Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
3Static
static
1SA_2.7.0.7z
windows7-x64
3SA_2.7.0.7z
windows10-2004-x64
3soshimeead...dex.js
windows7-x64
3soshimeead...dex.js
windows10-2004-x64
3soshimeead...dex.js
windows7-x64
3soshimeead...dex.js
windows10-2004-x64
3soshimeead...dex.js
windows7-x64
3soshimeead...dex.js
windows10-2004-x64
3soshimeead...dex.js
windows7-x64
3soshimeead...dex.js
windows10-2004-x64
3soshimeead...dex.js
windows7-x64
3soshimeead...dex.js
windows10-2004-x64
3soshimeead...dex.js
windows7-x64
3soshimeead...dex.js
windows10-2004-x64
3soshimeead...aze.js
windows7-x64
3soshimeead...aze.js
windows10-2004-x64
3soshimeead...ers.js
windows7-x64
3soshimeead...ers.js
windows10-2004-x64
3soshimeead...dex.js
windows7-x64
3soshimeead...dex.js
windows10-2004-x64
3soshimeead...fig.js
windows7-x64
3soshimeead...fig.js
windows10-2004-x64
3soshimeead...dow.js
windows7-x64
3soshimeead...dow.js
windows10-2004-x64
3soshimeead...oom.js
windows7-x64
3soshimeead...oom.js
windows10-2004-x64
3soshimeead...nge.js
windows7-x64
3soshimeead...nge.js
windows10-2004-x64
3soshimeead...hat.js
windows7-x64
3soshimeead...hat.js
windows10-2004-x64
3soshimeead...nge.js
windows7-x64
3soshimeead...nge.js
windows10-2004-x64
3Resubmissions
05/09/2024, 10:59
240905-m3c8vsygpn 805/09/2024, 10:58
240905-m272vazelg 305/09/2024, 10:55
240905-mz8wcszeja 305/09/2024, 10:54
240905-mzj71azdra 305/09/2024, 10:52
240905-mysgzszdqb 305/09/2024, 10:50
240905-mw9cqayfnk 305/09/2024, 10:37
240905-mn29fazbpg 405/09/2024, 10:34
240905-mmbebsydml 3Analysis
-
max time kernel
105s -
max time network
54s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05/09/2024, 10:50
Static task
static1
Behavioral task
behavioral1
Sample
SA_2.7.0.7z
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
SA_2.7.0.7z
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
soshimeeaddons/commands/fps/index.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
soshimeeaddons/commands/fps/index.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
soshimeeaddons/commands/index.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
soshimeeaddons/commands/index.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
soshimeeaddons/commands/ping/index.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
soshimeeaddons/commands/ping/index.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
soshimeeaddons/commands/sa/help/index.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral10
Sample
soshimeeaddons/commands/sa/help/index.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
soshimeeaddons/commands/sa/index.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
soshimeeaddons/commands/sa/index.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
soshimeeaddons/commands/sa/termsim/index.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
soshimeeaddons/commands/sa/termsim/index.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
soshimeeaddons/commands/sa/termsim/maze.js
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral16
Sample
soshimeeaddons/commands/sa/termsim/maze.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
soshimeeaddons/commands/sa/termsim/numbers.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral18
Sample
soshimeeaddons/commands/sa/termsim/numbers.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
soshimeeaddons/commands/tps/index.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral20
Sample
soshimeeaddons/commands/tps/index.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
soshimeeaddons/config.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral22
Sample
soshimeeaddons/config.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
soshimeeaddons/events/closeWindow.js
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral24
Sample
soshimeeaddons/events/closeWindow.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
soshimeeaddons/events/dungeonRoom.js
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral26
Sample
soshimeeaddons/events/dungeonRoom.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
soshimeeaddons/events/packetBlockChange.js
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral28
Sample
soshimeeaddons/events/packetBlockChange.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
soshimeeaddons/events/packetChat.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral30
Sample
soshimeeaddons/events/packetChat.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
soshimeeaddons/events/packetMultiBlockChange.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral32
Sample
soshimeeaddons/events/packetMultiBlockChange.js
Resource
win10v2004-20240802-en
windows10-2004-x64
General
-
Target
SA_2.7.0.7z
-
Size
26KB
-
MD5
6382ade525c3fd49d50e34b181de9d55
-
SHA1
1c0d0f762b0aee467ea18ed06da5631b4dab678d
-
SHA256
aca1a9c9b8902d00d582f58d6293c75cdf9eebd7dcc39e16921a97a1b2dbbd8f
-
SHA512
db15cb2a7f60ef768335cf294a593849f42347a282c3e9446ec6b2f9d44d1aa94ce32c52bcebd4904869f39266351b8d722a90e1b2fbeb6aa030dc42dc02633e
-
SSDEEP
768:WaJhRqiUS5rrWN+Zg/eoZlVu8qVh5JTGr2Q:FJhRBU3NNdu9j5JiV
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 64 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Applications rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Applications\7z.exe\shell\open rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Applications\7z.exe rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c003100000000002359962a1000372d5a697000380008000400efbe2359962a2359962a2a000000f7f6000000000900000000000000000000000000000037002d005a0069007000000014000000 rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Applications\7z.exe\shell rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 880031000000000023590d2d110050524f4752417e310000700008000400efbeee3a851a23590d2d2a0000003c000000000001000000000000000000460000000000500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000 rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Applications\7z.exe\shell\open\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Applications\7z.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7z.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 rundll32.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 924 NOTEPAD.EXE -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2832 rundll32.exe 956 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeRestorePrivilege 2780 7z.exe Token: 35 2780 7z.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe 2832 rundll32.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 576 wrote to memory of 2876 576 cmd.exe 32 PID 576 wrote to memory of 2876 576 cmd.exe 32 PID 576 wrote to memory of 2876 576 cmd.exe 32 PID 2876 wrote to memory of 2832 2876 rundll32.exe 33 PID 2876 wrote to memory of 2832 2876 rundll32.exe 33 PID 2876 wrote to memory of 2832 2876 rundll32.exe 33 PID 2832 wrote to memory of 2780 2832 rundll32.exe 35 PID 2832 wrote to memory of 2780 2832 rundll32.exe 35 PID 2832 wrote to memory of 2780 2832 rundll32.exe 35 PID 956 wrote to memory of 924 956 rundll32.exe 42 PID 956 wrote to memory of 924 956 rundll32.exe 42 PID 956 wrote to memory of 924 956 rundll32.exe 42
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\SA_2.7.0.7z1⤵
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\SA_2.7.0.7z2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\SA_2.7.0.7z3⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Program Files\7-Zip\7z.exe"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\AppData\Local\Temp\SA_2.7.0.7z"4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2780
-
-
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:600
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Pictures\FindUnblock.dxf1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Pictures\FindUnblock.dxf2⤵
- Opens file in notepad (likely ransom note)
PID:924
-