Analysis

max time kernel: 145s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/01/2024, 21:08
Static task: static1
Behavioral task: behavioral1
Sample: 7e0244a8bc506ac34c494c55c52a03b5.exe
Resource: win7-20231129-en
General

Target: 7e0244a8bc506ac34c494c55c52a03b5.exe
Size: 2.1MB
MD5: 7e0244a8bc506ac34c494c55c52a03b5
SHA1: 60552dff2005084e18aa148ea1e865f5580d067d
SHA256: 40d8d89e6aa8a95ed370d23588de5bf3601c650334986d8a222e4582be7c4ef5
SHA512: 6cecdec9ed0dca6714e299be18043e932e5ed9a25c5018af56f5f7823a1ec46a50a735f933236fe6d70bc338effe5896daf838f8594559ebb02c4d0e9c81e45a
SSDEEP: 49152:51vqjd/Qvq/AvCGVIBzES3kJy7qE6kDHfZ5:51vqjskOi0JUB5
Malware Config
Signatures
Modifies firewall policy service 2 TTPs 9 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" | ConnectionClient7.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | ConnectionClient7.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | ConnectionClient7.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\DisableNotifications = "1" | ConnectionClient7.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile | ConnectionClient7.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" | ConnectionClient7.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | ConnectionClient7.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | ConnectionClient7.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | ConnectionClient7.exe

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ConnectionClient7.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ConnectionClient7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify = "1" | ConnectionClient7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify = "1" | ConnectionClient7.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | 7e0244a8bc506ac34c494c55c52a03b5.exe
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | ConnectionClient7.exe
Executes dropped EXE 4 IoCs
pid | Process
3604 | ConnectionClient7.exe
2044 | TsCredentials.exe
5776 | TsCredentials.exe
1040 | TsCredentials.exe
Loads dropped DLL 2 IoCs
pid | Process
752 | regsvr32.exe
3604 | ConnectionClient7.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ConnectionClient7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify = "1" | ConnectionClient7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify = "1" | ConnectionClient7.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ConnectionClient7.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\K: | ConnectionClient7.exe
File opened (read-only) | \??\N: | ConnectionClient7.exe
File opened (read-only) | \??\O: | ConnectionClient7.exe
File opened (read-only) | \??\W: | ConnectionClient7.exe
File opened (read-only) | \??\E: | ConnectionClient7.exe
File opened (read-only) | \??\G: | ConnectionClient7.exe
File opened (read-only) | \??\R: | ConnectionClient7.exe
File opened (read-only) | \??\Y: | ConnectionClient7.exe
File opened (read-only) | \??\H: | ConnectionClient7.exe
File opened (read-only) | \??\M: | ConnectionClient7.exe
File opened (read-only) | \??\J: | ConnectionClient7.exe
File opened (read-only) | \??\L: | ConnectionClient7.exe
File opened (read-only) | \??\P: | ConnectionClient7.exe
File opened (read-only) | \??\T: | ConnectionClient7.exe
File opened (read-only) | \??\U: | ConnectionClient7.exe
File opened (read-only) | \??\V: | ConnectionClient7.exe
File opened (read-only) | \??\A: | ConnectionClient7.exe
File opened (read-only) | \??\B: | ConnectionClient7.exe
File opened (read-only) | \??\Z: | ConnectionClient7.exe
File opened (read-only) | \??\S: | ConnectionClient7.exe
File opened (read-only) | \??\X: | ConnectionClient7.exe
File opened (read-only) | \??\I: | ConnectionClient7.exe
File opened (read-only) | \??\Q: | ConnectionClient7.exe
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x0006000000023207-63.dat | autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\TSRedirFlags | ConnectionClient7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000\Device Parameters | ConnectionClient7.exe
Key security queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters | ConnectionClient7.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters\TSRedirFlags | ConnectionClient7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\Device Parameters | ConnectionClient7.exe
Key security queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | ConnectionClient7.exe
Modifies Control Panel 9 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\LowPowerTimeOut = "0" | ConnectionClient7.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | ConnectionClient7.exe
Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop | ConnectionClient7.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\LowPowerActive = "0" | ConnectionClient7.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\PowerOffActive = "0" | ConnectionClient7.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\PowerOffTimeOut = "0" | ConnectionClient7.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\ScreenSaveTimeOut = "300000" | ConnectionClient7.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\ScreenSaveActive = "0" | ConnectionClient7.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "0" | ConnectionClient7.exe
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EAB16C5D-EED1-4E95-868B-0FBA1B42C092} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B7ACC97-F3C9-46F7-8C5B-FA685D3441B1}\ProxyStubClsid32\ = "{A1230201-1439-4E62-A414-190D0AC3D40E}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1230204-D6A7-11D8-B9FD-000BDBD1F198}\NumMethods | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B7ACC97-F3C9-46F7-8C5B-FA685D3441B1}\ = "IWTSBitmapRenderer" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6A6F4B83-45C5-4ca9-BDD9-0D81C12295E4} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EA326091-05FE-40C1-B49C-3D2EF4626A0E}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EAB16C5D-EED1-4E95-868B-0FBA1B42C092}\ToolboxBitmap32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D3E07363-087C-476C-86A7-DBB15F46DDB4} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ace575fd-1fcf-4074-9401-ebab990fa9de} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EAB16C5D-EED1-4E95-868B-0FBA1B42C092}\ToolboxBitmap32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8C11EFA1-92C3-11D1-BC1E-00C04FA31489} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D3E07363-087C-476C-86A7-DBB15F46DDB4}\ = "IWTSPluginServiceProvider" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{260EC22D-8CBC-44B5-9E88-2A37F6C93AE9}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1230207-D6A7-11D8-B9FD-000BDBD1F198}\NumMethods | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a41a4187-5a86-4e26-b40a-856f9035d9cb}\ToolboxBitmap32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6A6F4B83-45C5-4ca9-BDD9-0D81C12295E4} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1230201-1439-4E62-A414-190D0AC3D40E}\NumMethods | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1230207-D6A7-11D8-B9FD-000BDBD1F198} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{260EC22D-8CBC-44B5-9E88-2A37F6C93AE9}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3BC03A0-041D-42E3-AD22-882B7865C9C5}\ToolboxBitmap32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1230206-9A39-4D58-8674-CDB4DFF4E73B}\NumMethods | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1230203-D6A7-11D8-B9FD-000BDBD1F198} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D782928E-FE4E-4E77-AE90-9CD0B3E3B353}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D782928E-FE4E-4E77-AE90-9CD0B3E3B353}\ = "IWTSBitmapRendererCallback" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B7ACC97-F3C9-46F7-8C5B-FA685D3441B1}\NumMethods | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1230201-1439-4E62-A414-190D0AC3D40E}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D3E07363-087C-476C-86A7-DBB15F46DDB4}\NumMethods\ = "4" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EA326091-05FE-40C1-B49C-3D2EF4626A0E}\ = "IWTSBitmapRenderService" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AE29350-321B-42be-BBE5-12FB5270C0DE} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7390f3d8-0439-4c05-91e3-cf5cb290c3d0} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B7ACC97-F3C9-46F7-8C5B-FA685D3441B1} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7cacbd7b-0d99-468f-ac33-22e495c0afe5}\ToolboxBitmap32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4eb89ff4-7f78-4a0f-8b8d-2bf02e94e4b2} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{260EC22D-8CBC-44B5-9E88-2A37F6C93AE9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a41a4187-5a86-4e26-b40a-856f9035d9cb} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a9d7038d-b5ed-472e-9c47-94bea90a5910}\ToolboxBitmap32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4eb2f086-c818-447e-b32c-c51ce2b30d31} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7584c670-2274-4efb-b00b-d6aaba6d3850}\ToolboxBitmap32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9059f30f-4eb1-4bd2-9fdc-36f43a218f4a} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9059f30f-4eb1-4bd2-9fdc-36f43a218f4a}\ToolboxBitmap32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1230206-9A39-4D58-8674-CDB4DFF4E73B} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B7ACC97-F3C9-46F7-8C5B-FA685D3441B1}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a9d7038d-b5ed-472e-9c47-94bea90a5910}\ToolboxBitmap32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3523c2fb-4031-44e4-9a3b-f1e94986ee7f}\ToolboxBitmap32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8C11EFA1-92C3-11D1-BC1E-00C04FA31489}\1.0\HELPDIR | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\WOW6432Node\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AE29350-321B-42be-BBE5-12FB5270C0DE}\ToolboxBitmap32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1230207-D6A7-11D8-B9FD-000BDBD1F198}\NumMethods | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7584c670-2274-4efb-b00b-d6aaba6d3850} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{260EC22D-8CBC-44B5-9E88-2A37F6C93AE9}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D3E07363-087C-476C-86A7-DBB15F46DDB4}\NumMethods | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1230205-D6A7-11D8-B9FD-000BDBD1F198} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8C11EFA1-92C3-11D1-BC1E-00C04FA31489}\1.0 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\RemoteDesktopClient.RemoteDesktopClient\ = "RemoteDesktopClient Class" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D782928E-FE4E-4E77-AE90-9CD0B3E3B353}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3BC03A0-041D-42E3-AD22-882B7865C9C5} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4EDCB26C-D24C-4e72-AF07-B576699AC0DE}\ToolboxBitmap32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7390f3d8-0439-4c05-91e3-cf5cb290c3d0}\ToolboxBitmap32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{260EC22D-8CBC-44B5-9E88-2A37F6C93AE9}\ = "IRemoteDesktopClientTouchPointer" | regsvr32.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
3604 | ConnectionClient7.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs
pid | Process
3604 | ConnectionClient7.exe (24 identical events)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3604 | ConnectionClient7.exe

Suspicious use of FindShellTrayWindow 8 IoCs
pid | Process
4864 | 7e0244a8bc506ac34c494c55c52a03b5.exe (3 events)
3604 | ConnectionClient7.exe (5 events)

Suspicious use of SendNotifyMessage 6 IoCs
pid | Process
4864 | 7e0244a8bc506ac34c494c55c52a03b5.exe (3 events)
3604 | ConnectionClient7.exe (3 events)

Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
3604 | ConnectionClient7.exe

Suspicious use of WriteProcessMemory 30 IoCs
description | pid | Process | procid_target
PID 4864 wrote to memory of 3604 | 4864 | 7e0244a8bc506ac34c494c55c52a03b5.exe | 85 (3 events)
PID 3604 wrote to memory of 5816 | 3604 | ConnectionClient7.exe | 89 (3 events)
PID 5816 wrote to memory of 752 | 5816 | cmd.exe | 88 (3 events)
PID 3604 wrote to memory of 2044 | 3604 | ConnectionClient7.exe | 90 (3 events)
PID 3604 wrote to memory of 5776 | 3604 | ConnectionClient7.exe | 93 (3 events)
PID 3604 wrote to memory of 4804 | 3604 | ConnectionClient7.exe | 94 (3 events)
PID 4804 wrote to memory of 3700 | 4804 | cmd.exe | 96 (3 events)
PID 3604 wrote to memory of 1040 | 3604 | ConnectionClient7.exe | 105 (3 events)
PID 3604 wrote to memory of 2172 | 3604 | ConnectionClient7.exe | 108 (3 events)
PID 2172 wrote to memory of 868 | 2172 | cmd.exe | 106 (3 events)

System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ConnectionClient7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | ConnectionClient7.exe
Processes

C:\Users\Admin\AppData\Local\Temp\7e0244a8bc506ac34c494c55c52a03b5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7e0244a8bc506ac34c494c55c52a03b5.exe"
  - Checks computer location settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4864

  C:\Users\Admin\AppData\Roaming\RDP6\ConnectionClient7.exe
    Command line: "C:\Users\Admin\AppData\Roaming\RDP6\ConnectionClient7.exe" -server 82.233.77.1 -port 443 -user owdemo1 -psw owdemo1 -color 15 -alttab 0 -full 1 -printer on -preview on -seamless on -wallp green -sound on -loadbalancing 0 -localtb 32
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Checks SCSI registry key(s)
    - Modifies Control Panel
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID: 3604

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\RDP6\TSFTPClient.dll"
      - Suspicious use of WriteProcessMemory
      PID: 5816

    C:\Users\Admin\AppData\Roaming\RDP6\TsCredentials.exe
      Command line: "C:\Users\Admin\AppData\Roaming\RDP6\TsCredentials.exe" 82.233.77.1 /Delete
      - Executes dropped EXE
      PID: 2044

    C:\Users\Admin\AppData\Roaming\RDP6\TsCredentials.exe
      Command line: "C:\Users\Admin\AppData\Roaming\RDP6\TsCredentials.exe" 82.233.77.1 owdemo1 owdemo1
      - Executes dropped EXE
      PID: 5776

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c regsvr32.exe /s C:\Windows\SysWOW64\mstscax.dll
      - Suspicious use of WriteProcessMemory
      PID: 4804

      C:\Windows\SysWOW64\regsvr32.exe
        Command line: regsvr32.exe /s C:\Windows\SysWOW64\mstscax.dll
        - Modifies registry class
        PID: 3700

    C:\Users\Admin\AppData\Roaming\RDP6\TsCredentials.exe
      Command line: "C:\Users\Admin\AppData\Roaming\RDP6\TsCredentials.exe" 82.233.77.1 /Delete
      - Executes dropped EXE
      PID: 1040

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c regsvr32.exe "C:\Windows\SysWOW64\mstscax.dll" /s
      - Suspicious use of WriteProcessMemory
      PID: 2172

C:\Windows\SysWOW64\regsvr32.exe
  Command line: regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\RDP6\TSFTPClient.dll"
  - Loads dropped DLL
  PID: 752

C:\Windows\SysWOW64\regsvr32.exe
  Command line: regsvr32.exe "C:\Windows\SysWOW64\mstscax.dll" /s
  - Modifies registry class
  PID: 868
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (3)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 917KB
MD5: 6f46f9edd355b899a14067bd7bb65333
SHA1: f5e7cfcea1075927452210a042fc3185ba1419a1
SHA256: c28fc522a25aa9f2bbb6fe3222249e00d39f8140829c5729c32de774fb8c4b68
SHA512: 3bcd54d6c9241b46875e8fade9065870b5625a4687d807d2fa131faaea0c5c84959f3ef0e1d7887d7cfe1c569acede162a26f1e59e5fb7ce80cd0b5ddb20c430

Filesize: 180KB
MD5: 0dc3c0622c59ae9b97d874eb312cf69e
SHA1: 6068890a47e89ac4c6ddd2d282d82e82dea40930
SHA256: c81971f6747c521b4409d3bbc2c39a50d34dc95cd60a4f9f321a768f8e9d29c3
SHA512: ec2350a39474cb799f22c4ce72fa43e2fbcc4af1ff98b014ccddb1fe6f72449b325b6d4269b5a37eb72252179101eb0a7fa03dbe7b4f28799d74123c70319935

Filesize: 131KB
MD5: d0350c7da46fdc8e6b4fdec70ef9d48a
SHA1: def3d6d9a24d53e922d2edf5b22a4c3c49df7637
SHA256: 9f2ef867247663b1db6aad6eaebb57bfab80f093c2b52d8bf664e135995b471d
SHA512: 2c14655746154339dd245b42ae530cdaa10f9123dd23c14a6f9470336942ff3e55cc03eaa9eb97162df0c39d129ba4b82c8b7285832734ab867a2daee86be27f

Filesize: 7KB
MD5: feb0692918248950d909d114b957d722
SHA1: 6858973ee8e05a16aabae9065f10617d4147e826
SHA256: 3c1fb9294d8e0c12d608d3d59a798d3b065a06c1f845fdbceafd22b31096c10a
SHA512: d9e7eb8746686b3864ec25b662e05747ed35c954650c6feb064417abfa93257eef1862235bd3d60c0f9098cdcb0f915025325b9fd1d853b32b5d23a187b851f7

Filesize: 4KB
MD5: 6376d93f503ea89c279fe132cf02d3f5
SHA1: 4e97b8ec955c9a45853c4a51196bd6ba39821b15
SHA256: ba430972b2204862a0e1958256db90f435a1364b01d358cc92d4df00338e2049
SHA512: 6e16357ec249e1ab114654b67cc1b3a3b99fbe641dbf1cd3d39da24e5f1c72fa51465f8d78f44b297ddfe6e4421447d058d28d44a3a8da15806a477fb0f08cb9