Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 04-11-2024 00:22
Static task
static1
Behavioral task
behavioral1
Sample
setup.exe
Resource
win7-20241010-en
General
Target: setup.exe
Size: 880KB
MD5: 43d3ff349ad31e0ad76201755445cb1e
SHA1: 7b3b15c369203cf892fb0b023201c5627e23973a
SHA256: 5c402fd8244e177338a2a8f0c7b8df055d5a06ebd7a5225edb3d3cdaf1d1c749
SHA512: 771f98fcade1687c3714e6631d800ba8f186cc6de46ee36e52e78d04727f0bc7f9352d5f32788a315bd1dc5b84fabd585ea50c1bf32bbd7fc168b87a8a97d101
SSDEEP: 24576:L20Bj512nz5ME9t+Fez6ovAJv9aGk3KgY7rmvZf5/I:L2Xzh/fvAJ4GkJECvTI
Malware Config
Signatures
-
Possible privilege escalation attempt 12 IoCs
Processes (pid, process):
- 2676 takeown.exe
- 2628 takeown.exe
- 2640 icacls.exe
- 2704 icacls.exe
- 2212 takeown.exe
- 2680 icacls.exe
- 2140 icacls.exe
- 2652 takeown.exe
- 624 icacls.exe
- 2004 icacls.exe
- 2672 takeown.exe
- 1976 takeown.exe
-
Executes dropped EXE 2 IoCs
Processes (pid, process):
- 2912 setup.tmp
- 2760 installer.exe
-
Loads dropped DLL 11 IoCs
Processes (pid, process):
- 2712 setup.exe
- 2912 setup.tmp
- 2912 setup.tmp
- 2912 setup.tmp
- 2900 regsvr32.exe
- 1560 regsvr32.exe
- 1964 regsvr32.exe
- 1444 regsvr32.exe
- 1444 regsvr32.exe
- 1444 regsvr32.exe
- 2992 regsvr32.exe
-
Modifies file permissions 1 TTPs 12 IoCs
Processes (pid, process):
- 2652 takeown.exe
- 2676 takeown.exe
- 2628 takeown.exe
- 2704 icacls.exe
- 2680 icacls.exe
- 2140 icacls.exe
- 624 icacls.exe
- 2004 icacls.exe
- 2640 icacls.exe
- 2672 takeown.exe
- 1976 takeown.exe
- 2212 takeown.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 30 IoCs
Processes (description, ioc, process):
- File created C:\Windows\SysWOW64\GPBAK\gpedit.dll (cmd.exe)
- File created C:\Windows\SysWOW64\GPBAK\gptext.dll (cmd.exe)
- File created C:\Windows\SysWOW64\GPBAK\fdeploy.dll (cmd.exe)
- File opened for modification C:\Windows\SysWOW64\GPBAK\gpedit.msc (cmd.exe)
- File opened for modification C:\Windows\SysWOW64\GroupPolicy\Adm\conf.adm (cmd.exe)
- File created C:\Windows\SysWOW64\GroupPolicy\Adm\wuau.adm (cmd.exe)
- File opened for modification C:\Windows\SysWOW64\fdeploy.dll (cmd.exe)
- File opened for modification C:\Windows\SysWOW64\gpedit.msc (cmd.exe)
- File created C:\Windows\SysWOW64\GroupPolicy\Adm\wmplayer.adm (cmd.exe)
- File opened for modification C:\Windows\SysWOW64\rsop.msc (regsvr32.exe)
- File created C:\Windows\SysWOW64\GPBAK\fde.dll (cmd.exe)
- File opened for modification C:\Windows\SysWOW64\GPBAK\gptext.dll (cmd.exe)
- File opened for modification C:\Windows\SysWOW64\GPBAK\appmgr.dll (cmd.exe)
- File created C:\Windows\SysWOW64\GPBAK\appmgr.dll (cmd.exe)
- File opened for modification C:\Windows\SysWOW64\fde.dll (cmd.exe)
- File opened for modification C:\Windows\SysWOW64\GroupPolicy\Adm\inetres.adm (cmd.exe)
- File opened for modification C:\Windows\SysWOW64\GPBAK\fdeploy.dll (cmd.exe)
- File opened for modification C:\Windows\SysWOW64\GroupPolicy\Adm\wmplayer.adm (cmd.exe)
- File opened for modification C:\Windows\SysWOW64\GroupPolicy\Adm\wuau.adm (cmd.exe)
- File opened for modification C:\Windows\SysWOW64\gpedit.dll (cmd.exe)
- File opened for modification C:\Windows\SysWOW64\appmgr.dll (cmd.exe)
- File opened for modification C:\Windows\SysWOW64\GroupPolicy\Adm\system.adm (cmd.exe)
- File created C:\Windows\SysWOW64\GroupPolicy\Adm\inetres.adm (cmd.exe)
- File created C:\Windows\SysWOW64\GroupPolicy\Adm\conf.adm (cmd.exe)
- File created C:\Windows\SysWOW64\GroupPolicy\Adm\system.adm (cmd.exe)
- File opened for modification C:\Windows\SysWOW64\GPBAK\gpedit.dll (cmd.exe)
- File opened for modification C:\Windows\SysWOW64\GPBAK\fde.dll (cmd.exe)
- File created C:\Windows\SysWOW64\GPBAK\gpedit.msc (cmd.exe)
- File opened for modification C:\Windows\SysWOW64\gptext.dll (cmd.exe)
- File created C:\Windows\SysWOW64\gpedit.msc (cmd.exe)
-
Drops file in Windows directory 3 IoCs
Processes (description, ioc, process):
- File created C:\Windows\unins000.dat (setup.tmp)
- File created C:\Windows\is-4CFVJ.tmp (setup.tmp)
- File opened for modification C:\Windows\unins000.dat (setup.tmp)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description, ioc, process):
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (setup.tmp)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (regsvr32.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (regsvr32.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (regsvr32.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (regsvr32.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (regsvr32.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (setup.exe)
-
Modifies registry class 64 IoCs
Processes (description, ioc; the process is regsvr32.exe for every entry):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F6B957D-509E-11D1-A7CC-0000F87571E3}\ = "Administrative Templates (Computers)"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager.1
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BACF5C8A-A3C7-11D1-A760-00C04FB9603F}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E45546F-6D52-4D10-B702-9C2E67232E62}\InprocServer32
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}\InProcServer32
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}\ProgID
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{942A8E4F-A261-11D1-A760-00C04FB9603F}\InprocServer32
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager.1\CLSID\ = "{1BC972D6-555C-4FF7-BE2C-C584021A0A6A}"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1BC972D6-555C-4FF7-BE2C-C584021A0A6A}\VersionIndependentProgID
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1BC972D6-555C-4FF7-BE2C-C584021A0A6A}\InprocServer32
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager\CLSID\ = "{7E45546F-6D52-4D10-B702-9C2E67232E62}"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA502722-A23D-11D1-A7D3-0000F87571E3}\InProcServer32
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63E23168-BFF7-4E87-A246-EF024425E4EC}\InProcServer32
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FDE
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C40D66A0-E90C-46C6-AA3B-473E38C72BF2}\VersionIndependentProgID
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F6B957D-509E-11D1-A7CC-0000F87571E3}\InProcServer32\ThreadingModel = "Apartment"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager.1\CLSID\ = "{BACF5C8A-A3C7-11D1-A760-00C04FB9603F}"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager\CLSID\ = "{942A8E4F-A261-11D1-A760-00C04FB9603F}"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{942A8E4F-A261-11D1-A760-00C04FB9603F}\VersionIndependentProgID
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FDE5092-AA2A-11D1-A7D4-0000F87571E3}\InProcServer32
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63E23168-BFF7-4E87-A246-EF024425E4EC}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40B66650-4972-11D1-A7CA-0000F87571E3}
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager.1\ = "Software installation"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1BC972D6-555C-4FF7-BE2C-C584021A0A6A}
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager.1\CLSID\ = "{7E45546F-6D52-4D10-B702-9C2E67232E62}"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DC3804B-7212-458D-ADB0-9A07E2AE1FA2}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40B66660-4972-11D1-A7CA-0000F87571E3}\InProcServer32
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F6B957E-509E-11D1-A7CC-0000F87571E3}\InProcServer32\ = "%SystemRoot%\\SysWow64\\gptext.dll"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FDE.1\ = "Folder Redirection Editor"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FDE.1
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager\CLSID\ = "{BACF5C8A-A3C7-11D1-A760-00C04FB9603F}"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E45546F-6D52-4D10-B702-9C2E67232E62}\ProgID
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager.1\CLSID
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager\ = "Software installation"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BACF5C8A-A3C7-11D1-A760-00C04FB9603F}\InprocServer32
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D70A2BEA-A63E-11D1-A7D4-0000F87571E3}\InProcServer32\ = "%SystemRoot%\\SysWow64\\GPEdit.dll"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}\InprocServer32
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C40D66A0-E90C-46C6-AA3B-473E38C72BF2}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40B66661-4972-11D1-A7CA-0000F87571E3}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40B66661-4972-11D1-A7CA-0000F87571E3}\InProcServer32
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F6B957E-509E-11D1-A7CC-0000F87571E3}\InProcServer32\ThreadingModel = "Apartment"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{942A8E4F-A261-11D1-A760-00C04FB9603F}\ProgID
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D70A2BEA-A63E-11D1-A7D4-0000F87571E3}\InProcServer32
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40B66660-4972-11D1-A7CA-0000F87571E3}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F6B957D-509E-11D1-A7CC-0000F87571E3}\InProcServer32
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager\CLSID
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E45546F-6D52-4D10-B702-9C2E67232E62}\VersionIndependentProgID
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DC3804B-7212-458D-ADB0-9A07E2AE1FA2}\InProcServer32
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40B66650-4972-11D1-A7CA-0000F87571E3}\InProcServer32
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppManager\CLSID\ = "{1BC972D6-555C-4FF7-BE2C-C584021A0A6A}"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40B6664F-4972-11D1-A7CA-0000F87571E3}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F637904-2CAB-4F0E-8688-D3717EBD2975}\InProcServer32
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D70A2BEA-A63E-11D1-A7D4-0000F87571E3}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F6B957E-509E-11D1-A7CC-0000F87571E3}
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F6B957E-509E-11D1-A7CC-0000F87571E3}\ = "Administrative Templates (Users)"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B6F9C8AF-EF3A-41C8-A911-37370C331DD4}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BACF5C8A-A3C7-11D1-A760-00C04FB9603F}\ProgID
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BACF5C8A-A3C7-11D1-A760-00C04FB9603F}\VersionIndependentProgID
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 5 IoCs
Processes (pid, process):
- 1312 regsvr32.exe
- 2376 regsvr32.exe
- 1944 regsvr32.exe
- 1784 regsvr32.exe
- 1264 regsvr32.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes (description, pid, process):
- Token: SeTakeOwnershipPrivilege, 2652 takeown.exe
- Token: SeTakeOwnershipPrivilege, 2676 takeown.exe
- Token: SeTakeOwnershipPrivilege, 2628 takeown.exe
- Token: SeTakeOwnershipPrivilege, 2672 takeown.exe
- Token: SeTakeOwnershipPrivilege, 1976 takeown.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes (pid, process):
- 2912 setup.tmp
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source pid and process, target pid and process; identical rows of the original table are grouped, with the row count given per group; 64 rows in total):
- PID 2712 setup.exe wrote to memory of 2912 setup.tmp (7 entries)
- PID 2912 setup.tmp wrote to memory of 2760 installer.exe (4 entries)
- PID 2760 installer.exe wrote to memory of 2804 cmd.exe (3 entries)
- PID 2804 cmd.exe wrote to memory of 2652 takeown.exe (3 entries)
- PID 2804 cmd.exe wrote to memory of 624 icacls.exe (3 entries)
- PID 2804 cmd.exe wrote to memory of 2676 takeown.exe (3 entries)
- PID 2804 cmd.exe wrote to memory of 2004 icacls.exe (3 entries)
- PID 2804 cmd.exe wrote to memory of 2628 takeown.exe (3 entries)
- PID 2804 cmd.exe wrote to memory of 2640 icacls.exe (3 entries)
- PID 2804 cmd.exe wrote to memory of 2672 takeown.exe (3 entries)
- PID 2804 cmd.exe wrote to memory of 2704 icacls.exe (3 entries)
- PID 2804 cmd.exe wrote to memory of 1976 takeown.exe (3 entries)
- PID 2804 cmd.exe wrote to memory of 2680 icacls.exe (3 entries)
- PID 2804 cmd.exe wrote to memory of 2212 takeown.exe (3 entries)
- PID 2804 cmd.exe wrote to memory of 2140 icacls.exe (3 entries)
- PID 2804 cmd.exe wrote to memory of 1312 regsvr32.exe (5 entries)
- PID 1312 regsvr32.exe wrote to memory of 2900 regsvr32.exe (7 entries)
- PID 2804 cmd.exe wrote to memory of 2376 regsvr32.exe (2 entries; the table is capped at 64 rows)
Processes
-
[level 1] C:\Users\Admin\AppData\Local\Temp\setup.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2712
-
[level 2] C:\Users\Admin\AppData\Local\Temp\is-HQ1PB.tmp\setup.tmp
Command line: "C:\Users\Admin\AppData\Local\Temp\is-HQ1PB.tmp\setup.tmp" /SL5="$30144,660927,54272,C:\Users\Admin\AppData\Local\Temp\setup.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 2912
-
[level 3] C:\Windows\Temp\gpedit\installer.exe
Command line: "C:\Windows\Temp\gpedit\installer.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2760
-
[level 4] C:\Windows\system32\cmd.exe
Command line: cmd /c ""C:\Windows\Temp\gpedit\x64.bat" "
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2804
-
[level 5] C:\Windows\system32\takeown.exe
Command line: takeown /f C:\Windows\SysWOW64\gpedit.dll
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID: 2652
-
[level 5] C:\Windows\system32\icacls.exe
Command line: icacls C:\Windows\SysWOW64\gpedit.dll /grant:r Admin:f
- Possible privilege escalation attempt
- Modifies file permissions
PID: 624
-
[level 5] C:\Windows\system32\takeown.exe
Command line: takeown /f C:\Windows\SysWOW64\fde.dll
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID: 2676
-
[level 5] C:\Windows\system32\icacls.exe
Command line: icacls C:\Windows\SysWOW64\fde.dll /grant:r Admin:f
- Possible privilege escalation attempt
- Modifies file permissions
PID: 2004
-
[level 5] C:\Windows\system32\takeown.exe
Command line: takeown /f C:\Windows\SysWOW64\gptext.dll
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID: 2628
-
[level 5] C:\Windows\system32\icacls.exe
Command line: icacls C:\Windows\SysWOW64\gptext.dll /grant:r Admin:f
- Possible privilege escalation attempt
- Modifies file permissions
PID: 2640
-
[level 5] C:\Windows\system32\takeown.exe
Command line: takeown /f C:\Windows\SysWOW64\appmgr.dll
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID: 2672
-
[level 5] C:\Windows\system32\icacls.exe
Command line: icacls C:\Windows\SysWOW64\appmgr.dll /grant:r Admin:f
- Possible privilege escalation attempt
- Modifies file permissions
PID: 2704
-
[level 5] C:\Windows\system32\takeown.exe
Command line: takeown /f C:\Windows\SysWOW64\fdeploy.dll
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID: 1976
-
[level 5] C:\Windows\system32\icacls.exe
Command line: icacls C:\Windows\SysWOW64\fdeploy.dll /grant:r Admin:f
- Possible privilege escalation attempt
- Modifies file permissions
PID: 2680
-
[level 5] C:\Windows\system32\takeown.exe
Command line: takeown /f C:\Windows\SysWOW64\GPBAK\*
- Possible privilege escalation attempt
- Modifies file permissions
PID: 2212
-
[level 5] C:\Windows\system32\icacls.exe
Command line: icacls C:\Windows\SysWOW64\GPBAK\* /grant:r Admin:f
- Possible privilege escalation attempt
- Modifies file permissions
PID: 2140
-
[level 5] C:\Windows\system32\regsvr32.exe
Command line: regsvr32 /s C:\Windows\SysWOW64\gpedit.dll
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID: 1312
-
[level 6] C:\Windows\SysWOW64\regsvr32.exe
Command line: /s C:\Windows\SysWOW64\gpedit.dll
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2900
-
[level 5] C:\Windows\system32\regsvr32.exe
Command line: regsvr32 /s C:\Windows\SysWOW64\fde.dll
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID: 2376
-
[level 6] C:\Windows\SysWOW64\regsvr32.exe
Command line: /s C:\Windows\SysWOW64\fde.dll
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1560
-
[level 5] C:\Windows\system32\regsvr32.exe
Command line: regsvr32 /s C:\Windows\SysWOW64\gptext.dll
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID: 1944
-
[level 6] C:\Windows\SysWOW64\regsvr32.exe
Command line: /s C:\Windows\SysWOW64\gptext.dll
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1964
-
[level 5] C:\Windows\system32\regsvr32.exe
Command line: regsvr32 /s C:\Windows\SysWOW64\appmgr.dll
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID: 1784
-
[level 6] C:\Windows\SysWOW64\regsvr32.exe
Command line: /s C:\Windows\SysWOW64\appmgr.dll
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1444
-
[level 5] C:\Windows\system32\regsvr32.exe
Command line: regsvr32 /s C:\Windows\SysWOW64\fdeploy.dll
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID: 1264
-
[level 6] C:\Windows\SysWOW64\regsvr32.exe
Command line: /s C:\Windows\SysWOW64\fdeploy.dll
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 2992
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
289KB
MD5 76422d781c0fbbb368f8559dc12a39b1
SHA1 148ec10a2f8fab845f8e1b2a8c013fcb9451ecb2
SHA256 2613b7e843d0ad5959a74d2b2601f5e981e8e1fdc39a44da175ab076c08839a3
SHA512 2f86df50d71740cf5e571fa8ba478ba70ec12cf94d96ede50d864dddd92d3b3a5991c874264c05edf0a5824df9b9f1c513a429bc97ec275a7eb001f98097cb84
-
Filesize
39KB
MD5 6c2422f9265d2ead5cfb47540bd46c71
SHA1 2e19092c1883ef8578b066569843a3b4156138ee
SHA256 3c21ed1d9ee8de426d9dd329499ce4eb9cc24122aea61694fcfe9115c0ea2ea7
SHA512 686dc55296226967df3a447271dbb16b72f114de4134efbdebc8c392b2e660fc4dc1fd077054b4d7924e73ccde123ef2098b286a90878ef4b2e2cdd832fe5ce2
-
Filesize
122KB
MD5 cba0be94e3985f6db7701e259c73b43b
SHA1 8b20257ee2add36f93943a33f7f683928d86463d
SHA256 a1f26b60132f7db711140b4f170bd3a9c92053bf178bef6d5809e12c483bf7fc
SHA512 a9b6cf644980b841e6c1d34483bada401b53ed54bfb0846a069e9a301decb997792939fd45e6a0e5612cc4c50f1fa236f1a190422b4f1abce7cb4a4537510334
-
Filesize
72KB
MD5 5e12974f81fae8f695e2b4ea05418af3
SHA1 c5b887f1b8909b217818c220a9bb21c95a56b387
SHA256 5f6331af5e4159a48a5f2da6c9b52c970564f58fc5a889cbcb90f9edca011d90
SHA512 6e9c4dc6bd514ff3ab2cd3a808eda06ada2728e7d30985a2211beb99a75004a4128ba9c0582fe471a16fd5cac3e98e6ecfaece1ec498455b5a7135642dbd35f0
-
Filesize
553KB
MD5 65f8da8424ad27a365f61ccc8621fed2
SHA1 59979870fcdf01414b9999578d6bee4426feb3ba
SHA256 92beba4934d0263fd21827cc96e02689da9abaed571fe88836b3469f70d4a28e
SHA512 8f64574466cb4f9646b550899101b62fa84c5b6afe72f517860ff8c27599cc817986d0dc6f42a30d57efe3fe4b27cb1389db3795b71e66f5a4f7e3b07733fd71
-
Filesize
34KB
MD5 c9ad01520798dc5cd144c2dce97657c3
SHA1 90973c38ddb1ace1fbf8eefd043141553868f3c7
SHA256 da7f0d319289ddbcd70d110f72778cec6246e342f65fef727219bd575405d89b
SHA512 7a2b335a880b034dcac8ff61fc8e87e3af2a54625200a7ee2daa2d5d02753ff713e1e81718b3cd4c4b6bf1eb874994bcfe7761b93e78b3f4298fb545b12d69c6
-
Filesize
195KB
MD5 e75463b95cb67b77bb6fa71e4f0539e8
SHA1 1c78c2d1a5d2ad62d83a8fe2f11e56dbcc3a50ac
SHA256 e11ff0a739e09df75cd1af7833ba8fe8783e8b937e2d5f3dc25a8f6d234ba93b
SHA512 3df066f7cc265b75010d9ccd1ab5b574b590dd0fc7a73c6ace488ac3a641d4eb9c253393fffaf941083c7fb6b55638457df9abbdd73b48d4b9824196a284e1d9
-
Filesize
1.4MB
MD5 bb39b39e6d48620dfd401733bc8dbbd2
SHA1 c832b2edbe26eec52bb560b41e99eeaeef8b4b1a
SHA256 e749d975062f79b5a63a123f75cd615b0b5b833316ca6fd17b999b884193e194
SHA512 69542ef1e8cbb372ee586dceca019b3434df2de2011573150cc3d84dee5fffcfc3b020f99af4239e03d583a6dab2aeb95998062f7b16ea570738930861add93a
-
Filesize
1.7MB
MD5 81e9f4f83b5a6b43293db805f31629df
SHA1 28baaaf9958b0f27e60f873ac275cc593b55e2b3
SHA256 c4fa35170090dccd405ff951dadc2a64b6e3618728efb5f41ccf939971eabcd2
SHA512 a79b9e04ba5c2094c9cdc4e738b5fbd900a2dc0613d0fa2002b1cce79293f84f43454c1e8102b307baf6958b8b4fcb96eda84665e987136266df0bfa56926b27
-
Filesize
65KB
MD5 9780ba64ffd34694fdfa0066b907bd04
SHA1 ffc36cfb3934499c73092751a5eb406720eb915b
SHA256 c954c69ee2490819cee734265470a3cc1cec1159ab5233258769ef6f703509eb
SHA512 eb5d672bf06c7943618e10b52e44427689c3d373c4eb5e196aa26aa88e7bba91a99a2d263789ea11eb6c37fee2bf57d34d6d8dc1aae54b90185b3dc76e5f8806
-
Filesize
39KB
MD5 989878dae9f52b78fb79b49ef9759ec0
SHA1 94cc11280f7cd7fd93652f40013e79c15f2e751a
SHA256 9f0f5b397eb903c36a668ffa7274574994d56b832439b750f4e85e472253bfea
SHA512 6d5b01d4e263a35df6abc9a7a8e1d22c27c017a2c8f2a33b5a432ac1d8bdd95629afb68d4699c987e0c951f20ef1b81a66ff794aa1ea3610c0306d44d28700a3
-
Filesize
2KB
MD5 6c718c722c6b289de25ce1c758fdf970
SHA1 06264f2bcde0dc43b035340ec2f36ed04999a30e
SHA256 a13339020b5b3ccb7e185ff26b9a9916a48663dc0ce6d88c3d310556ad4a733f
SHA512 ff3b2a737de7b40d10ddb18cebd8993fd0e809f07ced2b7931fcb3cbcaaa2e0fde34b0fb0693b2ee667688c2fa1b54593f48244d4d9f144dae5e6beda093babb
-
Filesize
680KB
MD5 e60a74a65005e4c4f61cbe9c09d368df
SHA1 1d649b2ab5e08632d64e23f5f9e5675b68e184b4
SHA256 78f6692d50d07bd78a97294d196f9ae7d1fc48b058375e5d7bb766970faab758
SHA512 a73b84739f4da0827976cf473e63ba3dc7649ab2d37be13c8fb786487d0dc7ef5b2bd446d8c745d75266447357bde4f32f58f1f1c92b156f06f141fea2873856
-
Filesize
22KB
MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
5KB
MD5 5e0ece1cfe6a91a811f49bd35234d4a2
SHA1 a458b8ef3d88b3e5ff5c732532ffc7677dea3d2e
SHA256 bba8c14f2816d3a107f5609f5be9cfdc63ac1c499d2ee3d73b117af77ba9a6a5
SHA512 76801b41aebcaa216134e70f8a8b4bcb416736cee5b241ae5f8ffee89e3c41131a9d69bd9ae25bc3f4d7f09b32f2b05f8e70efe880477f3e6bc28ef1f8d3a929