Analysis
- max time kernel: 300s
- max time network: 300s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 01/05/2024, 20:19
Behavioral tasks
- behavioral1: Neuer Ordner/Arxvestiy.exe (resource: win7-20231129-en)
- behavioral2: Neuer Ordner/Arxvestiy.exe (resource: win10v2004-20240419-en)
- behavioral3: Neuer Ordner/SecureEngineSDK64.dll (resource: win7-20240221-en)
- behavioral4: Neuer Ordner/SecureEngineSDK64.dll (resource: win10v2004-20240419-en)
- behavioral5: Neuer Ordner/libcurl.dll (resource: win7-20240221-en)
- behavioral6: Neuer Ordner/libcurl.dll (resource: win10v2004-20240419-en)
- behavioral7: Neuer Ordner/zlib1.dll (resource: win7-20240220-en)
- behavioral8: Neuer Ordner/zlib1.dll (resource: win10v2004-20240226-en)
General
- Target: Neuer Ordner/Arxvestiy.exe
- Size: 24.1MB
- MD5: 422d34314b11f0c3fcc01384a1aa2cfa
- SHA1: 879686ece371c0db4a1c7a4411fe9759785debdb
- SHA256: 1032b5ba7302a7bd466427dac1c6c2339e4d8901370417bb265779be95462cd5
- SHA512: 78cd4c64cde2567e0b8639c22cdf17bff795c9946c7de21360f77b2c5f17810a2fc3447103d05bbc7bbe97c6a8dc1253fdead14f65188d47fd8b15279eaefac5
- SSDEEP: 786432:aGnDa8TnMExrvJ4FMW/wNPsgb1kI0vXOiqIz4k3OUqq/:aQcENvyYNEgbVq+hIzZqq/
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  - Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
  - Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (processes: icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe, Arxvestiy.exe)
- Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoCs)
  - Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions (process: arxvestiy.exe)
- Checks BIOS information in registry (2 TTPs, 14 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (processes: Arxvestiy.exe, arxvestiy.exe, icsys.icn.exe, spoolsv.exe, explorer.exe, spoolsv.exe, svchost.exe)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (processes: arxvestiy.exe, Arxvestiy.exe, spoolsv.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe)
- Executes dropped EXE (6 IoCs)
  - pid / process: 2372 arxvestiy.exe, 2336 icsys.icn.exe, 2596 explorer.exe, 2444 spoolsv.exe, 2944 svchost.exe, 1652 spoolsv.exe
- Loads dropped DLL (8 IoCs)
  - pid / process: 2356 Arxvestiy.exe, 2352 Process not Found, 2356 Arxvestiy.exe, 2336 icsys.icn.exe, 2596 explorer.exe, 2444 spoolsv.exe, 2944 svchost.exe, 1556 taskmgr.exe
- YARA rule matches (resource / yara_rule)
  - behavioral1/memory/2356-0-0x0000000000400000-0x0000000000A0E000-memory.dmp: themida
  - behavioral1/files/0x000a000000014390-14.dat: themida
  - behavioral1/memory/2336-16-0x0000000000400000-0x0000000000A0E000-memory.dmp: themida
  - behavioral1/files/0x0008000000014af6-21.dat: themida
  - behavioral1/memory/2596-28-0x0000000000400000-0x0000000000A0E000-memory.dmp: themida
  - behavioral1/files/0x0007000000014b70-40.dat: themida
  - behavioral1/files/0x00070000000155ed-50.dat: themida
  - behavioral1/memory/1652-73-0x0000000000400000-0x0000000000A0E000-memory.dmp: themida
  - behavioral1/memory/2444-74-0x0000000000400000-0x0000000000A0E000-memory.dmp: themida
  - behavioral1/memory/2356-79-0x0000000000400000-0x0000000000A0E000-memory.dmp: themida
  - behavioral1/memory/2336-80-0x0000000000400000-0x0000000000A0E000-memory.dmp: themida
  - behavioral1/memory/2596-83-0x0000000000400000-0x0000000000A0E000-memory.dmp: themida
  - behavioral1/memory/2944-84-0x0000000000400000-0x0000000000A0E000-memory.dmp: themida
  - behavioral1/memory/2596-100-0x0000000000400000-0x0000000000A0E000-memory.dmp: themida
  - behavioral1/memory/2596-133-0x0000000000400000-0x0000000000A0E000-memory.dmp: themida
  - behavioral1/memory/2944-137-0x0000000000400000-0x0000000000A0E000-memory.dmp: themida
  - behavioral1/memory/2944-152-0x0000000000400000-0x0000000000A0E000-memory.dmp: themida
- Adds Run key to start application (2 TTPs, 4 IoCs)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (process: explorer.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (process: explorer.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (process: svchost.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (process: svchost.exe)
- Checks whether UAC is enabled
  - Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe, Arxvestiy.exe, icsys.icn.exe)
- Drops file in System32 directory (2 IoCs)
  - File opened for modification C:\Windows\SysWOW64\explorer.exe (process: svchost.exe)
  - File opened for modification C:\Windows\SysWOW64\explorer.exe (process: explorer.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
  - pid / process: 2356 Arxvestiy.exe, 2336 icsys.icn.exe, 2596 explorer.exe, 2444 spoolsv.exe, 2944 svchost.exe, 1652 spoolsv.exe, 2372 arxvestiy.exe, 2372 arxvestiy.exe
- Checks for VirtualBox DLLs, possible anti-VM trick (1 TTPs, 1 IoCs)
  Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
  - File opened (read-only) \??\VBoxMiniRdrDN (process: arxvestiy.exe)
- Drops file in Windows directory (5 IoCs)
  - File opened for modification \??\c:\windows\resources\svchost.exe (process: spoolsv.exe)
  - File opened for modification C:\Windows\Resources\tjud.exe (process: explorer.exe)
  - File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe (process: Arxvestiy.exe)
  - File opened for modification \??\c:\windows\resources\themes\explorer.exe (process: icsys.icn.exe)
  - File opened for modification \??\c:\windows\resources\spoolsv.exe (process: explorer.exe)
- Creates scheduled task(s) (1 TTPs, 5 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - pid / process: 1308 schtasks.exe, 2344 schtasks.exe, 1996 schtasks.exe, 1448 schtasks.exe, 2912 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - pid / process (repeated): 2356 Arxvestiy.exe, 2336 icsys.icn.exe, 2596 explorer.exe, 2944 svchost.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  - pid / process: 2596 explorer.exe, 2944 svchost.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  - Token: SeDebugPrivilege (pid / process: 1556 taskmgr.exe)
- Suspicious use of FindShellTrayWindow (30 IoCs)
  - pid / process (repeated 30 times): 1556 taskmgr.exe
- Suspicious use of SendNotifyMessage (30 IoCs)
  - pid / process (repeated 30 times): 1556 taskmgr.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
  - pid / process (each listed twice): 2356 Arxvestiy.exe, 2336 icsys.icn.exe, 2596 explorer.exe, 2444 spoolsv.exe, 2944 svchost.exe, 1652 spoolsv.exe
- Suspicious use of WriteProcessMemory (64 IoCs; unique description / pid / process / procid_target entries)
  - PID 2356 wrote to memory of 2372 (2356 Arxvestiy.exe, procid_target 28)
  - PID 2356 wrote to memory of 2336 (2356 Arxvestiy.exe, procid_target 30)
  - PID 2336 wrote to memory of 2596 (2336 icsys.icn.exe, procid_target 31)
  - PID 2596 wrote to memory of 2444 (2596 explorer.exe, procid_target 32)
  - PID 2444 wrote to memory of 2944 (2444 spoolsv.exe, procid_target 33)
  - PID 2944 wrote to memory of 1652 (2944 svchost.exe, procid_target 34)
  - PID 2596 wrote to memory of 1572 (2596 explorer.exe, procid_target 35)
  - PID 2944 wrote to memory of 1308 (2944 svchost.exe, procid_target 36)
  - PID 2372 wrote to memory of 2964 (2372 arxvestiy.exe, procid_target 40)
  - PID 2372 wrote to memory of 2848 (2372 arxvestiy.exe, procid_target 41)
  - PID 2372 wrote to memory of 2840 (2372 arxvestiy.exe, procid_target 42)
  - PID 2840 wrote to memory of 2276 (2840 cmd.exe, procid_target 43)
  - PID 2840 wrote to memory of 2248 (2840 cmd.exe, procid_target 44)
  - PID 2840 wrote to memory of 2068 (2840 cmd.exe, procid_target 45)
  - PID 2944 wrote to memory of 2344 (2944 svchost.exe, procid_target 48)
  - PID 2944 wrote to memory of 1996 (2944 svchost.exe, procid_target 50)
  - PID 2944 wrote to memory of 1448 (2944 svchost.exe, procid_target 52)
  - PID 2944 wrote to memory of 2912 (2944 svchost.exe, procid_target 54)
Processes
- C:\Users\Admin\AppData\Local\Temp\Neuer Ordner\Arxvestiy.exe (PID 2356)
  command line: "C:\Users\Admin\AppData\Local\Temp\Neuer Ordner\Arxvestiy.exe"
  signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Loads dropped DLL; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - \??\c:\users\admin\appdata\local\temp\neuer ordner\arxvestiy.exe (PID 2372)
    command line: "c:\users\admin\appdata\local\temp\neuer ordner\arxvestiy.exe "
    signatures: Looks for VirtualBox Guest Additions in registry; Checks BIOS information in registry; Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; Checks for VirtualBox DLLs, possible anti-VM trick; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 2964)
      command line: C:\Windows\system32\cmd.exe /c Color A
    - C:\Windows\system32\cmd.exe (PID 2848)
      command line: C:\Windows\system32\cmd.exe /c Color
    - C:\Windows\system32\cmd.exe (PID 2840)
      command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "c:\users\admin\appdata\local\temp\neuer ordner\arxvestiy.exe " MD5 | find /i /v "md5" | find /i /v "certutil"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\certutil.exe (PID 2276)
        command line: certutil -hashfile "c:\users\admin\appdata\local\temp\neuer ordner\arxvestiy.exe " MD5
      - C:\Windows\system32\find.exe (PID 2248)
        command line: find /i /v "md5"
      - C:\Windows\system32\find.exe (PID 2068)
        command line: find /i /v "certutil"
  - C:\Windows\Resources\Themes\icsys.icn.exe (PID 2336)
    command line: C:\Windows\Resources\Themes\icsys.icn.exe
    signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - \??\c:\windows\resources\themes\explorer.exe (PID 2596)
      command line: c:\windows\resources\themes\explorer.exe
      signatures: Modifies visibility of hidden/system files in Explorer; Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Suspicious use of NtSetInformationThreadHideFromDebugger; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - \??\c:\windows\resources\spoolsv.exe (PID 2444)
        command line: c:\windows\resources\spoolsv.exe SE
        signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Drops file in Windows directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - \??\c:\windows\resources\svchost.exe (PID 2944)
          command line: c:\windows\resources\svchost.exe
          signatures: Modifies visibility of hidden/system files in Explorer; Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - \??\c:\windows\resources\spoolsv.exe (PID 1652)
            command line: c:\windows\resources\spoolsv.exe PR
            signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetWindowsHookEx
          - C:\Windows\SysWOW64\schtasks.exe (PID 1308)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:21 /f
            signatures: Creates scheduled task(s)
          - C:\Windows\SysWOW64\schtasks.exe (PID 2344)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:22 /f
            signatures: Creates scheduled task(s)
          - C:\Windows\SysWOW64\schtasks.exe (PID 1996)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:23 /f
            signatures: Creates scheduled task(s)
          - C:\Windows\SysWOW64\schtasks.exe (PID 1448)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:24 /f
            signatures: Creates scheduled task(s)
          - C:\Windows\SysWOW64\schtasks.exe (PID 2912)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:25 /f
            signatures: Creates scheduled task(s)
      - C:\Windows\Explorer.exe (PID 1572)
        command line: C:\Windows\Explorer.exe
- C:\Windows\system32\taskmgr.exe (PID 1556)
  command line: "C:\Windows\system32\taskmgr.exe" /4
  signatures: Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
- Defense Evasion
  - Hide Artifacts (1): Hidden Files and Directories (1)
  - Modify Registry (2)
  - Virtualization/Sandbox Evasion (2)
Downloads