Analysis
max time kernel: 213s
max time network: 214s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 07/10/2024, 18:23 (7 October 2024; the day/month order follows from the image build date 20241007 and the Chrome variations seed 20241006 seen in the process tree)
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://bazaar.abuse.ch/sample/405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84/
Resource: win11-20241007-en
General
Target: https://bazaar.abuse.ch/sample/405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84/
Malware Config
Extracted
Family: agenttesla
Protocol: smtp
Host: 162.254.34.31
Port: 587
Username: [email protected]
Password: ABwuRZS5Mjh5
Email To: [email protected]
The two address fields are shown masked as [email protected] on the source page and are not recoverable here. The host, port and password are the attacker's own mailbox credentials embedded in the binary (Agent Tesla sends its harvested data as e-mail through this account), so they are useful for blocking at egress and for an abuse report to the mail provider, not evidence of a compromised victim account.
Signatures
Note on attribution: the task was submitted as a URL, so the chrome.exe (and its child processes), 7zG.exe and EXCEL.EXE entries below are the sandbox session fetching, unpacking and working alongside the sample; in the process tree they hang off Explorer.EXE, not off the sample. Behaviour attributable to the sample is confined to 405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe (PIDs 3124 and 7728), docdd.exe (PID 7692) and tmpACE5.tmp.exe (PIDs 7940 and 7932).
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer. The extracted config above shows this build exfiltrating harvested credentials over SMTP.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Process creation with a parent other than the caller (parent PID spoofing). In both entries the claimed parent is Explorer.EXE (PID 3152, procid_target 52); the children actually created here, PIDs 7728 and 7932, therefore appear directly under Explorer.EXE in the process tree below instead of under the process that spawned them, which is the point of the technique.
description | pid | Process | procid_target
PID 3124 created 3152 | 3124 | 405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe | 52
PID 7940 created 3152 | 7940 | tmpACE5.tmp.exe | 52
Executes dropped EXE 5 IoCs
pid | Process
3124 | 405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe
7692 | docdd.exe
7728 | 405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe
7940 | tmpACE5.tmp.exe
7932 | tmpACE5.tmp.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Both the original executable and the re-launched copy write the same HKCU Run value, ioibrzb, pointing at a copy of the stealer under the user's roaming AppData. A random value name plus a user-writable target path is the usual shape of infostealer persistence and is easy to hunt for.
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\ioibrzb = "C:\\Users\\Admin\\AppData\\Roaming\\ioibrzb.exe" | 405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\ioibrzb = "C:\\Users\\Admin\\AppData\\Roaming\\ioibrzb.exe" | tmpACE5.tmp.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
3 | api.ipify.org
21 | api.ipify.org
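The extracted SMTP config and the api.ipify.org lookup above are the two network facts in this report worth turning into a hunt. The Python below is an added example written for this page, not Triage's own code: it correlates per-process flow records against the config's server and port, flags SMTP-submission traffic from anything that is not a mail client, and ties it to an external-IP lookup shortly before the send (Agent Tesla resolves the victim's public IP for the report it e-mails). The flow records are constructed to resemble a host sensor's per-process network log and are not a real capture; the process names, the mail-client allow-list and the 60-second window are assumptions.

```python
"""Correlate Agent Tesla style SMTP exfiltration with the external-IP lookup before it.

Added example for this report, not Triage's code. Server, port and the
api.ipify.org host come from the report; the flows below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# From the extracted config and the "Looks up external IP address" signature.
EXFIL_HOST = "162.254.34.31"
EXFIL_PORT = 587                      # SMTP submission port in the config
IP_LOOKUP_HOSTS = {"api.ipify.org"}   # external-IP service hit before sending
SMTP_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allow-list

SAMPLE_EXE = "405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe"


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since task start
    pid: int
    process: str
    dst: str       # destination host name or IP
    dport: int


# Constructed flows modelled on the report's process tree (not real data).
SAMPLE_FLOWS = [
    Flow(12.0, 3524, "chrome.exe", "bazaar.abuse.ch", 443),
    Flow(40.5, 7728, SAMPLE_EXE, "api.ipify.org", 443),
    Flow(41.2, 7728, SAMPLE_EXE, EXFIL_HOST, EXFIL_PORT),
    Flow(95.0, 7932, "tmpACE5.tmp.exe", "api.ipify.org", 443),
    Flow(96.1, 7932, "tmpACE5.tmp.exe", EXFIL_HOST, EXFIL_PORT),
    Flow(120.0, 4120, "outlook.exe", "smtp.office365.com", 587),  # benign control
]


def find_exfil(flows, window=60.0):
    """Return {pid: [reasons]} for processes whose flows look like Agent Tesla exfil.

    Three tests are applied to every SMTP-port flow: exact match on the
    configured server, SMTP from a process that is not a mail client, and an
    external-IP lookup by the same process within `window` seconds before.
    """
    by_pid = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_pid[f.pid].append(f)

    findings = {}
    for pid, pf in by_pid.items():
        lookups = [f.ts for f in pf if f.dst in IP_LOOKUP_HOSTS]
        reasons = []
        for f in pf:
            if f.dport not in SMTP_PORTS:
                continue
            if f.dst == EXFIL_HOST and f.dport == EXFIL_PORT:
                reasons.append(f"known Agent Tesla SMTP server {f.dst}:{f.dport}")
            elif f.process.lower() not in MAIL_CLIENTS:
                reasons.append(f"SMTP from non-mail client {f.process} to {f.dst}")
            # The stealer learns the victim's public IP for the report body
            # just before it sends, so a lookup shortly before SMTP is telling.
            prior = [t for t in lookups if 0 <= f.ts - t <= window]
            if prior:
                reasons.append(f"api.ipify.org lookup {f.ts - max(prior):.1f}s before SMTP")
        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in find_exfil(SAMPLE_FLOWS).items():
        print(pid, *reasons, sep="\n  ")
```

Port 587 normally carries STARTTLS, so a network sensor will not see the message body or the credentials; the reliable signals are the destination (the config's host) and the process making the connection, which is why the correlation is done per process rather than on payload.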
Suspicious use of SetThreadContext 2 IoCs
Each caller rewrites the thread context of the child it created a moment earlier with a spoofed parent (PIDs 7728 and 7932, see NtCreateUserProcessOtherParentProcess above). Create-suspended, replace the image, SetThreadContext, resume is the process-hollowing sequence, so the on-disk file of those children is not what ran in them.
description | pid | Process | procid_target
PID 3124 set thread context of 7728 | 3124 | 405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe | 99
PID 7940 set thread context of 7932 | 7940 | tmpACE5.tmp.exe | 101
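The three tables above (NtCreateUserProcessOtherParentProcess, Adds Run key, SetThreadContext) describe one chain per stage: spoof the parent, hollow the child, persist. The Python below is an added example for this page, not Triage's code; it replays that chain as a detector over an event list constructed from the report's tables. It assumes a sensor that records the calling pid for every operation, as Triage's tables do (pid, Process, procid_target); Sysmon alone logs only the claimed parent, so the spoofing test would need an EDR feed there. A Chrome create-and-write-memory pair is included as a benign control because browsers do that constantly without SetThreadContext.

```python
"""Rebuild the injection and persistence chain from the report's signature tables.

Added example, not Triage's code. Events are constructed from the report;
`pid` is always the process that made the call, as in Triage's tables.
"""
import re
from collections import defaultdict

SAMPLE_EXE = "405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe"
RUN_VALUE = r"C:\Users\Admin\AppData\Roaming\ioibrzb.exe"
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run\ioibrzb")

# Constructed events mirroring the report (not a real log).
EVENTS = [
    {"op": "create_process", "pid": 3152, "child": 3124, "claimed_parent": 3152, "image": SAMPLE_EXE},
    {"op": "create_process", "pid": 3124, "child": 7728, "claimed_parent": 3152, "image": SAMPLE_EXE},
    {"op": "set_thread_context", "pid": 3124, "target": 7728},
    {"op": "reg_set", "pid": 3124, "key": RUN_KEY, "value": RUN_VALUE},
    {"op": "create_process", "pid": 3124, "child": 7692, "claimed_parent": 3124, "image": "docdd.exe"},
    {"op": "create_process", "pid": 7692, "child": 7940, "claimed_parent": 7692, "image": "tmpACE5.tmp.exe"},
    {"op": "create_process", "pid": 7940, "child": 7932, "claimed_parent": 3152, "image": "tmpACE5.tmp.exe"},
    {"op": "set_thread_context", "pid": 7940, "target": 7932},
    {"op": "reg_set", "pid": 7940, "key": RUN_KEY, "value": RUN_VALUE},
    # Chrome creating and writing into its own sandboxed children is normal.
    {"op": "create_process", "pid": 3524, "child": 5032, "claimed_parent": 3524, "image": "chrome.exe"},
    {"op": "write_memory", "pid": 3524, "target": 5032},
]

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.I)


def analyse(events):
    """Return {caller_pid: [findings]}; processes with nothing suspicious are omitted."""
    findings = defaultdict(list)
    creator = {}  # child pid -> pid that actually called NtCreateUserProcess
    for e in events:
        pid = e["pid"]
        if e["op"] == "create_process":
            creator[e["child"]] = pid
            # The parent recorded in the new process differs from the caller.
            if e["claimed_parent"] != pid:
                findings[pid].append(
                    f"parent PID spoofing: created {e['child']} ({e['image']}) "
                    f"claiming parent {e['claimed_parent']}")
        elif e["op"] == "set_thread_context":
            # Rewriting the start context of a process you just created is the
            # hallmark of hollowing (create suspended, unmap, write, resume).
            if creator.get(e["target"]) == pid:
                findings[pid].append(f"probable process hollowing of own child {e['target']}")
        elif e["op"] == "reg_set":
            if RUN_KEY_RE.search(e["key"]) and USER_WRITABLE_RE.match(e["value"].strip('"')):
                findings[pid].append(f"Run-key persistence to user-writable path {e['value']}")
    return dict(findings)


if __name__ == "__main__":
    for pid, items in analyse(EVENTS).items():
        print(pid, *items, sep="\n  ")
```

Scoring the three findings together on one pid is what separates this sample from the browser noise in the same report: chrome.exe writes memory into dozens of children but never changes their thread context, and never touches a Run key.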
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SystemTemp | chrome.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | docdd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpACE5.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpACE5.tmp.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments. All three entries here come from EXCEL.EXE, not from the sample.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry 2 TTPs 6 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Modifies data under HKEY_USERS 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
NTFS ADS 1 IoCs
Chrome's quarantine service (PID 224 in the process tree) writing the Zone.Identifier stream on the downloaded archive is the Mark-of-the-Web being applied; it is the browser's normal download handling, not sample behaviour.
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.zip:Zone.Identifier | chrome.exe
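The Zone.Identifier stream above is the only place this report shows the Mark-of-the-Web, and it is on the .zip; whether the extracted .exe received one is not shown, which is the first thing to check on a real host because SmartScreen and Office Protected View key off that stream. The Python below is an added example for this page, not Triage's code: it parses a Zone.Identifier stream, reads one from an NTFS file when run on Windows, and reports whether the mark survived extraction. The stream text is constructed in Chrome's usual [ZoneTransfer] layout (the page does not show the real 202-byte content) and the URLs in it are the report's target URL used as placeholders.

```python
"""Parse and check the Zone.Identifier (Mark-of-the-Web) alternate data stream.

Added example, not Triage's code. SAMPLE_ADS is constructed; the real stream's
contents are not on the page.
"""
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed stream text (assumption: Chrome's usual [ZoneTransfer] layout).
SAMPLE_ADS = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://bazaar.abuse.ch/sample/405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84/\r\n"
    "HostUrl=https://bazaar.abuse.ch/sample/405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84/\r\n"
)


def parse_zone_identifier(text):
    """Return zone_id, zone_name, referrer_url and host_url from stream text.

    Only keys inside the [ZoneTransfer] section count; a stream without a
    numeric ZoneId yields zone_id None so the caller cannot mistake it for zone 0.
    """
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    zone_id = int(fields["zoneid"]) if fields.get("zoneid", "").isdigit() else None
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "unknown") if zone_id is not None else None,
        "referrer_url": fields.get("referrerurl"),
        "host_url": fields.get("hosturl"),
    }


def read_zone_identifier(path):
    """Read <path>:Zone.Identifier on NTFS; None when the file carries no stream.

    On Windows the ':Zone.Identifier' suffix opens the alternate data stream.
    Elsewhere, or when the stream is absent, the open fails and None is returned,
    which is exactly the 'no Mark-of-the-Web' answer an analyst wants.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def motw_survived(archive_ads, extracted_ads):
    """True if an Internet-zone mark on the archive is also present on the extracted file."""
    if archive_ads is None or archive_ads["zone_id"] != 3:
        return False
    return extracted_ads is not None and extracted_ads["zone_id"] == 3


if __name__ == "__main__":
    zone = parse_zone_identifier(SAMPLE_ADS)
    print(zone)
    exe = r"C:\Users\Admin\Downloads\405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe"
    print("mark survived extraction:", motw_survived(zone, read_zone_identifier(exe)))
```

On a live host the same check is one PowerShell call, Get-Content -Stream Zone.Identifier, against both the archive and the extracted executable; the point of keeping it in code is to run it across a whole Downloads directory during triage.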
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
7932 | tmpACE5.tmp.exe
6872 | EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
3524 | chrome.exe (2 entries)
3124 | 405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe
7728 | 405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe (2 entries)
7940 | tmpACE5.tmp.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid | Process
3524 | chrome.exe (3 entries; benign here, Chrome launches its sandboxed children with this mitigation policy)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, alternating, 64 entries in all | 3524 | chrome.exe
-
Suspicious use of FindShellTrayWindow 35 IoCs
pid | Process
3524 | chrome.exe (34 entries)
5016 | 7zG.exe
-
Suspicious use of SendNotifyMessage 12 IoCs
pid | Process
3524 | chrome.exe (12 entries)
-
Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process
6872 | EXCEL.EXE (12 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
All 64 entries are PID 3524 chrome.exe writing into its own child processes (procid_target 79 to 82); 5032 and 2688 account for nearly all of them. No entry involves the sample.
description | pid | Process | procid_target
PID 3524 wrote to memory of 2088 | 3524 | chrome.exe | 79 (2 entries)
PID 3524 wrote to memory of 5032 | 3524 | chrome.exe | 80
PID 3524 wrote to memory of 2532 | 3524 | chrome.exe | 81 (2 entries)
PID 3524 wrote to memory of 2688 | 3524 | chrome.exe | 82
Processes
Indentation shows the parent/child depth Triage reports (1 = top level). Signatures attributed to a process are listed under it.

C:\Windows\Explorer.EXE  [PID 3152]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://bazaar.abuse.ch/sample/405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84/  [PID 3524]
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83b28cc40,0x7ff83b28cc4c,0x7ff83b28cc58  [PID 2088]
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1708,i,6544499944011439273,1849587721634162570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1704 /prefetch:2  [PID 5032]
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2068,i,6544499944011439273,1849587721634162570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2084 /prefetch:3  [PID 2532]
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2160,i,6544499944011439273,1849587721634162570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2336 /prefetch:8  [PID 2688]
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,6544499944011439273,1849587721634162570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3112 /prefetch:1  [PID 4892]
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3076,i,6544499944011439273,1849587721634162570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3148 /prefetch:1  [PID 2568]
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4460,i,6544499944011439273,1849587721634162570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4416 /prefetch:1  [PID 1692]
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4808,i,6544499944011439273,1849587721634162570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4760 /prefetch:8  [PID 960]
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4336,i,6544499944011439273,1849587721634162570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3088 /prefetch:8  [PID 224]
      - NTFS ADS
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap16818:190:7zEvent13525  [PID 5016]
    - Suspicious use of FindShellTrayWindow
  "C:\Users\Admin\Downloads\405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe"  [PID 3124]
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    "C:\Users\Admin\AppData\Local\Temp\docdd.exe"  [PID 7692]
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      "C:\Users\Admin\AppData\Local\Temp\tmpACE5.tmp.exe"  [PID 7940]
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
  "C:\Users\Admin\Downloads\405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.exe"  [PID 7728]
    (created by PID 3124 with Explorer.EXE as the spoofed parent and then hollowed via SetThreadContext; it sits under Explorer here only because of the spoofing)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  "C:\Users\Admin\AppData\Local\Temp\tmpACE5.tmp.exe"  [PID 7932]
    (created by PID 7940 with Explorer.EXE as the spoofed parent and then hollowed via SetThreadContext)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\RegisterTest.xlsx"  [PID 6872]
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"  [PID 3304]
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc  [PID 1172]
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding  [PID 1716]
Network
MITRE ATT&CK Enterprise v15
Counts in parentheses are the number of matching signatures.
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (4)
    Credentials In Files (3)
    Credentials in Registry (1)
Downloads
Files written during the task, by hash. The source page shows a path for only three entries; the rest are listed by size and hash only. The 1.8MB entry is the submitted sample itself (its SHA256 is the sample name).
- 22KB
  MD5 3b5537dce96f57098998e410b0202920
  SHA1 7732b57e4e3bbc122d63f67078efa7cf5f975448
  SHA256 a1c54426705d6cef00e0ae98f5ad1615735a31a4e200c3a5835b44266a4a3f88
  SHA512 c038c334db3a467a710c624704eb5884fd40314cd57bd2fd154806a59c0be954c414727628d50e41cdfd86f5334ceefcf1363d641b2681c1137651cbbb4fd55d
- 98KB
  MD5 24cb2ec6cfa9fbe60bfbe091b9f560bd
  SHA1 82b151d5cde170d1d55c5d5ad12ea36fbe949f62
  SHA256 9c028b9742d2382dd5f4cd980a382bbd7cea418df9a252d7b3634b0d58c6055f
  SHA512 be3457a3135ee62c71b40796a2e3e23e295145428a6d63b0728d216fc5edcc971912ebb590ca4168a144eac8fc30afb99065e8074255162d61b97d4a738e36e2
- 213KB
  MD5 f942900ff0a10f251d338c612c456948
  SHA1 4a283d3c8f3dc491e43c430d97c3489ee7a3d320
  SHA256 38b76a54655aff71271a9ad376ac17f20187abd581bf5aced69ccde0fe6e2fd6
  SHA512 9b393ce73598ed1997d28ceeddb23491a4d986c337984878ebb0ae06019e30ea77448d375d3d6563c774856d6bc98ee3ca0e0ba88ea5769a451a5e814f6ddb41
- 480B
  MD5 1ebca178ff5aa651d5e655068d05640e
  SHA1 84663ef1d1abe70f2f4722cc2a828a5a5bc66f82
  SHA256 c45ff1b7800bf2dce6899a9c3cfe4eac7a29fb9b55018cb1f7a3f7a2f7fa43a3
  SHA512 2c8373db6bb64d93f376f987916eb4cae61ab3d1748cdec13894d6c1710345d63b90675d642742b3f1b79794f1459eb460f6bfdbd21e3d62e8320d0959775004
- 312B
  MD5 fcb0d72e71790418c85d1813016d25b3
  SHA1 a580321d2f94ee89288b3a45a99d85f1c606c1c8
  SHA256 be790e545d507ac2c4b14b1005f7ce44492371fd7bfa74496c6c8523be0d0bc1
  SHA512 da1705471465d5a6f7ea755028258a9fd95fff23b64205b747df634956c41d4f589addc566c7198dff4ae111240e6239c73aa7de87c02af081158367747c5df1
- 4KB
  MD5 1548da01cbbda1834eedd8ff25b6d977
  SHA1 f75516549ace62f78ceed1dcacd5b9fa42e68628
  SHA256 931026131bc7b6be53c5ea38a34ea256fab083a7d0378911f29cca3c17c8129d
  SHA512 7d616e6e16a9c7f189c0ab106d071f3a94bbb220b8954cfc564d1fc6e030437f4e41d7e69bab4fc54f8d42324796f34d431a966053a92a7c472b6cc805e7d75c
- 2B (these are the hashes of the two-byte JSON literal "[]", i.e. an empty browser preference or state file)
  MD5 d751713988987e9331980363e24189ce
  SHA1 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
- 690B
  MD5 361ec9b9773e003cc052a29289edf9ec
  SHA1 96820eeac101f789605695f69f6a8a3fd312eae1
  SHA256 a7bebab1fbb5ce38e49927ae4dd7747069f4cde8a94718db872bbb5f650f8a3a
  SHA512 018dca395c2ea4c0c47f1b1ff476e0546e28767d5c952c8121a844d7a122595b87c0ab8194b94447ad8332377db351535b20c5b893c9620455c1b7835785abc6
- 690B
  MD5 c451b4e00e95cbf2d0b5305a5683468e
  SHA1 9ce89feeadb1821929befabb4b15f55cae54c379
  SHA256 64a843894a343ab1e4fb2ee0fb3aba9d3b3fe89bc865eff66928f3cc5814fec6
  SHA512 b5ae9a0276970ec504fe197be490a24772967029be0c45d73a1eece6825c24c8ab40dfe5dd4deb2b9ed3e44f3e7d6f00cf09da7dec7cc2782136b45804b48eda
- 690B
  MD5 786e17b18b82054efe71f27b514c79d4
  SHA1 9f392e2d5096a87af918a253bccc4c408384dcd6
  SHA256 6b73cf1c3911bb4df87cdc2426ba04958dc21a13cd372cb90e4c07db244a6436
  SHA512 2da34d108e34f117ed4931554980b042868407eb543ca146074e28710361f74f489ee369ea2a6e8f254080c8ba3da63a6c4ef9a41aafd31105cfe32691393d10
- 8KB
  MD5 a68143effce350f9ac5a605c615a84a7
  SHA1 b96c81ce2e4a45da52fd3ee35fda1ad0d91204f0
  SHA256 e14a47b23cb294eb1186251ecf00f43d8875e0f676cf3fc68d22c8e4f44d40f1
  SHA512 de069e38d0a20e2e759136136968f6b00f31874c085c8ef0a1b061cc3952996bd710afbb8e01f17d4b87c7b825ca0ca02b6e0f12bf0e4d4949e039c7eec7a911
- 8KB
  MD5 ac9371e3bade1900b372e1f5cec046db
  SHA1 f955e8840f84c867c8fa71ee3aaff2377f9714e5
  SHA256 07979eeb713d573829d2e664d7a6e65673ad35f2190f5cb9c0e4e44534870c14
  SHA512 e71b3ef7dcece212905e9889c88b208672a46c5c4fe1d0bf772efb0cd112e9fdb9e1659d443a3ee77dd94dea62dcb27323599570f1b99b7f2afbf8ab076e2d89
- 8KB
  MD5 550e446528770f71bfa27375e7c871ec
  SHA1 60f96ee983d7e9c95979dcc2f0653cebda5dc5fa
  SHA256 9d355a30016c254c73c2d49706320c44cc2543f5475b5d7a79cedf05718521db
  SHA512 e79716d8ceddc89a89c22dbf6ad5277402dd5a28630e74aa415ea756aa1550ad449c27e3a5dc6aefee30e40788543470770ffc904c03b1a2c2b7b0deb5b96e29
- 8KB
  MD5 390eb9e06d452f0bc1f8088111c882e5
  SHA1 b706b75d7114d6ee3a0ab9f565824e5942d89b2f
  SHA256 5b281af049d096a28f8392db9c404298d286a36a3b17a40e4195937d8a18203a
  SHA512 5eb14b0fc47596ce2796e42d9825658fafb45e85e4a42351d07ee2e463a387ec493dc62dfacd35fd7ac0ac95b392da630e03275aca7d783941ca67187beddeeb
- 228KB
  MD5 f3abe590f7d47b130a0393e90ee1caf7
  SHA1 fe94c5dedbda2dd4169c78e7672b3a6ee4df0389
  SHA256 6becfc92aa56188c5a42c931cde41e7814ce0adf04076f62c87c53f3107c3afd
  SHA512 459498d09e819a3dd2fc5654a7e76c4f765661363b24f57ad59f1f25087eba2394cd39c5677a334d1b8eae6b90d87a15d092cac690a54f12c5a868269c9b3324
- 228KB
  MD5 33486cb84db746010497a55b104ea0b7
  SHA1 b78219063213330f56d521dfdda61503d708954e
  SHA256 bfc7ecb1cbbb40f42e9325ea629b9ad219ec7540f7ea9cabce61d5510a2131b8
  SHA512 a97f6cb24f57f8da7c32fa23b8137cd050c6b43c3dc5f34cc5132fc7ad1811e15b6cba55926cfcb9c3451be4228be4fe58cc3aa6eb6f9cec46e2e01cb9edb5b1
- 228KB
  MD5 776359edef4d33edcf7d4b03f3c8b462
  SHA1 2d4aa0dc40f61be833aaa14de208ea54dd0d569a
  SHA256 fbb6650efbae901c88b94493388de4f0e749bd0988f0670b38262db030b00624
  SHA512 d1a6df90cc17572d4c168cc4512211c63d190c44a3f83e6bd0b66b37e91a1d5a4cf641dc70abdb1925cf224fba0a98589682c763f9d1b361a6cb645d04a23a65
- 264KB
  MD5 39a43d835e9dc208164ff36f4d9a77f7
  SHA1 c2f760f1d3f05893ccb2f9e54d2264b24a95ff2f
  SHA256 d6640e8fc7036df209e51b89bd2749b4244110b8cf1ffcd8e4b57421087acb95
  SHA512 de68264fc3ffdd392877d22b04c9c6279378d213a1e3bae6a5c155f873a0a543dc2fb1d87606a39819c0f98c13ec5bf575457813bf5b411a5db21b42ae323ad3
- 45KB
  MD5 dbd0e17845da07384d942b76268cf5b7
  SHA1 c1fca3c8ab7e6d60fe3703a4ee52bbac1d61e6ad
  SHA256 4a9a9156581680f9b5082c685a656994a2248ff274900710014ca9c3c7868db8
  SHA512 f7697d93690f3bd673501401b4286cf4794b39563e5d1707af5bd407e2acb2cba8f3331e0df9091f0cc4895155ac9be9aa89668f92b33a9319ea25551b876f8c
- 2.4MB
  MD5 1590a3efb4a143305e7182fbd284a414
  SHA1 4b1910fc583442a94a7a246c5424354991e22f13
  SHA256 b11ec3f1e913b4c0caeaf24b194998e7702da6c0b30afc8a147df52b26fd829f
  SHA512 6b34bb151902e7c0a9ac349d16be5ebe23c4574fd1b4131d63691ab7b8771beccf2044db85b5714fc90da15fb0c4029313a174497fc85652e1e6a4c084f010f7
- 260B
  MD5 ed15d1050df681bd56dd5768ef558577
  SHA1 ebb70fd13f4392bc2a7a717154f22dcf21262d8c
  SHA256 ee181ffec2811e66f18e2697a1564b2d5390f8586664cc35da79d41224e117b9
  SHA512 d961063cdfe91feade4a563425e3630a9c1173a8ff50ca01418f9e8866abc82a4b17d87473c507f83324be0ff2b710ccd30b673121b2e3e4b0cb6509b33d3c41
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms, 1KB
  MD5 0c0837db088a872500e0b6172cdf996b
  SHA1 8fe9e3dde3e656adf39211380f434d550047b807
  SHA256 6b494dd2d770ea339fe2cf966b4f22aae9af9e11ab796bae936d81a9ed52de57
  SHA512 8c3a7407e4ff9f59d89aec11d58a85d575dcbd661c1bae780a0cb072668a262a7e1b8979cb5610d40364b0d838bc79014d9f996ce077097495f03269379e15dc
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms, 1KB (second version of the same jump-list file)
  MD5 e6c7fb4bc6cb9cc16c2f7911a258d78f
  SHA1 e3889adc9adbf36bb79cf0f046a1d61ad03fe1a2
  SHA256 21e475282b30ee717fcac74505f9374eaa3dc299ac724b86e818d6103760131f
  SHA512 eee559c653987c3f29127034182446ee218baf0b80ecfb55dd994c208095f97a6c7289693de9cad003fc198d7f627190a6ff8c8024a1b57848f833d07c359bd0
- 1.8MB (the submitted sample)
  MD5 3b2e54913c8b29ce886c8b36f8dd0cfc
  SHA1 ff514c4f55dc70f5d1914fcf7118f24fd636e8a2
  SHA256 405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84
  SHA512 c872c307a060c3ec9b026d24f159447d74de06a5e2e73f5729c9360c5f20b0dc1afe17c870793309f4bddd6c1ec52ce68a1dca9c0b102d089ab48a6db7071c81
- 1.4MB
  MD5 eaf6dee7b4c85cc6fe02a0164ae9abc8
  SHA1 65955d78cb5fbaa4a7054d7b7b8387be6faa8d67
  SHA256 8ddb3d269659b497ebd1fd7daa907fcb49f25b8f135dbff6ad6b7d549692f134
  SHA512 ceebaf44fbfd31266b02b3016743226e074eb7bf1f86ae3d15ba71aeeb23a7e6d95bfb960d1fb2aae869850daf2cacaf8f3902eb7c2c95ef2676054b2f20d14b
- C:\Users\Admin\Downloads\405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84.zip:Zone.Identifier, 202B (the Mark-of-the-Web stream on the downloaded archive; no Zone.Identifier entry is listed for the extracted .exe)
  MD5 e7c1703fe10e842accecfbf58de98d2d
  SHA1 57cfc8214a24114810e644fb88d4c668562bd046
  SHA256 3d7bd3cdf522890b26085b9ede08f92785c8412af3dc140b12bd40edf278189f
  SHA512 9687fcd81d8ebf224e17bb75c94a238829b305c66591bc5179bb4934edb4a6037f74035f414ef30cdccf6efe8605122255d03518abae78172b52c2b49af725a4