Analysis
max time kernel: 94s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/10/2024, 07:08
Static task: static1
Behavioral task: behavioral1
  Sample: 0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
  Resource: win10v2004-20240802-en
General
Target: 0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
Size: 88KB
MD5: c5cdf1176286efaa5fc3d7185d0e51c0
SHA1: a7dabf9f070ff73be95a488393d988cd8e6f1ffa
SHA256: 0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814
SHA512: d371bdd24c03096d5c67fdfbf0758cf22a1a129fefaaf61e602fb9ab26271e700bdccf31bf0983aeb96608cee1f4f9fc1ca45e5535730bedbacf87bb6b682e9a
SSDEEP: 1536:8h7xsCKosi5pzjIcdRiTpqMGxs3lh7xsCKosi5pzjIcdRiTpqMGxs34:8EhWbcpqIlEhWbcpqI4
Malware Config
Signatures
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 6 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\debugger = "ntsd -d" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe\debugger = "ntsd -d" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\debugger = "ntsd -d" | reg.exe
Modifies system executable filetype association (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe " | cmd.exe
Drops file in Program Files directory 64 IoCs
System Location Discovery: System Language Discovery (1 TTPs, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Modifies registry class (14 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.txt \ = " exefile" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe " | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open\Command | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe " | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.txt | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe " | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open\Command | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe " | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open | cmd.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
2792 | 0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
2792 | 0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
Suspicious use of WriteProcessMemory 30 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2792

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe
    - System Location Discovery: System Language Discovery
    PID: 3336

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\123.bat
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4440

    C:\Windows\SysWOW64\reg.exe
      Command line: reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\ZhuDongFangYu.exe" /v debugger /t reg_sz /d "ntsd -d" /f
      - Event Triggered Execution: Image File Execution Options Injection
      - System Location Discovery: System Language Discovery
      PID: 940

    C:\Windows\SysWOW64\reg.exe
      Command line: reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\360tray.exe" /v debugger /t reg_sz /d "ntsd -d" /f
      - Event Triggered Execution: Image File Execution Options Injection
      - System Location Discovery: System Language Discovery
      PID: 2776

    C:\Windows\SysWOW64\reg.exe
      Command line: reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\taskmgr.exe" /v debugger /t reg_sz /d "ntsd -d" /f
      - Event Triggered Execution: Image File Execution Options Injection
      - System Location Discovery: System Language Discovery
      PID: 4056

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c assoc .txt = exefile
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID: 1140

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ftype comfile=C:\Users\Admin\AppData\Local\Temp\0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
    - Modifies system executable filetype association
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID: 4348

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ftype zipfile=C:\Users\Admin\AppData\Local\Temp\0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID: 4556

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ftype jpgfile=C:\Users\Admin\AppData\Local\Temp\0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID: 4592

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ftype txtfile=C:\Users\Admin\AppData\Local\Temp\0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID: 4396
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 443B
  MD5: 70170ba16a737a438223b88279dc6c85
  SHA1: cc066efa0fca9bc9f44013660dea6b28ddfd6a24
  SHA256: d3674f4b34a8ca8167160519aa5c66b6024eb09f4cb0c9278bc44370b0efec6a
  SHA512: 37cc8c954544374d0a1ca4d012c9bd0b47781bc9bb8d0c15a8a95b9934893db3bedee867b984c20edabe54c39574abf7250de433aade6c0d544b8dd2c972c6da
- Filesize: 88KB
  MD5: 90a9a90e8c1e2e1b95ea9f71eb8c53fc
  SHA1: 0b82e7a00dde5829cabcaf1efd08112bac9f8b44
  SHA256: ad46c59a20d00952a9e3a1769f10cb45ea18e6d59cfdd35f853c3eb6fdbb60c5
  SHA512: b7e9b29fe3c3ebde728d29f7f3e050136a5a47cc48371a1a714b9fb57bb3f59e9c6aab569a1a7a39c0221cd373ff80f17e872246eaa51addfa43264a1bcfb421