Analysis

max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/10/2024, 00:35

Static task: static1
Behavioral task: behavioral1
Sample: b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe
Resource: win7-20240903-en

General

Target: b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe
Size: 216KB
MD5: 3df8c2521ccc2a565789e21a7efe2a2a
SHA1: b9cdd76a4e650b8b1df9cad6e28af5e902e195eb
SHA256: b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90
SHA512: e9c5b865d70f1fccf13fab15357c7429f75f4c27aef8253b23f4fbef81caa941e678e5e27b81d843ac5c3a57beeaa7591525b7c1064b279b1591b729d7ab8a1e
SSDEEP: 3072:ds9KL2cTu/9QvFaWA8pDhDIYG7BswwubXW3pCFUKH5cDKCMvW2PrRh4xeqLsSzjM:WKacK/WaV8pyYG7CyCCPHPrX4xeqLp4
Malware Config
Signatures
Modifies security service (2 TTPs, 22 IoCs)
Sets Start = 4 (SERVICE_DISABLED) on wscsvc (Windows Security Center) and wuauserv (Windows Update), so neither service starts at the next boot. Every write comes from regedit.exe, one per service for each of the 11 silent imports of 1.reg (REGEDIT /S) in the process tree.

description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | regedit.exe (11 times)
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | regedit.exe (11 times)
Executes dropped EXE (10 IoCs)
pid | process
2920, 1988, 3620, 3612, 4944, 1932, 756, 552, 4620, 2140 | Tilesys.com
Drops file in System32 directory (22 IoCs)
The original sample and each of the 10 Tilesys.com copies in turn create and then reopen the same path, C:\Windows\SysWOW64\Tilesys.com.

description | ioc | process
File created | C:\Windows\SysWOW64\Tilesys.com | b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe (1 time), Tilesys.com (10 times)
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe (1 time), Tilesys.com (10 times)
System Location Discovery: System Language Discovery (1 TTP, 33 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Note that cmd.exe and regedit.exe trigger this signature as well, so on this run it is a low-signal heuristic rather than evidence of deliberate geofencing.

description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe (1 time), Tilesys.com (10 times), cmd.exe (11 times), regedit.exe (11 times)
Modifies registry class (33 IoCs)
Each of the 11 executing processes (the sample and the 10 Tilesys.com copies) creates HKLM\SOFTWARE\Classes\.key and sets its default value to "regfile", so a file with a .key extension is treated as a registry export and handed to regedit.exe when opened. A further write to the same default value is recorded per process with no value shown in the report.

description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe (1 time), Tilesys.com (10 times)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe (1 time), Tilesys.com (10 times)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ (value not shown) | b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe (1 time), Tilesys.com (10 times)
Runs .reg file with regedit (11 IoCs)
One regedit.exe per iteration of the loop, each launched by cmd.exe as REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg (silent import, no confirmation prompt).

pid | process
3176, 4088, 4632, 3996, 4200, 5092, 4516, 2260, 4068, 1132, 3140 | regedit.exe
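The report shows that 1.reg is imported silently from the user's Temp directory and that regedit.exe then writes Start=4 to wscsvc and wuauserv, but it does not publish the file's contents. What follows is an added example, not part of this report or of the sample, of how a responder can parse a recovered .reg file and flag exactly those writes. SAMPLE_REG is constructed from the registry IoCs above and is not the real 1.reg; the service names in WATCHED_SERVICES beyond wscsvc and wuauserv are an assumption added so the check is reusable.

```python
"""Audit a Windows .reg file for the service-disabling writes recorded above.
Added example, not part of the sandbox report. SAMPLE_REG is constructed from the
registry IoCs attributed to regedit.exe; the real 1.reg was not published."""
import re
import sys
from typing import List, Optional, Tuple, Union

# Constructed to mirror the "Modifies security service" IoCs: wscsvc is the Windows
# Security Center service, wuauserv is Windows Update, Start=4 is SERVICE_DISABLED.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv]
"Start"=dword:00000004
"""

# wscsvc and wuauserv come from this report; the remaining names are an assumption
# (other services malware commonly disables) added so the check is reusable.
WATCHED_SERVICES = {"wscsvc", "wuauserv", "windefend", "securityhealthservice",
                    "mpssvc", "bits", "wdnissvc"}
SERVICE_DISABLED = 4

_SECTION = re.compile(r"^\[(-?)(.+)\]$")
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)\s*=\s*(.*)$')
_SERVICE_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)\\Services\\([^\\]+)$", re.I)
_CLASS_EXT = re.compile(
    r"^(?:HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes|HKEY_CLASSES_ROOT)\\(\.[^\\]+)$", re.I)


def read_reg_file(path: str) -> str:
    """regedit exports are UTF-16LE with a BOM; hand-written files are usually ANSI."""
    data = open(path, "rb").read()
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def parse_reg(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, raw_value) triples; value_name '' is the key's
    default (@). Continuation lines (hex data ending in a backslash) are joined
    first, and a [-KEY] section deletes the key, so its lines are skipped."""
    joined: List[str] = []
    for line in text.splitlines():
        if joined and joined[-1].endswith("\\"):
            joined[-1] = joined[-1][:-1] + line.strip()
        else:
            joined.append(line.rstrip())
    out: List[Tuple[str, str, str]] = []
    key: Optional[str] = None
    for line in joined:
        if not line or line.startswith(";"):
            continue
        m = _SECTION.match(line)
        if m:
            key = None if m.group(1) == "-" else m.group(2)
            continue
        m = _VALUE.match(line)
        if m and key is not None:
            name = "" if m.group(1) is None else m.group(1).replace('\\"', '"').replace("\\\\", "\\")
            out.append((key, name, m.group(2).strip()))
    return out


def decode_value(raw: str) -> Union[int, str, bytes, None]:
    """Decode dword:<hex>, "string", hex(...):aa,bb,... and the '-' delete marker."""
    if raw == "-":
        return None
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("hex"):
        body = raw.split(":", 1)[1]
        return bytes(int(b, 16) for b in body.split(",") if b.strip())
    return raw


def audit_reg_text(text: str) -> List[str]:
    """One finding per write that disables a service or maps a file extension to
    'regfile' (the .key association this report records for the sample itself)."""
    findings: List[str] = []
    for key, name, raw in parse_reg(text):
        value = decode_value(raw)
        m = _SERVICE_KEY.match(key)
        if m and name.lower() == "start" and value == SERVICE_DISABLED:
            tag = "WATCHED" if m.group(1).lower() in WATCHED_SERVICES else "other"
            findings.append(f"service {m.group(1)} set to Start=4 (disabled) [{tag}]")
        m = _CLASS_EXT.match(key)
        if m and name == "" and isinstance(value, str) and value.lower() == "regfile":
            findings.append(f"extension {m.group(1)} associated with regfile (opened by regedit.exe)")
    return findings


if __name__ == "__main__":
    reg_text = read_reg_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    for finding in audit_reg_text(reg_text):
        print(finding)
```

Run it with the path of a recovered .reg file as the first argument; without an argument it audits the constructed sample. The [-KEY] and "name"=- delete forms are parsed so that a cleanup script re-enabling the services is not misreported as disabling them.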
Suspicious use of WriteProcessMemory (64 IoCs)
Each parent/child pair below is recorded three times in the report; the list is truncated at 64 entries, so it stops partway through the tree (the last pair appears once).

pid | wrote to memory of | process | procid_target
4920 | 4944 | b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe | 84 (x3)
4944 | 3176 | cmd.exe | 85 (x3)
4920 | 2920 | b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe | 87 (x3)
2920 | 5060 | Tilesys.com | 88 (x3)
5060 | 5092 | cmd.exe | 89 (x3)
2920 | 1988 | Tilesys.com | 97 (x3)
1988 | 2968 | Tilesys.com | 98 (x3)
2968 | 4088 | cmd.exe | 99 (x3)
1988 | 3620 | Tilesys.com | 103 (x3)
3620 | 2260 | Tilesys.com | 104 (x3)
2260 | 4632 | cmd.exe | 105 (x3)
3620 | 3612 | Tilesys.com | 109 (x3)
3612 | 2360 | Tilesys.com | 110 (x3)
2360 | 4516 | cmd.exe | 111 (x3)
3612 | 4944 | Tilesys.com | 112 (x3)
4944 | 2000 | Tilesys.com | 113 (x3)
2000 | 3996 | cmd.exe | 114 (x3)
4944 | 1932 | Tilesys.com | 116 (x3)
1932 | 1828 | Tilesys.com | 117 (x3)
1828 | 2260 | cmd.exe | 118 (x3)
1932 | 756 | Tilesys.com | 119 (x3)
756 | 3276 | Tilesys.com | 120 (x1)
Processes

Indentation shows the parent/child depth the report numbers 1 to 13. The tree is a replication loop: every Tilesys.com instance (a copy of the sample, see the 216KB entry under Downloads) runs c:\tempr.bat, which silently imports 1.reg, and then starts another Tilesys.com with a numeric argument and the path of the binary that launched it. The report records 11 iterations (the sample plus 10 copies). Note that PIDs 4944 and 2260 are reused by different processes within the run.

[1] C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe (PID 4920)
    command line: "C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe"
    signatures: Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe (PID 4944)
      command line: C:\Windows\system32\cmd.exe /c c:\tempr.bat
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\regedit.exe (PID 3176)
        command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        signatures: Modifies security service; System Location Discovery: System Language Discovery; Runs .reg file with regedit
  [2] C:\Windows\SysWOW64\Tilesys.com (PID 2920)
      command line: C:\Windows\system32\Tilesys.com 1104 "C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe"
      signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe (PID 5060)
        command line: C:\Windows\system32\cmd.exe /c c:\tempr.bat
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\regedit.exe (PID 5092)
          command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
          signatures: Modifies security service; System Location Discovery: System Language Discovery; Runs .reg file with regedit
    [3] C:\Windows\SysWOW64\Tilesys.com (PID 1988)
        command line: C:\Windows\system32\Tilesys.com 1208 "C:\Windows\SysWOW64\Tilesys.com"
        signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (PID 2968)
          command line: C:\Windows\system32\cmd.exe /c c:\tempr.bat
          signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\regedit.exe (PID 4088)
            command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
            signatures: Modifies security service; System Location Discovery: System Language Discovery; Runs .reg file with regedit
      [4] C:\Windows\SysWOW64\Tilesys.com (PID 3620)
          command line: C:\Windows\system32\Tilesys.com 1180 "C:\Windows\SysWOW64\Tilesys.com"
          signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe (PID 2260)
            command line: C:\Windows\system32\cmd.exe /c c:\tempr.bat
            signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\regedit.exe (PID 4632)
              command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
              signatures: Modifies security service; System Location Discovery: System Language Discovery; Runs .reg file with regedit
        [5] C:\Windows\SysWOW64\Tilesys.com (PID 3612)
            command line: C:\Windows\system32\Tilesys.com 1184 "C:\Windows\SysWOW64\Tilesys.com"
            signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\cmd.exe (PID 2360)
              command line: C:\Windows\system32\cmd.exe /c c:\tempr.bat
              signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\regedit.exe (PID 4516)
                command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                signatures: Modifies security service; System Location Discovery: System Language Discovery; Runs .reg file with regedit
          [6] C:\Windows\SysWOW64\Tilesys.com (PID 4944)
              command line: C:\Windows\system32\Tilesys.com 1148 "C:\Windows\SysWOW64\Tilesys.com"
              signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\cmd.exe (PID 2000)
                command line: C:\Windows\system32\cmd.exe /c c:\tempr.bat
                signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
              [8] C:\Windows\SysWOW64\regedit.exe (PID 3996)
                  command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                  signatures: Modifies security service; System Location Discovery: System Language Discovery; Runs .reg file with regedit
            [7] C:\Windows\SysWOW64\Tilesys.com (PID 1932)
                command line: C:\Windows\system32\Tilesys.com 1196 "C:\Windows\SysWOW64\Tilesys.com"
                signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
              [8] C:\Windows\SysWOW64\cmd.exe (PID 1828)
                  command line: C:\Windows\system32\cmd.exe /c c:\tempr.bat
                  signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
                [9] C:\Windows\SysWOW64\regedit.exe (PID 2260)
                    command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                    signatures: Modifies security service; System Location Discovery: System Language Discovery; Runs .reg file with regedit
              [8] C:\Windows\SysWOW64\Tilesys.com (PID 756)
                  command line: C:\Windows\system32\Tilesys.com 1192 "C:\Windows\SysWOW64\Tilesys.com"
                  signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
                [9] C:\Windows\SysWOW64\cmd.exe (PID 3276)
                    command line: C:\Windows\system32\cmd.exe /c c:\tempr.bat
                    signatures: System Location Discovery: System Language Discovery
                  [10] C:\Windows\SysWOW64\regedit.exe (PID 4068)
                      command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                      signatures: Modifies security service; System Location Discovery: System Language Discovery; Runs .reg file with regedit
                [9] C:\Windows\SysWOW64\Tilesys.com (PID 552)
                    command line: C:\Windows\system32\Tilesys.com 1204 "C:\Windows\SysWOW64\Tilesys.com"
                    signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
                  [10] C:\Windows\SysWOW64\cmd.exe (PID 2028)
                      command line: C:\Windows\system32\cmd.exe /c c:\tempr.bat
                      signatures: System Location Discovery: System Language Discovery
                    [11] C:\Windows\SysWOW64\regedit.exe (PID 1132)
                        command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                        signatures: Modifies security service; System Location Discovery: System Language Discovery; Runs .reg file with regedit
                  [10] C:\Windows\SysWOW64\Tilesys.com (PID 4620)
                      command line: C:\Windows\system32\Tilesys.com 1200 "C:\Windows\SysWOW64\Tilesys.com"
                      signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
                    [11] C:\Windows\SysWOW64\cmd.exe (PID 4112)
                        command line: C:\Windows\system32\cmd.exe /c c:\tempr.bat
                        signatures: System Location Discovery: System Language Discovery
                      [12] C:\Windows\SysWOW64\regedit.exe (PID 3140)
                          command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                          signatures: Modifies security service; System Location Discovery: System Language Discovery; Runs .reg file with regedit
                    [11] C:\Windows\SysWOW64\Tilesys.com (PID 2140)
                        command line: C:\Windows\system32\Tilesys.com 1212 "C:\Windows\SysWOW64\Tilesys.com"
                        signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
                      [12] C:\Windows\SysWOW64\cmd.exe (PID 3084)
                          command line: C:\Windows\system32\cmd.exe /c c:\tempr.bat
                          signatures: System Location Discovery: System Language Discovery
                        [13] C:\Windows\SysWOW64\regedit.exe (PID 4200)
                            command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                            signatures: Modifies security service; System Location Discovery: System Language Discovery; Runs .reg file with regedit
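The tree above has three distinguishing features: a silent REGEDIT /S import of a file in the user's Temp directory launched from a batch file in the drive root, a .com executable under SysWOW64 that is started with its launcher's own path on the command line, and a run of consecutive Tilesys.com parents and children. As an added example that is not part of this report or of the sample, the script below reconstructs those features from Sysmon-style process-creation events. EVENTS is constructed from the first four levels of the tree plus one benign regedit launch and is not real telemetry; the field names follow Sysmon Event ID 1 (ProcessGuid, ParentProcessGuid), and the function names and matching rules are the example's own assumptions.

```python
"""Hunt the execution pattern of this report across Sysmon-style process-creation
events. Added example, not part of the report. EVENTS is constructed from the first
levels of the process tree (image, command line, PID) plus one benign control; it
is not real telemetry. The tree is keyed on ProcessGuid rather than PID because the
report itself shows PID reuse (4944 and 2260 each appear twice)."""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe"
DROPPED = r"C:\Windows\SysWOW64\Tilesys.com"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REGEDIT = r"C:\Windows\SysWOW64\regedit.exe"
BATCH = r"C:\Windows\system32\cmd.exe /c c:\tempr.bat"
IMPORT = r"REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg"

Event = Dict[str, object]


def ev(guid: str, pguid: Optional[str], pid: int, image: str, cmd: str) -> Event:
    """Minimal Sysmon Event ID 1 record (constructed)."""
    return {"ProcessGuid": guid, "ParentProcessGuid": pguid, "ProcessId": pid,
            "Image": image, "CommandLine": cmd}


# Constructed from the report's tree (depths 1 to 4) plus a benign regedit launch.
EVENTS: List[Event] = [
    ev("g1", None, 4920, SAMPLE, f'"{SAMPLE}"'),
    ev("g2", "g1", 4944, CMD, BATCH),
    ev("g3", "g2", 3176, REGEDIT, IMPORT),
    ev("g4", "g1", 2920, DROPPED, f'C:\\Windows\\system32\\Tilesys.com 1104 "{SAMPLE}"'),
    ev("g5", "g4", 5060, CMD, BATCH),
    ev("g6", "g5", 5092, REGEDIT, IMPORT),
    ev("g7", "g4", 1988, DROPPED, f'C:\\Windows\\system32\\Tilesys.com 1208 "{DROPPED}"'),
    ev("g8", "g7", 2968, CMD, BATCH),
    ev("g9", "g8", 4088, REGEDIT, IMPORT),
    ev("g10", "g7", 3620, DROPPED, f'C:\\Windows\\system32\\Tilesys.com 1180 "{DROPPED}"'),
    # benign control (constructed): an admin opening a .reg file interactively, no /S
    ev("g11", None, 7000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ev("g12", "g11", 7001, r"C:\Windows\regedit.exe",
       r'"C:\Windows\regedit.exe" "C:\Users\Admin\Desktop\fix.reg"'),
]

SILENT_IMPORT = re.compile(r'(?i)\bregedit(?:\.exe)?"?\s+/s\s+"?([^"\s]+)')
ROOT_BATCH = re.compile(r'(?i)\bcmd(?:\.exe)?"?\s+/c\s+"?[a-z]:\\[^\\\s"]+\.(?:bat|cmd)\b')


def _index(events: List[Event]) -> Dict[str, Event]:
    return {str(e["ProcessGuid"]): e for e in events}


def _basename(e: Event) -> str:
    return str(e["Image"]).rsplit("\\", 1)[-1].lower()


def _ancestors(e: Event, idx: Dict[str, Event]) -> List[Event]:
    chain: List[Event] = []
    parent = idx.get(str(e["ParentProcessGuid"]))
    while parent is not None:
        chain.append(parent)
        parent = idx.get(str(parent["ParentProcessGuid"]))
    return chain


def silent_reg_imports(events: List[Event]) -> List[int]:
    """PIDs of regedit.exe /S imports of a file under a user Temp directory whose
    parent is cmd.exe running a batch file from a drive root (c:\\tempr.bat -> 1.reg)."""
    idx = _index(events)
    hits: List[int] = []
    for e in events:
        if _basename(e) != "regedit.exe":
            continue
        m = SILENT_IMPORT.search(str(e["CommandLine"]))
        parent = idx.get(str(e["ParentProcessGuid"]))
        if (m and parent is not None and _basename(parent) == "cmd.exe"
                and ROOT_BATCH.search(str(parent["CommandLine"]))
                and "\\appdata\\local\\temp\\" in m.group(1).lower()):
            hits.append(int(e["ProcessId"]))
    return hits


def self_propagation_launches(events: List[Event]) -> List[Tuple[int, int]]:
    """(parent PID, child PID) pairs where a .com executable under System32 or
    SysWOW64 is started with its launcher's own path on the command line."""
    idx = _index(events)
    hits: List[Tuple[int, int]] = []
    for e in events:
        image = str(e["Image"]).lower()
        if not image.endswith(".com"):
            continue
        if not image.startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")):
            continue
        parent = idx.get(str(e["ParentProcessGuid"]))
        if parent is None:
            continue
        quoted_parent = '"%s"' % str(parent["Image"]).lower()
        if quoted_parent in str(e["CommandLine"]).lower():
            hits.append((int(parent["ProcessId"]), int(e["ProcessId"])))
    return hits


def replication_depth(events: List[Event], image: str = DROPPED) -> int:
    """Longest run of consecutive parent->child launches of the same image; a
    value above 1 means the dropped binary is re-launching copies of itself."""
    idx = _index(events)
    best = 0
    for e in events:
        if str(e["Image"]).lower() != image.lower():
            continue
        depth = 1
        for a in _ancestors(e, idx):
            if str(a["Image"]).lower() != image.lower():
                break
            depth += 1
        best = max(best, depth)
    return best


if __name__ == "__main__":
    print("silent .reg imports (regedit PIDs):", silent_reg_imports(EVENTS))
    print("self-propagation launches (parent, child):", self_propagation_launches(EVENTS))
    print("replication depth:", replication_depth(EVENTS))
```

Feeding the full tree would return 11 import PIDs, 10 launch pairs and a depth of 11; the benign regedit launch matches none of the three checks because it has no /S switch and no batch-file parent.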
Network
MITRE ATT&CK Enterprise v15
Downloads

Files written during the run. The report gives size and hashes only, not paths.

Filesize: 476B
MD5: a5d4cddfecf34e5391a7a3df62312327
SHA1: 04a3c708bab0c15b6746cf9dbf41a71c917a98b9
SHA256: 8961a4310b2413753851ba8afe2feb4c522c20e856c6a98537d8ab440f48853a
SHA512: 48024549d0fcb88e3bd46f7fb42715181142cae764a3daeb64cad07f10cf3bf14153731aeafba9a191557e29ddf1c5b62a460588823df215e2246eddaeff6643

Filesize: 849B
MD5: 558ce6da965ba1758d112b22e15aa5a2
SHA1: a365542609e4d1dc46be62928b08612fcabe2ede
SHA256: c11beaac10a5e00391ef4b41be8c240f59c5a2dc930aead6d7db237fcd2641fb
SHA512: 37f7f10c3d201b11cc5224ae69c5990eb33b4430c601d3c21f6bec9323621120442e0cfa49e1f4eda459ea4ac750277e446dca78b9e44c1445bd891e4e460b5c

Filesize: 3KB
MD5: 9e5db93bd3302c217b15561d8f1e299d
SHA1: 95a5579b336d16213909beda75589fd0a2091f30
SHA256: f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512: b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Filesize: 206B
MD5: 2d9f1ff716273d19e3f0d10a3cd8736f
SHA1: b4ca02834dd3f3489c5088d2157279d2be90f5ff
SHA256: 9acf0b6f653d189bcf02fa9941a2a1a6b6f60c6fa1f62ad38f314014ec188623
SHA512: 1d08e079d12a58115ced67c002d383a4ff5aca81fde9ac81bb14d8c5dcdfe07839c7b895130b746d4691cd38dc74fbfc0bdc8605b520ac85bc137fd5fa922025

Filesize: 1KB
MD5: a920eceddece6cf7f3487fd8e919af34
SHA1: a6dee2d31d4cbd1b18f5d3bc971521411a699889
SHA256: ec2d3952154412db3202f5c95e4d1b02c40a7f71f4458898ddc36e827a7b32d6
SHA512: a4700af2ce477c7ce33f434cdddd4031e88c3926d05475f522a753063269fe8b6e50b649c3e939272240194951cb70ac05df533978c19839e381141535275ecc

Filesize: 3KB
MD5: d085cde42c14e8ee2a5e8870d08aee42
SHA1: c8e967f1d301f97dbcf252d7e1677e590126f994
SHA256: a15d5dfd655de1214e0aae2292ead17eef1f1b211d39fac03276bbd6325b0d9f
SHA512: de2cebd45d3cf053df17ae43466db6a8b2d816bf4b9a8deb5b577cfedf765b5dcdc5904145809ad3ca03ccff308f8893ec1faa309dd34afcab7cc1836d698d7b

Filesize: 925B
MD5: 0d1e5715cf04d212bcd7c9dea5f7ab72
SHA1: a8add44bf542e4d22260a13de6a35704fb7f3bfb
SHA256: 5d1fc763bce7a43e9e47a75ddb116b7e5d077cc5541c55bc06f2951105b88473
SHA512: 89da5156b2021e4279d7fb8e3bf0196495f84d9aa04c921533d609f02b1b3edd29de80d5930483b914fe82f5fc319993f7fcd925ca22351fccd56c82652f2117

Filesize: 1KB
MD5: 614dc91c25423b19711b270e1e5a49ad
SHA1: f66496dcf9047ae934bdc4a65f697be55980b169
SHA256: cd2b70a70c7da79d5136e4268d6c685e81d925b9387b9ed9e1b3189118e2de5e
SHA512: 27a8649bb02ab6a67a1f2482662a6c690aefca551eec3575ea9aeee645d318b23d0dc6d5d2db239583ddb5f04ba13d94e5180a184566416291b7180fab0029e7

Filesize: 1KB
MD5: f31b2aa720a1c523c1e36a40ef21ee0d
SHA1: 9c8089896c55e6e6a9cca99b1b98c544723d314e
SHA256: cea90761ea6ef6fb8ac98484b5720392534a9774e884c3e343ae29559aa0a716
SHA512: a679ce1192e15cd9b8dd4a3d7ecf85707ec23fa944c020b226172497c0b5600460558cfa9304ddf2c582a95e0fcd7f1b26004c8fba0ed9afcddc6ded770c85bb

Filesize: 2KB
MD5: d5e129352c8dd0032b51f34a2bbecad3
SHA1: a50f8887ad4f6a1eb2dd3c5b807c95a923964a6a
SHA256: ebdaad14508e5ba8d9e794963cf35bd51b7a92b949ebf32deef254ab9cdd6267
SHA512: 9a3aa2796657c964f3c3ff07c8891533a740c86e8b0bebb449b5a3e07e1248d0f6608e03d9847caf1c8bff70392d15474f2954349869d92658108515df6831c2

Filesize: 784B
MD5: 5a466127fedf6dbcd99adc917bd74581
SHA1: a2e60b101c8789b59360d95a64ec07d0723c4d38
SHA256: 8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84
SHA512: 695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5

Filesize: 1KB
MD5: 8a84d46ef81c793a90a80bc806cffdcf
SHA1: 02fac9db9330040ffc613a325686ddca2678a7c5
SHA256: 201891985252489d470c08e66c42a4cf5f9220be3051b9a167936c8f80a606c4
SHA512: b198b32fd9be872968644641248d4e3794aa095f446bab4e1c5a54b2c109df166bbdfb54d4fd8912d202f92ac69b1685ed0c30256e40f30d72e433ee987cc374

Filesize: 1KB
MD5: c1e5f93e2bee9ca33872764d8889de23
SHA1: 167f65adfc34a0e47cb7de92cc5958ee8905796a
SHA256: 8f5276e847b1c6beb572b1eeae20f98784aae11ea2d8f8860adcdb78fd9dca3a
SHA512: 482741b0df7bf6e94ba9667892fe12125df30812e21de40fd60dee540922da70ffb6db4a0c0e17346e714d4bb6e49e2d4eca53c0d5194cd888903071c82b8859

Filesize: 2KB
MD5: 5da7efcc8d0fcdf2bad7890c3f8a27ca
SHA1: 681788d5a3044eee8426d431bd786375cd32bf13
SHA256: 7f142c13b7039582d0f10df0271f0e1feea35760a92bf0c5034f444066c92df8
SHA512: 6e3281f2350c524f9c24ab4455d4c5a109875ead35a35aba3c085d90f99cbc64c6645dfcb805d7a5e670869e67feb481a655305236be8d716347a7c4696a358b

Filesize: 2KB
MD5: b9dc88ed785d13aaeae9626d7a26a6a0
SHA1: ab67e1c5ca09589b93c06ad0edc4b5a18109ec1e
SHA256: 9f1cba2944ed1a547847aa72ba5c759c55da7466796389f9a0f4fad69926e6fc
SHA512: df6380a3e5565ff2bc66d7589af7bc3dcfa2598212c95765d070765341bba446a5a5d6206b50d860f6375c437622deb95a066440145a1b7917aee6dcef207b91

Filesize: 216KB (identical hashes to the submitted sample, i.e. a byte-for-byte copy of it)
MD5: 3df8c2521ccc2a565789e21a7efe2a2a
SHA1: b9cdd76a4e650b8b1df9cad6e28af5e902e195eb
SHA256: b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90
SHA512: e9c5b865d70f1fccf13fab15357c7429f75f4c27aef8253b23f4fbef81caa941e678e5e27b81d843ac5c3a57beeaa7591525b7c1064b279b1591b729d7ab8a1e

Filesize: 5KB
MD5: 0019a0451cc6b9659762c3e274bc04fb
SHA1: 5259e256cc0908f2846e532161b989f1295f479b
SHA256: ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512: 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904