Analysis
- max time kernel: 157s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/06/2024, 12:01
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
  - Sample: https://www.kl-ap1.com/k/6666e900d3f0be16a3e1c819?lid=&url=https%3A%2F%2Ffacura.myvnc.com%2FFactura2024
  - Resource: win10v2004-20240226-en
Errors
General
- Target: https://www.kl-ap1.com/k/6666e900d3f0be16a3e1c819?lid=&url=https%3A%2F%2Ffacura.myvnc.com%2FFactura2024
Malware Config
Signatures
- Downloads MZ/PE file
- Drops startup file (1 IoC)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FADD6450-14F1-BE12-032C-1C54A58F85D6.lnk (MsiExec.exe)
- Executes dropped EXE (1 IoC)
  - PID 3624 Rar.exe
- Loads dropped DLL (5 IoCs)
  - PID 4548 MsiExec.exe (5 events)
- Blocklisted process makes network request (1 IoC)
  - flow 134, PID 4548 MsiExec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive. All events are read-only opens of \??\<drive letter>: by msiexec.exe.
- Drops file in Windows directory (13 IoCs, all by msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSIECC7.tmp
  - File opened for modification: C:\Windows\Installer\MSIF14D.tmp
  - File opened for modification: C:\Windows\Installer\MSIF2A5.tmp
  - File created: C:\Windows\Installer\inprogressinstallinfo.ipi
  - File opened for modification: C:\Windows\Installer\MSIF8C3.tmp
  - File created: C:\Windows\Installer\e59eb9e.msi
  - File opened for modification: C:\Windows\Installer\e59eb9e.msi
  - File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
  - File opened for modification: C:\Windows\Installer\
  - File created: C:\Windows\Installer\SourceHash{5AB980DF-34A1-41CE-B67E-A44DA81E86AA}
  - File opened for modification: C:\Windows\Installer\MSIF5F3.tmp
  - File opened for modification: C:\Windows\Installer\MSIF391.tmp
  - File created: C:\Windows\Installer\e59eba2.msi
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Modifies data under HKEY_USERS (15 IoCs, all by LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "221"
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
- Modifies registry class (2 IoCs)
  - Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{D6435C00-826D-4516-AB2C-9C3EE8659D29} (msedge.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings (OpenWith.exe)
- Opens file in notepad (likely ransom note) (1 IoC)
  - PID 1480 NOTEPAD.EXE
- Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  - HTTP User-Agent header, flow 134: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 2780 msiexec.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  - PID 2300 msiexec.exe, tokens (duplicates collapsed): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  - PID 2780 msiexec.exe, tokens: SeSecurityPrivilege once, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating repeatedly
- Suspicious use of FindShellTrayWindow (2 IoCs)
  - PID 2300 msiexec.exe (2 events)
- Suspicious use of SetWindowsHookEx (20 IoCs)
  - PID 4028 OpenWith.exe (19 events)
  - PID 4180 LogonUI.exe (1 event)
- Suspicious use of WriteProcessMemory (64 IoCs; source PID, target PID, source process, procid_target)
  - PID 4028 OpenWith.exe wrote to memory of 1480, procid_target 115 (2 events)
  - PID 2780 msiexec.exe wrote to memory of 4548, procid_target 119 (3 events)
  - PID 4548 MsiExec.exe wrote to memory of 3624, procid_target 121 (2 events)
  - PID 4548 MsiExec.exe wrote to memory of 860, procid_target 123 (3 events)
  - PID 4924 msedge.exe wrote to memory of 2476, procid_target 127 (2 events)
  - PID 4924 msedge.exe wrote to memory of 4632, procid_target 128 (51 events)
  - PID 4924 msedge.exe wrote to memory of 3260, procid_target 129 (1 event)
Processes
- PID 4452: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.kl-ap1.com/k/6666e900d3f0be16a3e1c819?lid=&url=https%3A%2F%2Ffacura.myvnc.com%2FFactura2024
- PID 1108: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5680 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:1
- PID 5004: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3912 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:1
- PID 1972: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4492 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
- PID 4464: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=3876 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:1
- PID 3280: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=5488 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
- PID 3828: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=1232 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:1
- PID 2512: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5276 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
- PID 3872: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6412 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
- PID 3624: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6460 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
- PID 4664: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=6296 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
- PID 4188: C:\Windows\system32\AUDIODG.EXE 0x510 0x500
- PID 2304: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6204 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
- PID 1056: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- PID 4028: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - PID 1480 (child): "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Factura_6666eb127972f.zip\--
    - Opens file in notepad (likely ransom note)
- PID 2300: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\Factura_6666eb127972f\Factura.msi"
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- PID 2780: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - PID 4548 (child): C:\Windows\syswow64\MsiExec.exe -Embedding 18E6DD42406367B6484DE5C79758AD89
    - Drops startup file
    - Loads dropped DLL
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    - PID 3624 (child): "C:\Users\Public\Downloads\Rar.exe" x -df -y "C:\Users\Public\Downloads\7828C5B4-62EE-20FF-A7DA-E1E97FAFB094.rar" "C:\Users\Public\Downloads\"
      - Executes dropped EXE
    - PID 860 (child): "C:\Windows\SysWOW64\shutdown.exe" -r -t 15
- PID 4924: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - PID 2476 (child): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x264,0x7ff88d9a2e98,0x7ff88d9a2ea4,0x7ff88d9a2eb0
  - PID 4632 (child): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2304 --field-trial-handle=2308,i,6128220781471657172,215672124689953768,262144 --variations-seed-version /prefetch:2
  - PID 3260 (child): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2528 --field-trial-handle=2308,i,6128220781471657172,215672124689953768,262144 --variations-seed-version /prefetch:3
  - PID 4584 (child): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2668 --field-trial-handle=2308,i,6128220781471657172,215672124689953768,262144 --variations-seed-version /prefetch:8
  - PID 1652 (child): "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4364 --field-trial-handle=2308,i,6128220781471657172,215672124689953768,262144 --variations-seed-version /prefetch:8
  - PID 2904 (child): "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4364 --field-trial-handle=2308,i,6128220781471657172,215672124689953768,262144 --variations-seed-version /prefetch:8
- PID 4180: C:\Windows\system32\LogonUI.exe "LogonUI.exe" /flags:0x4 /state0:0xa39b1855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads