Analysis
- max time kernel: 150s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 06/03/2024, 00:26
Static task: static1
Behavioral task: behavioral1
- Sample: b60b21674eeee2add6bd34efab834267.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: b60b21674eeee2add6bd34efab834267.exe
- Resource: win10v2004-20240226-en
General
- Target: b60b21674eeee2add6bd34efab834267.exe
- Size: 3.6MB
- MD5: b60b21674eeee2add6bd34efab834267
- SHA1: 30c69ca4db3afde7fbb28d5dde0b4491a7737d83
- SHA256: a7343943efa8ecdba7d0afdfebd183db6ddc423595d1b9fd7b8f999444db1013
- SHA512: f21f4cbd06c2b8cdb6da3341f33a92bf85fe4e42b055e4f5300b6d62a24396112ff792f0dc51c9f65ff14ba6703cd721e08923c4b7a558620af3495b88a87f17
- SSDEEP: 49152:znBV7uNRXNxvnBV7uNRXNxIHzrOO53RTqtiOwnNTBYqnstLet3Ly:r4R9xH4R9xArOO53tKqnstLE
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"
  Process: b60b21674eeee2add6bd34efab834267.exe
- Drops autorun.inf file (1 TTP, 1 IoC)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  description: File opened for modification
  ioc: C:\Users\Admin\AppData\Local\Temp\:\autorun.inf
  Process: b60b21674eeee2add6bd34efab834267.exe
- Drops file in System32 directory (64 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (64 IoCs)
- NTFS ADS (1 IoC)
  description: File opened for modification
  ioc: C:\Users\Admin\AppData\Local\Temp\:\autorun.inf
  Process: b60b21674eeee2add6bd34efab834267.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 2108
  Process: b60b21674eeee2add6bd34efab834267.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b60b21674eeee2add6bd34efab834267.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b60b21674eeee2add6bd34efab834267.exe"
  PID: 2108
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: b60b21674eeee2add6bd34efab834267
  SHA1: 30c69ca4db3afde7fbb28d5dde0b4491a7737d83
  SHA256: a7343943efa8ecdba7d0afdfebd183db6ddc423595d1b9fd7b8f999444db1013
  SHA512: f21f4cbd06c2b8cdb6da3341f33a92bf85fe4e42b055e4f5300b6d62a24396112ff792f0dc51c9f65ff14ba6703cd721e08923c4b7a558620af3495b88a87f17