Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
03/09/2024, 04:15
Static task
static1
Behavioral task
behavioral1
Sample
BTC.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
BTC.exe
Resource
win10v2004-20240802-en
General
-
Target
BTC.exe
-
Size
1.1MB
-
MD5
f1424e5b9810a4a9c33506aa784fca89
-
SHA1
4ad6287fe149832551afbcb1113db50cd133777b
-
SHA256
8a3da2a07e82bf22f3cd239de861b2b8c50c9fe9ee2ba12a33564e1b5cc93fed
-
SHA512
e03432137a7c12c03d34302fe4e1774a3a08935d39f665e4086fd8637f4ea961a645e2a8bb3cd85dd24c54861e4f01b0500a70641e2fa3a4a09e2e89a3b77380
-
SSDEEP
12288:JYYjzzONcuuIYsYNeaCbU6sKySaVQ4pBgncu7EKHCBbsCU/hpgmxCBbsCUXEGnF9:eg9uurUngnBU97EniCUppoiCUXfF9
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
185.252.232.158:7812
64.23.232.116:7812
vsvf
-
delay
1
-
install
true
-
install_file
Windows Security Health Service.exe
-
install_folder
%AppData%
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/sendMessage?chat_id=6291749148
https://api.telegram.org/bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendMessage?chat_id=6291749148
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
quasar
2.1.0.0
Office04
146.190.29.250:7812
VNM_MUTEX_h1gQxrpyccCFZq7JPS
-
encryption_key
V5fWyT4tQqXFouaUUxe2
-
install_name
Windows Security.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Update
-
subdirectory
SubDir34
Extracted
xworm
5.0
146.190.29.250:7812
165.227.91.90:7812
167.99.94.206:7812
4chIqEbR5Rq6U6EI
-
Install_directory
%AppData%
-
install_file
Windows Defender Service Host.exe
-
telegram
https://api.telegram.org/bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/sendMessage?chat_id=6291749148
Signatures
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral2/files/0x000700000002348c-49.dat disable_win_def behavioral2/memory/1824-77-0x0000000000870000-0x00000000008FC000-memory.dmp disable_win_def -
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral2/files/0x000700000002348d-60.dat family_xworm behavioral2/memory/4332-72-0x0000000000C70000-0x0000000000C82000-memory.dmp family_xworm -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" Window Security.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection Window Security.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" Window Security.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" Window Security.exe -
Quasar payload 2 IoCs
resource yara_rule behavioral2/files/0x000700000002348c-49.dat family_quasar behavioral2/memory/1824-77-0x0000000000870000-0x00000000008FC000-memory.dmp family_quasar -
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 4 IoCs
resource yara_rule behavioral2/files/0x000700000002348a-26.dat family_stormkitty behavioral2/files/0x000700000002348b-58.dat family_stormkitty behavioral2/memory/1248-74-0x0000000000890000-0x00000000008CE000-memory.dmp family_stormkitty behavioral2/memory/2696-73-0x0000000000030000-0x0000000000060000-memory.dmp family_stormkitty -
Async RAT payload 3 IoCs
resource yara_rule behavioral2/files/0x0008000000023486-16.dat family_asyncrat behavioral2/files/0x000700000002348a-26.dat family_asyncrat behavioral2/files/0x000700000002348b-58.dat family_asyncrat -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation Window Security.exe Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation BTC.exe Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation Cracked.exe Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation Windows Defender Service Host.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender Service Host.lnk Windows Defender Service Host.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender Service Host.lnk Windows Defender Service Host.exe -
Executes dropped EXE 11 IoCs
pid Process 1624 crack.exe 2952 Cracked.exe 2696 svchost.exe 1248 update.exe 1824 Window Security.exe 4332 Windows Defender Service Host.exe 2288 Windows Security.exe 4500 Windows Security Health Service.exe 4444 Window Security.exe 4424 Windows Defender Service Host.exe 3036 Windows Defender Service Host.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features Window Security.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" Window Security.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Service Host = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender Service Host.exe" Windows Defender Service Host.exe -
Drops desktop.ini file(s) 15 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\530f7b6dda66c37c6ce8d2254fbfa88f\Admin@DSEYXUOD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Local\530f7b6dda66c37c6ce8d2254fbfa88f\Admin@DSEYXUOD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Local\530f7b6dda66c37c6ce8d2254fbfa88f\Admin@DSEYXUOD_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Local\541883f9b5f460b2d07aa1b013426214\Admin@DSEYXUOD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini update.exe File opened for modification C:\Users\Admin\AppData\Local\541883f9b5f460b2d07aa1b013426214\Admin@DSEYXUOD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini update.exe File created C:\Users\Admin\AppData\Local\541883f9b5f460b2d07aa1b013426214\Admin@DSEYXUOD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini update.exe File created C:\Users\Admin\AppData\Local\530f7b6dda66c37c6ce8d2254fbfa88f\Admin@DSEYXUOD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Local\541883f9b5f460b2d07aa1b013426214\Admin@DSEYXUOD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini update.exe File created C:\Users\Admin\AppData\Local\541883f9b5f460b2d07aa1b013426214\Admin@DSEYXUOD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini update.exe File created C:\Users\Admin\AppData\Local\530f7b6dda66c37c6ce8d2254fbfa88f\Admin@DSEYXUOD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Local\530f7b6dda66c37c6ce8d2254fbfa88f\Admin@DSEYXUOD_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Local\541883f9b5f460b2d07aa1b013426214\Admin@DSEYXUOD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini update.exe File created C:\Users\Admin\AppData\Local\541883f9b5f460b2d07aa1b013426214\Admin@DSEYXUOD_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini update.exe File created C:\Users\Admin\AppData\Local\541883f9b5f460b2d07aa1b013426214\Admin@DSEYXUOD_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini update.exe File created C:\Users\Admin\AppData\Local\530f7b6dda66c37c6ce8d2254fbfa88f\Admin@DSEYXUOD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini svchost.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 9 ip-api.com 37 icanhazip.com -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 30 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Window Security.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language update.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Windows Security.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Window Security.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language crack.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 5004 PING.EXE -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 448 cmd.exe 4492 netsh.exe 3976 cmd.exe 2876 netsh.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 update.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier update.exe Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier svchost.exe -
Delays execution with timeout.exe 2 IoCs
pid Process 1500 timeout.exe 2264 timeout.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 5004 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3008 schtasks.exe 4300 schtasks.exe 4088 schtasks.exe 4244 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4332 Windows Defender Service Host.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2952 Cracked.exe 2952 Cracked.exe 2952 Cracked.exe 2952 Cracked.exe 2952 Cracked.exe 2952 Cracked.exe 2952 Cracked.exe 2952 Cracked.exe 2952 Cracked.exe 2952 Cracked.exe 2952 Cracked.exe 2952 Cracked.exe 2952 Cracked.exe 2952 Cracked.exe 2952 Cracked.exe 2952 Cracked.exe 2952 Cracked.exe 2952 Cracked.exe 2952 Cracked.exe 2952 Cracked.exe 2952 Cracked.exe 2952 Cracked.exe 2952 Cracked.exe 2952 Cracked.exe 2952 Cracked.exe 2952 Cracked.exe 2952 Cracked.exe 2952 Cracked.exe 2952 Cracked.exe 2952 Cracked.exe 2952 Cracked.exe 3284 powershell.exe 3284 powershell.exe 4332 Windows Defender Service Host.exe 1824 Window Security.exe 1824 Window Security.exe 1824 Window Security.exe 1824 Window Security.exe 1824 Window Security.exe 1824 Window Security.exe 1824 Window Security.exe 4500 Windows Security Health Service.exe 4500 Windows Security Health Service.exe 4500 Windows Security Health Service.exe 4500 Windows Security Health Service.exe 4500 Windows Security Health Service.exe 4500 Windows Security Health Service.exe 4500 Windows Security Health Service.exe 4500 Windows Security Health Service.exe 4500 Windows Security Health Service.exe 4500 Windows Security Health Service.exe 4500 Windows Security Health Service.exe 4500 Windows Security Health Service.exe 4500 Windows Security Health Service.exe 4500 Windows Security Health Service.exe 4500 Windows Security Health Service.exe 4500 Windows Security Health Service.exe 4500 Windows Security Health Service.exe 4500 Windows Security Health Service.exe 4500 Windows Security Health Service.exe 4500 Windows Security Health Service.exe 4500 Windows Security Health Service.exe 4500 Windows Security Health Service.exe 4500 Windows Security Health Service.exe -
Suspicious use of AdjustPrivilegeToken 15 IoCs
description pid Process Token: SeDebugPrivilege 2952 Cracked.exe Token: SeDebugPrivilege 4332 Windows Defender Service Host.exe Token: SeDebugPrivilege 1248 update.exe Token: SeDebugPrivilege 2696 svchost.exe Token: SeDebugPrivilege 2952 Cracked.exe Token: SeDebugPrivilege 1824 Window Security.exe Token: SeDebugPrivilege 1624 crack.exe Token: SeDebugPrivilege 3284 powershell.exe Token: SeDebugPrivilege 2288 Windows Security.exe Token: SeDebugPrivilege 2288 Windows Security.exe Token: SeDebugPrivilege 4500 Windows Security Health Service.exe Token: SeDebugPrivilege 4500 Windows Security Health Service.exe Token: SeDebugPrivilege 4444 Window Security.exe Token: SeDebugPrivilege 4424 Windows Defender Service Host.exe Token: SeDebugPrivilege 3036 Windows Defender Service Host.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 4332 Windows Defender Service Host.exe 2288 Windows Security.exe 4500 Windows Security Health Service.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1792 wrote to memory of 1624 1792 BTC.exe 83 PID 1792 wrote to memory of 1624 1792 BTC.exe 83 PID 1792 wrote to memory of 1624 1792 BTC.exe 83 PID 1792 wrote to memory of 2952 1792 BTC.exe 84 PID 1792 wrote to memory of 2952 1792 BTC.exe 84 PID 1792 wrote to memory of 2696 1792 BTC.exe 85 PID 1792 wrote to memory of 2696 1792 BTC.exe 85 PID 1792 wrote to memory of 2696 1792 BTC.exe 85 PID 1792 wrote to memory of 1248 1792 BTC.exe 86 PID 1792 wrote to memory of 1248 1792 BTC.exe 86 PID 1792 wrote to memory of 1248 1792 BTC.exe 86 PID 1792 wrote to memory of 1824 1792 BTC.exe 87 PID 1792 wrote to memory of 1824 1792 BTC.exe 87 PID 1792 wrote to memory of 1824 1792 BTC.exe 87 PID 1792 wrote to memory of 4332 1792 BTC.exe 88 PID 1792 wrote to memory of 4332 1792 BTC.exe 88 PID 2952 wrote to memory of 4532 2952 Cracked.exe 91 PID 2952 wrote to memory of 4532 2952 Cracked.exe 91 PID 2952 wrote to memory of 4452 2952 Cracked.exe 93 PID 2952 wrote to memory of 4452 2952 Cracked.exe 93 PID 4532 wrote to memory of 3008 4532 cmd.exe 95 PID 4532 wrote to memory of 3008 4532 cmd.exe 95 PID 4452 wrote to memory of 1500 4452 cmd.exe 96 PID 4452 wrote to memory of 1500 4452 cmd.exe 96 PID 1824 wrote to memory of 4300 1824 Window Security.exe 99 PID 1824 wrote to memory of 4300 1824 Window Security.exe 99 PID 1824 wrote to memory of 4300 1824 Window Security.exe 99 PID 1824 wrote to memory of 2288 1824 Window Security.exe 101 PID 1824 wrote to memory of 2288 1824 Window Security.exe 101 PID 1824 wrote to memory of 2288 1824 Window Security.exe 101 PID 1824 wrote to memory of 3284 1824 Window Security.exe 102 PID 1824 wrote to memory of 3284 1824 Window Security.exe 102 PID 1824 wrote to memory of 3284 1824 Window Security.exe 102 PID 4332 wrote to memory of 4088 4332 Windows Defender Service Host.exe 104 PID 4332 wrote to memory of 4088 4332 Windows Defender Service Host.exe 104 PID 1624 wrote to memory of 4200 1624 crack.exe 106 PID 1624 wrote to memory of 4200 1624 crack.exe 106 PID 1624 wrote to memory of 4200 1624 crack.exe 106 PID 4200 wrote to memory of 2264 4200 cmd.exe 108 PID 4200 wrote to memory of 2264 4200 cmd.exe 108 PID 4200 wrote to memory of 2264 4200 cmd.exe 108 PID 2288 wrote to memory of 4244 2288 Windows Security.exe 109 PID 2288 wrote to memory of 4244 2288 Windows Security.exe 109 PID 2288 wrote to memory of 4244 2288 Windows Security.exe 109 PID 4452 wrote to memory of 4500 4452 cmd.exe 111 PID 4452 wrote to memory of 4500 4452 cmd.exe 111 PID 1824 wrote to memory of 1952 1824 Window Security.exe 114 PID 1824 wrote to memory of 1952 1824 Window Security.exe 114 PID 1824 wrote to memory of 1952 1824 Window Security.exe 114 PID 1952 wrote to memory of 4648 1952 cmd.exe 116 PID 1952 wrote to memory of 4648 1952 cmd.exe 116 PID 1952 wrote to memory of 4648 1952 cmd.exe 116 PID 1248 wrote to memory of 3976 1248 update.exe 119 PID 1248 wrote to memory of 3976 1248 update.exe 119 PID 1248 wrote to memory of 3976 1248 update.exe 119 PID 3976 wrote to memory of 64 3976 cmd.exe 121 PID 3976 wrote to memory of 64 3976 cmd.exe 121 PID 3976 wrote to memory of 64 3976 cmd.exe 121 PID 3976 wrote to memory of 2876 3976 cmd.exe 122 PID 3976 wrote to memory of 2876 3976 cmd.exe 122 PID 3976 wrote to memory of 2876 3976 cmd.exe 122 PID 3976 wrote to memory of 2232 3976 cmd.exe 123 PID 3976 wrote to memory of 2232 3976 cmd.exe 123 PID 3976 wrote to memory of 2232 3976 cmd.exe 123 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\BTC.exe"C:\Users\Admin\AppData\Local\Temp\BTC.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Users\Admin\AppData\Roaming\crack.exe"C:\Users\Admin\AppData\Roaming\crack.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAB72.tmp.cmd""3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Windows\SysWOW64\timeout.exetimeout 44⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2264
-
-
-
-
C:\Users\Admin\AppData\Roaming\Cracked.exe"C:\Users\Admin\AppData\Roaming\Cracked.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"' & exit3⤵
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"'4⤵
- Scheduled Task/Job: Scheduled Task
PID:3008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA587.tmp.bat""3⤵
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Windows\system32\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
PID:1500
-
-
C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4500
-
-
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2696 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
PID:448 -
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
PID:2544
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
PID:4492
-
-
C:\Windows\SysWOW64\findstr.exefindstr All4⤵
- System Location Discovery: System Language Discovery
PID:4876
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid3⤵
- System Location Discovery: System Language Discovery
PID:3756 -
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
PID:1148
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:720
-
-
-
-
C:\Users\Admin\AppData\Roaming\update.exe"C:\Users\Admin\AppData\Roaming\update.exe"2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
PID:3976 -
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
PID:64
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
PID:2876
-
-
C:\Windows\SysWOW64\findstr.exefindstr All4⤵
- System Location Discovery: System Language Discovery
PID:2232
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid3⤵
- System Location Discovery: System Language Discovery
PID:1492 -
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
PID:2028
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4076
-
-
-
-
C:\Users\Admin\AppData\Roaming\Window Security.exe"C:\Users\Admin\AppData\Roaming\Window Security.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Window Security.exe" /rl HIGHEST /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4300
-
-
C:\Users\Admin\AppData\Roaming\SubDir34\Windows Security.exe"C:\Users\Admin\AppData\Roaming\SubDir34\Windows Security.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir34\Windows Security.exe" /rl HIGHEST /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4244
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3284
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*4⤵
- System Location Discovery: System Language Discovery
PID:4648
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cT3ylN8laYxS.bat" "3⤵
- System Location Discovery: System Language Discovery
PID:2400 -
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
PID:4376
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5004
-
-
C:\Users\Admin\AppData\Roaming\Window Security.exe"C:\Users\Admin\AppData\Roaming\Window Security.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4444
-
-
-
-
C:\Users\Admin\AppData\Roaming\Windows Defender Service Host.exe"C:\Users\Admin\AppData\Roaming\Windows Defender Service Host.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender Service Host" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender Service Host.exe"3⤵
- Scheduled Task/Job: Scheduled Task
PID:4088
-
-
-
C:\Users\Admin\AppData\Roaming\Windows Defender Service Host.exe"C:\Users\Admin\AppData\Roaming\Windows Defender Service Host.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4424
-
C:\Users\Admin\AppData\Roaming\Windows Defender Service Host.exe"C:\Users\Admin\AppData\Roaming\Windows Defender Service Host.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3036
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Query Registry
3Remote System Discovery
1System Information Discovery
3System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
2Internet Connection Discovery
1Wi-Fi Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4B
MD51a9dcba2349fef2bb823c39e45dd6c96
SHA11dcb3f78a120bfa11fe5bce08bafcad1db1ec35c
SHA2567c794a709302626ae0f7b3be4ed6da73f9d97d93e784773829d4328542f4f0f7
SHA512713ffd6f39369ead1bf681b9e41c438e8cec418c45691d735b17419fbda139f854616fd7696e72be74b257180ce924e112914293b1c202e789ce5e6da587cfa1
-
C:\Users\Admin\AppData\Local\541883f9b5f460b2d07aa1b013426214\Admin@DSEYXUOD_en-US\Browsers\Firefox\Bookmarks.txt
Filesize105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
C:\Users\Admin\AppData\Local\541883f9b5f460b2d07aa1b013426214\Admin@DSEYXUOD_en-US\System\Process.txt
Filesize4KB
MD566a676f707ec768559b63a30f79f5507
SHA15797b158b44af9c82bfa5bf40c56f1a4e9943b56
SHA256b0108bc696b6fccf39b439c0d1dcbadb3817ed720aeacb83fc36b15f7b2e7459
SHA512308d1865391a696c2638691bd14a59b0539974eb9015d96723a269f3ef6b811197bf804399a7f507d5e03ab69d84644902e7f1d139555eeac9ab56bc7065a0bf
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
1KB
MD510eab9c2684febb5327b6976f2047587
SHA1a12ed54146a7f5c4c580416aecb899549712449e
SHA256f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
SHA5127e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
209B
MD5cce083fce298c1fcab8fc21131aabdf3
SHA13db58bb47b784141c756cebb64756fdbb9cb70cd
SHA2569f95e3a5da4eaff6d272818b9c38738070200c5431c22e157362c6bc6e15697e
SHA512c0746bbb4bb34cac69b11a4a5ab82d837900491d679808dfb3f597f7539b615e2bf7f0ee41b49b4c8038166baccdb05a30874697912d43ced5fdfb5bb07b6c4c
-
Filesize
5.0MB
MD5c822ad3a46e58afab84d23614a08e0bc
SHA1196f257903ccefa439dc673690c6910356bd1d81
SHA256a8dc0fe0bcf7f1553cf0f530f88b38f033b914170d71df05f84093498d82d438
SHA512bc5da3bac510289c47d7c835ae6dd50fe96f64e1f522ac930be451cd9e47c5d395b5ff463f9b4aee33b98785f1bd4eec6a0d321962ecbc60e2eb5a0d66c735d2
-
Filesize
175B
MD531e8b54af0fcd45037d9790476d67065
SHA1d5d7ba2e21538808e23669af57cae92acf8c0f73
SHA25635252513cb1b7884b5a71d6f7538ad15e2b3da3beed69a9cce00d81311fbb7ca
SHA512dea844d72424e73123d6e0fd7db3e20cd0da21477fa7835fa0d8d24c553afbbd4c54d1e8a95b0cb8e6bc30f35f59ba3d92f1ef298267da8d41499ac883986a1e
-
Filesize
151B
MD5946169fc4a5d80ef535ea1e1394153ba
SHA1499486a8844a73d41a1b0e60e1d93bc053ccbc17
SHA256efc94314567b226b36f802fe40e9f45e9f57d08017b9023d55bde5adf396dd0d
SHA512ae031792d0652be94cb370bd4a1080e9f3e2d17610d4404da2dc45c86f058207aa2f06e36de9bf85e3ab0281fdaba555feb142a36fc65035ea702cffebce000d
-
Filesize
114KB
MD5db26309558628fa1ef6a1edd23ab2b09
SHA19bfb0530d0c2dcc6f9b3947bc3ca602943356368
SHA256e6287cb739a35ef64a6d19ec146c90c848de8646032fd98d570042c0e2ecf070
SHA5124171bc6af1ffc5d24d6ddade7b47e94b0547297e25d9a4d45ca831801208b7d83edda0b138436626749711a953a5818486c293e8749c5c2539ef070e848b237c
-
Filesize
160KB
MD5f310cf1ff562ae14449e0167a3e1fe46
SHA185c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA5121196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
74KB
MD50dfa83a82f6418c73406d78296de61be
SHA1dd7eceef8a434c43e0751e180bf714e08771d336
SHA2568d27369ffa8b29d561fa9daf485be14d2fc00287bb1c69d4c84d514891c8db5e
SHA5129a4b026250b18c29ab7dd48203f321c2ef2f12695bd2dcb52ebbc15001c8ddf019d5a7e04da056c50c1881ce269d1810259bf6d04b61f471e8751b7192fc73d4
-
Filesize
8B
MD5cf759e4c5f14fe3eec41b87ed756cea8
SHA1c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
-
Filesize
534KB
MD581b2c5c64951b603480d40d321540ff2
SHA1314199ad92baeb203f5555ff3814e9b7a4f226f8
SHA256b893220d33f9b8a0f98702bb577e4459792253ae651bdc18a93145ccd008af54
SHA5123a57655bf7aa18a34364659553aad26a3d5b8946b957441f5fedebab5936b6bb2c71c6337837ead486a001b6a9227437cc5c4ec4a5de627f0e2db10dc6afdea6
-
Filesize
43KB
MD55322a12cb24e83bfa9746fbde06d07e7
SHA15263a4f26bda073e9f82dd4fa612eb494dd771c7
SHA2564957d607c2984f94a258dba088fa1ab85e508bfaabe9279bf8b6bf6f4b97a9bb
SHA51267bfaef1ddf4ad44218c82c5634e7f726304845fab1d5361353fdacd8d8d767fec32c871fa304f4199dde3f6224be76c67560a64c1d72bbe20e134c50d1bf058
-
Filesize
8KB
MD59215015740c937980b6b53cee5087769
SHA1a0bfe95486944f1548620d4de472c3758e95d36a
SHA256a5390a297f14ef8f5be308009ec436d2a58598188dbb92d7299795a10ba1c541
SHA5125b9bbf1836466d803d3e160a38e10c8397aa3966c120ab6435a52b7d0a09eb664ef2172bf0e7e2de1cc3eae261167c9355fa7ac3b1b7e4504a7e07b82c4b90e2
-
Filesize
170KB
MD596014694a042d8344b910bc47d79337b
SHA19d19ab2f110ae58f30965a5a3d608cbf51986edb
SHA2564950eb74909bd6e739e38e57d8c6465c76ef108d65cac9f130d3f5c6d2fe943f
SHA512fe308c42b3ad2c3d73a834399aa12ea23f336103389181dface80a81da8be1ffd9a950cac802dc8a806ad318eb90a6bb6021d1acd9206a07749f83f2bb6cd03d
-
Filesize
225KB
MD5b8df7316cc35a0fb6fe3a326b4283010
SHA1d49c11f5a95f72e37d6194df41178f2b7faa01ee
SHA256f243df692ee7552286d52b23e4993e07a27877aa86c63b84903a8e6cbd0d19f3
SHA5123ef92be29123695820970a003fd0561a57f87c8c6adae86781729027ce40ede4b63da30d0b0cc75376bd9ae90accaf674fc7ff799a8b73ab4bb45b2ca65ff120