Analysis
max time kernel: 120s
max time network: 17s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 14/08/2024, 10:14
Static task: static1
Behavioral task: behavioral1
Sample: a4045703e0b9a134174c1c1ced434530N.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: a4045703e0b9a134174c1c1ced434530N.exe
Resource: win10v2004-20240802-en
General
Target: a4045703e0b9a134174c1c1ced434530N.exe
Size: 77KB
MD5: a4045703e0b9a134174c1c1ced434530
SHA1: a80562871a961cb6756c570e9fc5850cf6a61ca2
SHA256: a1573a07561f46923c863dc86574c95d198f114baeae431a59b35d1185d26798
SHA512: 05c5afa696d01cb1f93b45f4ddd583b3e51366d4fb33505b243280c030ae46dcf637b38a34564ab1a9294c02d07422b98b09dd31095bef0fb83a053f3c2f3dfc
SSDEEP: 1536:ekeK40T/mx7y9v7Z/Z2V/GSAFRfBhpVoK0:FD40Dmx7y9DZ/Z2hGVkK0
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | a4045703e0b9a134174c1c1ced434530N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | a4045703e0b9a134174c1c1ced434530N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SPOOLSV.EXE
Modifies visibility of file extensions in Explorer (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SPOOLSV.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | a4045703e0b9a134174c1c1ced434530N.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | a4045703e0b9a134174c1c1ced434530N.exe
Executes dropped EXE (12 IoCs)
pid | Process
2268 | SVCHOST.EXE
2912 | SVCHOST.EXE
2808 | SVCHOST.EXE
2868 | SVCHOST.EXE
2844 | SVCHOST.EXE
2852 | SPOOLSV.EXE
1536 | SVCHOST.EXE
2488 | SVCHOST.EXE
1272 | SPOOLSV.EXE
2504 | SPOOLSV.EXE
584 | SVCHOST.EXE
1640 | SPOOLSV.EXE
Loads dropped DLL (21 IoCs)
pid | Process
2024 | a4045703e0b9a134174c1c1ced434530N.exe
2024 | a4045703e0b9a134174c1c1ced434530N.exe
2268 | SVCHOST.EXE
2268 | SVCHOST.EXE
2268 | SVCHOST.EXE
2808 | SVCHOST.EXE
2808 | SVCHOST.EXE
2808 | SVCHOST.EXE
2808 | SVCHOST.EXE
2808 | SVCHOST.EXE
2852 | SPOOLSV.EXE
2852 | SPOOLSV.EXE
2852 | SPOOLSV.EXE
2852 | SPOOLSV.EXE
2852 | SPOOLSV.EXE
2268 | SVCHOST.EXE
2268 | SVCHOST.EXE
2024 | a4045703e0b9a134174c1c1ced434530N.exe
2024 | a4045703e0b9a134174c1c1ced434530N.exe
2024 | a4045703e0b9a134174c1c1ced434530N.exe
2024 | a4045703e0b9a134174c1c1ced434530N.exe
Drops desktop.ini file(s) (2 IoCs)
description | ioc | Process
File opened for modification | C:\Recycled\desktop.ini | a4045703e0b9a134174c1c1ced434530N.exe
File opened for modification | F:\Recycled\desktop.ini | a4045703e0b9a134174c1c1ced434530N.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe | a4045703e0b9a134174c1c1ced434530N.exe
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 16 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | userinit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SPOOLSV.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a4045703e0b9a134174c1c1ced434530N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SPOOLSV.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SPOOLSV.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SPOOLSV.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOST.EXE
Office loads VBA resources, possible macro or embedded object present
Modifies registry class (28 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL | a4045703e0b9a134174c1c1ced434530N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | a4045703e0b9a134174c1c1ced434530N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe" | a4045703e0b9a134174c1c1ced434530N.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG\COMMAND | a4045703e0b9a134174c1c1ced434530N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size" | a4045703e0b9a134174c1c1ced434530N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size" | a4045703e0b9a134174c1c1ced434530N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | a4045703e0b9a134174c1c1ced434530N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size" | SPOOLSV.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL\COMMAND | a4045703e0b9a134174c1c1ced434530N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SPOOLSV.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG | a4045703e0b9a134174c1c1ced434530N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size" | a4045703e0b9a134174c1c1ced434530N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SVCHOST.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
2960 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of SetWindowsHookEx (15 IoCs)
pid | Process
2024 | a4045703e0b9a134174c1c1ced434530N.exe
2268 | SVCHOST.EXE
2912 | SVCHOST.EXE
2808 | SVCHOST.EXE
2868 | SVCHOST.EXE
2844 | SVCHOST.EXE
2852 | SPOOLSV.EXE
1536 | SVCHOST.EXE
2488 | SVCHOST.EXE
1272 | SPOOLSV.EXE
2504 | SPOOLSV.EXE
584 | SVCHOST.EXE
1640 | SPOOLSV.EXE
2960 | WINWORD.EXE
2960 | WINWORD.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\a4045703e0b9a134174c1c1ced434530N.exe (PID 2024)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a4045703e0b9a134174c1c1ced434530N.exe"
  Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Loads dropped DLL; Drops desktop.ini file(s); Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\recycled\SVCHOST.EXE (PID 2268)
    Command line: C:\recycled\SVCHOST.EXE :agent
    Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Enumerates connected drives; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\recycled\SVCHOST.EXE (PID 2912)
      Command line: C:\recycled\SVCHOST.EXE :agent
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
    - F:\recycled\SVCHOST.EXE (PID 2808)
      Command line: F:\recycled\SVCHOST.EXE :agent
      Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Enumerates connected drives; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\recycled\SVCHOST.EXE (PID 2868)
        Command line: C:\recycled\SVCHOST.EXE :agent
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      - F:\recycled\SVCHOST.EXE (PID 2844)
        Command line: F:\recycled\SVCHOST.EXE :agent
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      - C:\recycled\SPOOLSV.EXE (PID 2852)
        Command line: C:\recycled\SPOOLSV.EXE :agent
        Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Enumerates connected drives; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\recycled\SVCHOST.EXE (PID 1536)
          Command line: C:\recycled\SVCHOST.EXE :agent
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        - F:\recycled\SVCHOST.EXE (PID 2488)
          Command line: F:\recycled\SVCHOST.EXE :agent
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        - C:\recycled\SPOOLSV.EXE (PID 1272)
          Command line: C:\recycled\SPOOLSV.EXE :agent
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
    - C:\recycled\SPOOLSV.EXE (PID 2504)
      Command line: C:\recycled\SPOOLSV.EXE :agent
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\userinit.exe (PID 1744)
      Command line: C:\Windows\system32\userinit.exe
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Explorer.exe (PID 2948)
        Command line: Explorer.exe "C:\recycled\SVCHOST.exe"
        Signatures: System Location Discovery: System Language Discovery
  - F:\recycled\SVCHOST.EXE (PID 584)
    Command line: F:\recycled\SVCHOST.EXE :agent
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\recycled\SPOOLSV.EXE (PID 1640)
    Command line: C:\recycled\SPOOLSV.EXE :agent
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2960)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a4045703e0b9a134174c1c1ced434530N.doc"
    Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\splwow64.exe (PID 860)
      Command line: C:\Windows\splwow64.exe 12288
- C:\Windows\explorer.exe (PID 2932)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads