Analysis
- max time kernel: 119s
- max time network: 113s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/09/2024, 01:30

Static task
- static1

Behavioral task
- behavioral1
  Sample: 87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe
  Resource: win7-20240903-en

Behavioral task
- behavioral2
  Sample: 87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe
  Resource: win10v2004-20240802-en

The signatures, process tree and dropped files below are from behavioral2, the 64-bit Windows 10 run (resource win10v2004-20240802-en); the arch:x86 tag reflects that the sample itself is a 32-bit executable.
General
- Target: 87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe
- Size: 45KB
- MD5: 06102d862a4a1aad9e0cc4972065a3b0
- SHA1: 9197edb6b32290f31276b39a2af162efa7a65327
- SHA256: 87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793
- SHA512: 280ee6f811c8d2e9b153f17874fe56d18b4760fb20edcefffd04ae2428b35947205ecf890de64f59eb0f1f11fe488dee4f36dc7a7e31cc7071e72422e386ae23
- SSDEEP: 768:5qt/WXwCXV/aNOFi5XOCmg9TgEqxZihrWS9ybsvw+I9D88888888888JXl:5UWXaMU5Xvp3FrbCEnl
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
Winlogon\Userinit names the program winlogon.exe launches once a user has authenticated; the stock value is "C:\Windows\system32\userinit.exe," (with the trailing comma). The sample and each dropped copy overwrite it, so the dropped C:\recycled\SVCHOST.exe runs at every interactive logon. Note the key path: the write landed under WOW6432Node because the writers are 32-bit processes (see the SysWOW64\userinit.exe launch in the process tree), and the report shows no write to the native 64-bit Winlogon key, which is the one the 64-bit winlogon.exe reads.
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"
    written by: SPOOLSV.EXE, SVCHOST.EXE (x2), 87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 4 IoCs)
HideFileExt = 1 is the Windows default, so the value by itself is not an indicator; the signal is a non-Explorer process writing it. Combined with the .scr class changes under "Modifies registry class" below, hidden extensions let a screensaver executable display as a Word document.
  Set value (int)  \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
    written by: SPOOLSV.EXE, SVCHOST.EXE (x2), 87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 4 IoCs)
ShowSuperHidden = 0 ("do not show protected operating system files") is also the Windows default; re-asserting it keeps files carrying the hidden and system attributes out of Explorer's view. As with HideFileExt, the write by the sample is the indicator, not the value.
  Set value (int)  \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
    written by: SPOOLSV.EXE, SVCHOST.EXE (x2), 87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  Key value queried  \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation
    by: 87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe
Executes dropped EXE (12 IoCs)
SVCHOST.EXE and SPOOLSV.EXE here are the copies the sample dropped under C:\recycled\ and F:\recycled\ (see the process tree), named after Windows system binaries that are never legitimately found in a Recycled folder.
  PID 1216  SVCHOST.EXE
  PID 3056  SVCHOST.EXE
  PID 2876  SVCHOST.EXE
  PID 3316  SVCHOST.EXE
  PID 3972  SVCHOST.EXE
  PID 512   SPOOLSV.EXE
  PID 1268  SVCHOST.EXE
  PID 4476  SVCHOST.EXE
  PID 5048  SPOOLSV.EXE
  PID 2428  SPOOLSV.EXE
  PID 2676  SVCHOST.EXE
  PID 4436  SPOOLSV.EXE
Drops desktop.ini file(s) (2 IoCs)
A desktop.ini controls how Explorer presents the folder that contains it (display name, icon, special-folder treatment). Its presence on both C: and the second volume F: shows the sample created a Recycled folder on each drive it reached.
  File opened for modification  C:\Recycled\desktop.ini
    by: 87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe
  File opened for modification  F:\Recycled\desktop.ini
    by: 87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive. All 64 recorded events are "File opened (read-only) \??\<letter>:" (64 is the report's per-signature display limit, so the true count may be higher); grouped by process:
  87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe (14 opens): E:, G:, H:, I:, J:, L:, M:, O:, P:, S:, T:, V:, W:, Y:
  SVCHOST.EXE (34 opens across several instances): E:, G:, H:, I:, J:, K:, L:, M:, N:, O:, P:, Q:, R:, S:, T:, U:, V:, W:, X:, Y:, Z:
  SPOOLSV.EXE (16 opens): G:, H:, I:, J:, K:, M:, O:, P:, Q:, R:, T:, U:, V:, W:, X:, Z:
A sweep of every letter from E: to Z: by the sample and each dropped copy is consistent with a search for further volumes to copy itself to, matching the F:\recycled\ copies in the process tree.
Drops file in Program Files directory (1 IoC)
  File opened for modification  C:\Program Files\Microsoft Office\Root\VFS\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\docicon.exe
    by: 87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe
This is the file the rewritten Word.Document.8\DefaultIcon value (under "Modifies registry class") points at: the sample supplies the icon resource for Word 97-2003 documents from a file it controls.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 14 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Opening the NLS\Language key is also routine for ordinary software; the legitimate userinit.exe appears among the processes below, so this signature is low-fidelity on its own.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by: SVCHOST.EXE (x8), SPOOLSV.EXE (x4), 87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe (x1), userinit.exe (x1)
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Here every read comes from WINWORD.EXE, which the sample launched on the .doc of the same name; these reads are typical of Office start-up, so attribute them to Word rather than to the sample's own code.
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  (WINWORD.EXE)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (WINWORD.EXE)
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  (WINWORD.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
Same caveat as above: all three reads are by WINWORD.EXE.
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS  (WINWORD.EXE)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  (WINWORD.EXE)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  (WINWORD.EXE)
Modifies registry class (30 IoCs)
Taken together these changes make screensaver executables look like Word documents: the .scr file type's display name becomes "Microsoft Word 97 - 2003 Document", the shell\config and shell\install verbs (which would reveal a .scr as a screensaver in its context menu) are deleted, the Word 97-2003 document class's icon is pointed at the docicon.exe the sample dropped under Program Files, and the per-user InfoTip/QuickTip/TileInfo hints for all files (*) are reduced to type, size and (for InfoTip) write time. With HideFileExt = 1 (see above) a dropped .scr then shows in Explorer with a document-style name and icon.
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"
    by: 87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe, SVCHOST.EXE (x2), SPOOLSV.EXE
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\  (value not shown in the report)
    by: 87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe, SVCHOST.EXE (x2), SPOOLSV.EXE
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG\COMMAND
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL\COMMAND
    all four by: 87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe"
    by: 87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe, SVCHOST.EXE (x2), SPOOLSV.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\*\InfoTip = "prop:Type;Write;Size"
    by: 87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe, SVCHOST.EXE (x2), SPOOLSV.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\*\QuickTip = "prop:Type;Size"
    by: 87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe, SVCHOST.EXE (x2), SPOOLSV.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\*\TileInfo = "prop:Type;Size"
    by: 87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe, SVCHOST.EXE (x2), SPOOLSV.EXE
  Key created      \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings
    by: 87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe, Explorer.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  PID 2068  WINWORD.EXE (x2)
Registering a clipboard listener is normal for Word and is not attributable to the sample.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 512   SPOOLSV.EXE  (x12)
  PID 2876  SVCHOST.EXE  (x12)
  PID 1216  SVCHOST.EXE  (x24)
  PID 956   87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe  (x16)
Suspicious use of SetWindowsHookEx (20 IoCs)
  PID 956   87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe
  PIDs 1216, 3056, 2876, 3316, 3972, 1268, 4476, 2676  SVCHOST.EXE (one each)
  PIDs 512, 5048, 2428, 4436  SPOOLSV.EXE (one each)
  PID 2068  WINWORD.EXE (x7)
Suspicious use of WriteProcessMemory (43 IoCs)
Every target below is the writer's own child in the process tree, and the writes occur in clusters of two or three per child at creation time, so this reflects the spawning chain rather than injection into unrelated processes.
  writer PID (image)      -> target PID (image)        writes  procid_target
  956  (87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe) -> 1216 (SVCHOST.EXE)   x3  82
  1216 (SVCHOST.EXE)      -> 3056 (SVCHOST.EXE)        x3  83
  1216 (SVCHOST.EXE)      -> 2876 (SVCHOST.EXE)        x3  84
  2876 (SVCHOST.EXE)      -> 3316 (SVCHOST.EXE)        x3  85
  2876 (SVCHOST.EXE)      -> 3972 (SVCHOST.EXE)        x3  86
  2876 (SVCHOST.EXE)      -> 512  (SPOOLSV.EXE)        x3  87
  512  (SPOOLSV.EXE)      -> 1268 (SVCHOST.EXE)        x3  88
  512  (SPOOLSV.EXE)      -> 4476 (SVCHOST.EXE)        x3  89
  512  (SPOOLSV.EXE)      -> 5048 (SPOOLSV.EXE)        x3  90
  1216 (SVCHOST.EXE)      -> 2428 (SPOOLSV.EXE)        x3  91
  956  (87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe) -> 2676 (SVCHOST.EXE)   x3  92
  1216 (SVCHOST.EXE)      -> 1048 (userinit.exe)       x3  93
  956  (87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe) -> 4436 (SPOOLSV.EXE)   x3  94
  1048 (userinit.exe)     -> 680  (Explorer.EXE)       x2  95
  956  (87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe) -> 2068 (WINWORD.EXE)   x2  96
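The following host-audit function is an added example and is not part of the Triage report or its signature output: it checks a Windows host for the registry and file artifacts listed in the Signatures above. It assumes the stock Userinit value is exactly "<SystemRoot>\system32\userinit.exe," and that a stock install has scrfile\shell\config and scrfile\shell\install verbs; it treats HideFileExt = 1 and ShowSuperHidden = 0 as context only, because both are Windows defaults; and it uses the sample's SHA-256 plus the three 45KB hashes from the Downloads section for opportunistic matching, since the report does not state which dropped file each hash belongs to.

```powershell
# Added example (not from the Triage report): audit a Windows host for the artifacts
# listed in the Signatures section. Run from an elevated, 64-bit PowerShell 5.1+ prompt.
# Lines marked ASSUMPTION are not stated by the report.
function Get-RecycledDropperIndicators {
    [CmdletBinding()]
    param(
        # SHA-256 of the sample plus the three 45KB dropped files from the Downloads section.
        # ASSUMPTION: the report does not map these hashes to paths, so a match is
        # opportunistic; a listed path with an unknown hash is still reported.
        [string[]]$KnownSha256 = @(
            '87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793',
            'fb770d28648b9b9dff7649a6bc256b864ebad55978b530d75b3efebe6986ffd1',
            '791094d0ab6cca4885e2809700389f379def63c9c11aba292916f4414420f2f9',
            '6457787b479ae274b841fcb31ab14a3c8faab85b72f8f3b0d45a9dbe54202cb1'
        )
    )

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Severity, [string]$Check, [string]$Location, [string]$Value) {
        $findings.Add([pscustomobject]@{ Severity = $Severity; Check = $Check; Location = $Location; Value = $Value })
    }
    function Get-HashNote([string]$Path) {
        $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
        if ($KnownSha256 -contains $hash) { "$hash (matches a hash in the report)" }
        else { "$hash (path from the report; hash not in the report)" }
    }

    # 1. Winlogon\Userinit. ASSUMPTION: stock value is exactly "<SystemRoot>\system32\userinit.exe,"
    #    (trailing comma). Any other entry runs at every interactive logon. The sample's write
    #    landed under WOW6432Node, so both registry views are checked.
    $expectedUserinit = "$env:SystemRoot\system32\userinit.exe"
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon') {
        $userinit = (Get-ItemProperty -Path $key -Name Userinit -ErrorAction SilentlyContinue).Userinit
        if (-not $userinit) { continue }
        $extra = $userinit.Split(',') | ForEach-Object { $_.Trim() } |
                 Where-Object { $_ -and $_ -ne $expectedUserinit }
        if ($extra) { Add-Finding 'High' 'Winlogon Userinit altered' "$key\Userinit" $userinit }
    }

    # 2. .scr file class rewritten to look like a Word document: display name, deleted shell
    #    verbs, and the Word 97-2003 icon pointed at a dropped docicon.exe.
    $scrName = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\scrfile' -ErrorAction SilentlyContinue).'(default)'
    if ($scrName -match 'Word') { Add-Finding 'High' 'scrfile display name changed' 'HKLM:\SOFTWARE\Classes\scrfile' $scrName }
    foreach ($verb in 'config', 'install') {
        # ASSUMPTION: a stock install carries the scrfile\shell\config and scrfile\shell\install verbs.
        if (-not (Test-Path "HKLM:\SOFTWARE\Classes\scrfile\shell\$verb")) {
            Add-Finding 'Medium' 'scrfile shell verb deleted' "HKLM:\SOFTWARE\Classes\scrfile\shell\$verb" '<missing>'
        }
    }
    $icon = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\Word.Document.8\DefaultIcon' -ErrorAction SilentlyContinue).'(default)'
    if ($icon -match 'docicon\.exe') { Add-Finding 'High' 'Word.Document.8 DefaultIcon redirected' 'HKLM:\SOFTWARE\Classes\Word.Document.8\DefaultIcon' $icon }

    # 3. Explorer view settings the sample forces. Both are also Windows defaults, so they are
    #    reported as Info: context for the other findings, not evidence on their own.
    Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object {
            $adv = "Registry::HKEY_USERS\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
            $p = Get-ItemProperty -Path $adv -ErrorAction SilentlyContinue
            if ($p -and $p.HideFileExt -eq 1)     { Add-Finding 'Info' 'Extensions hidden' "$adv\HideFileExt" $p.HideFileExt }
            if ($p -and $p.ShowSuperHidden -eq 0) { Add-Finding 'Info' 'System files hidden' "$adv\ShowSuperHidden" $p.ShowSuperHidden }
        }

    # 4. Dropped files: <drive>:\recycled\{SVCHOST,SPOOLSV}.EXE and desktop.ini on every volume,
    #    plus docicon.exe under the Office VFS directory. The real svchost/spoolsv never live here.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $dir = Join-Path $drive.Root 'recycled'
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($name in 'SVCHOST.EXE', 'SPOOLSV.EXE') {
            $exe = Join-Path $dir $name
            if (Test-Path -LiteralPath $exe) { Add-Finding 'High' 'Dropped executable present' $exe (Get-HashNote $exe) }
        }
        $ini = Join-Path $dir 'desktop.ini'
        if (Test-Path -LiteralPath $ini) {
            Add-Finding 'Medium' 'desktop.ini in recycled folder' $ini ((Get-Content -LiteralPath $ini -Raw) -replace '\s+', ' ')
        }
    }
    $docicon = Join-Path $env:ProgramFiles 'Microsoft Office\Root\VFS\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\docicon.exe'
    if (Test-Path -LiteralPath $docicon) { Add-Finding 'High' 'Dropped executable present' $docicon (Get-HashNote $docicon) }

    return $findings
}

Get-RecycledDropperIndicators | Format-Table -AutoSize -Wrap
```

Run it elevated so every loaded user hive and the HKLM keys are readable, and from a 64-bit PowerShell: a 32-bit shell would itself be redirected to WOW6432Node and would miss the native Winlogon key. Treat any High finding as confirmation, and review Medium findings against a known-good host before acting on them, since legitimate software occasionally appends its own entry to Userinit.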
Processes
(indentation shows parent/child relationships)

PID 956  C:\Users\Admin\AppData\Local\Temp\87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  PID 1216  C:\recycled\SVCHOST.EXE
    command line: C:\recycled\SVCHOST.EXE :agent
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    PID 3056  C:\recycled\SVCHOST.EXE
      command line: C:\recycled\SVCHOST.EXE :agent
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

    PID 2876  F:\recycled\SVCHOST.EXE
      command line: F:\recycled\SVCHOST.EXE :agent
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      PID 3316  C:\recycled\SVCHOST.EXE
        command line: C:\recycled\SVCHOST.EXE :agent
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

      PID 3972  F:\recycled\SVCHOST.EXE
        command line: F:\recycled\SVCHOST.EXE :agent
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

      PID 512  C:\recycled\SPOOLSV.EXE
        command line: C:\recycled\SPOOLSV.EXE :agent
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Enumerates connected drives
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        PID 1268  C:\recycled\SVCHOST.EXE
          command line: C:\recycled\SVCHOST.EXE :agent
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx

        PID 4476  F:\recycled\SVCHOST.EXE
          command line: F:\recycled\SVCHOST.EXE :agent
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx

        PID 5048  C:\recycled\SPOOLSV.EXE
          command line: C:\recycled\SPOOLSV.EXE :agent
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx

    PID 2428  C:\recycled\SPOOLSV.EXE
      command line: C:\recycled\SPOOLSV.EXE :agent
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

    PID 1048  C:\Windows\SysWOW64\userinit.exe
      command line: C:\Windows\system32\userinit.exe
      (a 32-bit parent asked for system32\userinit.exe; the file-system redirector resolved it to the SysWOW64 copy)
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      PID 680  C:\Windows\Explorer.EXE
        command line: C:\Windows\Explorer.EXE
        - Modifies registry class

  PID 2676  F:\recycled\SVCHOST.EXE
    command line: F:\recycled\SVCHOST.EXE :agent
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

  PID 4436  C:\recycled\SPOOLSV.EXE
    command line: C:\recycled\SPOOLSV.EXE :agent
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

  PID 2068  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.doc" /o ""
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

Reading the tree: the sample launches its dropped copies from C:\recycled\ and F:\recycled\ with the ":agent" argument, and those copies in turn launch further copies from both drives. One copy (PID 1216) starts the 32-bit userinit.exe, which starts Explorer, the same sequence winlogon.exe would produce through the hijacked Userinit value. Finally the sample opens a .doc with its own base name in Word (PID 2068), which is what a user who double-clicked an executable disguised as a document would expect to see; the Word-attributed signatures (processor and BIOS reads, clipboard listener) belong to Office, not to the sample.
Network
MITRE ATT&CK Enterprise v15
Downloads
Only one of the captured files kept its path in the report. Three entries are 45KB, the size of the sample, but none carries the sample's hash; the report does not record which dropped file each one is.

- Filesize: 45KB
  MD5: d8d281753a419185b9e0741afbe741a0
  SHA1: 417af6051aa1f79057c7cd9d0bcf48d2bdabb56d
  SHA256: fb770d28648b9b9dff7649a6bc256b864ebad55978b530d75b3efebe6986ffd1
  SHA512: d7402114de5a5c242dd01d14589226cfac89540fd435c7091d1854f5de2facd2cb12eb4541b245ca0722dcffeb55061b3f5a808f6090518cfd8920043603df3b

- Filesize: 45KB
  MD5: 595811ca02a2ab88705471d302649e69
  SHA1: a88c5195744e432bd92455a5265535b8affe6a51
  SHA256: 791094d0ab6cca4885e2809700389f379def63c9c11aba292916f4414420f2f9
  SHA512: f3d64f51716b1a97c57f028e3ebc49a1eb5bec952ed94f8f4008112a039090e47331333ead7f995ee10f9710db5a3d81bd421f61988c1c6d8d8917153f2f5249

- Filesize: 1KB
  MD5: 0269b6347e473980c5378044ac67aa1f
  SHA1: c3334de50e320ad8bce8398acff95c363d039245
  SHA256: 68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
  SHA512: e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

- Filesize: 262KB
  MD5: 51d32ee5bc7ab811041f799652d26e04
  SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
  SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
  SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

- Filesize: 16B
  MD5: d29962abc88624befc0135579ae485ec
  SHA1: e40a6458296ec6a2427bcb280572d023a9862b31
  SHA256: a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
  SHA512: 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  (a jump-list file, an artifact of the .doc being opened in Word)
  Filesize: 2KB
  MD5: f2ea28f1ccea5d5d1dcf40cbc9ece6fb
  SHA1: f32187d5328fcfb3210aaa7009604e330a7af7d7
  SHA256: f06aec9360eaceca3c134110ba30f08fe6e0e37283f40d15dd04cd5804fa2127
  SHA512: 471e66d4268cef25f60e0ddb5c7912395de3a1e4174ee719f7a4d47bed60d81ca237c5b1eb80dfdd817abd24a2ad3f1e0c509a00b0b04ce10df2ddd10d3f574a

- Filesize: 2B
  MD5: 2b9d4fa85c8e82132bde46b143040142
  SHA1: a02431cf7c501a5b368c91e41283419d8fa9fb03
  SHA256: 4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142
  SHA512: c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

- Filesize: 45KB
  MD5: 9431b9b571ebe9435b28ad1870951a4a
  SHA1: 1dc7833ca2eb05af3260a049edb1dcf6efc33efd
  SHA256: 6457787b479ae274b841fcb31ab14a3c8faab85b72f8f3b0d45a9dbe54202cb1
  SHA512: 2f2fc1e05ac9dfa9b113b012979b5558b81d43249ab446544dac6d3150052481fbe87cd5b6248da927ff79ed88f4caa8e4433ac32b1c5d17993aa37e509a583e