Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
28s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
18/09/2024, 01:14
Static task
static1
Behavioral task
behavioral1
Sample
44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe
Resource
win10v2004-20240802-en
General
-
Target
44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe
-
Size
292KB
-
MD5
26e1bcdecaa337ee8e8b3694603c803f
-
SHA1
4d489fc1eb967acc177cdc5ff7cdd77dac3020d4
-
SHA256
44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147
-
SHA512
7c606989961c028555e27bb85658f7bc94d362f20b17702675eb24cb8a05ba0d52fa525e28ea74265d437ec3d09799481882fedbb987fc04edd5aafbfcdf623f
-
SSDEEP
6144:O/U+c8P+Iwx+Sp66wGPJJNwK0LTyib+2VvW5EO:Os/9Jp6SBw7LTyiLW5EO
Malware Config
Extracted
vidar
https://t.me/edm0d
https://steamcommunity.com/profiles/76561199768374681
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
Signatures
-
Detect Vidar Stealer 22 IoCs
resource yara_rule behavioral1/memory/2932-13-0x0000000000400000-0x0000000000657000-memory.dmp family_vidar_v7 behavioral1/memory/2932-15-0x0000000000400000-0x0000000000657000-memory.dmp family_vidar_v7 behavioral1/memory/2932-10-0x0000000000400000-0x0000000000657000-memory.dmp family_vidar_v7 behavioral1/memory/2932-9-0x0000000000400000-0x0000000000657000-memory.dmp family_vidar_v7 behavioral1/memory/2932-8-0x0000000000400000-0x0000000000657000-memory.dmp family_vidar_v7 behavioral1/memory/2932-18-0x0000000000400000-0x0000000000657000-memory.dmp family_vidar_v7 behavioral1/memory/2932-159-0x0000000000400000-0x0000000000657000-memory.dmp family_vidar_v7 behavioral1/memory/2932-178-0x0000000000400000-0x0000000000657000-memory.dmp family_vidar_v7 behavioral1/memory/2932-208-0x0000000000400000-0x0000000000657000-memory.dmp family_vidar_v7 behavioral1/memory/2932-227-0x0000000000400000-0x0000000000657000-memory.dmp family_vidar_v7 behavioral1/memory/2932-358-0x0000000000400000-0x0000000000657000-memory.dmp family_vidar_v7 behavioral1/memory/2932-377-0x0000000000400000-0x0000000000657000-memory.dmp family_vidar_v7 behavioral1/memory/2932-420-0x0000000000400000-0x0000000000657000-memory.dmp family_vidar_v7 behavioral1/memory/2932-439-0x0000000000400000-0x0000000000657000-memory.dmp family_vidar_v7 behavioral1/memory/2516-630-0x0000000000400000-0x0000000000657000-memory.dmp family_vidar_v7 behavioral1/memory/2516-636-0x0000000000400000-0x0000000000657000-memory.dmp family_vidar_v7 behavioral1/memory/2516-634-0x0000000000400000-0x0000000000657000-memory.dmp family_vidar_v7 behavioral1/memory/2516-633-0x0000000000400000-0x0000000000657000-memory.dmp family_vidar_v7 behavioral1/memory/2516-628-0x0000000000400000-0x0000000000657000-memory.dmp family_vidar_v7 behavioral1/memory/2516-626-0x0000000000400000-0x0000000000657000-memory.dmp family_vidar_v7 behavioral1/memory/2516-777-0x0000000000400000-0x0000000000657000-memory.dmp family_vidar_v7 behavioral1/memory/2516-800-0x0000000000400000-0x0000000000657000-memory.dmp family_vidar_v7 -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid Process 2252 ECAKECAEGD.exe 2556 CGDBGCBGID.exe -
Loads dropped DLL 10 IoCs
pid Process 2932 RegAsm.exe 2932 RegAsm.exe 2932 RegAsm.exe 2932 RegAsm.exe 2932 RegAsm.exe 2932 RegAsm.exe 2932 RegAsm.exe 2932 RegAsm.exe 2932 RegAsm.exe 2932 RegAsm.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2280 set thread context of 2932 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 34 PID 2252 set thread context of 1508 2252 ECAKECAEGD.exe 40 PID 2556 set thread context of 2516 2556 CGDBGCBGID.exe 45 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1936 1508 WerFault.exe 40 -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ECAKECAEGD.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CGDBGCBGID.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RegAsm.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RegAsm.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2528 timeout.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 RegAsm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a RegAsm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a RegAsm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 RegAsm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e RegAsm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2932 RegAsm.exe 2932 RegAsm.exe 2932 RegAsm.exe 2932 RegAsm.exe 2932 RegAsm.exe 2932 RegAsm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2280 wrote to memory of 2816 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 31 PID 2280 wrote to memory of 2816 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 31 PID 2280 wrote to memory of 2816 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 31 PID 2280 wrote to memory of 2816 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 31 PID 2280 wrote to memory of 2816 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 31 PID 2280 wrote to memory of 2816 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 31 PID 2280 wrote to memory of 2816 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 31 PID 2280 wrote to memory of 2876 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 32 PID 2280 wrote to memory of 2876 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 32 PID 2280 wrote to memory of 2876 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 32 PID 2280 wrote to memory of 2876 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 32 PID 2280 wrote to memory of 2876 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 32 PID 2280 wrote to memory of 2876 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 32 PID 2280 wrote to memory of 2876 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 32 PID 2280 wrote to memory of 2924 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 33 PID 2280 wrote to memory of 2924 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 33 PID 2280 wrote to memory of 2924 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 33 PID 2280 wrote to memory of 2924 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 33 PID 2280 wrote to memory of 2924 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 33 PID 2280 wrote to memory of 2924 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 33 PID 2280 wrote to memory of 2924 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 33 PID 2280 wrote to memory of 2932 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 34 PID 2280 wrote to memory of 2932 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 34 PID 2280 wrote to memory of 2932 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 34 PID 2280 wrote to memory of 2932 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 34 PID 2280 wrote to memory of 2932 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 34 PID 2280 wrote to memory of 2932 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 34 PID 2280 wrote to memory of 2932 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 34 PID 2280 wrote to memory of 2932 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 34 PID 2280 wrote to memory of 2932 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 34 PID 2280 wrote to memory of 2932 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 34 PID 2280 wrote to memory of 2932 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 34 PID 2280 wrote to memory of 2932 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 34 PID 2280 wrote to memory of 2932 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 34 PID 2280 wrote to memory of 2932 2280 44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe 34 PID 2932 wrote to memory of 2252 2932 RegAsm.exe 38 PID 2932 wrote to memory of 2252 2932 RegAsm.exe 38 PID 2932 wrote to memory of 2252 2932 RegAsm.exe 38 PID 2932 wrote to memory of 2252 2932 RegAsm.exe 38 PID 2252 wrote to memory of 1508 2252 ECAKECAEGD.exe 40 PID 2252 wrote to memory of 1508 2252 ECAKECAEGD.exe 40 PID 2252 wrote to memory of 1508 2252 ECAKECAEGD.exe 40 PID 2252 wrote to memory of 1508 2252 ECAKECAEGD.exe 40 PID 2252 wrote to memory of 1508 2252 ECAKECAEGD.exe 40 PID 2252 wrote to memory of 1508 2252 ECAKECAEGD.exe 40 PID 2252 wrote to memory of 1508 2252 ECAKECAEGD.exe 40 PID 2252 wrote to memory of 1508 2252 ECAKECAEGD.exe 40 PID 2252 wrote to memory of 1508 2252 ECAKECAEGD.exe 40 PID 2252 wrote to memory of 1508 2252 ECAKECAEGD.exe 40 PID 2252 wrote to memory of 1508 2252 ECAKECAEGD.exe 40 PID 2252 wrote to memory of 1508 2252 ECAKECAEGD.exe 40 PID 2252 wrote to memory of 1508 2252 ECAKECAEGD.exe 40 PID 1508 wrote to memory of 1936 1508 RegAsm.exe 41 PID 1508 wrote to memory of 1936 1508 RegAsm.exe 41 PID 1508 wrote to memory of 1936 1508 RegAsm.exe 41 PID 1508 wrote to memory of 1936 1508 RegAsm.exe 41 PID 2932 wrote to memory of 2556 2932 RegAsm.exe 42 PID 2932 wrote to memory of 2556 2932 RegAsm.exe 42 PID 2932 wrote to memory of 2556 2932 RegAsm.exe 42 PID 2932 wrote to memory of 2556 2932 RegAsm.exe 42 PID 2556 wrote to memory of 2696 2556 CGDBGCBGID.exe 44 PID 2556 wrote to memory of 2696 2556 CGDBGCBGID.exe 44 PID 2556 wrote to memory of 2696 2556 CGDBGCBGID.exe 44 PID 2556 wrote to memory of 2696 2556 CGDBGCBGID.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe"C:\Users\Admin\AppData\Local\Temp\44408030fc2d6ab0d35a060e03f750a4d53dd9045debd1c189da636d07e86147.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:2816
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:2876
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:2924
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\ProgramData\ECAKECAEGD.exe"C:\ProgramData\ECAKECAEGD.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 2525⤵
- Program crash
PID:1936
-
-
-
-
C:\ProgramData\CGDBGCBGID.exe"C:\ProgramData\CGDBGCBGID.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:2696
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2516
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\ECBAEBGHDAEC" & exit3⤵PID:3040
-
C:\Windows\SysWOW64\timeout.exetimeout /t 104⤵
- Delays execution with timeout.exe
PID:2528
-
-
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
Filesize471B
MD5a9a1372a0439df0204e4d41c403fa5f8
SHA1c587388167e8347ba675ec5006699faeec23f488
SHA256e26cfb5aee36722884618870d3516be88350fdc6683162d31ae8eb3c170febce
SHA51252ae09aab02fbce6d88ad8a97f8ec73b99076ac32b8b7f6a3bbf35b6e631e2b7818dd3b7d88efa66987ad5475d01f414cb85963b8c3343a526d610f3c43a3c0c
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ab7f133503119c09a1a8c48b03c2f022
SHA1b532b281cfc9960a36bf5479549fa88cdcf8158d
SHA256a84f5010d8c79eb783c621a1e7baafde8d17f087e39efbda105ae04aa6477dac
SHA512fd41720bdac3f1cac4d15f4ee9f93bc7cfb8c5ce2d81de017ac8654d3ee4769f556d6993605106b1dd2900462f4441822fdae34e8c6a5580fad26be0f3a8b9e6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD57810c105b6252e2ce2728cdf7ce63eab
SHA1ae4c132dab8ff64062dc0ee0baf28142b1f56596
SHA256ff843eee2b5d851a9ffce405b160897b74a47355145239975f47ddbb5718f830
SHA5121b45fd3761600b53b68f3fe87977b6a898849889921d3d304a1c7c23147f513629565c391b9fd68d3d134b0ee5dfaae44dc1937c5c7c70dd43da25a1a80438fd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
Filesize400B
MD5cadcde394509343e451afa72d0025daf
SHA17135027925e23a69543a531a69bff1dd415a33dd
SHA25654b6ccff2cd052306ec50cbe2794de8f36d308e4a5e9c7444110ac9652507619
SHA512e4ab27977bd267c90168ee4e00a836df0ceff091db799e5adcdd1456a1ac1d6e212e05a02edcf925df7eda6ed402e17f1547a9bc8b0435d45ec836f1f78b6e6c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize242B
MD5bc685177e79f362ec8b6f4697562e72b
SHA155c809f9c6c3eeedc5f1e56c0314b618bebbe96b
SHA256791be148e5e27bffa351f679a82cb08309103e98ae7d8a4575c5596284526e49
SHA512fd91e95891f7ba084f2dbe07af6074dc80d09a86edfdbba37ebb24403f0bc8b4866dd393cb93304310bd62f7ebfbae775903db206c7513de44526b7e8233c540
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\84EXSCRK\76561199768374681[1].htm
Filesize33KB
MD5552b9d2124baec79ebccb697431fa636
SHA19ae1bf9ba96a529a4b4fe38eaaf89762b762f676
SHA2566304c5489bdb1524ca55ac6ec4c915624a028dab16499942b0faceb125854b0b
SHA512884e3371fb1e36459acb796629450e2d9f514b992e7bdae52f44d5d225498e27b5c10020ee99a8af18f9bd82262c97cc2e642ef606aa1c7a3b2449fb57b8e510
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
292KB
MD59d0327bd2962fd98512fb4ad5fc9ad19
SHA137fd2898d15b6e4e4be596c11120649e374a091b
SHA25686d1e9372127505a6200e134641390297bd255de3b742d874108cbf5670d3d9c
SHA5129a768adcd08acc5766d2b7a46e1360c2a2551405248bf774bc736b196d902bbeee56e472bd8f94a8c993f54e6e2402a9a14d6131500cf7979b89ccdbdd6ecc15
-
Filesize
338KB
MD57abd5004d90827227cb77ecebc6c0aba
SHA139c7f736d4041cb246b31d34f455460cdc3a071e
SHA25613d8eb0461863ad7a6f2cd6c20133e6141b7ee60c2cfa16be07b050a1702b5ad
SHA5127d95b29386c7a42da65be1888ce33d1e6e323da9e667cd72def869da3dfd60209b023d03e5258fcf52a71d7d2dd9a98e620cd1a44bc0e68da6d9567041a5e616
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571