Analysis
max time kernel: 1799s
max time network: 1808s
platform: windows10-1703_x64
resource: win10-20240221-en
resource tags: arch:x64 arch:x86 image:win10-20240221-en locale:en-us os:windows10-1703-x64 system
submitted: 23/02/2024, 18:39
Tasks
- Static task static1
- Behavioral task behavioral1: sample infectprint1.exe, resource win7-20240221-en
- Behavioral task behavioral2: sample infectprint1.exe, resource win10-20240221-en
- Behavioral task behavioral3: sample infectprint1.exe, resource win10v2004-20240221-en
- Behavioral task behavioral4: sample infectprint1.exe, resource win11-20240221-en
General
Target: infectprint1.exe
Size: 79KB
MD5: 0d4af64eb1995e67483f1ac5cde08aa3
SHA1: e12cb2931e67de580a8342bc478ef92e582b49ac
SHA256: 580755838d3205f51c43877d96f43572dc53d6d8f94cf59ecdf5f5b3384f2b31
SHA512: 7cd5124215968e3517c6c7cf1f62dcbc6c1295a1e8e200744e10375625e953eb5f376008abbe0e8524bd7a60193458123b372c342ab474a372b3f9cafe57e8fa
SSDEEP: 1536:Oaci2JuhUKuTJk/K7t5bpQrnPheGIFZXDF5TBjg:6vnb+r2Ny
Malware Config
Extracted
Family: njrat
Version: v4.0
Botnet: i-miss-u
C2: 2.tcp.eu.ngrok.io:18876
Mutex: Windows
Attributes:
- reg_key: Windows
- splitter: |-F-|
Signatures

Drops startup file (5 IoCs)
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | pronto.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | pronto.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | attrib.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | Svhostr.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | pronto.exe

Executes dropped EXE (2 IoCs)
pid | process
3636 | Svhostr.exe
3380 | pronto.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pronto.exe" | Svhostr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | pronto.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | pronto.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | pronto.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | pronto.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 8 IoCs)
flow | ioc
15 | 2.tcp.eu.ngrok.io
18 | 2.tcp.eu.ngrok.io
23 | 2.tcp.eu.ngrok.io
27 | 2.tcp.eu.ngrok.io
48 | 2.tcp.eu.ngrok.io
69 | 2.tcp.eu.ngrok.io
2 | 2.tcp.eu.ngrok.io
13 | 2.tcp.eu.ngrok.io

Drops file in System32 directory (16 IoCs)
description | ioc | process
File opened for modification | C:\Windows\System32\TsWpfWrp.exe | infectprint1.exe
File opened for modification | C:\Windows\System32\UevAgentPolicyGenerator.exe | infectprint1.exe
File opened for modification | C:\Windows\System32\AppV\AppVStreamingUX.exe | infectprint1.exe
File opened for modification | C:\Windows\SysWOW64\TsWpfWrp.exe | infectprint1.exe
File opened for modification | C:\Windows\System32\acu.exe | infectprint1.exe
File opened for modification | C:\Windows\System32\Microsoft.Uev.SyncController.exe | infectprint1.exe
File opened for modification | C:\Windows\System32\UevTemplateConfigItemGenerator.exe | infectprint1.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe | infectprint1.exe
File opened for modification | C:\Windows\System32\SyncAppvPublishingServer.exe | infectprint1.exe
File opened for modification | C:\Windows\System32\tzsync.exe | infectprint1.exe
File opened for modification | C:\Windows\System32\FileHistory.exe | infectprint1.exe
File opened for modification | C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe | infectprint1.exe
File opened for modification | C:\Windows\System32\UevAppMonitor.exe | infectprint1.exe
File opened for modification | C:\Windows\System32\UevTemplateBaselineGenerator.exe | infectprint1.exe
File opened for modification | C:\Windows\System32\ScriptRunner.exe | infectprint1.exe
File opened for modification | C:\Windows\System32\stordiag.exe | infectprint1.exe

Drops file in Program Files directory (10 IoCs)
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe | infectprint1.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe | infectprint1.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE | infectprint1.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE | infectprint1.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | infectprint1.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe | infectprint1.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe | infectprint1.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe | infectprint1.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\3DViewer.ResourceResolver.exe | infectprint1.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | infectprint1.exe

Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | process
3380 | pronto.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | process | procid_target
PID 3580 wrote to memory of 3636 | 3580 | infectprint1.exe | 71
PID 3580 wrote to memory of 3636 | 3580 | infectprint1.exe | 71
PID 3580 wrote to memory of 3636 | 3580 | infectprint1.exe | 71
PID 3636 wrote to memory of 3380 | 3636 | Svhostr.exe | 74
PID 3636 wrote to memory of 3380 | 3636 | Svhostr.exe | 74
PID 3636 wrote to memory of 3380 | 3636 | Svhostr.exe | 74
PID 3636 wrote to memory of 4676 | 3636 | Svhostr.exe | 72
PID 3636 wrote to memory of 4676 | 3636 | Svhostr.exe | 72
PID 3636 wrote to memory of 4676 | 3636 | Svhostr.exe | 72
PID 3380 wrote to memory of 4656 | 3380 | pronto.exe | 77
PID 3380 wrote to memory of 4656 | 3380 | pronto.exe | 77
PID 3380 wrote to memory of 4656 | 3380 | pronto.exe | 77
PID 3380 wrote to memory of 3884 | 3380 | pronto.exe | 75
PID 3380 wrote to memory of 3884 | 3380 | pronto.exe | 75
PID 3380 wrote to memory of 3884 | 3380 | pronto.exe | 75

Views/modifies file attributes (1 TTPs, 3 IoCs)
pid | process
4676 | attrib.exe
3884 | attrib.exe
4656 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\infectprint1.exe (PID 3580)
  Command line: "C:\Users\Admin\AppData\Local\Temp\infectprint1.exe"
  Signatures: Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Documents\Svhostr.exe (PID 3636)
    Command line: "C:\Users\Admin\Documents\Svhostr.exe"
    Signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (PID 4676)
      Command line: attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\pronto.exe"
      Signatures: Views/modifies file attributes
    - C:\Users\Admin\AppData\Local\Temp\pronto.exe (PID 3380)
      Command line: "C:\Users\Admin\AppData\Local\Temp\pronto.exe"
      Signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe (PID 3884)
        Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
        Signatures: Views/modifies file attributes
      - C:\Windows\SysWOW64\attrib.exe (PID 4656)
        Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
        Signatures: Drops startup file; Views/modifies file attributes
Downloads
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe
  Filesize: 55KB
  MD5: d6e8f28c9e1e254b1cc4ccd375ca6668
  SHA1: efe5e84ada49e93aa991732290bb332d6ce13063
  SHA256: f0b662a907423aff1f91bdbe0a90d8f32f89dd160a2c0991aca1a069d0cd7b52
  SHA512: 43b868d418269a83f99f60bcdd9c0ed7cc67e2863f23e57cbba4ee682dd7e046faa717b5e5cb12bdf76b8abbb3c5f71bf22f7a6e004ff8cbe54757ad8d38f833
- Filesize: 1KB
  MD5: 2938324423a248c2fa858304c588d9cf
  SHA1: 27678f1cfea94c0cde2cb66f69bd142bb966adbf
  SHA256: eb5ad4f45c71e7d133bd61a18f08565b33911d8ed73f6426a8d76439c2d0cc2d
  SHA512: ef025c6e65ff293547567f94e49db9d9364f6d416fffef82faccc9a48f333b4f88bde4de59132b499e03bedaa2312d31f75b7cbaf15dbd5c30e2cfb56ff8ea1d
- Filesize: 1KB
  MD5: 66090e08bae4a9dc1cae7e2e88c4cd93
  SHA1: 8c2ffed288850f67f48e29ea49eb89457945db3b
  SHA256: 3a55dda614ea1b556877806438a50928182263a0095c122e557dfbdbd3f42bf7
  SHA512: 1f9b8da508d5152f73d37ffdd7a99d042328b2e59f2b5351aa9b5843a3b0baeb756ca8e9848eadc6868ebfa8f2da4727ae63870a80d8ddb955511c1565711d10
- Filesize: 27KB
  MD5: c596af6b612263a4f8522e8ff345fd77
  SHA1: 26bd8d1eacb0940afbb3fc56ca3900e20a573a06
  SHA256: ae46054bcc8861d767cf7c39d11e18aca0f9f393d6e26c779b95b12ddc725aa1
  SHA512: 185ca33f9579270ceeb08cd1cdaa2d9c3157e677eebe0ab54956106866f3fabf83aaa60f5db3944b47090e8550ff3ade4caab538f383a8bca32dd3f1ae9e6a11