Analysis
- max time kernel: 118s
- max time network: 137s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 01/08/2024, 01:26
Static task: static1
Behavioral task: behavioral1
- Sample: 273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e.exe
- Resource: win10v2004-20240730-en
General
- Target: 273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e.exe
- Size: 1.2MB
- MD5: 9c00a98791d68b0c6a6de0b54c5fb2a4
- SHA1: 1323ac73e31ca0ab98bf5282be089920544031a1
- SHA256: 273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e
- SHA512: d598b7bba1cc0eb562d382d9d43e127d68ec10d7ae048c432e8d765a9e4d2a991da0b0699184cb57f9fc0ec651a3bf99b01dd2a78aae8a28b10d20bf3061c1b2
- SSDEEP: 24576:GyzHgPQArY3MY5jdCtv3GhERG7Qnr7lth7sMukjdC6:GyzfArY3MY1d+OhERGsnrJth7fHdv
Malware Config
Extracted: redline
- Newlogs
- 204.14.75.2:16383
Extracted: agenttesla
- https://api.telegram.org/bot7390139954:AAFw-89dzufZnN9iQ-qMJ7xuGsXRrzvXAEI/
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (5 IoCs)
  resource / yara_rule:
  - behavioral1/memory/2948-46-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
  - behavioral1/memory/2948-43-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
  - behavioral1/memory/2948-41-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
  - behavioral1/memory/2948-48-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
  - behavioral1/memory/2948-50-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
- SectopRAT payload (5 IoCs)
  resource / yara_rule:
  - behavioral1/memory/2948-46-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat
  - behavioral1/memory/2948-43-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat
  - behavioral1/memory/2948-41-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat
  - behavioral1/memory/2948-48-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat
  - behavioral1/memory/2948-50-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat
- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access to, or copy of, the web browser credential store.
- Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid / Process:
  - 1784 powershell.exe
  - 2928 powershell.exe
  - 700 powershell.exe
  - 1676 powershell.exe
- Deletes itself (1 IoCs)
  pid / Process:
  - 3012 cmd.exe
- Executes dropped EXE (5 IoCs)
  pid / Process:
  - 2776 qRAxe4BVi4w4QAu.exe
  - 2860 bcZ6UEHjq9RUQie.exe
  - 2400 qRAxe4BVi4w4QAu.exe
  - 2948 qRAxe4BVi4w4QAu.exe
  - 1076 bcZ6UEHjq9RUQie.exe
- Loads dropped DLL (3 IoCs)
  pid / Process:
  - 2776 qRAxe4BVi4w4QAu.exe
  - 2776 qRAxe4BVi4w4QAu.exe
  - 2860 bcZ6UEHjq9RUQie.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc:
  - 8 ip-api.com
- Suspicious use of SetThreadContext (2 IoCs)
  description / pid / Process / procid_target:
  - PID 2776 set thread context of 2948 | 2776 qRAxe4BVi4w4QAu.exe | 47
  - PID 2860 set thread context of 1076 | 2860 bcZ6UEHjq9RUQie.exe | 55
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 10 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qRAxe4BVi4w4QAu.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qRAxe4BVi4w4QAu.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bcZ6UEHjq9RUQie.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bcZ6UEHjq9RUQie.exe
- Delays execution with timeout.exe (1 IoCs)
  pid / Process:
  - 2632 timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process:
  - 2984 schtasks.exe
  - 568 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
- Suspicious use of AdjustPrivilegeToken (49 IoCs)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid / Process:
  - 1076 bcZ6UEHjq9RUQie.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e.exe"
  PID: 1380
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: "cmd" /C wmic path win32_ComputerSystem get model
    PID: 1448
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic path win32_ComputerSystem get model
      PID: 3060
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\PlOkuLXxFh\qRAxe4BVi4w4QAu.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PlOkuLXxFh\qRAxe4BVi4w4QAu.exe"
    PID: 2776
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PlOkuLXxFh\qRAxe4BVi4w4QAu.exe"
      PID: 1784
      Signatures: Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\myGzDa.exe"
      PID: 2928
      Signatures: Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\myGzDa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF42E.tmp"
      PID: 2984
      Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
    - C:\Users\Admin\AppData\Local\Temp\PlOkuLXxFh\qRAxe4BVi4w4QAu.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\PlOkuLXxFh\qRAxe4BVi4w4QAu.exe"
      PID: 2400
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\PlOkuLXxFh\qRAxe4BVi4w4QAu.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\PlOkuLXxFh\qRAxe4BVi4w4QAu.exe"
      PID: 2948
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\txlHsPLiXofc\bcZ6UEHjq9RUQie.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\txlHsPLiXofc\bcZ6UEHjq9RUQie.exe"
    PID: 2860
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\txlHsPLiXofc\bcZ6UEHjq9RUQie.exe"
      PID: 700
      Signatures: Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wZQfmZuDNV.exe"
      PID: 1676
      Signatures: Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZQfmZuDNV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC60.tmp"
      PID: 568
      Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
    - C:\Users\Admin\AppData\Local\Temp\txlHsPLiXofc\bcZ6UEHjq9RUQie.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\txlHsPLiXofc\bcZ6UEHjq9RUQie.exe"
      PID: 1076
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C TIMEOUT /T 3 && DEL /f "C:\Users\Admin\AppData\Local\Temp\273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e.exe"
    PID: 3012
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      Command line: TIMEOUT /T 3
      PID: 2632
      Signatures: Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter: 1
  - PowerShell: 1
- Scheduled Task/Job: 1
  - Scheduled Task: 1
Credential Access
- Credentials from Password Stores: 1
  - Credentials from Web Browsers: 1
- Unsecured Credentials: 5
  - Credentials In Files: 4
  - Credentials in Registry: 1
Downloads