630ad82def0a401a4eeade58d93e7d2819d7e6c0d55a430916ab0a9cf9bb6f69d0b510a84ddab2b118

Filesize 97KB
MD5 22a25a629e495aed50731591b05c997a
SHA1 cb93590710e0b2b142fe252f775015237dad10da
SHA256 16a82ffd653bacaa05e181ec61b0900077955187288908e75c332d3fb54a368d
SHA512 64d71421cf124e3b4c66020e8ab7a6760625ec40cbb2e960e87d5ad5683cdd09f37bd26353dd98a5a5068ae712c0b6a05a5deff08dea1d4a4cb7da837c6376d2

Filesize 97KB
MD5 24ca7dbb6f0cc43aa650807593091ff2
SHA1 db0e37151a82120c3519f3b587b8ad452e96fc75
SHA256 216f5cd816b0bbc83a27d4d9198994a85eca951e571983e82e3d9fa51a1aac8f
SHA512 2b13d8e66979ede339338f786db9d8788ac4aac3d383ed2e491c51418022c6342484d659cdc4fd55f3b03141286cfc245187a978ef5fdf9c9d015dbd1dea9d86

Filesize 98KB
MD5 eb8ae67add0315dd587f99d81e0f53f7
SHA1 8d2e1afc03e3549775065f541417778eea6c3e6e
SHA256 95379f57e916b94e093e3bef9f4a7d92869951b6c369c5801fedd48a72b5efde
SHA512 4485773f12fcb34a1fed8e9b764c98e629239e51d99623deba17c237e59d1ad23ad2d755cd0917cb6789b0c52471c9b21f8c0ff2898c8e74ea0b577930d2079a

Filesize 98KB
MD5 781e90fd2d92487c572cb80b35067285
SHA1 0b436e2afdd1cc954ddc86b22500540624d0e598
SHA256 037ecc54896d74db57489337f7ffff292ad7f8e650833689efc763293e0ae6f1
SHA512 13f47e023297520eb0a0f3aff657158d91c92cb770ed706ad73b95e087bec22e0475e28f427af853c2786b9b2fa8cb7f2fa06ccde847f3f3e32d93d7fe10685a

Filesize 98KB
MD5 29d5a47c9a1eccdbd25c49cd540f742f
SHA1 81332aed09c142f8ee235c0303c9cae2466a96f3
SHA256 bd48f756c7c1d7883b2ae5934260ce04b08e488108ca75953a8e8fe9ee89770c
SHA512 051039bc5e23fdc0273c7f6e78655c285de84f2b64358af857d5a25d9df01515fedd5ec0f91c7e8d9a8faf00c9a2412d3b0c322a4110ce335fae4abd6fecd089

Filesize 98KB
MD5 fe835c127049c665c997e7bf7b5b85f5
SHA1 fe1b418c2b5eca8f800db39a3740b276c95a41ea
SHA256 620d0bb3e2f0f8ac7e96623f89842433a4bea299f9d8c8481fba868ba15f8930
SHA512 284244c3887ce3f10d387c56e59969f763de33517f36c2393e4bee56fb91306f3e0c5b2e162f37c07b490e6a354e57edd71b31317509191eaa4879140c08a680

Filesize 98KB
MD5 11f1ca0c43391dc92905d9f728428e68
SHA1 2287377b147573503e20abd97330a681eca88b9d
SHA256 704255efb181a254b7ee6da512ea67db6243881c8dfddd520337d1a3aa4ee9b5
SHA512 14ef19ebb5eb017edeb203f263c4f64f9f58adb5715ce11dab258ff09b51bcdf072cc9678ca110fcc0cf4e43f9c64726d0b719b95408b2c321c1bb5baf8cc62c

Filesize 98KB
MD5 aaa97cae61f10770ab65892fb10b827d
SHA1 0f5f5b27b4603a2a9a6d778263ca402d22fc964f
SHA256 96767258e636d6cd1334d3ca67a1d9f483a090a78d9bafbd3a7bc8837ec998c3
SHA512 dde8270e6699050ce428bfb442d95089b97ad2c351efe9d5d9898a4cd0ded3f5e88f22572a6aecb72a0250b4f3f76ddf933f9853f5761d5676719c886d15d295

Filesize 1.1MB
MD5 40235b44032f0152340cf8abf962b5cc
SHA1 a47551c300cb4491e9dc82734466d243e8eee584
SHA256 3a424ab07ae35d2f8ecee2b7117b477b092c429d49323eba29ba0afe15a1ad22
SHA512 82fdf657ba3c6be68d266218c15c58b2fb758d82241e86459f0a30e6c2bb4728a62f2c14a1a52df79c118cf2c9e6e19690e5f8a408acf5cf9a4455cd7145eaf3

Filesize 246KB
MD5 54ce50e8d50599046a20a47555dfb5eb
SHA1 96a891edc54ba1f6d66fbdde47c884e535c83ebe
SHA256 3662c80499b08fe24e982ab558897cfca2cd5e7198b1519bc4490a8551b486ac
SHA512 e787782b960dd3d36972616c42be13e66ad15c3ae6c3e3c8c8f04c5667529568a8c7ecceca8a2971fc71b039aea63cb6ebfb49c3263d82a9fb2f654ccb133892

Filesize 1.7MB
MD5 5adb0fa82d102152c869f831bdf2ad89
SHA1 bba32248250524ba6ef6dd499462ddc02e2bc720
SHA256 2055429dc5a7506e14e3fc328a278c61992147ed12a368243f1a5e5535f7a327
SHA512 e20d652ff39c95ca34c8ad6378e15b24853f23ad34c1e610eead1bee39f0aaef1187abc120e9b3a96e16b58ec38d929d71e220e17ad968f8c8f7a5f328cb9681

Filesize 514B
MD5 4b3a5b96f9eedd8626a8c12976765b56
SHA1 85307e380d233c8229f9e0de16ed82821221a0be
SHA256 1651b6ed815b2128c2362ad38a7cfcdafc6c5f8705572626c872ad788c41f6ef
SHA512 b274c74ebf059fa203408a120a2c6f54f769d93d34d916aad9b4f712455b3ffe396e325744d2488a090dafb1c4621f83428719c8fe20d93b10904953dcdc8790

Filesize 102KB
MD5 85af6c99d918757171d2d280e5ac61ef
SHA1 ba1426d0ecf89825f690adad0a9f3c8c528ed48e
SHA256 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e
SHA512 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

Filesize 162B
MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Filesize 14B
MD5 5cac70fbe2fc9869397bf1989e592841
SHA1 cc522bec3c1772269465799d35268630248e801b
SHA256 17e571023337ad513deb4d436c17573b6ab3c9ebf2a3e30425c3f5fa9a638806
SHA512 f56d8d7a996401404b850b6503960ea17d68fe56acbc06de8fa9c39b20dd7f01d24837283f459655ac4efb3da10a8864623cbb041ca9ad81bc9afd1ecf9b5fb9

Filesize 1.1MB
MD5 73102c5b3abea202c716dc000639501f
SHA1 9f25b23dc8c3132f707490b747bdc110aa0a1bf4
SHA256 47ead837fbf7d50b81ee8cde52fc82fe07134b3a522e1ca5fe80f0c9ff55df30
SHA512 90e999b71ae0aa7ac6cf7488ace95d571ec57360cfdd8d889c467945f908272204e276c167ff4621f14e3d22d3366d482d3cb962f1d3a7261a822e77b2a59163

Filesize 768KB
MD5 5eca966dd56f0189904b8240878cba81
SHA1 770520d011c21409b93a77bf45fc858ccaaaa8af
SHA256 b09dd6fd6cb440cd5263f442082effb1089961d2c1ff86dd5cc5e47e78aa350e
SHA512 99cdf082fe098418a33eeba18799b6ccf22e08de99cab546f0add72d941fec7363c0a8d073283369c7cbd66d67ebdb0803215d19944aa30db576d467a65c2953

Filesize 1.2MB
MD5 931afc729d4dc9c815f25a6e71605882
SHA1 cb03ffc5bdfad24ea2f85bc72302b8b518b8c841
SHA256 e6610aee9c7eccfd728c524ef30047f1fff02f5023e80a6f7f0dc41a9642dbff
SHA512 7071d8d9ed5c8a63ac4cbbc16ee53417b4e2c8fb5007f901e5d538f43859d343816758d22e96a9ef3d3e22318206068cdca1a213be77da8d382bde0d851622ad

Filesize 1.4MB
MD5 e27ed9139b5deae4b799ef17880eb82f
SHA1 210f8087ce88aeb5eb0cdd8a7992adbd3cb35e1e
SHA256 b293901df19277cd5908ea67aa9503839631ae19f312eaf378296f0642f18ead
SHA512 4fa7c75230a7f5a8b760534a28cc74f7beff2fc302c9ac70e6de9544e4d892e09387351ace4d523c4f0e18c2bdff5fffc0f15bf680cad88dc54a65b3a978167e

Filesize 458KB
MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Filesize 64KB
MD5 2ac9bea08704210b2537fcbd3f244496
SHA1 8ee3e4f4b2a582c97b80a3f5a0e2344c43d6bfa3
SHA256 c3c3ac7c56ca6e9387dbf41b1a3e3708ece828b6260a30f8a5d67d4ae27763fd
SHA512 7db3f1988b0384046a837c9df0917be5810b1596477643eaa2fa40fd2e21a52756a1d58616b8445d1c08aada48bf5ba972bfa3f6dba392f448f9678bab441682