Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
15/04/2024, 07:11
Static task
static1
Behavioral task
behavioral1
Sample
1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe
Resource
win10v2004-20240412-en
General
-
Target
1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe
-
Size
767KB
-
MD5
ae2f422a1ca6558ca6dd723c1b351b7a
-
SHA1
eeec0b0012f1b6c41a70f6f13d2ec01e0b3ef6ad
-
SHA256
1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda
-
SHA512
30a0ea93646669e6b2aac357e36c558da8fbd166435cc05d33daf80e01d12c4dfa903e6532ff0e58c47faee12c63998aa2313bb2e73650878f3d050654c751c3
-
SSDEEP
12288:WMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ks:WnsJ39LyjbJkQFMhmC+6GD9R
Malware Config
Extracted
C:\Users\Admin\Contacts\Readme.txt
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 2380 bcdedit.exe 448 bcdedit.exe -
Renames multiple (456) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 1300 wbadmin.exe -
Executes dropped EXE 4 IoCs
pid Process 2556 ._cache_1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe 2544 Synaptics.exe 2488 ._cache_Synaptics.exe 292 Runtime Broker.exe -
Loads dropped DLL 5 IoCs
pid Process 1888 1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe 1888 1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe 1888 1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe 2544 Synaptics.exe 2544 Synaptics.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe" 1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Readme = "C:\\Users\\Admin\\AppData\\Local\\Runtime Broker.exe" Runtime Broker.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JW1yZTG9I.jpg" Runtime Broker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1268 vssadmin.exe -
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1500 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 50 IoCs
pid Process 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe 292 Runtime Broker.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeDebugPrivilege 2556 ._cache_1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe Token: SeDebugPrivilege 292 Runtime Broker.exe Token: SeBackupPrivilege 2120 vssvc.exe Token: SeRestorePrivilege 2120 vssvc.exe Token: SeAuditPrivilege 2120 vssvc.exe Token: SeIncreaseQuotaPrivilege 1768 WMIC.exe Token: SeSecurityPrivilege 1768 WMIC.exe Token: SeTakeOwnershipPrivilege 1768 WMIC.exe Token: SeLoadDriverPrivilege 1768 WMIC.exe Token: SeSystemProfilePrivilege 1768 WMIC.exe Token: SeSystemtimePrivilege 1768 WMIC.exe Token: SeProfSingleProcessPrivilege 1768 WMIC.exe Token: SeIncBasePriorityPrivilege 1768 WMIC.exe Token: SeCreatePagefilePrivilege 1768 WMIC.exe Token: SeBackupPrivilege 1768 WMIC.exe Token: SeRestorePrivilege 1768 WMIC.exe Token: SeShutdownPrivilege 1768 WMIC.exe Token: SeDebugPrivilege 1768 WMIC.exe Token: SeSystemEnvironmentPrivilege 1768 WMIC.exe Token: SeRemoteShutdownPrivilege 1768 WMIC.exe Token: SeUndockPrivilege 1768 WMIC.exe Token: SeManageVolumePrivilege 1768 WMIC.exe Token: 33 1768 WMIC.exe Token: 34 1768 WMIC.exe Token: 35 1768 WMIC.exe Token: SeIncreaseQuotaPrivilege 1768 WMIC.exe Token: SeSecurityPrivilege 1768 WMIC.exe Token: SeTakeOwnershipPrivilege 1768 WMIC.exe Token: SeLoadDriverPrivilege 1768 WMIC.exe Token: SeSystemProfilePrivilege 1768 WMIC.exe Token: SeSystemtimePrivilege 1768 WMIC.exe Token: SeProfSingleProcessPrivilege 1768 WMIC.exe Token: SeIncBasePriorityPrivilege 1768 WMIC.exe Token: SeCreatePagefilePrivilege 1768 WMIC.exe Token: SeBackupPrivilege 1768 WMIC.exe Token: SeRestorePrivilege 1768 WMIC.exe Token: SeShutdownPrivilege 1768 WMIC.exe Token: SeDebugPrivilege 1768 WMIC.exe Token: SeSystemEnvironmentPrivilege 1768 WMIC.exe Token: SeRemoteShutdownPrivilege 1768 WMIC.exe Token: SeUndockPrivilege 1768 WMIC.exe Token: SeManageVolumePrivilege 1768 WMIC.exe Token: 33 1768 WMIC.exe Token: 34 1768 WMIC.exe Token: 35 1768 WMIC.exe Token: SeBackupPrivilege 1332 wbengine.exe Token: SeRestorePrivilege 1332 wbengine.exe Token: SeSecurityPrivilege 1332 wbengine.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1500 EXCEL.EXE -
Suspicious use of WriteProcessMemory 39 IoCs
description pid Process procid_target PID 1888 wrote to memory of 2556 1888 1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe 28 PID 1888 wrote to memory of 2556 1888 1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe 28 PID 1888 wrote to memory of 2556 1888 1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe 28 PID 1888 wrote to memory of 2556 1888 1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe 28 PID 1888 wrote to memory of 2544 1888 1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe 29 PID 1888 wrote to memory of 2544 1888 1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe 29 PID 1888 wrote to memory of 2544 1888 1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe 29 PID 1888 wrote to memory of 2544 1888 1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe 29 PID 2544 wrote to memory of 2488 2544 Synaptics.exe 30 PID 2544 wrote to memory of 2488 2544 Synaptics.exe 30 PID 2544 wrote to memory of 2488 2544 Synaptics.exe 30 PID 2544 wrote to memory of 2488 2544 Synaptics.exe 30 PID 2556 wrote to memory of 292 2556 ._cache_1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe 31 PID 2556 wrote to memory of 292 2556 ._cache_1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe 31 PID 2556 wrote to memory of 292 2556 ._cache_1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe 31 PID 292 wrote to memory of 1340 292 Runtime Broker.exe 34 PID 292 wrote to memory of 1340 292 Runtime Broker.exe 34 PID 292 wrote to memory of 1340 292 Runtime Broker.exe 34 PID 1340 wrote to memory of 1268 1340 cmd.exe 36 PID 1340 wrote to memory of 1268 1340 cmd.exe 36 PID 1340 wrote to memory of 1268 1340 cmd.exe 36 PID 1340 wrote to memory of 1768 1340 cmd.exe 40 PID 1340 wrote to memory of 1768 1340 cmd.exe 40 PID 1340 wrote to memory of 1768 1340 cmd.exe 40 PID 292 wrote to memory of 1636 292 Runtime Broker.exe 42 PID 292 wrote to memory of 1636 292 Runtime Broker.exe 42 PID 292 wrote to memory of 1636 292 Runtime Broker.exe 42 PID 1636 wrote to memory of 2380 1636 cmd.exe 44 PID 1636 wrote to memory of 2380 1636 cmd.exe 44 PID 1636 wrote to memory of 2380 1636 cmd.exe 44 PID 1636 wrote to memory of 448 1636 cmd.exe 45 PID 1636 wrote to memory of 448 1636 cmd.exe 45 PID 1636 wrote to memory of 448 1636 cmd.exe 45 PID 292 wrote to memory of 3064 292 Runtime Broker.exe 46 PID 292 wrote to memory of 3064 292 Runtime Broker.exe 46 PID 292 wrote to memory of 3064 292 Runtime Broker.exe 46 PID 3064 wrote to memory of 1300 3064 cmd.exe 48 PID 3064 wrote to memory of 1300 3064 cmd.exe 48 PID 3064 wrote to memory of 1300 3064 cmd.exe 48 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe"C:\Users\Admin\AppData\Local\Temp\1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Users\Admin\AppData\Local\Temp\._cache_1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe"C:\Users\Admin\AppData\Local\Temp\._cache_1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Users\Admin\AppData\Local\Runtime Broker.exe"C:\Users\Admin\AppData\Local\Runtime Broker.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:292 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete4⤵
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet5⤵
- Interacts with shadow copies
PID:1268
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1768
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no4⤵
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures5⤵
- Modifies boot configuration data using bcdedit
PID:2380
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no5⤵
- Modifies boot configuration data using bcdedit
PID:448
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet4⤵
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet5⤵
- Deletes backup catalog
PID:1300
-
-
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
PID:2488
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1500
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2120
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1332
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:320
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:376
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
767KB
MD5ae2f422a1ca6558ca6dd723c1b351b7a
SHA1eeec0b0012f1b6c41a70f6f13d2ec01e0b3ef6ad
SHA2561d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda
SHA51230a0ea93646669e6b2aac357e36c558da8fbd166435cc05d33daf80e01d12c4dfa903e6532ff0e58c47faee12c63998aa2313bb2e73650878f3d050654c751c3
-
Filesize
1KB
MD54e5afc973a7d062342a5020e33bf85dc
SHA1345fbfd0fcad94b2975021c802f5345cce10e037
SHA256ce82cff28fa692ed34a2e9076641f2097248412ac990fd1fe59fc1ae6cda7401
SHA512e41f9fb8ce570fdb5b6fe213f9774f639d156f43a10ba18c0c90f528956f8ca1677b9663930132242751bcf26174eaedeb909779c1f4e521b00468647904e5a5
-
\Users\Admin\AppData\Local\Temp\._cache_1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe
Filesize22KB
MD5c664f5be59fb3a17761dd2ada9eef228
SHA11f32c2b1aa103c73c9fb9624e53318d5bc8d60f1
SHA2562a567c61c401c4fd6f7a4ae88265d7a0dbd0c14fdcc116f8c5d98da6022066ec
SHA512c24a25237d009715f3b98fdf4489af8a484ab93091dbbd6ab1815946c9af24cff3f026bb3e7bff969348621cc82769b7fd1dde5bdbaba14768b229cac85b2259