Overview
overview
10Static
static
10174ac08f7f...83.exe
windows7-x64
121697ff9c9...27.dll
windows7-x64
1299baa160c...88.exe
windows7-x64
10390f8ea304...a2.exe
windows7-x64
13d26ddb0a9...05.exe
windows7-x64
1051308678ff...54.exe
windows7-x64
10600db89be8...7f.exe
windows7-x64
16860173ca5...b1.dll
windows7-x64
16fd5bdcc62...34.exe
windows7-x64
1087cee50a81...c7.exe
windows7-x64
1093564e681c...ca.exe
windows7-x64
109c109b79da...97.exe
windows7-x64
109c8685a98f...7f.exe
windows7-x64
10CrypMod.exe
windows7-x64
10Fuck.exe
windows7-x64
10Generic_Ransom_1.exe
windows7-x64
8Genericcc.exe
windows7-x64
10Gneeirc2.exe
windows7-x64
10MyxaH.exe
windows7-x64
10a1e86fc6cf...c2.exe
windows7-x64
1add230a2e7...10.exe
windows7-x64
10ae3a9c9cf9...b7.exe
windows7-x64
10b878926219...be.exe
windows7-x64
7c28384feb8...1a.exe
windows7-x64
10cryptmod2.exe
windows7-x64
10d041a11a04...a7.exe
windows7-x64
10db3f0b9d66...0f.exe
windows7-x64
6dcb283e040...ea.exe
windows7-x64
7e54de5d857...f3.exe
windows7-x64
7f14fd49537...19.exe
windows7-x64
1f7ee55f157...ed.exe
windows7-x64
3genenenrnenr.exe
windows7-x64
5Analysis
-
max time kernel
1800s -
max time network
1554s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
26-03-2024 13:44
Behavioral task
behavioral1
Sample
174ac08f7fd9c8486511122f2b8c730018c68d4492bf58840f7dbe5338072883.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
21697ff9c9b2ad4fb91d805cd139175a4ff8fbddf1fdff52c9dd8eee78612b27.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral3
Sample
299baa160cc77a615a22266ea21c1eabc357ade95901e569d82731ba44309f88.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral4
Sample
390f8ea3044007611ebadad5352708aa3d0df0872b4550100f439a0aad7213a2.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral5
Sample
3d26ddb0a96c825ff98a6b6456bf52dab1a896da2a8690a041524a6c82213a05.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral6
Sample
51308678ff4559482f32fc2138d4134b412ab75977c19003bd6a7209b3c1cb54.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral7
Sample
600db89be8dbd50e60c620ea147688cea7d512b1dc545a6b95fe41f0dfeca57f.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
6860173ca54b7e763cc667ac54435f1a18a821e09453b9e41556b6c2e9323eb1.dll
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral9
Sample
6fd5bdcc625d735f67f0ad4cacd06feb2ae20a2ec7626ff91fbd1848d1173d34.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
87cee50a81408e14f015d7507a87950e678742ba78015fd65d24f9934d22c9c7.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral11
Sample
93564e681c3b63f14bfb67df98f5461917c447f343770a3a944ab251c4dac5ca.exe
Resource
win7-20240319-en
windows7-x64
Behavioral task
behavioral12
Sample
9c109b79dae8527b370cc0b91d5822f4a69b3acda284c361b310e18738ec5a97.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral13
Sample
9c8685a98f9be3a699ea95314449fd90fbaeac3e587efdfcb0c495621e7b087f.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral14
Sample
CrypMod.exe
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral15
Sample
Fuck.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral16
Sample
Generic_Ransom_1.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral17
Sample
Genericcc.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral18
Sample
Gneeirc2.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral19
Sample
MyxaH.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral20
Sample
a1e86fc6cfb129a978b7de1f8b773f766640e50874d8989999be2c55c6d022c2.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral21
Sample
add230a2e7aabf2ea909f641894d9febc6673cf23623a00ce3f47bc73ec9b310.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral22
Sample
ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral23
Sample
b878926219059096382653b807efb9476435cc6d3401667c502d2c7bb2f6d7be.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral24
Sample
c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral25
Sample
cryptmod2.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral26
Sample
d041a11a04bba9142ee44712a53c8e94bccefeefe1d382ac35171518cd6b64a7.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral27
Sample
db3f0b9d66482afc1f2328f7eee8a8cc57ce03e19a4325e50d239203a4d17e0f.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral28
Sample
dcb283e040d84bf1a86b381bfb0ce6b8dc070b58ba5d3150eed9cb7becf769ea.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral29
Sample
e54de5d857ff16efd72ff0223235826494147444538f725f6977ca892282e7f3.exe
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral30
Sample
f14fd49537695f6e33bd102633b0737a2713df3197e36b7cdb176bc8683f6919.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral31
Sample
f7ee55f1571b1a082a8e61811811009b02e5b0d651bd7c3f8d29ca16ef1e14ed.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral32
Sample
genenenrnenr.exe
Resource
win7-20240221-en
windows7-x64
General
-
Target
ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe
-
Size
8KB
-
MD5
5ebcd7121459a0fe3155f9f6f63a1a6a
-
SHA1
edb50b9de18115b11dabe9941f5b8becf36c9999
-
SHA256
ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7
-
SHA512
c8994370f6af18855851879ced2456f9c87b6c6c5f4e7bee048fafea5cbbcc17b8f91ad06c8617b7a04ecad70eb9d22babdd8a3fe0fae7269490a0beac714a00
-
SSDEEP
96:WQ48k/t9wUnsggfHGyK0/Dia4QJT9hHKwCSJAPVj3BiiZD43EXYUHvh/F:z4p/t9/UuyrL54QdAPfdGle5F
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" reg.exe -
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
resource yara_rule behavioral22/memory/3028-0-0x0000000000400000-0x000000000040A000-memory.dmp upx behavioral22/memory/3028-5-0x0000000000400000-0x000000000040A000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\Windows\\ctfmon.exe" REG.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\regedit.exe ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe File opened for modification C:\Windows\SysWOW64\taskmgr.exe ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe File opened for modification C:\Windows\SysWOW64\cmd.exe ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\ctfmon.exe ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe File opened for modification C:\Windows\ctfmon.exe ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe File opened for modification C:\Windows\explorer.exe ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 3004 REG.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeShutdownPrivilege 924 explorer.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe -
Suspicious use of WriteProcessMemory 48 IoCs
description pid Process procid_target PID 3028 wrote to memory of 2844 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 28 PID 3028 wrote to memory of 2844 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 28 PID 3028 wrote to memory of 2844 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 28 PID 3028 wrote to memory of 2844 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 28 PID 3028 wrote to memory of 2196 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 29 PID 3028 wrote to memory of 2196 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 29 PID 3028 wrote to memory of 2196 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 29 PID 3028 wrote to memory of 2196 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 29 PID 3028 wrote to memory of 2000 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 31 PID 3028 wrote to memory of 2000 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 31 PID 3028 wrote to memory of 2000 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 31 PID 3028 wrote to memory of 2000 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 31 PID 3028 wrote to memory of 2176 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 33 PID 3028 wrote to memory of 2176 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 33 PID 3028 wrote to memory of 2176 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 33 PID 3028 wrote to memory of 2176 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 33 PID 3028 wrote to memory of 2188 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 35 PID 3028 wrote to memory of 2188 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 35 PID 3028 wrote to memory of 2188 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 35 PID 3028 wrote to memory of 2188 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 35 PID 3028 wrote to memory of 3004 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 36 PID 3028 wrote to memory of 3004 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 36 PID 3028 wrote to memory of 3004 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 36 PID 3028 wrote to memory of 3004 3028 ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe 36 PID 2844 wrote to memory of 2868 2844 cmd.exe 41 PID 2844 wrote to memory of 2868 2844 cmd.exe 41 PID 2844 wrote to memory of 2868 2844 cmd.exe 41 PID 2844 wrote to memory of 2868 2844 cmd.exe 41 PID 2196 wrote to memory of 2716 2196 cmd.exe 40 PID 2196 wrote to memory of 2716 2196 cmd.exe 40 PID 2196 wrote to memory of 2716 2196 cmd.exe 40 PID 2196 wrote to memory of 2716 2196 cmd.exe 40 PID 2188 wrote to memory of 2588 2188 cmd.exe 42 PID 2188 wrote to memory of 2588 2188 cmd.exe 42 PID 2188 wrote to memory of 2588 2188 cmd.exe 42 PID 2188 wrote to memory of 2588 2188 cmd.exe 42 PID 2176 wrote to memory of 2544 2176 cmd.exe 43 PID 2176 wrote to memory of 2544 2176 cmd.exe 43 PID 2176 wrote to memory of 2544 2176 cmd.exe 43 PID 2176 wrote to memory of 2544 2176 cmd.exe 43 PID 2868 wrote to memory of 3060 2868 net.exe 44 PID 2868 wrote to memory of 3060 2868 net.exe 44 PID 2868 wrote to memory of 3060 2868 net.exe 44 PID 2868 wrote to memory of 3060 2868 net.exe 44 PID 2716 wrote to memory of 2564 2716 net.exe 45 PID 2716 wrote to memory of 2564 2716 net.exe 45 PID 2716 wrote to memory of 2564 2716 net.exe 45 PID 2716 wrote to memory of 2564 2716 net.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe"C:\Users\Admin\AppData\Local\Temp\ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\cmd.execmd.exe /c net stop "Security Center"2⤵
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\net.exenet stop "Security Center"3⤵
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Security Center"4⤵PID:3060
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c net stop SharedAccess2⤵
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵PID:2564
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f2⤵PID:2000
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f2⤵
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f3⤵
- Modifies security service
PID:2544
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f2⤵
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f3⤵
- Modifies security service
PID:2588
-
-
-
C:\Windows\SysWOW64\REG.exeREG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v ctfmon.exe /d "C:\Windows\ctfmon.exe" /t REG_SZ2⤵
- Adds Run key to start application
- Modifies registry key
PID:3004
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
PID:924
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1