Analysis
max time kernel: 147s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17/10/2024, 00:35
Static task: static1
Behavioral task: behavioral1
Sample: b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe
Resource: win7-20240903-en
General
Target: b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe
Size: 216KB
MD5: 3df8c2521ccc2a565789e21a7efe2a2a
SHA1: b9cdd76a4e650b8b1df9cad6e28af5e902e195eb
SHA256: b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90
SHA512: e9c5b865d70f1fccf13fab15357c7429f75f4c27aef8253b23f4fbef81caa941e678e5e27b81d843ac5c3a57beeaa7591525b7c1064b279b1591b729d7ab8a1e
SSDEEP: 3072:ds9KL2cTu/9QvFaWA8pDhDIYG7BswwubXW3pCFUKH5cDKCMvW2PrRh4xeqLsSzjM:WKacK/WaV8pyYG7CyCCPHPrX4xeqLp4
Malware Config
Signatures
Modifies security service 2 TTPs 20 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Executes dropped EXE 10 IoCs
pid | Process
2340 | Tilesys.com
1064 | Tilesys.com
2520 | Tilesys.com
532 | Tilesys.com
992 | Tilesys.com
2844 | Tilesys.com
2496 | Tilesys.com
2648 | Tilesys.com
2864 | Tilesys.com
2008 | Tilesys.com
Loads dropped DLL 20 IoCs
pid | Process
2212 | b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe
2212 | b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe
2340 | Tilesys.com
2340 | Tilesys.com
1064 | Tilesys.com
1064 | Tilesys.com
2520 | Tilesys.com
2520 | Tilesys.com
532 | Tilesys.com
532 | Tilesys.com
992 | Tilesys.com
992 | Tilesys.com
2844 | Tilesys.com
2844 | Tilesys.com
2496 | Tilesys.com
2496 | Tilesys.com
2648 | Tilesys.com
2648 | Tilesys.com
2864 | Tilesys.com
2864 | Tilesys.com
Writes to the Master Boot Record (MBR) 1 TTPs 11 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | Tilesys.com
File opened for modification | \??\PhysicalDrive0 | Tilesys.com
File opened for modification | \??\PhysicalDrive0 | b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe
File opened for modification | \??\PhysicalDrive0 | Tilesys.com
File opened for modification | \??\PhysicalDrive0 | Tilesys.com
File opened for modification | \??\PhysicalDrive0 | Tilesys.com
File opened for modification | \??\PhysicalDrive0 | Tilesys.com
File opened for modification | \??\PhysicalDrive0 | Tilesys.com
File opened for modification | \??\PhysicalDrive0 | Tilesys.com
File opened for modification | \??\PhysicalDrive0 | Tilesys.com
File opened for modification | \??\PhysicalDrive0 | Tilesys.com
Drops file in System32 directory 22 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File created | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File created | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File created | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File created | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe
File created | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File created | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File created | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File created | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File created | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File created | C:\Windows\SysWOW64\Tilesys.com | b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
System Location Discovery: System Language Discovery 1 TTPs 31 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tilesys.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tilesys.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tilesys.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tilesys.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tilesys.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tilesys.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tilesys.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tilesys.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tilesys.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tilesys.com
Modifies registry class 33 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilesys.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilesys.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilesys.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilesys.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilesys.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilesys.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilesys.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilesys.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilesys.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilesys.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilesys.com
Runs .reg file with regedit 10 IoCs
pid | Process
2848 | regedit.exe
2112 | regedit.exe
2620 | regedit.exe
2200 | regedit.exe
764 | regedit.exe
2736 | regedit.exe
2268 | regedit.exe
2408 | regedit.exe
2124 | regedit.exe
2632 | regedit.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2212 wrote to memory of 2700 | 2212 | b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe | 30
PID 2212 wrote to memory of 2700 | 2212 | b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe | 30
PID 2212 wrote to memory of 2700 | 2212 | b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe | 30
PID 2212 wrote to memory of 2700 | 2212 | b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe | 30
PID 2212 wrote to memory of 2340 | 2212 | b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe | 31
PID 2212 wrote to memory of 2340 | 2212 | b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe | 31
PID 2212 wrote to memory of 2340 | 2212 | b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe | 31
PID 2212 wrote to memory of 2340 | 2212 | b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe | 31
PID 2700 wrote to memory of 2848 | 2700 | cmd.exe | 32
PID 2700 wrote to memory of 2848 | 2700 | cmd.exe | 32
PID 2700 wrote to memory of 2848 | 2700 | cmd.exe | 32
PID 2700 wrote to memory of 2848 | 2700 | cmd.exe | 32
PID 2340 wrote to memory of 1064 | 2340 | Tilesys.com | 34
PID 2340 wrote to memory of 1064 | 2340 | Tilesys.com | 34
PID 2340 wrote to memory of 1064 | 2340 | Tilesys.com | 34
PID 2340 wrote to memory of 1064 | 2340 | Tilesys.com | 34
PID 1064 wrote to memory of 2024 | 1064 | Tilesys.com | 35
PID 1064 wrote to memory of 2024 | 1064 | Tilesys.com | 35
PID 1064 wrote to memory of 2024 | 1064 | Tilesys.com | 35
PID 1064 wrote to memory of 2024 | 1064 | Tilesys.com | 35
PID 2024 wrote to memory of 2112 | 2024 | cmd.exe | 36
PID 2024 wrote to memory of 2112 | 2024 | cmd.exe | 36
PID 2024 wrote to memory of 2112 | 2024 | cmd.exe | 36
PID 2024 wrote to memory of 2112 | 2024 | cmd.exe | 36
PID 1064 wrote to memory of 2520 | 1064 | Tilesys.com | 37
PID 1064 wrote to memory of 2520 | 1064 | Tilesys.com | 37
PID 1064 wrote to memory of 2520 | 1064 | Tilesys.com | 37
PID 1064 wrote to memory of 2520 | 1064 | Tilesys.com | 37
PID 2520 wrote to memory of 2268 | 2520 | Tilesys.com | 38
PID 2520 wrote to memory of 2268 | 2520 | Tilesys.com | 38
PID 2520 wrote to memory of 2268 | 2520 | Tilesys.com | 38
PID 2520 wrote to memory of 2268 | 2520 | Tilesys.com | 38
PID 2268 wrote to memory of 2620 | 2268 | cmd.exe | 39
PID 2268 wrote to memory of 2620 | 2268 | cmd.exe | 39
PID 2268 wrote to memory of 2620 | 2268 | cmd.exe | 39
PID 2268 wrote to memory of 2620 | 2268 | cmd.exe | 39
PID 2520 wrote to memory of 532 | 2520 | Tilesys.com | 40
PID 2520 wrote to memory of 532 | 2520 | Tilesys.com | 40
PID 2520 wrote to memory of 532 | 2520 | Tilesys.com | 40
PID 2520 wrote to memory of 532 | 2520 | Tilesys.com | 40
PID 532 wrote to memory of 1108 | 532 | Tilesys.com | 41
PID 532 wrote to memory of 1108 | 532 | Tilesys.com | 41
PID 532 wrote to memory of 1108 | 532 | Tilesys.com | 41
PID 532 wrote to memory of 1108 | 532 | Tilesys.com | 41
PID 1108 wrote to memory of 2200 | 1108 | cmd.exe | 42
PID 1108 wrote to memory of 2200 | 1108 | cmd.exe | 42
PID 1108 wrote to memory of 2200 | 1108 | cmd.exe | 42
PID 1108 wrote to memory of 2200 | 1108 | cmd.exe | 42
PID 532 wrote to memory of 992 | 532 | Tilesys.com | 43
PID 532 wrote to memory of 992 | 532 | Tilesys.com | 43
PID 532 wrote to memory of 992 | 532 | Tilesys.com | 43
PID 532 wrote to memory of 992 | 532 | Tilesys.com | 43
PID 992 wrote to memory of 2392 | 992 | Tilesys.com | 44
PID 992 wrote to memory of 2392 | 992 | Tilesys.com | 44
PID 992 wrote to memory of 2392 | 992 | Tilesys.com | 44
PID 992 wrote to memory of 2392 | 992 | Tilesys.com | 44
PID 2392 wrote to memory of 2408 | 2392 | cmd.exe | 45
PID 2392 wrote to memory of 2408 | 2392 | cmd.exe | 45
PID 2392 wrote to memory of 2408 | 2392 | cmd.exe | 45
PID 2392 wrote to memory of 2408 | 2392 | cmd.exe | 45
PID 992 wrote to memory of 2844 | 992 | Tilesys.com | 46
PID 992 wrote to memory of 2844 | 992 | Tilesys.com | 46
PID 992 wrote to memory of 2844 | 992 | Tilesys.com | 46
PID 992 wrote to memory of 2844 | 992 | Tilesys.com | 46
Processes
C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe  "C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe"  (depth 1)
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2212
  C:\Windows\SysWOW64\cmd.exe  cmd /c c:\tempr.bat  (depth 2)
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2700
    C:\Windows\SysWOW64\regedit.exe  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg  (depth 3)
    - Modifies security service
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID: 2848
  C:\Windows\SysWOW64\Tilesys.com  C:\Windows\system32\Tilesys.com 504 "C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe"  (depth 2)
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2340
    C:\Windows\SysWOW64\Tilesys.com  C:\Windows\system32\Tilesys.com 552 "C:\Windows\SysWOW64\Tilesys.com"  (depth 3)
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1064
      C:\Windows\SysWOW64\cmd.exe  cmd /c c:\tempr.bat  (depth 4)
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2024
        C:\Windows\SysWOW64\regedit.exe  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg  (depth 5)
        - Modifies security service
        - System Location Discovery: System Language Discovery
        - Runs .reg file with regedit
        PID: 2112
      C:\Windows\SysWOW64\Tilesys.com  C:\Windows\system32\Tilesys.com 560 "C:\Windows\SysWOW64\Tilesys.com"  (depth 4)
      - Executes dropped EXE
      - Loads dropped DLL
      - Writes to the Master Boot Record (MBR)
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      PID: 2520
        C:\Windows\SysWOW64\cmd.exe  cmd /c c:\tempr.bat  (depth 5)
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2268
          C:\Windows\SysWOW64\regedit.exe  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg  (depth 6)
          - Modifies security service
          - System Location Discovery: System Language Discovery
          - Runs .reg file with regedit
          PID: 2620
        C:\Windows\SysWOW64\Tilesys.com  C:\Windows\system32\Tilesys.com 564 "C:\Windows\SysWOW64\Tilesys.com"  (depth 5)
        - Executes dropped EXE
        - Loads dropped DLL
        - Writes to the Master Boot Record (MBR)
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        PID: 532
          C:\Windows\SysWOW64\cmd.exe  cmd /c c:\tempr.bat  (depth 6)
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 1108
            C:\Windows\SysWOW64\regedit.exe  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg  (depth 7)
            - Modifies security service
            - System Location Discovery: System Language Discovery
            - Runs .reg file with regedit
            PID: 2200
          C:\Windows\SysWOW64\Tilesys.com  C:\Windows\system32\Tilesys.com 568 "C:\Windows\SysWOW64\Tilesys.com"  (depth 6)
          - Executes dropped EXE
          - Loads dropped DLL
          - Writes to the Master Boot Record (MBR)
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
          PID: 992
            C:\Windows\SysWOW64\cmd.exe  cmd /c c:\tempr.bat  (depth 7)
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 2392
              C:\Windows\SysWOW64\regedit.exe  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg  (depth 8)
              - Modifies security service
              - System Location Discovery: System Language Discovery
              - Runs .reg file with regedit
              PID: 2408
            C:\Windows\SysWOW64\Tilesys.com  C:\Windows\system32\Tilesys.com 572 "C:\Windows\SysWOW64\Tilesys.com"  (depth 7)
            - Executes dropped EXE
            - Loads dropped DLL
            - Writes to the Master Boot Record (MBR)
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            PID: 2844
              C:\Windows\SysWOW64\cmd.exe  cmd /c c:\tempr.bat  (depth 8)
              - System Location Discovery: System Language Discovery
              PID: 792
                C:\Windows\SysWOW64\regedit.exe  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg  (depth 9)
                - Modifies security service
                - System Location Discovery: System Language Discovery
                - Runs .reg file with regedit
                PID: 764
              C:\Windows\SysWOW64\Tilesys.com  C:\Windows\system32\Tilesys.com 576 "C:\Windows\SysWOW64\Tilesys.com"  (depth 8)
              - Executes dropped EXE
              - Loads dropped DLL
              - Writes to the Master Boot Record (MBR)
              - Drops file in System32 directory
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              PID: 2496
                C:\Windows\SysWOW64\cmd.exe  cmd /c c:\tempr.bat  (depth 9)
                - System Location Discovery: System Language Discovery
                PID: 1356
                  C:\Windows\SysWOW64\regedit.exe  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg  (depth 10)
                  - Modifies security service
                  - System Location Discovery: System Language Discovery
                  - Runs .reg file with regedit
                  PID: 2736
                C:\Windows\SysWOW64\Tilesys.com  C:\Windows\system32\Tilesys.com 580 "C:\Windows\SysWOW64\Tilesys.com"  (depth 9)
                - Executes dropped EXE
                - Loads dropped DLL
                - Writes to the Master Boot Record (MBR)
                - Drops file in System32 directory
                - System Location Discovery: System Language Discovery
                - Modifies registry class
                PID: 2648
                  C:\Windows\SysWOW64\cmd.exe  cmd /c c:\tempr.bat  (depth 10)
                  - System Location Discovery: System Language Discovery
                  PID: 2696
                    C:\Windows\SysWOW64\regedit.exe  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg  (depth 11)
                    - Modifies security service
                    - System Location Discovery: System Language Discovery
                    - Runs .reg file with regedit
                    PID: 2124
                  C:\Windows\SysWOW64\Tilesys.com  C:\Windows\system32\Tilesys.com 584 "C:\Windows\SysWOW64\Tilesys.com"  (depth 10)
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Writes to the Master Boot Record (MBR)
                  - Drops file in System32 directory
                  - System Location Discovery: System Language Discovery
                  - Modifies registry class
                  PID: 2864
                    C:\Windows\SysWOW64\cmd.exe  cmd /c c:\tempr.bat  (depth 11)
                    - System Location Discovery: System Language Discovery
                    PID: 1808
                      C:\Windows\SysWOW64\regedit.exe  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg  (depth 12)
                      - Modifies security service
                      - System Location Discovery: System Language Discovery
                      - Runs .reg file with regedit
                      PID: 2268
                    C:\Windows\SysWOW64\Tilesys.com  C:\Windows\system32\Tilesys.com 588 "C:\Windows\SysWOW64\Tilesys.com"  (depth 11)
                    - Executes dropped EXE
                    - Writes to the Master Boot Record (MBR)
                    - Drops file in System32 directory
                    - System Location Discovery: System Language Discovery
                    - Modifies registry class
                    PID: 2008
                      C:\Windows\SysWOW64\cmd.exe  cmd /c c:\tempr.bat  (depth 12)
                      - System Location Discovery: System Language Discovery
                      PID: 1664
                        C:\Windows\SysWOW64\regedit.exe  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg  (depth 13)
                        - Modifies security service
                        - System Location Discovery: System Language Discovery
                        - Runs .reg file with regedit
                        PID: 2632
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: 9e5db93bd3302c217b15561d8f1e299d
SHA1: 95a5579b336d16213909beda75589fd0a2091f30
SHA256: f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512: b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Filesize: 576B
MD5: 8a0897226da780b90c11da0756b361f1
SHA1: 67f813e8733ad75a2147c59cca102a60274daeab
SHA256: 115ff7b8bbe33e1325a2b03fb279281b79b2b9c4c0d6147c049c99da39867bee
SHA512: 55e0e0791fb8e76fb67511ef2bfe1bdb934c857a5a555f9c72dd063250c18b17c57ff9f220c0d3cdd219828d87f5c08bfe5e198476c9d38119c4cfb099b99642

Filesize: 1KB
MD5: 5b77620cb52220f4a82e3551ee0a53a6
SHA1: 07d122b8e70ec5887bad4ef8f4d6209df18912d0
SHA256: 93ee7aaab4bb8bb1a11aede226bdb7c2ad85197ef5054eb58531c4df35599579
SHA512: 9dc2b10a03c87d294903ff3514ca38ce1e85dec66213a7042d31f70fb20d36fed645150c5a6cb6f08c31bdc9f61e7dee2f1737c98aab263c289b09ffa663371c

Filesize: 1KB
MD5: 3637baf389a0d79b412adb2a7f1b7d09
SHA1: f4b011a72f59cf98a325f12b7e40ddd0548ccc16
SHA256: 835336f5d468ac1d8361f9afbc8e69ff1538c51b0b619d641b4b41dcfaa39cba
SHA512: ea71a49c3673e9ce4f92d0f38441b3bc5b3b9ef6649caa21972648e34b6cec8694fa8fb7fc0ddad1e58f0464e0ba917c4500090a3db3fc07e1d258079c1c2506

Filesize: 3KB
MD5: 752fd85212d47da8f0adc29004a573b2
SHA1: fa8fe3ff766601db46412879dc13dbec8d055965
SHA256: 9faa69e9dabfb4beb40790bf12d0ae2ac0a879fb045e38c03b9e4d0ab569636e
SHA512: d7bbadb2ed764717dc01b012832e5c1debd6615bbdc121b5954e61d6364a03b2dd03718bdea26c5c2a6dbb6e33c5a7657c76862f6d8c0a916f7a0f9f8dd3b209

Filesize: 216KB
MD5: 3df8c2521ccc2a565789e21a7efe2a2a
SHA1: b9cdd76a4e650b8b1df9cad6e28af5e902e195eb
SHA256: b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90
SHA512: e9c5b865d70f1fccf13fab15357c7429f75f4c27aef8253b23f4fbef81caa941e678e5e27b81d843ac5c3a57beeaa7591525b7c1064b279b1591b729d7ab8a1e

Filesize: 5KB
MD5: 0019a0451cc6b9659762c3e274bc04fb
SHA1: 5259e256cc0908f2846e532161b989f1295f479b
SHA256: ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512: 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904