Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
93s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
10/04/2024, 14:10
Static task
static1
Behavioral task
behavioral1
Sample
cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe
Resource
win7-20240215-en
General
-
Target
cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe
-
Size
346KB
-
MD5
268c62a4b45d08a0639ead11b2feebd8
-
SHA1
c1d9237230acc994067fdc1d6502b6a84afd1b9a
-
SHA256
cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293
-
SHA512
176becae59d443d15e81f09dd87baaeca282c5f2b9dbcb18b93952b08c62cce10eff73b8742d6f2da514130cc573467d1246507097d2d5675c9690fd9d02dc38
-
SSDEEP
6144:ICkDWiKIWcFbFwH5kZW7zy7nzo1NmN8a4jpxE5qrwbja1:ICkDWiKIBwZkZW7zy7nzo1NmN8a4jpxK
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe -
SaintBot payload 5 IoCs
resource yara_rule behavioral2/memory/1872-70-0x0000000000400000-0x000000000040B000-memory.dmp family_saintbot behavioral2/memory/4228-133-0x0000000000400000-0x000000000040B000-memory.dmp family_saintbot behavioral2/memory/864-139-0x00000000005C0000-0x00000000005CB000-memory.dmp family_saintbot behavioral2/memory/864-140-0x00000000005C0000-0x00000000005CB000-memory.dmp family_saintbot behavioral2/memory/864-141-0x00000000005C0000-0x00000000005CB000-memory.dmp family_saintbot -
Turns off Windows Defender SpyNet reporting 2 TTPs
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe = "0" cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11519.exe = "0" 11519.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe -
Nirsoft 1 IoCs
resource yara_rule behavioral2/files/0x0008000000023215-10.dat Nirsoft -
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation 11519.exe Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation AdvancedRun.exe Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe -
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11519.exe 11519.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11519.exe cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe -
Executes dropped EXE 5 IoCs
pid Process 4600 AdvancedRun.exe 4992 AdvancedRun.exe 2360 11519.exe 3508 AdvancedRun.exe 4228 11519.exe -
Loads dropped DLL 2 IoCs
pid Process 4228 11519.exe 864 dfrgui.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11519.exe = "0" 11519.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe = "0" cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\zzAdmin\\Admin.vbs" dfrgui.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\start /b "" cmd /c del "%~f0"&exit /b 11519.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum dfrgui.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\start /b "" cmd /c del "%~f0"&exit /b dfrgui.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\start /b "" cmd /c del "%~f0"&exit /b cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum 11519.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\dfrgui.exe dfrgui.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4168 set thread context of 1872 4168 cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe 98 PID 2360 set thread context of 4228 2360 11519.exe 135 -
Launches sc.exe 22 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 4764 sc.exe 4352 sc.exe 2136 sc.exe 4504 sc.exe 5088 sc.exe 4460 sc.exe 4876 sc.exe 2340 sc.exe 2392 sc.exe 2908 sc.exe 3560 sc.exe 4408 sc.exe 3684 sc.exe 3532 sc.exe 4432 sc.exe 4296 sc.exe 3116 sc.exe 4792 sc.exe 4472 sc.exe 4916 sc.exe 3260 sc.exe 3380 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dfrgui.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 dfrgui.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3420 schtasks.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1764 PING.EXE -
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 4600 AdvancedRun.exe 4600 AdvancedRun.exe 4600 AdvancedRun.exe 4600 AdvancedRun.exe 4992 AdvancedRun.exe 4992 AdvancedRun.exe 4992 AdvancedRun.exe 4992 AdvancedRun.exe 864 powershell.exe 864 powershell.exe 3508 AdvancedRun.exe 3508 AdvancedRun.exe 3508 AdvancedRun.exe 3508 AdvancedRun.exe 4788 powershell.exe 4788 powershell.exe 4228 11519.exe 4228 11519.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 4600 AdvancedRun.exe Token: SeImpersonatePrivilege 4600 AdvancedRun.exe Token: SeDebugPrivilege 4992 AdvancedRun.exe Token: SeImpersonatePrivilege 4992 AdvancedRun.exe Token: SeDebugPrivilege 864 powershell.exe Token: SeDebugPrivilege 3508 AdvancedRun.exe Token: SeImpersonatePrivilege 3508 AdvancedRun.exe Token: SeDebugPrivilege 4788 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4168 wrote to memory of 4600 4168 cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe 89 PID 4168 wrote to memory of 4600 4168 cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe 89 PID 4168 wrote to memory of 4600 4168 cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe 89 PID 4600 wrote to memory of 4992 4600 AdvancedRun.exe 90 PID 4600 wrote to memory of 4992 4600 AdvancedRun.exe 90 PID 4600 wrote to memory of 4992 4600 AdvancedRun.exe 90 PID 4168 wrote to memory of 864 4168 cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe 92 PID 4168 wrote to memory of 864 4168 cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe 92 PID 4168 wrote to memory of 864 4168 cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe 92 PID 4168 wrote to memory of 1872 4168 cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe 98 PID 4168 wrote to memory of 1872 4168 cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe 98 PID 4168 wrote to memory of 1872 4168 cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe 98 PID 4168 wrote to memory of 1872 4168 cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe 98 PID 4168 wrote to memory of 1872 4168 cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe 98 PID 4168 wrote to memory of 1872 4168 cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe 98 PID 4168 wrote to memory of 1872 4168 cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe 98 PID 4168 wrote to memory of 1872 4168 cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe 98 PID 4168 wrote to memory of 1872 4168 cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe 98 PID 4168 wrote to memory of 1872 4168 cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe 98 PID 1872 wrote to memory of 2360 1872 cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe 100 PID 1872 wrote to memory of 2360 1872 cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe 100 PID 1872 wrote to memory of 2360 1872 cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe 100 PID 1872 wrote to memory of 4684 1872 cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe 101 PID 1872 wrote to memory of 4684 1872 cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe 101 PID 1872 wrote to memory of 4684 1872 cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe 101 PID 4684 wrote to memory of 1764 4684 cmd.exe 103 PID 4684 wrote to memory of 1764 4684 cmd.exe 103 PID 4684 wrote to memory of 1764 4684 cmd.exe 103 PID 2360 wrote to memory of 3508 2360 11519.exe 104 PID 2360 wrote to memory of 3508 2360 11519.exe 104 PID 2360 wrote to memory of 3508 2360 11519.exe 104 PID 2420 wrote to memory of 3380 2420 cmd.exe 108 PID 2420 wrote to memory of 3380 2420 cmd.exe 108 PID 2420 wrote to memory of 2136 2420 cmd.exe 109 PID 2420 wrote to memory of 2136 2420 cmd.exe 109 PID 2420 wrote to memory of 4916 2420 cmd.exe 110 PID 2420 wrote to memory of 4916 2420 cmd.exe 110 PID 2420 wrote to memory of 2908 2420 cmd.exe 111 PID 2420 wrote to memory of 2908 2420 cmd.exe 111 PID 2420 wrote to memory of 4764 2420 cmd.exe 112 PID 2420 wrote to memory of 4764 2420 cmd.exe 112 PID 2420 wrote to memory of 4504 2420 cmd.exe 113 PID 2420 wrote to memory of 4504 2420 cmd.exe 113 PID 2420 wrote to memory of 5088 2420 cmd.exe 114 PID 2420 wrote to memory of 5088 2420 cmd.exe 114 PID 2420 wrote to memory of 4792 2420 cmd.exe 115 PID 2420 wrote to memory of 4792 2420 cmd.exe 115 PID 2420 wrote to memory of 4352 2420 cmd.exe 116 PID 2420 wrote to memory of 4352 2420 cmd.exe 116 PID 2420 wrote to memory of 4460 2420 cmd.exe 117 PID 2420 wrote to memory of 4460 2420 cmd.exe 117 PID 2420 wrote to memory of 3560 2420 cmd.exe 118 PID 2420 wrote to memory of 3560 2420 cmd.exe 118 PID 2420 wrote to memory of 3260 2420 cmd.exe 119 PID 2420 wrote to memory of 3260 2420 cmd.exe 119 PID 2420 wrote to memory of 4408 2420 cmd.exe 120 PID 2420 wrote to memory of 4408 2420 cmd.exe 120 PID 2420 wrote to memory of 3684 2420 cmd.exe 121 PID 2420 wrote to memory of 3684 2420 cmd.exe 121 PID 2420 wrote to memory of 4876 2420 cmd.exe 122 PID 2420 wrote to memory of 4876 2420 cmd.exe 122 PID 2420 wrote to memory of 2340 2420 cmd.exe 123 PID 2420 wrote to memory of 2340 2420 cmd.exe 123 PID 2420 wrote to memory of 2392 2420 cmd.exe 124
Processes
-
C:\Users\Admin\AppData\Local\Temp\cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe"C:\Users\Admin\AppData\Local\Temp\cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4168 -
C:\Users\Admin\AppData\Local\Temp\66b31eaf-af69-4250-89af-b83b2c433d9f\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\66b31eaf-af69-4250-89af-b83b2c433d9f\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\66b31eaf-af69-4250-89af-b83b2c433d9f\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Users\Admin\AppData\Local\Temp\66b31eaf-af69-4250-89af-b83b2c433d9f\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\66b31eaf-af69-4250-89af-b83b2c433d9f\AdvancedRun.exe" /SpecialRun 4101d8 46003⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4992
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:864
-
-
C:\Users\Admin\AppData\Local\Temp\cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe"C:\Users\Admin\AppData\Local\Temp\cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe"2⤵
- Checks computer location settings
- Drops startup file
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11519.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11519.exe"3⤵
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Users\Admin\AppData\Local\Temp\9497cbeb-a169-422c-b84a-070c3a8984fc\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\9497cbeb-a169-422c-b84a-070c3a8984fc\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\9497cbeb-a169-422c-b84a-070c3a8984fc\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3508 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9497cbeb-a169-422c-b84a-070c3a8984fc\test.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\system32\sc.exesc stop windefend6⤵
- Launches sc.exe
PID:3380
-
-
C:\Windows\system32\sc.exesc config windefend start= disabled6⤵
- Launches sc.exe
PID:2136
-
-
C:\Windows\system32\sc.exesc stop Sense6⤵
- Launches sc.exe
PID:4916
-
-
C:\Windows\system32\sc.exesc config Sense start= disabled6⤵
- Launches sc.exe
PID:2908
-
-
C:\Windows\system32\sc.exesc stop wuauserv6⤵
- Launches sc.exe
PID:4764
-
-
C:\Windows\system32\sc.exesc config wuauserv start= disabled6⤵
- Launches sc.exe
PID:4504
-
-
C:\Windows\system32\sc.exesc stop usosvc6⤵
- Launches sc.exe
PID:5088
-
-
C:\Windows\system32\sc.exesc config usosvc start= disabled6⤵
- Launches sc.exe
PID:4792
-
-
C:\Windows\system32\sc.exesc stop WaasMedicSvc6⤵
- Launches sc.exe
PID:4352
-
-
C:\Windows\system32\sc.exesc config WaasMedicSvc start= disabled6⤵
- Launches sc.exe
PID:4460
-
-
C:\Windows\system32\sc.exesc stop SecurityHealthService6⤵
- Launches sc.exe
PID:3560
-
-
C:\Windows\system32\sc.exesc config SecurityHealthService start= disabled6⤵
- Launches sc.exe
PID:3260
-
-
C:\Windows\system32\sc.exesc stop SDRSVC6⤵
- Launches sc.exe
PID:4408
-
-
C:\Windows\system32\sc.exesc config SDRSVC start= disabled6⤵
- Launches sc.exe
PID:3684
-
-
C:\Windows\system32\sc.exesc stop wscsvc6⤵
- Launches sc.exe
PID:4876
-
-
C:\Windows\system32\sc.exesc config wscsvc start= disabled6⤵
- Launches sc.exe
PID:2340
-
-
C:\Windows\system32\sc.exesc stop WdiServiceHost6⤵
- Launches sc.exe
PID:2392
-
-
C:\Windows\system32\sc.exesc config WdiServiceHost start= disabled6⤵
- Launches sc.exe
PID:4432
-
-
C:\Windows\system32\sc.exesc stop WdiSystemHost6⤵
- Launches sc.exe
PID:3532
-
-
C:\Windows\system32\sc.exesc config WdiSystemHost start= disabled6⤵
- Launches sc.exe
PID:4296
-
-
C:\Windows\system32\sc.exesc stop InstallService6⤵
- Launches sc.exe
PID:3116
-
-
C:\Windows\system32\sc.exesc config InstallService Start= disabled6⤵
- Launches sc.exe
PID:4472
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11519.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4788
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11519.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11519.exe"4⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:4228 -
C:\Windows\SysWOW64\dfrgui.exe"C:\Windows\system32\dfrgui.exe"5⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Checks processor information in registry
PID:864 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 5 /tn "Update" /tr "%SYSTEMDRIVE%\Users\%USERNAME%\AppData\Local\zz%USERNAME%\%USERNAME%.vbs" /F6⤵
- Creates scheduled task(s)
PID:3420
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\del.bat3⤵
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Windows\SysWOW64\PING.EXEping localhost -n 34⤵
- Runs ping.exe
PID:1764
-
-
C:\Windows\SysWOW64\cmd.execmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"4⤵PID:3456
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
18KB
MD5aa3ea3159875b1013e0e01bd1e7f8dfd
SHA1037b554bfe444f7fca9770baabbec6becb187d3a
SHA256181518c4561e88a05a94504325af99d928e8cd41a94160ea9e4cd6030652435b
SHA512e6bd4db6cf3d393c1278b36a10db0a80fbaa6e7dfa448f9f02e752fbd8125b55f364c2c1ee9e31b5efa1e9cc865c7d76cafa8853c04cc2e9e998f007119eb631
-
Filesize
88KB
MD517fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
Filesize
8KB
MD5b2a5ef7d334bdf866113c6f4f9036aae
SHA1f9027f2827b35840487efd04e818121b5a8541e0
SHA25627426aa52448e564b5b9dff2dbe62037992ada8336a8e36560cee7a94930c45e
SHA5128ed39ed39e03fa6d4e49167e8ca4823e47a221294945c141b241cfd1eb7d20314a15608da3fafc3c258ae2cfc535d3e5925b56caceee87acfb7d4831d267189e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.6MB
MD54f3387277ccbd6d1f21ac5c07fe4ca68
SHA1e16506f662dc92023bf82def1d621497c8ab5890
SHA256767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA5129da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
Filesize
346KB
MD5268c62a4b45d08a0639ead11b2feebd8
SHA1c1d9237230acc994067fdc1d6502b6a84afd1b9a
SHA256cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293
SHA512176becae59d443d15e81f09dd87baaeca282c5f2b9dbcb18b93952b08c62cce10eff73b8742d6f2da514130cc573467d1246507097d2d5675c9690fd9d02dc38
-
Filesize
169B
MD5600dcbbcae1744d5f4cd1cccd1fefd22
SHA1fde7a4c86e1f4444fd135e81d6efa88fab349e93
SHA25626025f90b439bed43d3c90977105b59d5b4451e06f40cccb54ba86e05ec99d0c
SHA512507c814de0ebc9ed6f9cda75785fb238208d2e6e66334d3712fc5f69e44abe0ab4ebaa5e754f4fe4eecbd19bf22bd8f7fac52b2391a0d05d5645dfa0e5e62681