Analysis
max time kernel: 131s
max time network: 132s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27/02/2024, 15:53
Static task: static1
Behavioral task: behavioral1 (sample 27022024_2353_scan.msi, resource win7-20240221-en)
Behavioral task: behavioral2 (sample 27022024_2353_scan.msi, resource win10v2004-20240226-en)
General
Target: 27022024_2353_scan.msi
Size: 5.7MB
MD5: 50c85e84f91c3b7f1811380aeae9d606
SHA1: 7703c4ec1ea28c2b9785eb02b5c11b7b226155eb
SHA256: ef989e3924e2f9e3fe7ec53fd870124b8f9174275428c36e03a991a55ce5ad54
SHA512: e5b2930d2c44d27af969f96b2040045b6a9a6d6ad6cd500a3b01b7b789e713f8bd6dc867a7d6bfc39b87004bfb67744899cb5e94e37bef142aa2f0e21fe7d02c
SSDEEP: 49152:opUPXXhs0/Te0LjgIAkr5VbSPn9VISBdxXhYHGphbEEoGVupQMKk+/GTeonv3c9M:opEpoVR0mVERDCjk+Onva46G
Malware Config
Extracted
Family: darkgate
Botnet: admin888
C2: remasterprodelherskjs.com
anti_analysis: false
anti_debug: false
anti_vm: false
c2_port: 80
check_disk: false
check_ram: false
check_xeon: false
crypter_au3: false
crypter_dll: false
crypter_raw_stub: false
internal_mutex: kiQRLFmc
minimum_disk: 50
minimum_ram: 7000
ping_interval: 6
rootkit: false
startup_persistence: true
username: admin888
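Added example (not part of the tria.ge report and not DarkGate's own code): the extracted config above turned into typed fields, the IoCs a hunter would pivot on, and the sandbox-evasion gates it would apply to a given host. The config text is constructed from this page's values. What minimum_ram (taken here as MB), minimum_disk (taken as GB) and check_xeon mean, and that a check_* flag must be true for its threshold to apply, are assumptions made for the illustration, not facts the report states.

```python
"""Typed view of an extracted DarkGate config plus the evasion gates it implies.

Added example, not tria.ge or DarkGate code. Threshold units and the
"check_* flag enables its threshold" rule are assumptions for illustration.
"""
from dataclasses import dataclass

# Constructed from this report's "Malware Config" section, one "key value" per line.
SAMPLE_CONFIG_TEXT = """
anti_analysis false
anti_debug false
anti_vm false
c2_port 80
check_disk false
check_ram false
check_xeon false
crypter_au3 false
crypter_dll false
crypter_raw_stub false
internal_mutex kiQRLFmc
minimum_disk 50
minimum_ram 7000
ping_interval 6
rootkit false
startup_persistence true
username admin888
"""


def _coerce(raw: str):
    """Booleans and integers become typed values; anything else stays a string."""
    low = raw.lower()
    if low in ("true", "false"):
        return low == "true"
    if raw.isdigit():
        return int(raw)
    return raw


def parse_config(text: str) -> dict:
    """Parse "key value" lines into a dict with typed values."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        cfg[key] = _coerce(value.strip())
    return cfg


def hunting_iocs(cfg: dict, c2_host: str) -> dict:
    """The config fields worth pivoting on across other samples."""
    return {
        "c2": f"{c2_host}:{cfg['c2_port']}",
        "mutex": cfg["internal_mutex"],
        "username": cfg["username"],
        "beacon_interval_s": cfg["ping_interval"],
        "persists_at_startup": cfg["startup_persistence"],
    }


@dataclass(frozen=True)
class HostProfile:
    ram_mb: int
    disk_gb: int
    cpu_name: str


def evasion_gates(cfg: dict, host: HostProfile) -> list:
    """Reasons the payload would refuse to run on `host` under the assumed
    semantics (MB / GB thresholds, "Xeon" in the CPU name). Empty = no gate fires."""
    reasons = []
    if cfg["check_ram"] and host.ram_mb < cfg["minimum_ram"]:
        reasons.append(f"RAM {host.ram_mb} MB below minimum_ram {cfg['minimum_ram']}")
    if cfg["check_disk"] and host.disk_gb < cfg["minimum_disk"]:
        reasons.append(f"disk {host.disk_gb} GB below minimum_disk {cfg['minimum_disk']}")
    if cfg["check_xeon"] and "xeon" in host.cpu_name.lower():
        reasons.append(f"server-class CPU name: {host.cpu_name}")
    return reasons


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG_TEXT)
    print(hunting_iocs(cfg, "remasterprodelherskjs.com"))
    sandbox = HostProfile(ram_mb=4096, disk_gb=40, cpu_name="Intel(R) Xeon(R) CPU")
    print("gates on this sample:", evasion_gates(cfg, sandbox))
    armed = dict(cfg, check_ram=True, check_disk=True, check_xeon=True)
    print("gates if the checks were on:", evasion_gates(armed, sandbox))
```

On this sample every check_* flag is false, so no gate fires whatever the host looks like; the armed copy shows what a 4 GB / 40 GB / Xeon sandbox would trip if an operator turned them on, which is why the "Checks processor information in registry" signature further down is worth correlating with check_xeon in other DarkGate configs.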
Signatures
Detect DarkGate stealer (14 IoCs)
YARA rule family_darkgate_v6 matched these memory dumps from behavioral1:
behavioral1/memory/2640-357-0x00000000036E0000-0x00000000046B0000-memory.dmp
behavioral1/memory/2640-359-0x0000000004B60000-0x0000000004EAF000-memory.dmp
behavioral1/memory/1144-365-0x00000000007D0000-0x0000000000F72000-memory.dmp
behavioral1/memory/2640-366-0x0000000004B60000-0x0000000004EAF000-memory.dmp
behavioral1/memory/1144-370-0x00000000007D0000-0x0000000000F72000-memory.dmp
behavioral1/memory/2112-375-0x0000000000930000-0x00000000010D2000-memory.dmp
behavioral1/memory/1144-376-0x00000000007D0000-0x0000000000F72000-memory.dmp
behavioral1/memory/1144-377-0x00000000007D0000-0x0000000000F72000-memory.dmp
behavioral1/memory/1144-378-0x00000000007D0000-0x0000000000F72000-memory.dmp
behavioral1/memory/2112-381-0x0000000000930000-0x00000000010D2000-memory.dmp
behavioral1/memory/1144-382-0x00000000007D0000-0x0000000000F72000-memory.dmp
behavioral1/memory/2112-383-0x0000000000930000-0x00000000010D2000-memory.dmp
behavioral1/memory/2112-393-0x0000000000930000-0x00000000010D2000-memory.dmp
behavioral1/memory/1144-396-0x00000000007D0000-0x0000000000F72000-memory.dmp
All hits are in Autoit3.exe (PID 2640) and the two GoogleUpdateCore.exe instances (PIDs 1144 and 2112): the unpacked DarkGate payload only exists in memory of the AutoIt interpreter and the processes it injected into, not on disk in the MSI or the dropped EXE.
Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
description: PID 2640 created 1180; pid 2640, Autoit3.exe; procid_target 11
description: PID 1144 created 1120; pid 1144, GoogleUpdateCore.exe; procid_target 12
This is parent-PID spoofing: the caller passes a different process as the parent of the one it creates, so the child's recorded parent is not the process that actually started it. Read together with the process tree below, Autoit3.exe (2640) started GoogleUpdateCore.exe (1144) with Dwm.exe (1180) as its declared parent, and that GoogleUpdateCore.exe started a second copy (2112) under taskhost.exe (1120); the WriteProcessMemory entries show 2640 writing into 1144 and 1144 into 2112, i.e. the tree's Dwm.exe and taskhost.exe branches are injection targets, not real ancestry.
Modifies file permissions (1 TTP, 2 IoCs)
pid 2324, ICACLS.EXE
pid 860, ICACLS.EXE
Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\hAEaGEF = "C:\\ProgramData\\cckkfea\\Autoit3.exe C:\\ProgramData\\cckkfea\\bfcchdc.a3x" (GoogleUpdateCore.exe)
Per-user logon persistence: the Run value re-launches the AutoIt interpreter staged under C:\ProgramData\cckkfea\ with the compiled script bfcchdc.a3x, matching startup_persistence: true in the extracted config. Note that the cmd.exe cleanup in the process tree later deletes this same directory together with c:\temp.
Blocklisted process makes network request (3 IoCs)
flow 3: pid 2872, msiexec.exe
flow 5: pid 2872, msiexec.exe
flow 7: pid 2696, msiexec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by msiexec.exe, twice for each of the 23 drive roots \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (no entries for C:, D: or F:).
Drops file in Windows directory (11 IoCs)
File opened for modification C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
File opened for modification C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
File opened for modification C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
File created C:\Windows\Installer\f76f873.ipi (msiexec.exe)
File opened for modification C:\Windows\Installer\ (msiexec.exe)
File opened for modification C:\Windows\Logs\DPX\setupact.log (EXPAND.EXE)
File created C:\Windows\Installer\f76f872.msi (msiexec.exe)
File opened for modification C:\Windows\Installer\f76f872.msi (msiexec.exe)
File opened for modification C:\Windows\Installer\MSIF.tmp (msiexec.exe)
File opened for modification C:\Windows\Logs\DPX\setuperr.log (EXPAND.EXE)
File opened for modification C:\Windows\Installer\f76f873.ipi (msiexec.exe)
Executes dropped EXE (2 IoCs)
pid 1856, iTunesHelper.exe
pid 2640, Autoit3.exe
Loads dropped DLL (3 IoCs)
pid 2612, MsiExec.exe
pid 2612, MsiExec.exe
pid 1856, iTunesHelper.exe
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (GoogleUpdateCore.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (GoogleUpdateCore.exe)
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Autoit3.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Autoit3.exe)
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (GoogleUpdateCore.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (GoogleUpdateCore.exe)
Modifies data under HKEY_USERS (43 IoCs)
All 43 by DrvInst.exe, under \REGISTRY\USER\.DEFAULT\. Key created:
SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs
Software\Microsoft\SystemCertificates\TrustedPeople
SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs
SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
Software\Policies\Microsoft\SystemCertificates\trust
SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
SOFTWARE\Microsoft\SystemCertificates\Root\CTLs
Software\Microsoft\SystemCertificates\CA
SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
Software\Policies\Microsoft\SystemCertificates\CA
Software\Microsoft\SystemCertificates\Disallowed
Software\Policies\Microsoft\SystemCertificates\Disallowed
SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
SOFTWARE\Microsoft\SystemCertificates\Root\Certificates
SOFTWARE\Microsoft\SystemCertificates\trust\CRLs
SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs
SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs
SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs
SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs
Software\Microsoft\SystemCertificates\trust
SOFTWARE\Microsoft\SystemCertificates\trust\Certificates
SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
Software\Microsoft\SystemCertificates\SmartCardRoot
Software\Policies\Microsoft\SystemCertificates\TrustedPeople
SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
Software\Microsoft\SystemCertificates\My
SOFTWARE\Microsoft\SystemCertificates\Root\CRLs
SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates
SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
Software\Microsoft\SystemCertificates\Root
SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates
SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
Set value (data): SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (UTF-16LE multi-string "en-US", "en")
These are the default certificate-store and WinTrust keys a driver install touches; they belong to the volume-snapshot device install that vssvc.exe and DrvInst.exe handled during the MSI run, not to the DarkGate payload, and are not persistence.
Runs ping.exe (1 TTP, 1 IoC)
pid 3040, PING.EXE
Suspicious behavior: EnumeratesProcesses (9 IoCs)
pid 2696 msiexec.exe (x2), pid 2640 Autoit3.exe (x2), pid 1144 GoogleUpdateCore.exe (x2), pid 2112 GoogleUpdateCore.exe (x1), pid 1144 GoogleUpdateCore.exe (x2)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid 1144, GoogleUpdateCore.exe
Suspicious use of AdjustPrivilegeToken (53 IoCs)
msiexec.exe (PID 2872), 31 tokens: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
msiexec.exe (PID 2696), 9 tokens: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
vssvc.exe (PID 2296), 3 tokens: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
DrvInst.exe (PID 1408), 10 tokens: SeRestorePrivilege (x7), SeLoadDriverPrivilege (x3)
Suspicious use of FindShellTrayWindow (2 IoCs)
pid 2872, msiexec.exe (x2)
Suspicious use of WriteProcessMemory (55 IoCs)
PID 2696 msiexec.exe wrote to memory of 2612 (procid_target 34), 7 times
PID 2612 MsiExec.exe wrote to memory of 2324 (procid_target 35), 4 times
PID 2612 MsiExec.exe wrote to memory of 572 (procid_target 37), 4 times
PID 2612 MsiExec.exe wrote to memory of 1856 (procid_target 39), 4 times
PID 1856 iTunesHelper.exe wrote to memory of 2640 (procid_target 40), 4 times
PID 2612 MsiExec.exe wrote to memory of 1848 (procid_target 41), 4 times
PID 2612 MsiExec.exe wrote to memory of 860 (procid_target 43), 4 times
PID 2640 Autoit3.exe wrote to memory of 1144 (procid_target 45), 8 times
PID 1144 GoogleUpdateCore.exe wrote to memory of 2112 (procid_target 46), 8 times
PID 1144 GoogleUpdateCore.exe wrote to memory of 1572 (procid_target 48), 4 times
PID 1572 cmd.exe wrote to memory of 3040 (procid_target 49), 4 times
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Depth in the tree is shown as [1]..[4]; each entry gives the image path, PID, command line and the signatures raised by that process.
[1] C:\Windows\system32\Dwm.exe (PID 1180)
    cmdline: "C:\Windows\system32\Dwm.exe"
    [2] C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe (PID 1144)
        cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Adds Run key to start application
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of WriteProcessMemory
        [3] \??\c:\windows\SysWOW64\cmd.exe (PID 1572)
            cmdline: "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 & del /q /f /s c:\temp & del /q /f /s C:\ProgramData\cckkfea\ & rmdir /s /q C:\ProgramData\cckkfea\
            - Suspicious use of WriteProcessMemory
            [4] \??\c:\windows\SysWOW64\PING.EXE (PID 3040)
                cmdline: ping 127.0.0.1
                - Runs ping.exe
[1] C:\Windows\system32\taskhost.exe (PID 1120)
    cmdline: "taskhost.exe"
    [2] C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe (PID 2112)
        cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
[1] C:\Windows\system32\msiexec.exe (PID 2872)
    cmdline: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\27022024_2353_scan.msi
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
[1] C:\Windows\system32\msiexec.exe (PID 2696)
    cmdline: C:\Windows\system32\msiexec.exe /V
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\syswow64\MsiExec.exe (PID 2612)
        cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding A5850FBB27B22029710EDE2E24811285
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\ICACLS.EXE (PID 2324)
            cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-2114eb99-24c5-4b57-877d-ba750e5968f6\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
            - Modifies file permissions
        [3] C:\Windows\SysWOW64\EXPAND.EXE (PID 572)
            cmdline: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
            - Drops file in Windows directory
        [3] C:\Users\Admin\AppData\Local\Temp\MW-2114eb99-24c5-4b57-877d-ba750e5968f6\files\iTunesHelper.exe (PID 1856)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\MW-2114eb99-24c5-4b57-877d-ba750e5968f6\files\iTunesHelper.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            [4] \??\c:\temp\Autoit3.exe (PID 2640)
                cmdline: "c:\temp\Autoit3.exe" c:\temp\script.a3x
                - Suspicious use of NtCreateUserProcessOtherParentProcess
                - Executes dropped EXE
                - Checks processor information in registry
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe (PID 1848)
            cmdline: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-2114eb99-24c5-4b57-877d-ba750e5968f6\files"
        [3] C:\Windows\SysWOW64\ICACLS.EXE (PID 860)
            cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-2114eb99-24c5-4b57-877d-ba750e5968f6\." /SETINTEGRITYLEVEL (CI)(OI)LOW
            - Modifies file permissions
[1] C:\Windows\system32\vssvc.exe (PID 2296)
    cmdline: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\DrvInst.exe (PID 1408)
    cmdline: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004D8" "0000000000000540"
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
Reading the tree: the MSI's custom-action host (MsiExec.exe -Embedding, PID 2612) raises the integrity level of its Temp\MW-... directory, expands files.cab into it, runs the dropped iTunesHelper.exe (which loads a dropped DLL), and that process launches c:\temp\Autoit3.exe with script.a3x. The AutoIt interpreter injects into a new GoogleUpdateCore.exe whose parent is spoofed to Dwm.exe; that copy sets the Run key, spawns a second copy under a spoofed taskhost.exe parent, and finally runs the ping-then-delete cmd.exe that wipes c:\temp and C:\ProgramData\cckkfea. The MSI host meanwhile deletes its files directory and drops the Temp directory back to low integrity, so little of the loader chain survives on disk after the run.
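Added example (not tria.ge code): detection logic for what the tree above shows, run over event records constructed here from the PIDs, image paths and command lines the report lists. The Sysmon-like split between the parent a child reports and the PID that actually issued the create call is an assumption about available telemetry; it is what makes the NtCreateUserProcessOtherParentProcess signature detectable from logs rather than only from a sandbox.

```python
"""Rules for the DarkGate MSI chain on this page: parent-PID spoofing, AutoIt
running a script from a user-writable path, an EXE started from the MSI's
Temp extraction directory, ping-then-delete cleanup, and a Run key pointing
at AutoIt under ProgramData. Added example; events are constructed from the
report, and the parent/creator split is an assumed telemetry shape."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_pid: int   # parent PID as the child reports it
    creator_pid: int  # PID that issued the create call; 0 = not observed


@dataclass(frozen=True)
class RegEvent:
    pid: int
    image: str
    key: str
    value: str


MSI_TMP = r"C:\Users\Admin\AppData\Local\Temp\MW-2114eb99-24c5-4b57-877d-ba750e5968f6"
GUC = r"C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
CLEANUP = (r'"c:\windows\system32\cmd.exe" /c ping 127.0.0.1 & del /q /f /s c:\temp '
           r"& del /q /f /s C:\ProgramData\cckkfea\ & rmdir /s /q C:\ProgramData\cckkfea" + "\\")

# Constructed from this report's process tree.
PROC_EVENTS = [
    ProcEvent(2696, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V", 0, 0),
    ProcEvent(2612, r"C:\Windows\syswow64\MsiExec.exe",
              r"C:\Windows\syswow64\MsiExec.exe -Embedding A5850FBB27B22029710EDE2E24811285", 2696, 2696),
    ProcEvent(1856, rf"{MSI_TMP}\files\iTunesHelper.exe", rf'"{MSI_TMP}\files\iTunesHelper.exe"', 2612, 2612),
    ProcEvent(2640, r"\??\c:\temp\Autoit3.exe", r'"c:\temp\Autoit3.exe" c:\temp\script.a3x', 1856, 1856),
    # reports Dwm.exe (1180) as parent, but Autoit3.exe (2640) issued the create
    ProcEvent(1144, GUC, f'"{GUC}"', 1180, 2640),
    # reports taskhost.exe (1120) as parent, but 1144 issued the create
    ProcEvent(2112, GUC, f'"{GUC}"', 1120, 1144),
    ProcEvent(1572, r"\??\c:\windows\SysWOW64\cmd.exe", CLEANUP, 1144, 1144),
    ProcEvent(3040, r"\??\c:\windows\SysWOW64\PING.EXE", "ping 127.0.0.1", 1572, 1572),
    # benign-looking cmd.exe from the MSI host: rd without the ping delay (negative case)
    ProcEvent(1848, r"C:\Windows\SysWOW64\cmd.exe",
              rf'C:\Windows\system32\cmd.exe /c rd /s /q "{MSI_TMP}\files"', 2612, 2612),
]
REG_EVENTS = [
    RegEvent(1144, "GoogleUpdateCore.exe",
             r"\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000"
             r"\Software\Microsoft\Windows\CurrentVersion\Run\hAEaGEF",
             r"C:\ProgramData\cckkfea\Autoit3.exe C:\ProgramData\cckkfea\bfcchdc.a3x"),
]

USER_WRITABLE = re.compile(r"^(?:\\\?\?\\)?c:\\(?:temp|programdata|users\\[^\\]+\\appdata)\\", re.I)
MSI_EXTRACT_DIR = re.compile(r"\\Temp\\MW-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\\", re.I)
PING_THEN_DELETE = re.compile(r"\bping\b[^&]*127\.0\.0\.1.*&.*\b(?:del|erase|rd|rmdir)\b", re.I)


def parent_pid_spoofing(events):
    """(child, creator, reported parent) where the creator is not the parent."""
    return [(e.pid, e.creator_pid, e.parent_pid) for e in events
            if e.creator_pid and e.creator_pid != e.parent_pid]


def autoit_script_from_writable_path(events):
    return [e.pid for e in events
            if e.image.lower().endswith("autoit3.exe")
            and USER_WRITABLE.match(e.image) and ".a3x" in e.cmdline.lower()]


def executable_from_msi_extract_dir(events):
    return [e.pid for e in events if MSI_EXTRACT_DIR.search(e.image)]


def ping_then_delete_cleanup(events):
    return [e.pid for e in events
            if e.image.lower().endswith("cmd.exe") and PING_THEN_DELETE.search(e.cmdline)]


def run_key_to_autoit(reg_events):
    return [(r.pid, r.key.rsplit("\\", 1)[-1], r.value) for r in reg_events
            if "\\currentversion\\run\\" in r.key.lower()
            and "autoit3.exe" in r.value.lower() and USER_WRITABLE.match(r.value)]


def triage(proc_events, reg_events) -> dict:
    return {
        "parent_pid_spoofing": parent_pid_spoofing(proc_events),
        "autoit_script_from_writable_path": autoit_script_from_writable_path(proc_events),
        "executable_from_msi_extract_dir": executable_from_msi_extract_dir(proc_events),
        "ping_then_delete_cleanup": ping_then_delete_cleanup(proc_events),
        "run_key_to_autoit": run_key_to_autoit(reg_events),
    }


if __name__ == "__main__":
    for rule, hits in triage(PROC_EVENTS, REG_EVENTS).items():
        print(f"{rule}: {hits}")
```

Each rule is deliberately narrow so it can be read as a Sigma-style condition: the spoofing rule needs the creator PID, which EDR telemetry usually exposes but Sysmon event 1 alone does not, so on Sysmon-only hosts fall back to the other four, which key off command lines and registry writes the report shows verbatim.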
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 173KB
MD5: ec5d16f665052c8321182f4aa0c3a395
SHA1: bb77b031e29e0a2448ed6e02e446888615787a15
SHA256: 989cf43948a517d8cb8f04edf697952a1ca366f5d5937697eccb20c7e18547f6
SHA512: e6e2c1658be4de4c422fbae6b580189792dae02d741d1142b99915810f3624e7d31df301db4e039163afac9c5601903c169d8d27c447b4061bf776e059cd564a
-
Filesize: 1KB
MD5: 47452ffe3abf4b95120490d8f1a9d349
SHA1: 488e6d2c0a1851413d533acdcf744e561208ffca
SHA256: e416b2830ac29a24530334b7fbaa89456220064ff1d907e7ee3d0a7bd582d425
SHA512: b4cf56de2ef46b5f7316b22d7376b2412162e908bba338b56a7373a0b64c285c87b3ab92380dbd97e85b852e15c0329970c807b94da9aa0206b630c582b44116
-
Filesize: 1KB
MD5: e94fb54871208c00df70f708ac47085b
SHA1: 4efc31460c619ecae59c1bce2c008036d94c84b8
SHA256: 7b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df86
SHA512: 2e15b76e16264abb9f5ef417752a1cbb75f29c11f96ac7d73793172bd0864db65f2d2b7be0f16bbbe686068f0c368815525f1e39db5a0d6ca3ab18be6923b898
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: ddec838e0fb4962886d5d9b57a3a5637
SHA1: 741e448ba432d57660bb3f7a2c51a8dd8241f9b4
SHA256: dc702880ae8dfc198b86f12f7a78e810700ac66d046dcbcb4c59b6532dab44c1
SHA512: d51dd0aac310412d11c965ad035da123130e517fb331b90ace8eaa8788c8e05e1ef6621489c29e5606c667fa2b8d3aedcdc4ec761293b94e572181ab7efb691f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5C8CC0A7FE31816B4641D0465402560
Filesize: 264B
MD5: 86a0350fec48ef916c63569961ebb929
SHA1: fe858beac0a202fc24a7048296bb0f9e340766f2
SHA256: cf28d24d6f73d99c5b6d19154cf049ac146e821c564494489c80031a8c46a8e9
SHA512: be2a30d744accd9ed1410682e6fad721a30dbb9a1ea9eb9c373d471a092b074210e8d71147cc0e35122cf5b9d11af54b8c70425303d17917ec2c743a1c3e1557
-
Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize: 3.3MB
MD5: 4660ece36b1ca384d4ba197b066e4d31
SHA1: 5f92cf3fcb2b2c07439fb1fbfc8710b6a49bba6b
SHA256: 780567989c0953ec26a16592961712b47930d7eb6317f014c6275e1c5ddb24d4
SHA512: c1aca88035f72061636dd47f24ae0f0bb70d9f668d10788db90114e1932dd9eee0b2624fa6e3200244e7d5ad20212651fa97b3ba48356121b4f597174c8fdb07
-
Filesize: 180KB
MD5: ea44e022115262f0fcd672aead815ec6
SHA1: 29760451d49c588e2cd8e2d308029b6ac4dbed5f
SHA256: c18ac1d78bc0ae5e6f5f4271b2a4a88a41a70a0d5c23e6713508e1e4d510779e
SHA512: 38f33bc7dec012569ed701fc6f15cf6d4146ce04ef9837295ca4212a50f77031f1fe7ebf526f36ab8dc78d78735c8497c344c41022d87525b7c434eea4d255a1
-
Filesize: 342KB
MD5: 60ccc7ad19b160699a155c525d521b7c
SHA1: cd9a03da0e97640ca1a467276b45df59b09078c4
SHA256: 7b80bb9945046e7063c95be7e8d26de2fe9c4abbe1c717e2f5645173b1270d86
SHA512: 69bae9a50a662cd9c6ddcc76c15338754c2f58dd587717e4b9da42f2ff8da88740e50f22ef6107711ee1a1eb9f01c016a9c25d7331907b8332f608993703aee6
-
Filesize: 221KB
MD5: eddbd4f8a5ae50e89be04839d2b6a4f4
SHA1: 26f55706c7f6e6cf2077842ebc63f152f4689800
SHA256: 736568326bdc062e45f3a63fb39ba07f4387e79f27abcd897a406ef100f5eea0
SHA512: 44da9c8fc855f742a5a7056eb23e4088872e8bef833cdc3d51474b8f1e4b00b1b284d47f45ea78e1cdc76d49ef4010cca3ce334e0c3d08298343e16150ede4ac
-
Filesize: 91KB
MD5: 389a81c3c4a68c692d087c2b1c89f66a
SHA1: fad8fbd4aaa965d47adef8e573229a9da55af647
SHA256: 5ac83e785ce539aa68bd6c773df7101b136e6186fdc316094b9e3f9e1198451b
SHA512: 5e004c8741d0ca77756b73b0331bc9426a4c3e50b0878a01df9c3c417bc7134c00bd11105cb6376b5a395902b4f7b7b0042180c13dc6cb6166ff0fb8d4072728
-
Filesize: 1KB
MD5: c47a37a2c7e7edf6049760067b1c1b87
SHA1: 785875948453289685413702c45dbbd5d94aacf6
SHA256: 921c773dcfae783ece1943d74d02ca089757f34aa69dd08fa559f30db8c3c257
SHA512: 77f66d2a0ffed4dda829b5aeb7792c7c1091a7822f4829d30339cc87e13eddd259e85013e771b07f4f522784fa740817ab1e4c2a981f56103844bd14dba16788
-
Filesize: 171KB
MD5: 9c0c641c06238516f27941aa1166d427
SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize: 32B
MD5: aee5a173dc9b95635f386f584cd1637f
SHA1: 299e8c2d18492164d3c7c8fe229f0474c77a27ff
SHA256: 2ace43458f218944acc2ba730052b97780e4cc390086aad2ae00aa5933d21339
SHA512: 8442b03de4403795ec10575082fafad867436a3ef8d92a5efe54ab8d57d563bae096dc0b88212422b28d6d187ac526e388d896774d4a948e59ba2123aff61357
-
Filesize: 208KB
MD5: d82b3fb861129c5d71f0cd2874f97216
SHA1: f3fe341d79224126e950d2691d574d147102b18d
SHA256: 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512: 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize: 872KB
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize: 4B
MD5: af131fe719fd16a123464261c57ed870
SHA1: d046943f9bf8e31c3fb191e4f3ee3ff114aa4d47
SHA256: f12de95c81eb6751da166777d3a990feadb0ae19ed2816d9d2da6efcc307e0c2
SHA512: 36d8fa50da7ce1e39402a7d9314b10c5d5332c2d28548c98d708071d37d9ba948e13eb1f01ab36a98e49996d2a9ed98b2d21ec8e32d66fc339b38ee865051101
-
Filesize: 4B
MD5: 3dbf418e3fbbd1b4bcd10ca0b79a3282
SHA1: 31ece91b9a37a8b65d5234f2742e496da35b63c6
SHA256: da25ac203fa0f322fe9191bba67dbaf3910477e159c7e6861e51828434c2094f
SHA512: 04ea5ccd222e9e6383053aaabcf72b2e462fd1d36655084ff8f6dd77cc9efc303df199697f16df408448d30125520d981d6c3a514f29c6cd6ed7fea7be77af4c
-
Filesize: 4B
MD5: 120e1fe93fe16823cc52e6dc4d4f1672
SHA1: 6c61b520a744587b47ee7181aa3d3dd029baf88a
SHA256: 841de7e17dfea986912f1658775c437e0bf5313fb6a842f791ef57f738d58b60
SHA512: 0a8c65c42068073ceb1b4858992d4f4fc0d139bcbd783b2ae520218a86b6c24e0fdca8f99d87c8867f1df47d8eb2e068bab334aff66c9d3cc733637e3d7e58c2
-
Filesize: 610KB
MD5: 9b2870caba71468e66f61f578d600815
SHA1: 0f1a16fd71c5698167e24641d7df3c1c694cb22e
SHA256: 9cb2ac69b74a015d6ba02ad15632ff56246df6c22d32febeae32e0851f89d505
SHA512: b40388bf96ffdcb9379a6caa4817dfdab60036b179d1e903ac472fd6b9544bd2bc6c6fad30e71fbaf3097b6a1bfcf8ff9b5ebcaa38b53132baa0d0898ecf60fc
-
Filesize: 4B
MD5: edcf4e77d9cc196d99531ab71f3765ac
SHA1: 97a2d64f731bb6c2d5d99833207e1bc2e512ac88
SHA256: 7bd825dc94755e6a7f4fd01b8c41f915260f6e4279a0149d5238b55f6c851d05
SHA512: 66d2e942285561130626380a8bee0a8201f9c40c54b442b46c7b2e794e9401dc825f97887713da53d7cba1de6a1b07b183456a325ab28c2f82b8c761b0c75c57
-
Filesize: 468KB
MD5: a37df78b6d7563d9743cba9648d84795
SHA1: c829f4591b4f748a92db4b49f2b1a2fa3d33c675
SHA256: 87c47284b340901d82c08c59094040c6e2f39be420893aedc080a16bb11be6a8
SHA512: 1407168740250b3126acd9633b330a14dcfdace0aa8b1f06f13c45e6fdfdd6836e87b2dd32ffecbbc5c490e74e8103a4399b2ef87ed147062d5f3535a1c7f118
-
Filesize: 76B
MD5: 4c5219e9f08372b225eb835b6b55237e
SHA1: 9266c1757a89a5f9ce0c957b7aaf1ad2e1aa6c9a
SHA256: e7f6186b6d7e84a845339f0fc3c1786fa346dff658e24fd60bb6117cea853713
SHA512: b07d312bb67ec6a46aaacca7593687405d67fcce62dd6fde5df498140b5c19eb1db85b9555f327a0c462840e0fe02e4e369a846af11ae5fb24bf1a616005d2f5
-
Filesize: 99KB
MD5: 02d8cdf5b433519504e40ecc9083d574
SHA1: 2a431d1ed3bb5e4c37d0c0dc12ae8853aaae54f8
SHA256: 987c04546d5293b2d70e52d63f32492043081c2041eec5c89ba38d52b1dbf5c8
SHA512: fcbcb637fc4ff57aa9cd957874921430a5c22033eabb7300cc31012823a81c009991aa271708fa67bca25551ebdc21dcf2ca045fe6e5fbf0423d5b564c2481b0
-
Filesize: 257KB
MD5: 3537e1a8e05276bf8a47d9428b6204d4
SHA1: 8aa6600740ac66d2fef17501e7db5aba209dd840
SHA256: ace7432810b35a7a04376d2040d782ee798fc187b13076cb626c858a560c92f0
SHA512: 5b113d27d3022113671d92ac1e8035a0be2d6597a73a8b1c163c23eaaeb20ba0535838da4be95c6aee85c809923305b940d4c026f1a0671018e9cc7843b9af9f