Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-03-2024 03:56
Static task: static1
Behavioral task: behavioral1
Sample: d7d26e52666b2a4633daf1255b15f967.exe
Resource: win7-20240221-en
General
Target: d7d26e52666b2a4633daf1255b15f967.exe
Size: 505KB
MD5: d7d26e52666b2a4633daf1255b15f967
SHA1: 07e603c3ae9f2e876acb2e35791f810b22621aff
SHA256: b5783b1d56cb32dfd50a16fd41c70c72cef40ff6c3389242ff4e5bb4a2905413
SHA512: 2dc43bc611da3bed3404f8a91b76f4570f45992bda58798231c7aeaae4f8f87038556f0431d5a5de2724aeaaad48dae696637a7ff9ae8f37ce2d4d6e8f46c90d
SSDEEP: 12288:cppem0FZJWq+s4Kp6MssRN1j0PNeQXOEleiSMd2ZliWqmn:AYFZJWqCK0gRfj0PshQj22sn
Malware Config
Signatures
-
Detect ZGRat V1 34 IoCs
Nirsoft 1 IoCs
Processes:
yara_rule Nirsoft matched resource C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Key value queried: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation (d7d26e52666b2a4633daf1255b15f967.exe)
Key value queried: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation (d7d26e52666b2a4633daf1255b15f967.exe)
-
Executes dropped EXE 2 IoCs
Processes:
PID 2732 AdvancedRun.exe
PID 4532 AdvancedRun.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 8 IoCs
Processes (all by d7d26e52666b2a4633daf1255b15f967.exe):
File created: C:\Users\Admin\AppData\Local\4eb0e7c05f265bbe8dfb2c61977a599c\Admin@QMWIRSIY_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini
File opened for modification: C:\Users\Admin\AppData\Local\4eb0e7c05f265bbe8dfb2c61977a599c\Admin@QMWIRSIY_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini
File created: C:\Users\Admin\AppData\Local\4eb0e7c05f265bbe8dfb2c61977a599c\Admin@QMWIRSIY_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini
File created: C:\Users\Admin\AppData\Local\4eb0e7c05f265bbe8dfb2c61977a599c\Admin@QMWIRSIY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini
File created: C:\Users\Admin\AppData\Local\4eb0e7c05f265bbe8dfb2c61977a599c\Admin@QMWIRSIY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini
File created: C:\Users\Admin\AppData\Local\4eb0e7c05f265bbe8dfb2c61977a599c\Admin@QMWIRSIY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini
File created: C:\Users\Admin\AppData\Local\4eb0e7c05f265bbe8dfb2c61977a599c\Admin@QMWIRSIY_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini
File opened for modification: C:\Users\Admin\AppData\Local\4eb0e7c05f265bbe8dfb2c61977a599c\Admin@QMWIRSIY_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 73: icanhazip.com
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory 2 IoCs
Processes:
File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
PID 916 (d7d26e52666b2a4633daf1255b15f967.exe) set thread context of PID 1696 (d7d26e52666b2a4633daf1255b15f967.exe)
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
PID 4292 sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (d7d26e52666b2a4633daf1255b15f967.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (d7d26e52666b2a4633daf1255b15f967.exe)
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 41 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
[1] C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe (PID 916)
    Command line: "C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2864)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3232)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5116)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3752)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3600)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3964)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1904)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2492)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2072)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3952)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe (PID 2732)
      Command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\System32\sc.exe (PID 4292)
        Command line: "C:\Windows\System32\sc.exe" stop WinDefend
        - Launches sc.exe
  [2] C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe (PID 4532)
      Command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3712)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
  [2] C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe (PID 1696)
      Command line: C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe
      - Checks computer location settings
      - Drops desktop.ini file(s)
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe (PID 2956)
        Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\chcp.com (PID 2012)
          Command line: chcp 65001
      [4] C:\Windows\SysWOW64\netsh.exe (PID 4316)
          Command line: netsh wlan show profile
      [4] C:\Windows\SysWOW64\findstr.exe (PID 1660)
          Command line: findstr All
    [3] C:\Windows\SysWOW64\cmd.exe (PID 4504)
        Command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\chcp.com (PID 4868)
          Command line: chcp 65001
      [4] C:\Windows\SysWOW64\netsh.exe (PID 4600)
          Command line: netsh wlan show networks mode=bssid
    [3] C:\Windows\SysWOW64\schtasks.exe (PID 3752)
        Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\d7d26e52666b2a4633daf1255b15f967.exe"
        - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\4eb0e7c05f265bbe8dfb2c61977a599c\Admin@QMWIRSIY_en-US\System\Process.txt (4KB)
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d7d26e52666b2a4633daf1255b15f967.exe.log (1KB)