Analysis

max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04/03/2024, 13:47
Behavioral task behavioral1
Sample: b2483ad0a449f083de08dfc3f6ea52d5.exe
Resource: win7-20240221-en

Behavioral task behavioral2
Sample: b2483ad0a449f083de08dfc3f6ea52d5.exe
Resource: win10v2004-20240226-en
General

Target: b2483ad0a449f083de08dfc3f6ea52d5.exe
Size: 88KB
MD5: b2483ad0a449f083de08dfc3f6ea52d5
SHA1: b2564a83daff947b6cd8bd991c3c97da2b486cc5
SHA256: 2fae63b5ac9132e0cbe6ed4804af043bf257ed480e432ff6c4278044a3dbe832
SHA512: c20e9df0cb777326e0b4f1864562e324f9d888977331197479bc3b50b27643b55796f621168c5f84fdfa22f4de6a555f9e2500e7252945e797b4b9c0769daaf6
SSDEEP: 1536:n3eNvWRUCl7c2+ca+Kt7Jg129ApRBgaYtRHcVUHTn3UgXxuheC3+9nnlhBg:3qWRdpc2+Ya7K0SpRBgaYtRHcVUHD3U/
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 3 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\windows\\Sysa.exe" | winsystem.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\windows\\Sysa.exe" | sysb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\windows\\Sysa.exe" | sysa.exe |
Modifies visibility of file extensions in Explorer (2 TTPs, 3 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | winsystem.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | sysb.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | sysa.exe |
Blocks application from running via registry modification (3 IoCs)
Adds application to list of disallowed applications.

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | winsystem.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | sysb.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | sysa.exe |
Executes dropped EXE (4 IoCs)

| pid | Process |
|---|---|
| 1940 | winsystem.exe |
| 1556 | sysa.exe |
| 836 | sysb.exe |
| 2180 | sysa.exe |
UPX packer signature (yara_rule: upx, 22 IoCs)

| resource | yara_rule |
|---|---|
| behavioral1/memory/2604-0-0x0000000000400000-0x0000000000457000-memory.dmp | upx |
| behavioral1/files/0x000900000001752f-8.dat | upx |
| behavioral1/memory/1940-74-0x0000000000400000-0x0000000000457000-memory.dmp | upx |
| behavioral1/memory/2604-117-0x0000000000400000-0x0000000000457000-memory.dmp | upx |
| behavioral1/memory/1940-119-0x0000000002670000-0x00000000026C7000-memory.dmp | upx |
| behavioral1/memory/1556-169-0x0000000002AD0000-0x0000000002B27000-memory.dmp | upx |
| behavioral1/memory/836-173-0x0000000000400000-0x0000000000457000-memory.dmp | upx |
| behavioral1/memory/1556-216-0x0000000000400000-0x0000000000457000-memory.dmp | upx |
| behavioral1/memory/1940-275-0x0000000000400000-0x0000000000457000-memory.dmp | upx |
| behavioral1/memory/1940-276-0x0000000000400000-0x0000000000457000-memory.dmp | upx |
| behavioral1/memory/836-282-0x0000000000400000-0x0000000000457000-memory.dmp | upx |
| behavioral1/memory/2180-296-0x0000000000400000-0x0000000000457000-memory.dmp | upx |
| behavioral1/memory/1940-305-0x0000000000400000-0x0000000000457000-memory.dmp | upx |
| behavioral1/memory/1940-381-0x0000000000400000-0x0000000000457000-memory.dmp | upx |
| behavioral1/memory/1940-439-0x0000000000400000-0x0000000000457000-memory.dmp | upx |
| behavioral1/memory/2180-459-0x0000000000400000-0x0000000000457000-memory.dmp | upx |
| behavioral1/memory/836-477-0x0000000000400000-0x0000000000457000-memory.dmp | upx |
| behavioral1/memory/1940-501-0x0000000000400000-0x0000000000457000-memory.dmp | upx |
| behavioral1/memory/1940-571-0x0000000000400000-0x0000000000457000-memory.dmp | upx |
| behavioral1/memory/1940-632-0x0000000000400000-0x0000000000457000-memory.dmp | upx |
| behavioral1/memory/1940-661-0x0000000000400000-0x0000000000457000-memory.dmp | upx |
| behavioral1/memory/1940-690-0x0000000000400000-0x0000000000457000-memory.dmp | upx |
Adds Run key to start application (2 TTPs, 9 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ SysMonitor = "C:\\windows\\sysa.exe" | winsystem.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\ SysMonitor = "C:\\windows\\sysa.exe" | winsystem.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ SysMonitor = "C:\\windows\\sysa.exe" | sysb.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\ SysMonitor = "C:\\windows\\sysa.exe" | sysb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ SysMonitor = "C:\\windows\\sysa.exe" | sysa.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\ SysMonitor = "C:\\windows\\sysa.exe" | sysa.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explores = "C:\\BootEx.exe" | winsystem.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explores = "C:\\BootEx.exe" | sysb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explores = "C:\\BootEx.exe" | sysa.exe |
Enumerates connected drives (3 TTPs, 9 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
|---|---|---|
| File opened (read-only) | \??\K: | winsystem.exe |
| File opened (read-only) | \??\X: | winsystem.exe |
| File opened (read-only) | \??\Y: | winsystem.exe |
| File opened (read-only) | \??\H: | winsystem.exe |
| File opened (read-only) | \??\I: | winsystem.exe |
| File opened (read-only) | \??\J: | winsystem.exe |
| File opened (read-only) | \??\Z: | winsystem.exe |
| File opened (read-only) | \??\E: | winsystem.exe |
| File opened (read-only) | \??\G: | winsystem.exe |
Drops file in System32 directory (16 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | \??\c:\windows\SysWOW64\oeminfo.ini | b2483ad0a449f083de08dfc3f6ea52d5.exe |
| File opened for modification | \??\c:\windows\SysWOW64\oemlogo.bmp | winsystem.exe |
| File opened for modification | \??\c:\windows\SysWOW64\WindowsProtection.exe | sysa.exe |
| File opened for modification | \??\c:\windows\SysWOW64\oeminfo.ini | sysb.exe |
| File opened for modification | \??\c:\windows\SysWOW64\WindowsProtection.exe | b2483ad0a449f083de08dfc3f6ea52d5.exe |
| File opened for modification | \??\c:\windows\SysWOW64\oeminfo.ini | winsystem.exe |
| File opened for modification | \??\c:\windows\SysWOW64\oeminfo.ini | sysa.exe |
| File opened for modification | \??\c:\windows\SysWOW64\oemlogo.bmp | sysa.exe |
| File opened for modification | \??\c:\windows\SysWOW64\oeminfo.ini | sysa.exe |
| File created | \??\c:\windows\SysWOW64\WindowsProtection.exe | b2483ad0a449f083de08dfc3f6ea52d5.exe |
| File opened for modification | \??\c:\windows\SysWOW64\WindowsProtection.exe | winsystem.exe |
| File opened for modification | \??\c:\windows\SysWOW64\WindowsProtection.exe | sysa.exe |
| File created | \??\c:\windows\SysWOW64\oemlogo.bmp | b2483ad0a449f083de08dfc3f6ea52d5.exe |
| File opened for modification | \??\c:\windows\SysWOW64\WindowsProtection.exe | sysb.exe |
| File opened for modification | \??\c:\windows\SysWOW64\oemlogo.bmp | sysb.exe |
| File opened for modification | \??\c:\windows\SysWOW64\oemlogo.bmp | sysa.exe |
Drops file in Windows directory (63 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | \??\c:\windows\WinSys32.exe | b2483ad0a449f083de08dfc3f6ea52d5.exe |
| File opened for modification | \??\c:\windows\MonitorMission.run | winsystem.exe |
| File opened for modification | \??\c:\windows\MonitorMission.run | sysa.exe |
| File created | \??\c:\windows\system\oeminfo.ini | b2483ad0a449f083de08dfc3f6ea52d5.exe |
| File opened for modification | \??\c:\windows\MonitorSetup.exe | winsystem.exe |
| File opened for modification | \??\c:\windows\MonitorSetup.exe | sysb.exe |
| File opened for modification | \??\c:\windows\system\oemlogo.bmp | sysb.exe |
| File opened for modification | \??\c:\windows\MonitorSetup.exe | sysa.exe |
| File created | \??\c:\windows\sysa.exe | b2483ad0a449f083de08dfc3f6ea52d5.exe |
| File created | \??\c:\windows\WinSystem.exe | sysa.exe |
| File opened for modification | \??\c:\windows\WinSys32.exe | sysa.exe |
| File opened for modification | \??\c:\windows\SystemMonitor64.exe | sysa.exe |
| File opened for modification | \??\c:\windows\windows.exe | sysb.exe |
| File opened for modification | \??\c:\windows\windows.exe | b2483ad0a449f083de08dfc3f6ea52d5.exe |
| File opened for modification | \??\c:\windows\SystemMonitor64.exe | b2483ad0a449f083de08dfc3f6ea52d5.exe |
| File opened for modification | \??\c:\windows\system\oeminfo.ini | winsystem.exe |
| File opened for modification | \??\c:\windows\system\oeminfo.ini | sysb.exe |
| File opened for modification | \??\c:\windows\WinSys32.exe | sysa.exe |
| File created | \??\c:\windows\WinSystem.exe | b2483ad0a449f083de08dfc3f6ea52d5.exe |
| File opened for modification | \??\c:\windows\WinSystem.exe | b2483ad0a449f083de08dfc3f6ea52d5.exe |
| File created | \??\c:\windows\system\oemlogo.bmp | b2483ad0a449f083de08dfc3f6ea52d5.exe |
| File opened for modification | \??\c:\windows\winsystem.exe | b2483ad0a449f083de08dfc3f6ea52d5.exe |
| File created | \??\c:\windows\WinSystem.exe | winsystem.exe |
| File opened for modification | \??\c:\windows\sysb.exe | b2483ad0a449f083de08dfc3f6ea52d5.exe |
| File opened for modification | \??\c:\windows\system\oemlogo.bmp | winsystem.exe |
| File opened for modification | \??\c:\windows\system\oeminfo.ini | sysa.exe |
| File created | \??\c:\windows\sysb.exe | b2483ad0a449f083de08dfc3f6ea52d5.exe |
| File opened for modification | \??\c:\windows\Win System.exe | sysa.exe |
| File opened for modification | \??\c:\windows\runrunrun.exe | sysa.exe |
| File opened for modification | \??\c:\windows\MonitorMission.run | sysb.exe |
| File created | \??\c:\windows\WinSystem.exe | sysa.exe |
| File opened for modification | \??\c:\windows\MonitorMission.run | sysa.exe |
| File created | \??\c:\windows\MonitorSetup.exe | b2483ad0a449f083de08dfc3f6ea52d5.exe |
| File opened for modification | \??\c:\windows\sysa.exe | b2483ad0a449f083de08dfc3f6ea52d5.exe |
| File opened for modification | \??\c:\windows\windows.exe | winsystem.exe |
| File opened for modification | \??\c:\windows\runrunrun.exe | winsystem.exe |
| File opened for modification | \??\c:\windows\windows.exe | sysa.exe |
| File created | \??\c:\windows\runrunrun.exe | b2483ad0a449f083de08dfc3f6ea52d5.exe |
| File opened for modification | \??\c:\windows\system\oeminfo.ini | sysa.exe |
| File opened for modification | \??\c:\windows\WinSys32.exe | sysb.exe |
| File created | \??\c:\windows\windows.exe | b2483ad0a449f083de08dfc3f6ea52d5.exe |
| File opened for modification | \??\c:\windows\MonitorMission.run | b2483ad0a449f083de08dfc3f6ea52d5.exe |
| File opened for modification | \??\c:\windows\runrunrun.exe | b2483ad0a449f083de08dfc3f6ea52d5.exe |
| File opened for modification | \??\c:\windows\Win System.exe | b2483ad0a449f083de08dfc3f6ea52d5.exe |
| File created | \??\c:\windows\WinSys32.exe | b2483ad0a449f083de08dfc3f6ea52d5.exe |
| File opened for modification | \??\c:\windows\WinSys32.exe | winsystem.exe |
| File opened for modification | \??\c:\windows\SystemMonitor64.exe | winsystem.exe |
| File opened for modification | \??\c:\windows\runrunrun.exe | sysb.exe |
| File opened for modification | \??\c:\windows\Win System.exe | sysa.exe |
| File created | \??\c:\windows\SystemMonitor64.exe | b2483ad0a449f083de08dfc3f6ea52d5.exe |
| File created | \??\c:\windows\WinSystem.exe | sysb.exe |
| File opened for modification | \??\c:\windows\windows.exe | sysa.exe |
| File opened for modification | \??\c:\windows\SystemMonitor64.exe | sysa.exe |
| File opened for modification | \??\c:\windows\system\oemlogo.bmp | sysa.exe |
| File created | \??\c:\windows\Win System.exe | b2483ad0a449f083de08dfc3f6ea52d5.exe |
| File opened for modification | \??\c:\windows\MonitorSetup.exe | sysa.exe |
| File opened for modification | \??\c:\windows\system\oemlogo.bmp | sysa.exe |
| File opened for modification | \??\c:\windows\Win System.exe | sysb.exe |
| File opened for modification | \??\c:\windows\runrunrun.exe | sysa.exe |
| File opened for modification | \??\c:\windows\MonitorSetup.exe | b2483ad0a449f083de08dfc3f6ea52d5.exe |
| File created | \??\c:\windows\MonitorMission.run | b2483ad0a449f083de08dfc3f6ea52d5.exe |
| File opened for modification | \??\c:\windows\Win System.exe | winsystem.exe |
| File opened for modification | \??\c:\windows\SystemMonitor64.exe | sysb.exe |
Modifies Internet Explorer settings (2 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe |
Modifies registry class (64 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.run\ = "exefile" | sysa.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Scan for Virus\Command | sysb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Access.MDBFile\ = "%SystemRoot%\\SysWow64\\shell32.dll,3" | sysb.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.com | sysa.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Access.MDBFile\ = "Application" | winsystem.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell | winsystem.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Template.8\ = "Application" | winsystem.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.run\ = "exefile" | sysb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\NeverShowExt | sysb.exe |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Addin.8\ = "%SystemRoot%\\SysWow64\\shell32.dll,3" | winsystem.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exedfile\Shell\Open\ = "Open" | sysb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "cfgFile" | sysb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exedfile\Shell\Open\ = "Open" | sysa.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Access.LockFile.14\ = "%SystemRoot%\\SysWow64\\shell32.dll,3" | sysa.exe |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 520031000000000055587379122041707044617461003c0008000400efbe55587379555873792a000000ed0100000000020000000000000000000000000000004100700070004400610074006100000016000000 | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cfgfile\shell\Open\command\ = "c:\\windows\\windows.exe" | winsystem.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\excfile\shell\open | winsystem.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\fonfile\ = "Application" | sysb.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.dat | sysb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exed\ = "exedfile" | sysa.exe |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4a003100000000006458fc6d102054656d700000360008000400efbe555873796458fc6d2a00000001020000000002000000000000000000000000000000540065006d007000000014000000 | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cfgfile\NeverShowExt | sysa.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Template.8\ = "%SystemRoot%\\SysWow64\\shell32.dll,3" | sysb.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Template.8\ = "Application" | sysa.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ttffile\ = "Application" | sysa.exe |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Addin.8\ = "Application" | sysa.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\excfile\shell\open\command | winsystem.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\excfile\ = "application" | winsystem.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cvd\ = "cfgFile" | sysb.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Scan for Virus\Command | sysa.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exedfile\DefaultIcon\ = "C:\\windows\\windows.exe" | sysa.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cvd\ = "cfgFile" | winsystem.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ttffile\ = "Application" | winsystem.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cfgfile\shell\Open | winsystem.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Scan for Virus | winsystem.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bin | sysb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bin\ = "cfgFile" | sysa.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exedfile\Shell\Open\Command\ = "\"%1\" %*" | sysb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Scan for Virus\Command\ = "C:\\windows\\MonitorMission.run" | winsystem.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Access.MDBFile\ = "%SystemRoot%\\SysWow64\\shell32.dll,3" | winsystem.exe |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | explorer.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cvd | winsystem.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Search\Command\ = "C:\\windows\\MonitorMission.run" | sysb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Access.MDBFile\ = "Application" | sysb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Access.LockFile.14\ = "Application" | sysb.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Scan for Virus\Command | sysa.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | explorer.exe |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Access.LockFile.14\ = "%SystemRoot%\\SysWow64\\shell32.dll,3" | sysb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exc\ = "excfile" | sysa.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 | explorer.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exed | winsystem.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exedfile\DefaultIcon | winsystem.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cvd | sysb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Search\Command\ = "C:\\windows\\MonitorMission.run" | sysa.exe |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff | explorer.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Run As\Command | sysa.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\fonfile\ = "Application" | sysa.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\excfile\ = "application" | sysa.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\excfile\DefaultIcon | winsystem.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exc | sysb.exe |
Suspicious use of SetWindowsHookEx (5 IoCs)

| pid | Process |
|---|---|
| 2604 | b2483ad0a449f083de08dfc3f6ea52d5.exe |
| 1940 | winsystem.exe |
| 1556 | sysa.exe |
| 836 | sysb.exe |
| 2180 | sysa.exe |
Suspicious use of WriteProcessMemory (20 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2604 wrote to memory of 2640 | 2604 | b2483ad0a449f083de08dfc3f6ea52d5.exe | 28 |
| PID 2604 wrote to memory of 2640 | 2604 | b2483ad0a449f083de08dfc3f6ea52d5.exe | 28 |
| PID 2604 wrote to memory of 2640 | 2604 | b2483ad0a449f083de08dfc3f6ea52d5.exe | 28 |
| PID 2604 wrote to memory of 2640 | 2604 | b2483ad0a449f083de08dfc3f6ea52d5.exe | 28 |
| PID 2604 wrote to memory of 1940 | 2604 | b2483ad0a449f083de08dfc3f6ea52d5.exe | 30 |
| PID 2604 wrote to memory of 1940 | 2604 | b2483ad0a449f083de08dfc3f6ea52d5.exe | 30 |
| PID 2604 wrote to memory of 1940 | 2604 | b2483ad0a449f083de08dfc3f6ea52d5.exe | 30 |
| PID 2604 wrote to memory of 1940 | 2604 | b2483ad0a449f083de08dfc3f6ea52d5.exe | 30 |
| PID 1940 wrote to memory of 1556 | 1940 | winsystem.exe | 31 |
| PID 1940 wrote to memory of 1556 | 1940 | winsystem.exe | 31 |
| PID 1940 wrote to memory of 1556 | 1940 | winsystem.exe | 31 |
| PID 1940 wrote to memory of 1556 | 1940 | winsystem.exe | 31 |
| PID 1556 wrote to memory of 836 | 1556 | sysa.exe | 32 |
| PID 1556 wrote to memory of 836 | 1556 | sysa.exe | 32 |
| PID 1556 wrote to memory of 836 | 1556 | sysa.exe | 32 |
| PID 1556 wrote to memory of 836 | 1556 | sysa.exe | 32 |
| PID 1940 wrote to memory of 2180 | 1940 | winsystem.exe | 33 |
| PID 1940 wrote to memory of 2180 | 1940 | winsystem.exe | 33 |
| PID 1940 wrote to memory of 2180 | 1940 | winsystem.exe | 33 |
| PID 1940 wrote to memory of 2180 | 1940 | winsystem.exe | 33 |
Processes

C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe (depth 1, PID 2604)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\explorer.exe (depth 2, PID 2640)
    Command line: c:\windows\explorer.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5

  \??\c:\windows\winsystem.exe (depth 2, PID 1940)
    Command line: c:\windows\winsystem.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Blocks application from running via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\sysa.exe (depth 3, PID 1556)
      Command line: c:\windows\sysa.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\sysb.exe (depth 4, PID 836)
        Command line: c:\windows\sysb.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Blocks application from running via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious use of SetWindowsHookEx

    \??\c:\windows\sysa.exe (depth 3, PID 2180)
      Command line: c:\windows\sysa.exe
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Blocks application from running via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx

C:\Windows\explorer.exe (depth 1, PID 3040)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies Internet Explorer settings
  - Modifies registry class
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (4)
Downloads

Filesize: 88KB
MD5: b2483ad0a449f083de08dfc3f6ea52d5
SHA1: b2564a83daff947b6cd8bd991c3c97da2b486cc5
SHA256: 2fae63b5ac9132e0cbe6ed4804af043bf257ed480e432ff6c4278044a3dbe832
SHA512: c20e9df0cb777326e0b4f1864562e324f9d888977331197479bc3b50b27643b55796f621168c5f84fdfa22f4de6a555f9e2500e7252945e797b4b9c0769daaf6

Filesize: 577B
MD5: b3b020c4b060bfe84fbbb424221f1073
SHA1: eb9e62232504b9180f8a3f718b64cb68e4149b2c
SHA256: c13cda99ef7b0a48b7829d4a586483a0c09d0bc2400bf44dbb9efe2fb9c4f2fc
SHA512: 57c216c612b2c8069a7f3dc8f61f8076d0f1c03dd933699f7fcd9a792e3c907e301575af6021f370809f6f2e0d2efa2ddcf4b6411d056890c728aabb5436a708

Filesize: 622B
MD5: d7f66fc25609ee73edc3fd6b255ff55e
SHA1: 9a7dd2784e53f4a55d0d26d24ca20ec1c937cc7b
SHA256: d23bc4f30a9e5f0fedd7688435045bfe6c961c9fea4878b493d15e98aae0446c
SHA512: e67612ac8822765e51b071b3f264175527a34378e5eca05196f76d2685be3ad36dae8e5d178890cedbc1ac3364eb875b01ba632332a8c68057ca094d3385f876

Filesize: 38KB
MD5: be6708e2d2b827b96986be51f0fe3c49
SHA1: b2ac649475b1561ce74416ca12187e688c2c82ba
SHA256: ace4b11d1720f686532407398bf8de75f32dda63cf237d50dd7fbc25612e0af0
SHA512: a3f7f06c95eee2cb828ea060e2b618746c8b423602e257a360961744b8b8d57e37e9ba575162be8c8fc3eed9b7792911211ac71eb5c63a57eee42e14a9e09312

Filesize: 685B
MD5: 1426be8632f29a0c2c879c8c533b0aa8
SHA1: 08b8b741ed94a760afd6995695aa5fa3fe0bbd6d
SHA256: 341c01d668bdcbe49dabce3bc5a18b85b773f0ad9dca12bceb73b0d29cd32707
SHA512: 168be384a3826c6e74bb606da4f607b9d4b3f5cc28c383f7e1bf455ba8f915906c3295416c005e3de1757ef379a610cbcb35e6dbcc3cf5154cb973055ef19bdd