Analysis
- max time kernel: 94s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/09/2024, 21:57
Static task
- static1

Behavioral tasks
- behavioral1: Internet Explorer/ExtExport.exe (resource win10v2004-20240802-en)
- behavioral2: Internet Explorer/IEShims.dll (resource win10v2004-20240910-en)
- behavioral3: Internet Explorer/en-US/hmmapi.dll (resource win10v2004-20240802-en)
- behavioral4: Internet Explorer/en-US/ieinstal.exe.dll (resource win10v2004-20240802-en)
- behavioral5: Internet Explorer/en-US/iexplore.exe.dll (resource win10v2004-20240802-en)
- behavioral6: Internet Explorer/hmmapi.dll (resource win10v2004-20240802-en)
- behavioral7: Internet Explorer/iediagcmd.exe (resource win10v2004-20240802-en)
- behavioral8: Internet Explorer/ieinstal.exe (resource win10v2004-20240802-en)
- behavioral9: Internet Explorer/ielowutil.exe (resource win10v2004-20240802-en)
General
- Target: Internet Explorer/iediagcmd.exe
- Size: 528KB
- MD5: e7276e0f11dc763ee18dedfc7ee31b7c
- SHA1: da3e7ccf857aa0a19921b2f45d33269d41d7e513
- SHA256: 0ec05d16b1ae0b2362e521902796c32ac9cd3cbbb05e56b564902229a32297a0
- SHA512: a028275679b84c886144640b7e6e35e3a0ec0d747995a002d3859938d2b37f16f86a36b621894be1376e77a6bf176828e0795c8f9e90d571866a868906bf74c7
- SSDEEP: 6144:kkZIE1d78DBfKJcfh2mq1Zi2H2vAwP5gZpOZ1INeWe9Rlvm/JTIbvzKJcfh2m213:kk7ADBfpq1Zi2HOKOXIwgT8p21ZZ
Malware Config
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
pid | Process
2380 | netsh.exe

Event Triggered Execution: Component Object Model Hijacking (1 TTP)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

Drops file in System32 directory (16 IoCs)
description | ioc | Process
File created | \??\c:\windows\system32\driverstore\filerepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF | dxdiag.exe
File created | C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF | dxdiag.exe
File created | C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF | dxdiag.exe
File created | C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF | dxdiag.exe
File created | \??\c:\windows\system32\driverstore\filerepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF | dxdiag.exe
File created | C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF | dxdiag.exe
File created | \??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF | dxdiag.exe
File created | \??\c:\windows\system32\driverstore\filerepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF | dxdiag.exe
File created | C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF | dxdiag.exe
File created | \??\c:\windows\system32\driverstore\filerepository\machine.inf_amd64_b748590104fe1c15\machine.PNF | dxdiag.exe
File created | \??\c:\windows\system32\driverstore\filerepository\input.inf_amd64_adeb6424513f60a2\input.PNF | dxdiag.exe
File created | \??\c:\windows\system32\driverstore\filerepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF | dxdiag.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF | dxdiag.exe
File created | C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF | dxdiag.exe
File created | \??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF | dxdiag.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF | dxdiag.exe

Event Triggered Execution: Netsh Helper DLL (1 TTP, 9 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | dxdiag.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | dxdiag.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | dxdiag.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | dxdiag.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | dxdiag.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | dxdiag.exe

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
pid | Process
648 | ipconfig.exe

Modifies registry class (35 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1" | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject" | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment" | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class" | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32 | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B} | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7} | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1 | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1 | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class" | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID | dxdiag.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-355097885-2402257403-2971294179-1000\{7CF6ABDB-10A1-454D-BE70-1DD2F9BF3EDA} | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32 | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1" | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class" | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\system32\\dxdiagn.dll" | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class" | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1" | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable" | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class" | dxdiag.exe
Modifies system certificate store
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | iediagcmd.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob not reproduced on this page] | iediagcmd.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob not reproduced on this page] | iediagcmd.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
2352 | dxdiag.exe
2352 | dxdiag.exe
948 | iediagcmd.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
948 | iediagcmd.exe
948 | iediagcmd.exe
2352 | dxdiag.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 948 wrote to memory of 2352 | 948 | iediagcmd.exe | 83
PID 948 wrote to memory of 2352 | 948 | iediagcmd.exe | 83
PID 948 wrote to memory of 648 | 948 | iediagcmd.exe | 86
PID 948 wrote to memory of 648 | 948 | iediagcmd.exe | 86
PID 948 wrote to memory of 3180 | 948 | iediagcmd.exe | 88
PID 948 wrote to memory of 3180 | 948 | iediagcmd.exe | 88
PID 948 wrote to memory of 4020 | 948 | iediagcmd.exe | 90
PID 948 wrote to memory of 4020 | 948 | iediagcmd.exe | 90
PID 948 wrote to memory of 2380 | 948 | iediagcmd.exe | 92
PID 948 wrote to memory of 2380 | 948 | iediagcmd.exe | 92
PID 948 wrote to memory of 4908 | 948 | iediagcmd.exe | 94
PID 948 wrote to memory of 4908 | 948 | iediagcmd.exe | 94
PID 948 wrote to memory of 2784 | 948 | iediagcmd.exe | 96
PID 948 wrote to memory of 2784 | 948 | iediagcmd.exe | 96
Processes
- C:\Users\Admin\AppData\Local\Temp\Internet Explorer\iediagcmd.exe (level 1, PID 948)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Internet Explorer\iediagcmd.exe"
  Signatures: Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\dxdiag.exe (level 2, PID 2352)
    Command line: "C:\Windows\system32\dxdiag.exe" /x C:\Users\Admin\AppData\Local\Temp\dxdiag.xml
    Signatures: Drops file in System32 directory; Checks SCSI registry key(s); Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
  - C:\Windows\SYSTEM32\ipconfig.exe (level 2, PID 648)
    Command line: "ipconfig" /all
    Signatures: Gathers network information
  - C:\Windows\SYSTEM32\route.exe (level 2, PID 3180)
    Command line: "route" print
  - C:\Windows\system32\netsh.exe (level 2, PID 4020)
    Command line: "C:\Windows\system32\netsh.exe" in tcp show global
    Signatures: Event Triggered Execution: Netsh Helper DLL
  - C:\Windows\system32\netsh.exe (level 2, PID 2380)
    Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall show rule name=all verbose
    Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
  - C:\Windows\system32\netsh.exe (level 2, PID 4908)
    Command line: "C:\Windows\system32\netsh.exe" winsock show catalog
    Signatures: Event Triggered Execution: Netsh Helper DLL
  - C:\Windows\SYSTEM32\makecab.exe (level 2, PID 2784)
    Command line: "makecab.exe" /F "C:\Users\Admin\AppData\Local\Temp\iediag_makecab_directives.txt"
Network
MITRE ATT&CK Enterprise v15

Persistence
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (2): Component Object Model Hijacking (1), Netsh Helper DLL (1)

Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (2): Component Object Model Hijacking (1), Netsh Helper DLL (1)

Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)
- Subvert Trust Controls (1): Install Root Certificate (1)
Downloads