Analysis

max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07-04-2024 23:02
Static task: static1

Behavioral task: behavioral1
Sample: 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
Resource: win10v2004-20231215-en
General

Target: 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
Size: 1.8MB
MD5: 50a992ea9dd26394d22fb62cb5e81945
SHA1: 209d1dd77dc602c66ebca38e42d3cf6b06e669a4
SHA256: 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b
SHA512: bd79b798c7677db1214a9e0053c93c0c236ee9acb143c17e5ae7acb744b46daa06cdc1bc095de5f202ddf45f7552c9457cea81738159d5e29977777864c77ec8
SSDEEP: 49152:Gx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAMzzNG4QjJOL:GvbjVkjjCAzJNxG4k6
Signatures

Executes dropped EXE (24 IoCs)

pid   process
480   (no process name in report)
2172  alg.exe
1612  aspnet_state.exe
2540  mscorsvw.exe
1512  mscorsvw.exe
1032  mscorsvw.exe
1408  mscorsvw.exe
2768  ehRecvr.exe
488   ehsched.exe
1460  elevation_service.exe
744   mscorsvw.exe
2500  mscorsvw.exe
2552  mscorsvw.exe
1028  mscorsvw.exe
1284  dllhost.exe
2428  mscorsvw.exe
1316  GROOVE.EXE
1600  mscorsvw.exe
2780  maintenanceservice.exe
2716  OSE.EXE
2580  mscorsvw.exe
1468  mscorsvw.exe
1516  OSPPSVC.EXE
660   mscorsvw.exe
Loads dropped DLL (5 IoCs)

pid   process
480   (no process name in report); five identical entries

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (7 IoCs)

description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
File opened for modification | C:\Windows\System32\alg.exe | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\de208eacaad3ae89.bin | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
Drops file in Program Files directory (64 IoCs)

description | ioc | process
File opened for modification | C:\Program Files\7-Zip\7z.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_ro.dll | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_pl.dll | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_fr.dll | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\GoogleUpdateComRegisterShell64.exe | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File opened for modification | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\GoogleUpdateSetup.exe | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\psmachine_64.dll | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_am.dll | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_bn.dll | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_en.dll | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_bg.dll | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_de.dll | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_hr.dll | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_id.dll | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_es-419.dll | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_vi.dll | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_nl.dll | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_zh-TW.dll | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File opened for modification | C:\Program Files\Java\jre7\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe | alg.exe
File created | C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_th.dll | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | alg.exe
Drops file in Windows directory (31 IoCs)

description | ioc | process
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{813B91A3-058F-4641-89BC-308BA6BEFF4C}.crmlog | dllhost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{813B91A3-058F-4641-89BC-308BA6BEFF4C}.crmlog | dllhost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | alg.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
Modifies data under HKEY_USERS (30 IoCs)

description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | GROOVE.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = (value omitted in source) | OSPPSVC.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform | OSPPSVC.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)

pid   process
1544  ehRec.exe
Suspicious use of AdjustPrivilegeToken (32 IoCs)

token | pid | process
SeTakeOwnershipPrivilege | 1688 | 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
SeShutdownPrivilege | 1408 | mscorsvw.exe
SeShutdownPrivilege | 1032 | mscorsvw.exe
SeShutdownPrivilege | 1408 | mscorsvw.exe
SeShutdownPrivilege | 1032 | mscorsvw.exe
33 | 1288 | EhTray.exe
SeIncBasePriorityPrivilege | 1288 | EhTray.exe
SeShutdownPrivilege | 1408 | mscorsvw.exe
SeShutdownPrivilege | 1408 | mscorsvw.exe
SeShutdownPrivilege | 1032 | mscorsvw.exe
SeShutdownPrivilege | 1032 | mscorsvw.exe
SeDebugPrivilege | 1544 | ehRec.exe
33 | 1288 | EhTray.exe
SeIncBasePriorityPrivilege | 1288 | EhTray.exe
SeShutdownPrivilege | 1408 | mscorsvw.exe
SeShutdownPrivilege | 1408 | mscorsvw.exe
SeDebugPrivilege | 2172 | alg.exe
SeShutdownPrivilege | 1408 | mscorsvw.exe (15 further identical entries)
Suspicious use of FindShellTrayWindow (2 IoCs)

pid   process
1288  EhTray.exe (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)

pid   process
1288  EhTray.exe (2 entries)
Suspicious use of WriteProcessMemory (34 IoCs)

source pid | source process | target pid | target process | entries
1408 | mscorsvw.exe | 744 | mscorsvw.exe | 3
1408 | mscorsvw.exe | 2500 | mscorsvw.exe | 3
1032 | mscorsvw.exe | 2552 | mscorsvw.exe | 4
1032 | mscorsvw.exe | 1028 | mscorsvw.exe | 4
1032 | mscorsvw.exe | 2428 | mscorsvw.exe | 4
1032 | mscorsvw.exe | 1600 | mscorsvw.exe | 4
1032 | mscorsvw.exe | 2580 | mscorsvw.exe | 4
1032 | mscorsvw.exe | 1468 | mscorsvw.exe | 4
1032 | mscorsvw.exe | 660 | mscorsvw.exe | 4
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
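Read together, the three "Drops file" tables and the "Executes dropped EXE" table describe a two-stage chain: the sample (after enabling SeTakeOwnershipPrivilege) opens service and framework executables under System32, Microsoft.NET and ehome for modification; those same images later appear as separate top-level processes; and one of them, the rewritten alg.exe, goes on to open dozens of executables under Program Files for modification. The script below is an added example and not part of the sandbox report: it parses a constructed subset of the rows copied from the tables above (the sandbox's "<description> <ioc> <process>" and "<pid> <process>" layouts), lists which overwritten files later ran, and assigns every written file an infection generation by walking from the sample through the executables it wrote. The function and constant names are mine. Matching is by image name only, so a file modified in one directory and executed from another (maintenanceservice.exe in this report) is reported as a hit; treat such hits as leads to confirm against the full path and hash, not as proof.

```python
"""Reconstruct the file-infection chain from sandbox 'Drops file' rows.

Added example; the parsing and chain logic are not part of the sandbox
report. The row text below is a constructed subset copied from the
report's 'Drops file in ...' and 'Executes dropped EXE' tables.
"""
import ntpath
import re
from collections import deque
from dataclasses import dataclass

SAMPLE = "4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe"

# Constructed input: a subset of the report's file-drop rows in the
# sandbox's "<description> <ioc> <process>" layout, one row per line.
DROP_ROWS = r"""
File opened for modification C:\Windows\System32\alg.exe 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File opened for modification C:\Windows\system32\dllhost.exe 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File opened for modification C:\Windows\system32\fxssvc.exe 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File created C:\Program Files (x86)\Google\Temp\GUM1FA1.tmp\goopdateres_ro.dll 4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\de208eacaad3ae89.bin alg.exe
File opened for modification C:\Windows\system32\dllhost.exe alg.exe
File opened for modification C:\Program Files\7-Zip\7z.exe alg.exe
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe alg.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat GROOVE.EXE
"""

# Constructed input: rows from the "Executes dropped EXE" table ("<pid> <process>").
EXEC_ROWS = """
2172 alg.exe
1612 aspnet_state.exe
1284 dllhost.exe
1316 GROOVE.EXE
2780 maintenanceservice.exe
"""

# The path may contain spaces; the writing process name never does, so the
# last whitespace-separated token is the process and everything between the
# fixed description and it is the path.
_ROW = re.compile(r"^(File opened for modification|File created)\s+(.+?)\s+(\S+)$")


@dataclass(frozen=True)
class DropEvent:
    action: str    # "File opened for modification" or "File created"
    path: str      # target path as logged by the sandbox
    process: str   # image name of the writing process


def parse_drop_rows(text):
    """Split each file-drop row into a DropEvent; reject rows that do not fit."""
    events = []
    for line in text.strip().splitlines():
        m = _ROW.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        events.append(DropEvent(*m.groups()))
    return events


def parse_exec_rows(text):
    """Map pid -> image name from the 'Executes dropped EXE' table."""
    execs = {}
    for line in text.strip().splitlines():
        pid, name = line.split(None, 1)
        execs[int(pid)] = name.strip()
    return execs


def modified_then_executed(drops, execs):
    """Paths that were overwritten (not newly created) and whose image name
    later ran. Name-only matching: a hit is a lead, not proof of the same file."""
    ran = {name.lower() for name in execs.values()}
    return sorted({e.path for e in drops
                   if e.action == "File opened for modification"
                   and ntpath.basename(e.path).lower() in ran})


def infection_generations(drops, sample=SAMPLE):
    """Breadth-first walk from the sample: generation 1 is every file the sample
    wrote, generation 2 is every file written by a generation-1 executable, and
    so on. Only .exe targets are followed as writers, each visited once, so a
    writer that never descends from the sample (GROOVE.EXE here) is not reached."""
    by_writer = {}
    for e in drops:
        by_writer.setdefault(e.process.lower(), []).append(e.path)
    generation = {}
    queue = deque([(sample.lower(), 0)])
    visited = {sample.lower()}
    while queue:
        writer, depth = queue.popleft()
        for path in by_writer.get(writer, []):
            generation.setdefault(path, depth + 1)   # keep the shortest chain
            name = ntpath.basename(path).lower()
            if name.endswith(".exe") and name not in visited:
                visited.add(name)
                queue.append((name, depth + 1))
    return generation


if __name__ == "__main__":
    drops = parse_drop_rows(DROP_ROWS)
    execs = parse_exec_rows(EXEC_ROWS)
    print("overwritten and later executed:")
    for path in modified_then_executed(drops, execs):
        print("  ", path)
    print("infection generations:")
    for path, gen in sorted(infection_generations(drops).items(),
                            key=lambda kv: (kv[1], kv[0])):
        print(f"  gen {gen}: {path}")
```

On the constructed subset the walk yields generation 1 for alg.exe, dllhost.exe, fxssvc.exe, aspnet_state.exe and the goopdateres_ro.dll drop, generation 2 for the .bin file, 7z.exe and maintenanceservice.exe written by alg.exe, and nothing for counters.dat, because GROOVE.EXE is not reachable from the sample in this subset. Against the full tables the same code gives the complete picture of which host binaries need to be restored from known-good media rather than merely scanned.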
Processes

C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe (PID 1688)
  command line: "C:\Users\Admin\AppData\Local\Temp\4f069274cbda8e32401c5c9715e4d52fb292f25380d066dec1b34c90c08ff85b.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\alg.exe (PID 2172)
  command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe (PID 1612)
  command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  - Executes dropped EXE

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (PID 2540)
  command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (PID 1512)
  command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1032)
  command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2552)
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
      - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1028)
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
      - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2428)
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1d8 -NGENProcess 250 -Pipe 25c -Comment "NGen Worker Process"
      - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1600)
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 260 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
      - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2580)
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 1f0 -Pipe 240 -Comment "NGen Worker Process"
      - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1468)
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 258 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
      - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 660)
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 258 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
      - Executes dropped EXE

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (PID 1408)
  command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (PID 744)
      command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
      - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (PID 2500)
      command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
      - Executes dropped EXE

C:\Windows\ehome\ehRecvr.exe (PID 2768)
  command line: C:\Windows\ehome\ehRecvr.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS

C:\Windows\ehome\ehsched.exe (PID 488)
  command line: C:\Windows\ehome\ehsched.exe
  - Executes dropped EXE

C:\Windows\eHome\EhTray.exe (PID 1288)
  command line: "C:\Windows\eHome\EhTray.exe" /nav:-2
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 1460)
  command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE

C:\Windows\ehome\ehRec.exe (PID 1544)
  command line: C:\Windows\ehome\ehRec.exe -Embedding
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\dllhost.exe (PID 1284)
  command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  - Executes dropped EXE
  - Drops file in Windows directory

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE (PID 1316)
  command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (PID 2780)
  command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE (PID 2716)
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (PID 1516)
  command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Downloads

Filesize: 1.6MB
MD5: da88b29361e911330a4b347b5395ca84
SHA1: c11a45178d23ce49f9ae6b223f31559d6136d656
SHA256: be531bdc1def8f2c2e2bc2456e351633c180c1bb91b8efab9af9056224ed5f92
SHA512: 3a344fcd761eec60642db4551ccc3cc4c9390cfcc727f3c1474066c885352948ad009d4a7081eba5ca17e8731e33572e106be435d96db411c344a8ae8832619f

Filesize: 30.1MB
MD5: e47d7614b7bd9d9f71c9744e0387560f
SHA1: 55b80dc123e6b07b831e047f6360cef594bf4694
SHA256: acd3883418e72939ef7a7482fdd3a6c43158423f73c12804cab0360ff34168ef
SHA512: 98f816a07f107a1cbfc2dc9f59fab860dc1a11ed9b8c1f2f39fd3ac0971a3d9a16f86cf422e8046fbfe6485a1df02d28a286c9ecc96e2dd39b12dc7badde7261

Filesize: 1.7MB
MD5: 8cb7b0e44e8ebf16e2bc15c1dcabb605
SHA1: 335c98843c7b579c40c2692360136eef0f51f129
SHA256: 84b3111500332f45679c64479d31809293f167b25df37325713724a2e41150f0
SHA512: 27f6540c6492b68ad294554e56d2909250b4cf283fbde186ca8b7c3cf1c28409e838a00d0c955adc9162d77b2fbb3b9d7f00402cb5db7becbd062134d137ff56

Filesize: 5.2MB
MD5: 92ccd06a4b2e43872f0b2b0dfc90d528
SHA1: a4faad5eecf91fc3201ab90d5c8fbcad78e021fb
SHA256: d58f052de6d285b823324819552034975da1df2c3c7d9893f57b3b551149fae8
SHA512: d2335c31d8ee92a03ba87a2125cb21a17e1d65c9ee306006aa1cf200c90dae538b64bcc824aa85d7b407c9b23a32da5dc7eb2fa3454ea58a8b089fc9df9305f2

Filesize: 2.1MB
MD5: 57c069f8fc0b254ea4513a0c1f9b2845
SHA1: f75956e1b7bdc4020157fe1379fea6cf7ea62325
SHA256: 5dec75dfe39b34c05f6032028a04447f8f6632831b9cdb35c70e61f41ae38adb
SHA512: e7572cef648bcc2668da93d812e24291a31f9ccc3c8e81c1e57b1a756743f148397dccac56bb65523596c778a0ec439dee94325f16e5c0e80c24232034c52800

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize: 24B
MD5: b9bd716de6739e51c620f2086f9c31e4
SHA1: 9733d94607a3cba277e567af584510edd9febf62
SHA256: 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512: cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Filesize: 1.5MB
MD5: 13cf2a44e88c250086e0b9b75334e069
SHA1: 486eba83b6482f3407e1e22419808f7b40faf616
SHA256: b0608220d5e7f8d33d2860cdc21014f481a7593300622935f09582502a7d2a3b
SHA512: c44612fca646b73a682adcddffd8a8e3ad47e4074f93269a4933eeafd9bbf3c758809c86e736492e651f7f80e27d15e00e3faaa3393b7c19f880313870dc4c96

Filesize: 872KB
MD5: 78cd264e35c9e415ec40be9f2e431c79
SHA1: bbf44efc08101898cd1ac8603fa88e3d5e48f0db
SHA256: 694ecc4ce520143fbfbe9bf2198b88548790f65ef8c0fd123f03c90cff90573e
SHA512: a224eaf594b1ab57e5dc27e5df995694f36c453aba70a404eeed8f9c205ece60688db61eb82a70ea30f7f1d0a01767bce7dd610efe293395d99eaf062cf5a6c6

Filesize: 1.6MB
MD5: 41a5670930e57d39c842cffc5d108add
SHA1: 5a8e6a765d8a297df64282b2c3f757a633357ac6
SHA256: acc6ef48546c04d8bb72319c217365110beb4e638ecdd1ebc8c2ecdc799bd9d8
SHA512: 9e3691668b00c37f21f9d731e121cde6ffd06effa1b64ccc96d1514e966f01a4c2332dd936cd996a3abeb438f3d68e8f134ddb8e21319415ac7929f212adf5e0

Filesize: 1.5MB
MD5: 298d934c3bd6c72e32b236f4d7a1a457
SHA1: bc628d3576b89815c2e8d4609a5ce6813f8b67ee
SHA256: 87cbafd3cded0c01add4a7b7100635c676488742f25d2e1edc0b98038f1f7274
SHA512: 8a68333811941d693c071a24f393244178d50386a2512a9227562297e87642e31a6e25bb29b5653a42674073e88ad38ab3ac0ffab4b00559bc803d5a10294c8b

Filesize: 1003KB
MD5: d49cb2f6ff88b6537f1c1ffbd6ebf12d
SHA1: 3102823ef27f61346fa94912f3f67e66ebfdf1bd
SHA256: 8a2b165be7c5bc67438ca4011c17f9a58c89206eab548a85e23fc92fa1577439
SHA512: 27305438a21b43e5954ac7ba0891c92aa838ff4dcbe6d244651b3488dec865fdea785a2efe4b35ab336bb6886c36f318b2c5e7be74746d65838c28ed35b516a7

Filesize: 1.5MB
MD5: 3d82440480f3a0b082d39575d29a53e5
SHA1: 21b6abf1b03d2be1b474a1766eb4d6533bb1ab77
SHA256: 6968260fb4f5830e63964bc29ba77f40396580f1c5e6ea45d0f781946493b9eb
SHA512: c77c5431dfe49c5fe35c7aa07ad3d055c96d8cd165fa08ab7f6632518af5e10341457c9413ed37070a6b230c9411759edcba33c9531d4cdda49bcdc6b8901aa3

Filesize: 1.5MB
MD5: 81349d8fb3d131db56a5af455470ade7
SHA1: 3261d12bdf15e4235ff154823ec9ff0f08828926
SHA256: b703e81b83a86f0aee36e2073e9d40683c96aeca30d14de6d449ba7856b9fef9
SHA512: 65957ecf30b089d448b8aceaa4c7bf9eb053f76249d336623205f6b246949cb2f78e701bc8de664cd1ecb81fabcaba63ecd79c5bf7da53f0553795fd9dc43e62

Filesize: 1.2MB
MD5: 8435100289ad9c5b8b6fbcf07e39f9b5
SHA1: 236f3e270a1b6412e0640f2213d0a4c0e94efa30
SHA256: c40c98f0e57a8b63b5d6068cb6b913d6102040e59487f2776d19d0f10f0940cb
SHA512: 857fcdda6f7c8e4e2f2e16337ec197c2e346f758fed9d6a076de0ac21fc7e53bb2e3c08e19246fa650e7921ffcac370d9f905eeed9e0be20fad7758cee5f09fe

Filesize: 1.5MB
MD5: a72ecd810cd5ea78d84512ea7c2fbf16
SHA1: 8618043d305c61cace58c63eb6799be83c1e74d6
SHA256: a7edd3ec7633f938d0cba7d0841051fb83a96f4d7e0115ccfa599abe4e5a2076
SHA512: f7789150a147b28aa3394501a802aa289d5f22345c3494d490289b62102aac619afc4757776cee13f4b1846b14fac4f3e6e36bc7165e4529f4923b7bd4de9890

Filesize: 1.5MB
MD5: e12b61da24e6b3bb92a4092ab5e4e6a6
SHA1: 6ee4bdc95c58c8877c1bd1b497d1f143bdfbc009
SHA256: 5bf88a11cd78e8177d6d90a32f1b2b2920ac33c0188928a0e4a071c6baa152a4
SHA512: aaf8c43164ebd79e0799ff9f9087666d0fb7430394662c74dedc521d88f9130515db2c5afa7dda6506247d3ba7d3087776803188cae7d4e6f3803f43e01f3fb7

Filesize: 1.2MB
MD5: 88f72595181689004835456047bf6d9c
SHA1: f52d34588b6136bcff140914aa59084e7d016771
SHA256: d383be7a26b86a78a545f7b84155b88c93d42e895ea703217d8c8745c7f8c8ec
SHA512: 7392f67c48576093ca4370f69e59f28a201c2a99bdefc848e67d2951113f2e6cb3327e1c63fd39b1d34196eef1648924680671748fb0d99e4e955147a9f6f870

Filesize: 1.6MB
MD5: 058f3010c6f6dacd8c889e86d8804ab1
SHA1: 528a0dd521e06c941e11c5c78ad4261d1eb13958
SHA256: 75c0431994a6817890f887243473732f61794d2e9aa83fadf7b3cb533f22e696
SHA512: ebe8ec0dfe9e2cf8f9475e9b41704966208dc56601caff3124da68457de9666a0161c21a4e8b7be2c6d2bb06554857e7d481a5aab21dd347c88b0e75e23b150b