Analysis
- max time kernel: 167s
- max time network: 173s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07-04-2024 19:28
- Static task: static1
- Behavioral task: behavioral1
- Sample: 25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
- Resource: win7-20240221-en
General
- Target: 25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
- Size: 625KB
- MD5: c187dd731b94a59eb14fc6352c928033
- SHA1: 59406fa0d92dd1fbc36b61679347c5b654928430
- SHA256: 25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7
- SHA512: 566eb474ed084892c2e9ac7e67c217b3b1dc4d8f7685b37e1c28189a4c9f1e9b8ebdeb0e84bf7456298b319ff7fb10b895810f80473a60583e7124d914bd2e7d
- SSDEEP: 12288:r29y3Dbif4YAJ93y1NrLiLtJ8nBxu7DCOzRq8DvQgqAbhI:69yHofe3y1sInB2COzRq8DvFqt
Malware Config
Signatures
Executes dropped EXE (40 IoCs)
Processes (pid, process):
- 476
- 2736 alg.exe
- 2072 aspnet_state.exe
- 3068 mscorsvw.exe
- 2664 mscorsvw.exe
- 1832 elevation_service.exe
- 2332 GROOVE.EXE
- 1876 maintenanceservice.exe
- 1588 OSE.EXE
- 2248 OSPPSVC.EXE
- 2480 mscorsvw.exe
- 2108 mscorsvw.exe
- 1776 mscorsvw.exe
- 2096 mscorsvw.exe
- 324 mscorsvw.exe
- 320 mscorsvw.exe
- 1176 mscorsvw.exe
- 904 mscorsvw.exe
- 1484 mscorsvw.exe
- 1080 mscorsvw.exe
- 996 mscorsvw.exe
- 2444 mscorsvw.exe
- 2760 mscorsvw.exe
- 1224 mscorsvw.exe
- 1876 mscorsvw.exe
- 1632 mscorsvw.exe
- 1192 mscorsvw.exe
- 1544 mscorsvw.exe
- 3028 mscorsvw.exe
- 2372 mscorsvw.exe
- 2260 mscorsvw.exe
- 2628 mscorsvw.exe
- 1648 mscorsvw.exe
- 1700 mscorsvw.exe
- 1120 mscorsvw.exe
- 1900 mscorsvw.exe
- 1624 mscorsvw.exe
- 1400 dllhost.exe
- 2700 ehRecvr.exe
- 2412 ehsched.exe
Loads dropped DLL (5 IoCs)
Processes (pid, process):
- 476 (5 entries, no process name recorded)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (4 IoCs)
Processes (description: ioc (process)):
- File opened for modification: C:\Windows\System32\alg.exe (25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Roaming\dad6511c4501ed38.bin (alg.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (GROOVE.EXE)
- File opened for modification: C:\Windows\system32\dllhost.exe (aspnet_state.exe)
Drops file in Program Files directory (64 IoCs)
Processes: alg.exe. All 64 entries are "File opened for modification" by alg.exe; the iocs are:
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe
- C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe
- C:\Program Files\Java\jre7\bin\java.exe
- C:\Program Files\Java\jre7\bin\kinit.exe
- C:\Program Files\Java\jre7\bin\rmiregistry.exe
- C:\Program Files\Mozilla Firefox\updater.exe
- C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe
- C:\Program Files\Mozilla Firefox\uninstall\helper.exe
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe
- C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe
- C:\Program Files\Internet Explorer\iediagcmd.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
- C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe
- C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe
- C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
- C:\Program Files\7-Zip\Uninstall.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe
- C:\Program Files\VideoLAN\VLC\uninstall.exe
- C:\Program Files\Internet Explorer\ieinstal.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe
- C:\Program Files\Java\jre7\bin\javaw.exe
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe
- C:\Program Files\Mozilla Firefox\pingsender.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe
- C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe
- C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe
- C:\Program Files\Java\jre7\bin\klist.exe
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
- C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
- C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
- C:\Program Files\Internet Explorer\ielowutil.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe
- C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe
- C:\Program Files\Java\jre7\bin\ssvagent.exe
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
Drops file in Windows directory (27 IoCs)
Processes (description: ioc (process)):
- File created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat (mscorsvw.exe)
- File created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock (mscorsvw.exe)
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log (mscorsvw.exe)
- File created: C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat (mscorsvw.exe)
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (alg.exe)
- File opened for modification: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (mscorsvw.exe)
- File created: C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat (mscorsvw.exe)
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (aspnet_state.exe)
- File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock (mscorsvw.exe)
- File created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat (mscorsvw.exe)
- File created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat (mscorsvw.exe)
- File created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat (mscorsvw.exe)
- File created: C:\Windows\Microsoft.NET\ngennicupdatelock.dat (mscorsvw.exe)
- File opened for modification: C:\Windows\ehome\ehsched.exe (aspnet_state.exe)
- File created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat (mscorsvw.exe)
- File created: C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat (mscorsvw.exe)
- File created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat (mscorsvw.exe)
- File opened for modification: C:\Windows\ehome\ehRecvr.exe (aspnet_state.exe)
- File created: C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat (mscorsvw.exe)
- File opened for modification: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (alg.exe)
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log (mscorsvw.exe)
- File created: C:\Windows\Microsoft.NET\ngennicupdatelock.dat (mscorsvw.exe)
- File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat (mscorsvw.exe)
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe (25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe)
- File created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat (mscorsvw.exe)
- File opened for modification: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (aspnet_state.exe)
- File opened for modification: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log (mscorsvw.exe)
Modifies data under HKEY_USERS (9 IoCs)
Processes (description: ioc (process)):
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = <value elided> (OSPPSVC.EXE)
- Key created: \REGISTRY\USER\.DEFAULT\Software (ehRecvr.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft (ehRecvr.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit (ehRecvr.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" (ehRecvr.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (GROOVE.EXE)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform (OSPPSVC.EXE)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit (ehRecvr.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie (ehRecvr.exe)
Suspicious use of AdjustPrivilegeToken (39 IoCs)
Processes (token privilege: pid process):
- SeTakeOwnershipPrivilege: 2904 25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe
- SeShutdownPrivilege: 3068 mscorsvw.exe
- SeShutdownPrivilege: 2664 mscorsvw.exe
- SeShutdownPrivilege: 3068 mscorsvw.exe
- SeShutdownPrivilege: 2664 mscorsvw.exe
- SeShutdownPrivilege: 3068 mscorsvw.exe
- SeShutdownPrivilege: 3068 mscorsvw.exe
- SeShutdownPrivilege: 2664 mscorsvw.exe
- SeShutdownPrivilege: 2664 mscorsvw.exe
- SeDebugPrivilege: 2736 alg.exe
- SeShutdownPrivilege: 3068 mscorsvw.exe
- SeShutdownPrivilege: 2664 mscorsvw.exe
- SeTakeOwnershipPrivilege: 2072 aspnet_state.exe
- SeShutdownPrivilege: 3068 mscorsvw.exe
- SeShutdownPrivilege: 2664 mscorsvw.exe
- SeShutdownPrivilege: 3068 mscorsvw.exe
- SeShutdownPrivilege: 3068 mscorsvw.exe
- SeShutdownPrivilege: 2664 mscorsvw.exe
- SeShutdownPrivilege: 2664 mscorsvw.exe
- SeShutdownPrivilege: 2664 mscorsvw.exe
- SeShutdownPrivilege: 3068 mscorsvw.exe
- SeShutdownPrivilege: 2664 mscorsvw.exe
- SeShutdownPrivilege: 3068 mscorsvw.exe
- SeShutdownPrivilege: 2664 mscorsvw.exe
- SeShutdownPrivilege: 3068 mscorsvw.exe
- SeShutdownPrivilege: 2664 mscorsvw.exe
- SeShutdownPrivilege: 3068 mscorsvw.exe
- SeShutdownPrivilege: 3068 mscorsvw.exe
- SeShutdownPrivilege: 2664 mscorsvw.exe
- SeShutdownPrivilege: 3068 mscorsvw.exe
- SeShutdownPrivilege: 2664 mscorsvw.exe
- SeShutdownPrivilege: 2664 mscorsvw.exe
- SeShutdownPrivilege: 3068 mscorsvw.exe
- SeShutdownPrivilege: 2664 mscorsvw.exe
- SeShutdownPrivilege: 3068 mscorsvw.exe
- SeShutdownPrivilege: 2664 mscorsvw.exe
- SeShutdownPrivilege: 3068 mscorsvw.exe
- SeShutdownPrivilege: 2664 mscorsvw.exe
- SeShutdownPrivilege: 3068 mscorsvw.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source pid process wrote to memory of target pid process; every pair below appears 4 times in the report):
- PID 3068 mscorsvw.exe wrote to memory of 2480 mscorsvw.exe (4 entries)
- PID 3068 mscorsvw.exe wrote to memory of 2108 mscorsvw.exe (4 entries)
- PID 3068 mscorsvw.exe wrote to memory of 1776 mscorsvw.exe (4 entries)
- PID 3068 mscorsvw.exe wrote to memory of 2096 mscorsvw.exe (4 entries)
- PID 3068 mscorsvw.exe wrote to memory of 324 mscorsvw.exe (4 entries)
- PID 3068 mscorsvw.exe wrote to memory of 320 mscorsvw.exe (4 entries)
- PID 3068 mscorsvw.exe wrote to memory of 1176 mscorsvw.exe (4 entries)
- PID 3068 mscorsvw.exe wrote to memory of 904 mscorsvw.exe (4 entries)
- PID 3068 mscorsvw.exe wrote to memory of 1484 mscorsvw.exe (4 entries)
- PID 3068 mscorsvw.exe wrote to memory of 1080 mscorsvw.exe (4 entries)
- PID 3068 mscorsvw.exe wrote to memory of 996 mscorsvw.exe (4 entries)
- PID 3068 mscorsvw.exe wrote to memory of 2444 mscorsvw.exe (4 entries)
- PID 3068 mscorsvw.exe wrote to memory of 2760 mscorsvw.exe (4 entries)
- PID 3068 mscorsvw.exe wrote to memory of 1224 mscorsvw.exe (4 entries)
- PID 3068 mscorsvw.exe wrote to memory of 1876 mscorsvw.exe (4 entries)
- PID 3068 mscorsvw.exe wrote to memory of 1632 mscorsvw.exe (4 entries)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry gives the image path with its PID, the command line, and the signatures that matched; indented entries are child processes of the entry above them.
- C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe (PID 2904)
  command line: "C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe"
  signatures: Drops file in System32 directory; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\alg.exe (PID 2736)
  command line: C:\Windows\System32\alg.exe
  signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe (PID 2072)
  command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 3068)
  command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2480)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
    signatures: Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2108)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
    signatures: Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1776)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1d4 -NGENProcess 250 -Pipe 244 -Comment "NGen Worker Process"
    signatures: Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2096)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 248 -NGENProcess 258 -Pipe 240 -Comment "NGen Worker Process"
    signatures: Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 324)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 23c -NGENProcess 234 -Pipe 258 -Comment "NGen Worker Process"
    signatures: Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 320)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 248 -NGENProcess 268 -Pipe 1d4 -Comment "NGen Worker Process"
    signatures: Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1176)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 24c -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
    signatures: Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 904)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 270 -NGENProcess 268 -Pipe 1f0 -Comment "NGen Worker Process"
    signatures: Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1484)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 23c -Pipe 274 -Comment "NGen Worker Process"
    signatures: Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1080)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 254 -Pipe 234 -Comment "NGen Worker Process"
    signatures: Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 996)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 27c -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"
    signatures: Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2444)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 254 -Pipe 1d8 -Comment "NGen Worker Process"
    signatures: Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2760)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 24c -Pipe 25c -Comment "NGen Worker Process"
    signatures: Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1224)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 284 -NGENProcess 280 -Pipe 278 -Comment "NGen Worker Process"
    signatures: Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1876)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 260 -NGENProcess 24c -Pipe 23c -Comment "NGen Worker Process"
    signatures: Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1632)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 288 -NGENProcess 290 -Pipe 284 -Comment "NGen Worker Process"
    signatures: Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1192)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 294 -NGENProcess 24c -Pipe 28c -Comment "NGen Worker Process"
    signatures: Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1544)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 294 -NGENProcess 288 -Pipe 26c -Comment "NGen Worker Process"
    signatures: Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 3028)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 294 -NGENProcess 298 -Pipe 24c -Comment "NGen Worker Process"
    signatures: Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2372)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 280 -NGENProcess 288 -Pipe 290 -Comment "NGen Worker Process"
    signatures: Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2260)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a4 -NGENProcess 2a0 -Pipe 260 -Comment "NGen Worker Process"
    signatures: Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 2628)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 294 -NGENProcess 2a8 -Pipe 280 -Comment "NGen Worker Process"
    signatures: Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 1648)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2ac -NGENProcess 2a0 -Pipe 298 -Comment "NGen Worker Process"
    signatures: Executes dropped EXE
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (PID 2664)
  command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (PID 1700)
    command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1b8 -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
    signatures: Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (PID 1120)
    command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 240 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"
    signatures: Executes dropped EXE
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 1832)
  command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  signatures: Executes dropped EXE
- C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE (PID 2332)
  command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
  signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (PID 1876)
  command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  signatures: Executes dropped EXE
- C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE (PID 1588)
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  signatures: Executes dropped EXE
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (PID 2248)
  command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  signatures: Executes dropped EXE; Modifies data under HKEY_USERS
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (PID 1900)
  command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  signatures: Executes dropped EXE; Drops file in Windows directory
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (PID 1624)
  command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
  signatures: Executes dropped EXE; Drops file in Windows directory
- C:\Windows\system32\dllhost.exe (PID 1400)
  command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  signatures: Executes dropped EXE
- C:\Windows\ehome\ehRecvr.exe (PID 2700)
  command line: C:\Windows\ehome\ehRecvr.exe
  signatures: Executes dropped EXE; Modifies data under HKEY_USERS
- C:\Windows\ehome\ehsched.exe (PID 2412)
  command line: C:\Windows\ehome\ehsched.exe
  signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads