Analysis
-
max time kernel
148s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system -
submitted
29/09/2024, 21:02
Static task
static1
Behavioral task
behavioral1
Sample
4b92fdaa113dac47177e66fc158ef7ba8d8e30604d2befaf93308289e8758559.exe
Resource
win7-20240903-en
General
-
Target
4b92fdaa113dac47177e66fc158ef7ba8d8e30604d2befaf93308289e8758559.exe
-
Size
349KB
-
MD5
090e974c7161cffe453d7b57b9023308
-
SHA1
2ff3846c3800e0f729c30352f01a8b742b44569f
-
SHA256
4b92fdaa113dac47177e66fc158ef7ba8d8e30604d2befaf93308289e8758559
-
SHA512
930b42fa9668f0ea56194e5d3e1374fe6bdd70402f9ef0609fe2d4ba7912c105b4f6909d265ea5d2e9432a0f3531ef085f1bd3f3569236a58d691ea5dcf313c6
-
SSDEEP
6144:FB1QKZaOpBjQepew/PjuGyFPr527Uf2u/jGw0qun597/QKjJ8zkjDpyAYpIq:FB1Q6rpr7MrswfLjGwW5xFdRyJpt
Malware Config
Extracted
nanocore
1.2.2.2
bemery2.no-ip.biz:57628
127.0.0.1:57628
997af15f-5576-4030-975c-eb3264fb6789
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2015-04-23T21:31:33.540664436Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
true
-
connect_delay
4000
-
connection_port
57628
-
default_group
grace
-
enable_debug_mode
true
-
gc_threshold
1.048576e+08
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+09
-
mutex
997af15f-5576-4030-975c-eb3264fb6789
-
mutex_timeout
5000
-
prevent_system_sleep
true
-
primary_connection_host
bemery2.no-ip.biz
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.2
-
wan_timeout
8000
Signatures
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process: 1356 attrib.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process: Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation 4b92fdaa113dac47177e66fc158ef7ba8d8e30604d2befaf93308289e8758559.exe
-
Adds Run key to start application 2 TTPs 18 IoCs
description ioc Process:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Service = "C:\\Program Files (x86)\\DPI Service\\dpisv.exe" RegAsm.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.exe.exe" REG.exe (17 identical entries, one per REG.exe process)
-
Checks whether UAC is enabled 1 IoCs
description ioc Process: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target: PID 2024 set thread context of 2984; 2024 4b92fdaa113dac47177e66fc158ef7ba8d8e30604d2befaf93308289e8758559.exe, procid_target 111
-
Drops file in Program Files directory 2 IoCs
description ioc Process:
- File created C:\Program Files (x86)\DPI Service\dpisv.exe RegAsm.exe
- File opened for modification C:\Program Files (x86)\DPI Service\dpisv.exe RegAsm.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 40 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process:
- ping.exe (20 entries)
- REG.exe (17 entries)
- RegAsm.exe (1 entry)
- 4b92fdaa113dac47177e66fc158ef7ba8d8e30604d2befaf93308289e8758559.exe (1 entry)
- attrib.exe (1 entry)
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 20 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process: ping.exe, PIDs 4856, 2860, 1040, 4848, 1612, 3044, 1120, 2412, 4816, 4724, 2440, 1640, 1800, 4396, 2716, 3944, 636, 4420, 2644, 1956
-
Runs ping.exe 1 TTPs 20 IoCs
pid Process: ping.exe, PIDs 3044, 4816, 4724, 1040, 1956, 4856, 3944, 2860, 2644, 2440, 636, 1120, 4396, 1612, 2412, 1640, 4420, 1800, 4848, 2716
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process:
- 2984 RegAsm.exe (3 entries)
- 2024 4b92fdaa113dac47177e66fc158ef7ba8d8e30604d2befaf93308289e8758559.exe (32 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process: 2984 RegAsm.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process:
- Token: SeDebugPrivilege 2024 4b92fdaa113dac47177e66fc158ef7ba8d8e30604d2befaf93308289e8758559.exe
- Token: SeDebugPrivilege 2984 RegAsm.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target: PID 2024 (4b92fdaa113dac47177e66fc158ef7ba8d8e30604d2befaf93308289e8758559.exe) wrote to memory of the target PIDs below (procid_target in parentheses, number of entries per target):
- 4856 (82), 3044 (84), 3944 (90), 2440 (93), 636 (97), 1120 (99), 2412 (101), 4816 (103), 2860 (107), 1640 (109): 3 entries each
- 2984 (111): 8 entries
- 1356 (112), 4420 (114), 1800 (116), 4724 (118), 1040 (120), 2644 (122), 1956 (124), 4848 (126): 3 entries each
- 4396 (128): 2 entries
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process: 1356 attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4b92fdaa113dac47177e66fc158ef7ba8d8e30604d2befaf93308289e8758559.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b92fdaa113dac47177e66fc158ef7ba8d8e30604d2befaf93308289e8758559.exe"
  Depth 1, PID 2024
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes (depth 2, in tree order):
  - C:\Windows\SysWOW64\ping.exe (10 instances)
    Command line: C:\Windows\System32\ping.exe google.com
    PIDs: 4856, 3044, 3944, 2440, 636, 1120, 2412, 4816, 2860, 1640
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    PID 2984
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\attrib.exe
    Command line: "C:\Windows\System32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\4b92fdaa113dac47177e66fc158ef7ba8d8e30604d2befaf93308289e8758559.exe
    PID 1356
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
  - C:\Windows\SysWOW64\ping.exe (10 further instances)
    Command line: C:\Windows\System32\ping.exe google.com
    PIDs: 4420, 1800, 4724, 1040, 2644, 1956, 4848, 4396, 1612, 2716
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
  - C:\Windows\SysWOW64\REG.exe (17 instances)
    Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
    PIDs: 2288, 3524, 4924, 3376, 1844, 2060, 2600, 1636, 5016, 4888, 4352, 4548, 3356, 940, 3592, 3032, 1416
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (1)
Downloads
-
Filesize 349KB
MD5 afdc9bc67929288fbc720dd366129967
SHA1 cd269c5bdda94be2f18f36b9054ad83e83978dc7
SHA256 75b8a2ada1452d01880956495283748f3368295387858cdcbbd05923a3b0197a
SHA512 e1a5616ee6251a14bbe0fadc3678ae13f74b95bc543ea1797afa707876c90e80fa064b9eb086b063326047253e31d6254d77b1fb0dea0c07772497710bc0e1b4