Analysis
max time kernel: 150s
max time network: 157s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04/09/2024, 01:56
Static task: static1
Behavioral task: behavioral1
  sample: 8a3da2a07e82bf22f3cd239de861b2b8c50c9fe9ee2ba12a33564e1b5cc93fed.exe
  resource: win7-20240903-en
Behavioral task: behavioral2
  sample: 8a3da2a07e82bf22f3cd239de861b2b8c50c9fe9ee2ba12a33564e1b5cc93fed.exe
  resource: win10v2004-20240802-en
General
Target: 8a3da2a07e82bf22f3cd239de861b2b8c50c9fe9ee2ba12a33564e1b5cc93fed.exe
Size: 1.1MB
MD5: f1424e5b9810a4a9c33506aa784fca89
SHA1: 4ad6287fe149832551afbcb1113db50cd133777b
SHA256: 8a3da2a07e82bf22f3cd239de861b2b8c50c9fe9ee2ba12a33564e1b5cc93fed
SHA512: e03432137a7c12c03d34302fe4e1774a3a08935d39f665e4086fd8637f4ea961a645e2a8bb3cd85dd24c54861e4f01b0500a70641e2fa3a4a09e2e89a3b77380
SSDEEP: 12288:JYYjzzONcuuIYsYNeaCbU6sKySaVQ4pBgncu7EKHCBbsCU/hpgmxCBbsCUXEGnF9:eg9uurUngnBU97EniCUppoiCUXfF9
Malware Config

Extracted: asyncrat
  Default
  127.0.0.1:6606
  127.0.0.1:7707
  127.0.0.1:8808
  https://api.telegram.org/bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendMessage?chat_id=6291749148
  https://api.telegram.org/bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/sendMessage?chat_id=6291749148
  AsyncMutex_6SI8OkPnk
  delay: 3
  install: false
  install_folder: %AppData%

Extracted: asyncrat
  Venom RAT + HVNC + Stealer + Grabber v6.0.3
  Default
  185.252.232.158:7812
  64.23.232.116:7812
  vsvf
  delay: 1
  install: true
  install_file: Windows Security Health Service.exe
  install_folder: %AppData%

Extracted: quasar
  2.1.0.0
  Office04
  146.190.29.250:7812
  VNM_MUTEX_h1gQxrpyccCFZq7JPS
  encryption_key: V5fWyT4tQqXFouaUUxe2
  install_name: Windows Security.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Windows Update
  subdirectory: SubDir34

Extracted: xworm
  5.0
  146.190.29.250:7812
  165.227.91.90:7812
  167.99.94.206:7812
  4chIqEbR5Rq6U6EI
  Install_directory: %AppData%
  install_file: Windows Defender Service Host.exe
  telegram: https://api.telegram.org/bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/sendMessage?chat_id=6291749148
Signatures

Contains code to disable Windows Defender (3 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  resource | yara_rule
  behavioral1/files/0x00080000000174cc-36.dat | disable_win_def
  behavioral1/memory/2748-38-0x0000000001330000-0x00000000013BC000-memory.dmp | disable_win_def
  behavioral1/memory/1820-50-0x00000000001B0000-0x000000000023C000-memory.dmp | disable_win_def

Detect Xworm Payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/2776-37-0x0000000000B90000-0x0000000000BA2000-memory.dmp | family_xworm
  behavioral1/files/0x0006000000018683-35.dat | family_xworm

Modifies Windows Defender Real-time Protection settings
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Window Security.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | Window Security.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | Window Security.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | Window Security.exe

Quasar payload (3 IoCs)
  resource | yara_rule
  behavioral1/files/0x00080000000174cc-36.dat | family_quasar
  behavioral1/memory/2748-38-0x0000000001330000-0x00000000013BC000-memory.dmp | family_quasar
  behavioral1/memory/1820-50-0x00000000001B0000-0x000000000023C000-memory.dmp | family_quasar
StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (4 IoCs)
  resource | yara_rule
  behavioral1/files/0x0008000000017488-19.dat | family_stormkitty
  behavioral1/files/0x0008000000017492-25.dat | family_stormkitty
  behavioral1/memory/2304-41-0x0000000001110000-0x0000000001140000-memory.dmp | family_stormkitty
  behavioral1/memory/2712-39-0x0000000001300000-0x000000000133E000-memory.dmp | family_stormkitty

Async RAT payload (3 IoCs)
  resource | yara_rule
  behavioral1/files/0x0008000000017488-19.dat | family_asyncrat
  behavioral1/files/0x00080000000173a9-15.dat | family_asyncrat
  behavioral1/files/0x0008000000017492-25.dat | family_asyncrat
Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access or copy of the web browser credential store.

Deletes itself (1 IoC)
  pid | Process
  2704 | cmd.exe

Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender Service Host.lnk | Windows Defender Service Host.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender Service Host.lnk | Windows Defender Service Host.exe

Executes dropped EXE (9 IoCs)
  pid | Process
  2396 | crack.exe
  1156 | Cracked.exe
  2304 | svchost.exe
  2712 | update.exe
  2776 | Windows Defender Service Host.exe
  2748 | Window Security.exe
  1820 | Windows Security.exe
  2272 | Windows Security Health Service.exe
  2588 | Window Security.exe

Loads dropped DLL (1 IoC)
  pid | Process
  2748 | Window Security.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | Window Security.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | Window Security.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Service Host = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender Service Host.exe" | Windows Defender Service Host.exe
Drops desktop.ini file(s) (10 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | update.exe
  File created | C:\Users\Admin\AppData\Local\12b4d00d258a1d161f055be15e52145f\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | svchost.exe
  File created | C:\Users\Admin\AppData\Local\12b4d00d258a1d161f055be15e52145f\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | svchost.exe
  File created | C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | update.exe
  File created | C:\Users\Admin\AppData\Local\12b4d00d258a1d161f055be15e52145f\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | svchost.exe
  File created | C:\Users\Admin\AppData\Local\12b4d00d258a1d161f055be15e52145f\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | svchost.exe
  File created | C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | update.exe
  File opened for modification | C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | update.exe
  File opened for modification | C:\Users\Admin\AppData\Local\12b4d00d258a1d161f055be15e52145f\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | svchost.exe
  File created | C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | update.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  3 | ip-api.com
  22 | icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTP, 12 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
System Location Discovery: System Language Discovery (1 TTP, 30 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  2016 | PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery (1 TTP, 4 IoCs)
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
  pid | Process
  2408 | netsh.exe
  3060 | cmd.exe
  1612 | cmd.exe
  1300 | netsh.exe

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | update.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | update.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | svchost.exe

Delays execution with timeout.exe (2 IoCs)
  pid | Process
  1972 | timeout.exe
  1640 | timeout.exe

Runs ping.exe (1 TTP, 1 IoC)
  pid | Process
  2016 | PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTP, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2120 | schtasks.exe
  1456 | schtasks.exe
  2340 | schtasks.exe
  2588 | schtasks.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  2776 | Windows Defender Service Host.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (13 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2776 | Windows Defender Service Host.exe
  Token: SeDebugPrivilege | 1156 | Cracked.exe
  Token: SeDebugPrivilege | 2304 | svchost.exe
  Token: SeDebugPrivilege | 2712 | update.exe
  Token: SeDebugPrivilege | 2748 | Window Security.exe
  Token: SeDebugPrivilege | 2396 | crack.exe
  Token: SeDebugPrivilege | 1156 | Cracked.exe
  Token: SeDebugPrivilege | 1820 | Windows Security.exe
  Token: SeDebugPrivilege | 288 | powershell.exe
  Token: SeDebugPrivilege | 1820 | Windows Security.exe
  Token: SeDebugPrivilege | 2272 | Windows Security Health Service.exe
  Token: SeDebugPrivilege | 2272 | Windows Security Health Service.exe
  Token: SeDebugPrivilege | 2588 | Window Security.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  1820 | Windows Security.exe
  2776 | Windows Defender Service Host.exe
  2272 | Windows Security Health Service.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\8a3da2a07e82bf22f3cd239de861b2b8c50c9fe9ee2ba12a33564e1b5cc93fed.exe (PID 2240)
    command line: "C:\Users\Admin\AppData\Local\Temp\8a3da2a07e82bf22f3cd239de861b2b8c50c9fe9ee2ba12a33564e1b5cc93fed.exe"
    signatures: Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Roaming\crack.exe (PID 2396)
      command line: "C:\Users\Admin\AppData\Roaming\crack.exe"
      signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe (PID 2044)
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB4FD.tmp.cmd""
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\timeout.exe (PID 1640)
          command line: timeout 4
          signatures: System Location Discovery: System Language Discovery; Delays execution with timeout.exe

  [2] C:\Users\Admin\AppData\Roaming\Cracked.exe (PID 1156)
      command line: "C:\Users\Admin\AppData\Roaming\Cracked.exe"
      signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\cmd.exe (PID 1600)
        command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"' & exit
        signatures: Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\schtasks.exe (PID 1456)
          command line: schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"'
          signatures: Scheduled Task/Job: Scheduled Task

    [3] C:\Windows\system32\cmd.exe (PID 1160)
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpACD3.tmp.bat""
        signatures: Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\timeout.exe (PID 1972)
          command line: timeout 3
          signatures: Delays execution with timeout.exe

      [4] C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe (PID 2272)
          command line: "C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"
          signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx

  [2] C:\Users\Admin\AppData\Roaming\svchost.exe (PID 2304)
      command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      signatures: Executes dropped EXE; Drops desktop.ini file(s); System Location Discovery: System Language Discovery; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe (PID 3060)
        command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Wi-Fi Discovery

      [4] C:\Windows\SysWOW64\chcp.com (PID 844)
          command line: chcp 65001
          signatures: System Location Discovery: System Language Discovery

      [4] C:\Windows\SysWOW64\netsh.exe (PID 2408)
          command line: netsh wlan show profile
          signatures: Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery; System Network Configuration Discovery: Wi-Fi Discovery

      [4] C:\Windows\SysWOW64\findstr.exe (PID 2528)
          command line: findstr All
          signatures: System Location Discovery: System Language Discovery

    [3] C:\Windows\SysWOW64\cmd.exe (PID 1628)
        command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        signatures: System Location Discovery: System Language Discovery

      [4] C:\Windows\SysWOW64\chcp.com (PID 2348)
          command line: chcp 65001
          signatures: System Location Discovery: System Language Discovery

      [4] C:\Windows\SysWOW64\netsh.exe (PID 2284)
          command line: netsh wlan show networks mode=bssid
          signatures: Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery

  [2] C:\Users\Admin\AppData\Roaming\update.exe (PID 2712)
      command line: "C:\Users\Admin\AppData\Roaming\update.exe"
      signatures: Executes dropped EXE; Drops desktop.ini file(s); System Location Discovery: System Language Discovery; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe (PID 1612)
        command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Wi-Fi Discovery

      [4] C:\Windows\SysWOW64\chcp.com (PID 2516)
          command line: chcp 65001
          signatures: System Location Discovery: System Language Discovery

      [4] C:\Windows\SysWOW64\netsh.exe (PID 1300)
          command line: netsh wlan show profile
          signatures: Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery; System Network Configuration Discovery: Wi-Fi Discovery

      [4] C:\Windows\SysWOW64\findstr.exe (PID 2988)
          command line: findstr All
          signatures: System Location Discovery: System Language Discovery

    [3] C:\Windows\SysWOW64\cmd.exe (PID 2532)
        command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        signatures: System Location Discovery: System Language Discovery

      [4] C:\Windows\SysWOW64\chcp.com (PID 2052)
          command line: chcp 65001
          signatures: System Location Discovery: System Language Discovery

      [4] C:\Windows\SysWOW64\netsh.exe (PID 2292)
          command line: netsh wlan show networks mode=bssid
          signatures: Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery

  [2] C:\Users\Admin\AppData\Roaming\Window Security.exe (PID 2748)
      command line: "C:\Users\Admin\AppData\Roaming\Window Security.exe"
      signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Loads dropped DLL; Windows security modification; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\schtasks.exe (PID 2120)
        command line: "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Window Security.exe" /rl HIGHEST /f
        signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task

    [3] C:\Users\Admin\AppData\Roaming\SubDir34\Windows Security.exe (PID 1820)
        command line: "C:\Users\Admin\AppData\Roaming\SubDir34\Windows Security.exe"
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\schtasks.exe (PID 2340)
          command line: "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir34\Windows Security.exe" /rl HIGHEST /f
          signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 288)
        command line: "powershell" Get-MpPreference -verbose
        signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe (PID 856)
        command line: "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        signatures: System Location Discovery: System Language Discovery

      [4] C:\Windows\SysWOW64\cmd.exe (PID 2704)
          command line: C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
          signatures: Deletes itself; System Location Discovery: System Language Discovery

    [3] C:\Windows\SysWOW64\cmd.exe (PID 1004)
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\XevkspqRwEFi.bat" "
        signatures: System Location Discovery: System Language Discovery

      [4] C:\Windows\SysWOW64\chcp.com (PID 576)
          command line: chcp 65001
          signatures: System Location Discovery: System Language Discovery

      [4] C:\Windows\SysWOW64\PING.EXE (PID 2016)
          command line: ping -n 10 localhost
          signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

      [4] C:\Users\Admin\AppData\Roaming\Window Security.exe (PID 2588)
          command line: "C:\Users\Admin\AppData\Roaming\Window Security.exe"
          signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken

  [2] C:\Users\Admin\AppData\Roaming\Windows Defender Service Host.exe (PID 2776)
      command line: "C:\Users\Admin\AppData\Roaming\Windows Defender Service Host.exe"
      signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\schtasks.exe (PID 2588)
        command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender Service Host" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender Service Host.exe"
        signatures: Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\taskeng.exe (PID 964)
    command line: taskeng.exe {A5B10290-ED76-48B9-838D-2AC9CF178CC1} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)
  Scheduled Task/Job (1): Scheduled Task (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)
  Scheduled Task/Job (1): Scheduled Task (1)

Credential Access
  Credentials from Password Stores (1): Credentials from Web Browsers (1)
  Unsecured Credentials (1): Credentials In Files (1)

Discovery
  Browser Information Discovery (1)
  Query Registry (2)
  Remote System Discovery (1)
  System Information Discovery (2)
  System Location Discovery (1): System Language Discovery (1)
  System Network Configuration Discovery (2): Internet Connection Discovery (1); Wi-Fi Discovery (1)
Downloads
C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\Browsers\Firefox\Bookmarks.txt