Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 17-08-2024 01:48
Behavioral task: behavioral1
- Sample: 8b3b1dc601a84cf6a705060f236a65eed14ba83f910fc62623c3518e5529bc3d.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 8b3b1dc601a84cf6a705060f236a65eed14ba83f910fc62623c3518e5529bc3d.exe
- Resource: win10v2004-20240802-en
General
- Target: 8b3b1dc601a84cf6a705060f236a65eed14ba83f910fc62623c3518e5529bc3d.exe
- Size: 18KB
- MD5: 3e7dee8d4908f3f20f266a87e82539e2
- SHA1: 9861058f25fcbd2f9e2f8761788ecbe4a0096293
- SHA256: 8b3b1dc601a84cf6a705060f236a65eed14ba83f910fc62623c3518e5529bc3d
- SHA512: 4ed758887fa6d4ce60b4cd5434c1e97f7fcb3ff586239b17b0760fda28b73f75ff4a06187366a4436ad51281937d456dd451bd22a56a94997c31259b9da0d5a3
- SSDEEP: 384:g58AcUoUQKNRYELxQUHDvmk3E+KDvB77777J77c77c77c72qh58psLvC8:g5BOFKksO1mE9B77777J77c77c77c71R
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\180DB.exe\"" | 180DBQRUZQQ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\180DB.exe\"" | 8b3b1dc601a84cf6a705060f236a65eed14ba83f910fc62623c3518e5529bc3d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\180DB.exe\"" | 180DB.exe
Executes dropped EXE (5 IoCs)
pid | Process
1620 | 180DB.exe
2124 | 180DBQRUZQQ.exe
1996 | 180DBQRUZQQ.exe
2660 | 180DB.exe
2088 | 180DB.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\180DB.exe = "C:\\Windows\\180DB.exe" | 8b3b1dc601a84cf6a705060f236a65eed14ba83f910fc62623c3518e5529bc3d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\180DB.exe = "C:\\Windows\\180DB.exe" | 180DB.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\180DB.exe = "C:\\Windows\\180DB.exe" | 180DBQRUZQQ.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\180DB.exe | 8b3b1dc601a84cf6a705060f236a65eed14ba83f910fc62623c3518e5529bc3d.exe
File opened for modification | C:\Windows\180DBQRUZQQ.exe | 8b3b1dc601a84cf6a705060f236a65eed14ba83f910fc62623c3518e5529bc3d.exe
System Location Discovery: System Language Discovery (1 TTP, 48 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Kills process with taskkill (42 IoCs)
Suspicious use of AdjustPrivilegeToken (42 IoCs)
Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
2708 | 8b3b1dc601a84cf6a705060f236a65eed14ba83f910fc62623c3518e5529bc3d.exe
1620 | 180DB.exe
2124 | 180DBQRUZQQ.exe
1996 | 180DBQRUZQQ.exe
2660 | 180DB.exe
2088 | 180DB.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\8b3b1dc601a84cf6a705060f236a65eed14ba83f910fc62623c3518e5529bc3d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8b3b1dc601a84cf6a705060f236a65eed14ba83f910fc62623c3518e5529bc3d.exe"
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2708

  [depth 2] C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID: 2780

  [depth 2] C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /S COMPUTERNAME /F /IM services.exe /T
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID: 2816

  [depth 2] C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID: 2812

  [depth 2] C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID: 2764

  [depth 2] C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID: 2720

  [depth 2] C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID: 2840

  [depth 2] C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID: 2688

  [depth 2] C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID: 2572

  [depth 2] C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /S COMPUTERNAME /F /IM services.exe /T
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID: 2756

  [depth 2] C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID: 2680

  [depth 2] C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID: 2600

  [depth 2] C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID: 2968

  [depth 2] C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID: 1688

  [depth 2] C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID: 2804

  [depth 2] C:\Windows\180DB.exe
    Command line: C:\Windows\180DB.exe
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1620

    [depth 3] C:\Windows\SysWOW64\TASKKILL.exe
      Command line: TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1636

    [depth 3] C:\Windows\SysWOW64\TASKKILL.exe
      Command line: TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 808

    [depth 3] C:\Windows\SysWOW64\TASKKILL.exe
      Command line: TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1292

    [depth 3] C:\Windows\SysWOW64\TASKKILL.exe
      Command line: TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 2632

    [depth 3] C:\Windows\SysWOW64\TASKKILL.exe
      Command line: TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 2876

    [depth 3] C:\Windows\SysWOW64\TASKKILL.exe
      Command line: TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1972

    [depth 3] C:\Windows\SysWOW64\TASKKILL.exe
      Command line: TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 2068

    [depth 3] C:\Windows\SysWOW64\TASKKILL.exe
      Command line: TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1484

    [depth 3] C:\Windows\SysWOW64\TASKKILL.exe
      Command line: TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 2868

    [depth 3] C:\Windows\SysWOW64\TASKKILL.exe
      Command line: TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 2892

    [depth 3] C:\Windows\SysWOW64\TASKKILL.exe
      Command line: TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1932

    [depth 3] C:\Windows\SysWOW64\TASKKILL.exe
      Command line: TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 788

    [depth 3] C:\Windows\SysWOW64\TASKKILL.exe
      Command line: TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1664

    [depth 3] C:\Windows\SysWOW64\TASKKILL.exe
      Command line: TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 332

    [depth 3] C:\Windows\180DBQRUZQQ.exe
      Command line: C:\Windows\180DBQRUZQQ.exe
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 2124

      [depth 4] C:\Windows\SysWOW64\TASKKILL.exe
        Command line: TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 1448

      [depth 4] C:\Windows\SysWOW64\TASKKILL.exe
        Command line: TASKKILL /S COMPUTERNAME /F /IM services.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 1800

      [depth 4] C:\Windows\SysWOW64\TASKKILL.exe
        Command line: TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 2524

      [depth 4] C:\Windows\SysWOW64\TASKKILL.exe
        Command line: TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 1160

      [depth 4] C:\Windows\SysWOW64\TASKKILL.exe
        Command line: TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 608

      [depth 4] C:\Windows\SysWOW64\TASKKILL.exe
        Command line: TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 1416

      [depth 4] C:\Windows\SysWOW64\TASKKILL.exe
        Command line: TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 1532

      [depth 4] C:\Windows\SysWOW64\TASKKILL.exe
        Command line: TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 2352

      [depth 4] C:\Windows\SysWOW64\TASKKILL.exe
        Command line: TASKKILL /S COMPUTERNAME /F /IM services.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 2036

      [depth 4] C:\Windows\SysWOW64\TASKKILL.exe
        Command line: TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 2040

      [depth 4] C:\Windows\SysWOW64\TASKKILL.exe
        Command line: TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 1000

      [depth 4] C:\Windows\SysWOW64\TASKKILL.exe
        Command line: TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 1764

      [depth 4] C:\Windows\SysWOW64\TASKKILL.exe
        Command line: TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 1188

      [depth 4] C:\Windows\SysWOW64\TASKKILL.exe
        Command line: TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 2196

      [depth 4] C:\Windows\180DBQRUZQQ.exe
        Command line: C:\Windows\180DBQRUZQQ.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        PID: 1996

      [depth 4] C:\Windows\180DB.exe
        Command line: C:\Windows\180DB.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        PID: 2660

    [depth 3] C:\Windows\180DB.exe
      Command line: C:\Windows\180DB.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 2088
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 18KB
  MD5: 1d8a975d5f38a39b0706649b74023842
  SHA1: 386e718997c79d46ec15820f253ba23918b5fd89
  SHA256: 137ef44c32d8da230ddbfe55ed37064bba84c2fd562863f309ce3825848aed74
  SHA512: f749ff15e4e1da7946b1b94978cbe07425c871816d3ac639b263673ff18a7417b8b3d25fb28bb64641d6e8b4c8e201abc041751278ea05053e65005fa79fe157
- Filesize: 42KB
  MD5: 05715b633751607de86f0287ab468d8a
  SHA1: da35736aa021881a1ddc9f2ec2dc22c05f8a20e8
  SHA256: 357668afe51b84141e39aa173e5411859f565777c5ff9d435aed16a1cdf93da1
  SHA512: c84ae2e6cdc466572b63aac8a35a9916ebd69cce571da2dce21631432fcc16234a2c7dab5ed471f0179905cce297d07255be53a9a1584174d920295f88f2475e