Analysis

max time kernel: 150s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09-06-2024 10:33

Behavioral task: behavioral1
Sample: d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe
Resource: win10v2004-20240226-en
General

Target: d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe
Size: 2.5MB
MD5: 967ee7ca70ab69ad8297824f19d0cebc
SHA1: 90bbc5a1172d2b549aa643711fc05b6b30777388
SHA256: d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4
SHA512: 3fadbd065a47de14e228a0e3b76d3265dcddcfab4b4e14adffea02387be313aecc22891d432e74334cca4d892ab1467964980d246655babcdfb92efd22573999
SSDEEP: 49152:MxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxH:Mxx9NUFkQx753uWuCyyxH
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes:

| Description | IoC | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe |
Detects executables packed with Themida (18 IoCs)
Processes:

| Resource | YARA rule |
|---|---|
| behavioral1/memory/2744-0-0x0000000000400000-0x0000000000A0E000-memory.dmp | INDICATOR_EXE_Packed_Themida |
| C:\Windows\Resources\Themes\explorer.exe | INDICATOR_EXE_Packed_Themida |
| behavioral1/memory/2744-11-0x0000000003280000-0x000000000388E000-memory.dmp | INDICATOR_EXE_Packed_Themida |
| behavioral1/memory/2844-12-0x0000000000400000-0x0000000000A0E000-memory.dmp | INDICATOR_EXE_Packed_Themida |
| C:\Windows\Resources\spoolsv.exe | INDICATOR_EXE_Packed_Themida |
| behavioral1/memory/2844-23-0x0000000003340000-0x000000000394E000-memory.dmp | INDICATOR_EXE_Packed_Themida |
| behavioral1/memory/2660-24-0x0000000000400000-0x0000000000A0E000-memory.dmp | INDICATOR_EXE_Packed_Themida |
| \Windows\Resources\svchost.exe | INDICATOR_EXE_Packed_Themida |
| behavioral1/memory/2616-35-0x0000000000400000-0x0000000000A0E000-memory.dmp | INDICATOR_EXE_Packed_Themida |
| behavioral1/memory/2672-44-0x0000000000400000-0x0000000000A0E000-memory.dmp | INDICATOR_EXE_Packed_Themida |
| behavioral1/memory/2672-49-0x0000000000400000-0x0000000000A0E000-memory.dmp | INDICATOR_EXE_Packed_Themida |
| behavioral1/memory/2660-51-0x0000000000400000-0x0000000000A0E000-memory.dmp | INDICATOR_EXE_Packed_Themida |
| behavioral1/memory/2744-53-0x0000000000400000-0x0000000000A0E000-memory.dmp | INDICATOR_EXE_Packed_Themida |
| behavioral1/memory/2844-54-0x0000000000400000-0x0000000000A0E000-memory.dmp | INDICATOR_EXE_Packed_Themida |
| behavioral1/memory/2616-55-0x0000000000400000-0x0000000000A0E000-memory.dmp | INDICATOR_EXE_Packed_Themida |
| behavioral1/memory/2844-62-0x0000000000400000-0x0000000000A0E000-memory.dmp | INDICATOR_EXE_Packed_Themida |
| behavioral1/memory/2844-68-0x0000000000400000-0x0000000000A0E000-memory.dmp | INDICATOR_EXE_Packed_Themida |
| behavioral1/memory/2616-77-0x0000000000400000-0x0000000000A0E000-memory.dmp | INDICATOR_EXE_Packed_Themida |
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
Processes:

| Description | IoC | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | spoolsv.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorer.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | spoolsv.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svchost.exe |
Checks BIOS information in registry (2 TTPs, 10 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:

| Description | IoC | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | spoolsv.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svchost.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | spoolsv.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | spoolsv.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorer.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | spoolsv.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe |
Executes dropped EXE (4 IoCs)
Processes:

| PID | Process |
|---|---|
| 2844 | explorer.exe |
| 2660 | spoolsv.exe |
| 2616 | svchost.exe |
| 2672 | spoolsv.exe |
Loads dropped DLL (4 IoCs)
Processes:

| PID | Process |
|---|---|
| 2744 | d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe |
| 2844 | explorer.exe |
| 2660 | spoolsv.exe |
| 2616 | svchost.exe |
Processes:

| Resource | YARA rule |
|---|---|
| behavioral1/memory/2744-0-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida |
| C:\Windows\Resources\Themes\explorer.exe | themida |
| behavioral1/memory/2744-11-0x0000000003280000-0x000000000388E000-memory.dmp | themida |
| behavioral1/memory/2844-12-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida |
| C:\Windows\Resources\spoolsv.exe | themida |
| behavioral1/memory/2844-23-0x0000000003340000-0x000000000394E000-memory.dmp | themida |
| behavioral1/memory/2660-24-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida |
| \Windows\Resources\svchost.exe | themida |
| behavioral1/memory/2616-35-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida |
| behavioral1/memory/2672-44-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida |
| behavioral1/memory/2672-49-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida |
| behavioral1/memory/2660-51-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida |
| behavioral1/memory/2744-53-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida |
| behavioral1/memory/2844-54-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida |
| behavioral1/memory/2616-55-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida |
| behavioral1/memory/2844-62-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida |
| behavioral1/memory/2844-68-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida |
| behavioral1/memory/2616-77-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida |
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:

| Description | IoC | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe |
Checks whether UAC is enabled
Processes:

| Description | IoC | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | svchost.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe |
Drops file in System32 directory (2 IoCs)
Processes:

| Description | IoC | Process |
|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe |
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Processes:

| PID | Process |
|---|---|
| 2744 | d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe |
| 2844 | explorer.exe |
| 2660 | spoolsv.exe |
| 2616 | svchost.exe |
| 2672 | spoolsv.exe |
Drops file in Windows directory (4 IoCs)
Processes:

| Description | IoC | Process |
|---|---|---|
| File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe |
| File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe |
| File opened for modification | \??\c:\windows\resources\themes\explorer.exe | d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe |
| File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe |
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:

| PID | Process |
|---|---|
| 2156 | schtasks.exe |
| 944 | schtasks.exe |
| 3012 | schtasks.exe |
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (the same three processes are logged repeatedly, 64 entries in total):

| PID | Process |
|---|---|
| 2744 | d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe |
| 2844 | explorer.exe |
| 2616 | svchost.exe |
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes:

| PID | Process |
|---|---|
| 2844 | explorer.exe |
| 2616 | svchost.exe |
Suspicious use of SetWindowsHookEx (10 IoCs)
Processes (each process is logged twice):

| PID | Process |
|---|---|
| 2744 | d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe |
| 2844 | explorer.exe |
| 2660 | spoolsv.exe |
| 2616 | svchost.exe |
| 2672 | spoolsv.exe |
Suspicious use of WriteProcessMemory (32 IoCs)
Processes (each parent/target pair is logged four times):

| Description | PID | Process | Target process |
|---|---|---|---|
| PID 2744 wrote to memory of 2844 | 2744 | d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe | explorer.exe |
| PID 2844 wrote to memory of 2660 | 2844 | explorer.exe | spoolsv.exe |
| PID 2660 wrote to memory of 2616 | 2660 | spoolsv.exe | svchost.exe |
| PID 2616 wrote to memory of 2672 | 2616 | svchost.exe | spoolsv.exe |
| PID 2844 wrote to memory of 2424 | 2844 | explorer.exe | Explorer.exe |
| PID 2616 wrote to memory of 3012 | 2616 | svchost.exe | schtasks.exe |
| PID 2616 wrote to memory of 2156 | 2616 | svchost.exe | schtasks.exe |
| PID 2616 wrote to memory of 944 | 2616 | svchost.exe | schtasks.exe |
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe"
PID: 2744
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 2: \??\c:\windows\resources\themes\explorer.exe
Command line: c:\windows\resources\themes\explorer.exe
PID: 2844
- Modifies visibility of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 3: \??\c:\windows\resources\spoolsv.exe
Command line: c:\windows\resources\spoolsv.exe SE
PID: 2660
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 4: \??\c:\windows\resources\svchost.exe
Command line: c:\windows\resources\svchost.exe
PID: 2616
- Modifies visibility of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 5: \??\c:\windows\resources\spoolsv.exe
Command line: c:\windows\resources\spoolsv.exe PR
PID: 2672
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx

Level 5: C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 10:37 /f
PID: 3012
- Creates scheduled task(s)

Level 5: C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 10:38 /f
PID: 2156
- Creates scheduled task(s)

Level 5: C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 10:39 /f
PID: 944
- Creates scheduled task(s)

Level 3: C:\Windows\Explorer.exe
Command line: C:\Windows\Explorer.exe
PID: 2424
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)

Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (2)
- Virtualization/Sandbox Evasion (1)
Downloads

| Filesize | MD5 | SHA1 | SHA256 | SHA512 |
|---|---|---|---|---|
| 2.5MB | c28d97f63f8681abe02a7baa90025174 | eeac8135e6d4173dcc4bfd8836e286d9471770f7 | ec6a6d0d42108c88c60c2b6ec7c1d501bb4ac80daa9bf98902475e85fb015344 | 8b117487eb5d375bcc0c92c446d7ce9480f397fbb9821822ff1e469b4df398b6dfe3742e0607d698c1c10f0792171b17a98866de34629e3d5d6fd588dfff05b3 |
| 2.5MB | 6582fc098959c89616a9b041ea9b5785 | 32a9e396a614601dc81027c6722ff65c75b4f285 | c3b4f52272c6743a00b9d0407b9dd9bc95da9d00c01b458428c2c296122dad24 | ec68ce0bdd42b61e71514bb54c1b5a6bed1f2d09bc6967a211860a0c1abf20ecca297a6792d9f78322f608cfd4a5b5935ddd3d45da11b9758651ad0aa38c6044 |
| 2.5MB | 1ce15cb36ce125af97710500dbbc0a6e | 166af55740eb98728f61b0304f82f497ddc1de15 | bfed5f932c17308da5670096a1c56edcf44bff3e884e435d932a96aa81c855cb | 033a6efb1f5e680f5c1a4853e481a908a4450a1589e02c20535eac39488ceb66983e8ba69ada6fb552a684e197b58fde82a8bde2ab7182b381cc60bd792662d0 |