Analysis
max time kernel: 120s
max time network: 16s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 18:11

Static task: static1
Behavioral task: behavioral1
  Sample: 5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe
  Resource: win10v2004-20241007-en

General
Target: 5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe
Size: 3.1MB
MD5: 9f1383e2d52a5b294ebe8daf13689060
SHA1: bf3262405f0f337a4456b9900264039ad8054ebe
SHA256: 5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9c
SHA512: a5b5007f5c710573b6b2227e48456c01edf4efc68004856688a804b575d5f5e159c522d081b75a65e1aa5c36539ccb5f040f4f4119483cb527f8096ab7da2459
SSDEEP: 49152:aPn7jMWf14IzfJSm5W/IYhYt+JawfDwqMxivs4ympISasV9U:EjMJIzfgIYhpU/qwiUZmCg
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | secioit.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | secioit.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 55feng39.MIR
Drops file in Drivers directory 5 IoCs
All five hits are on the resolver's hosts files (hosts and its Internet Connection Sharing companion hosts.ics). Read together with the icacls/cacls commands in the process tree, which first grant Everyone full control on this directory, this is a hosts-file hijack: loosen the ACL, then rewrite name resolution.
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts.ics | secioit.exe
File opened for modification | C:\Windows\System32\drivers\etc\hosts | secioit.exe
File opened for modification | C:\WINDOWS\system32\drivers\etc\hosts | secioit.exe
File created | C:\WINDOWS\system32\drivers\etc\hosts.ics | secioit.exe
File opened for modification | C:\WINDOWS\system32\drivers\etc\hosts.ics | secioit.exe
Drops startup file 1 IoCs
Persistence via the per-user Startup folder. Note the shortcut is named secinit.exe.lnk, one letter off the dropped binary's own name (secioit.exe); search for both spellings when sweeping hosts.
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\secinit.exe.lnk | secioit.exe
Executes dropped EXE 3 IoCs
pid | Process
2992 | secioit.exe
2500 | 55feng39.MIR
1008 | secioit.exe
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | 55feng39.MIR
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | secioit.exe
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | 5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | secioit.exe
Loads dropped DLL 7 IoCs
pid | Process
2664 | 5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe
2664 | 5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe
2992 | secioit.exe
2664 | 5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe
2664 | 5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe
2500 | 55feng39.MIR
2500 | 55feng39.MIR
Modifies file permissions 1 TTPs 1 IoCs
pid | Process
2384 | icacls.exe
Drops file in System32 directory 6 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\secioit.exe | 5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe
File opened for modification | C:\Windows\SysWOW64\secioit.exe | 5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe
File opened for modification | C:\Windows\SysWOW64\winioit.exe | 55feng39.MIR
File created | C:\Windows\SysWOW64\secioit.exe | 55feng39.MIR
File opened for modification | C:\Windows\SysWOW64\secioit.exe | 55feng39.MIR
File opened for modification | C:\Windows\SysWOW64\winioit.exe | 5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid | Process
2664 | 5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe
2992 | secioit.exe
2500 | 55feng39.MIR
1008 | secioit.exe
UPX-packed memory regions (yara rule upx) 33 IoCs
Every hit is the same 0x10000000-0x1003F000 range, first in PID 2664 (23 dumps) and later in PID 2500 (10 dumps). 0x10000000 is the linker's default image base for a DLL, so these are most likely the UPX-packed dropped DLL counted under "Loads dropped DLL" being mapped, unrebased, into both processes, rather than the main executables themselves.
resource | yara_rule
behavioral1/memory/2664-45-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2664-43-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2664-41-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2664-39-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2664-37-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2664-35-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2664-33-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2664-31-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2664-29-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2664-27-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2664-25-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2664-23-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2664-21-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2664-19-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2664-17-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2664-15-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2664-13-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2664-11-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2664-9-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2664-7-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2664-5-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2664-4-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2664-2-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2500-108-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2500-106-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2500-104-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2500-102-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2500-100-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2500-98-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2500-96-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2500-94-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2500-92-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2500-91-0x0000000010000000-0x000000001003F000-memory.dmp | upx
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\WINDOWS\ADsafa.exe | 55feng39.MIR
File opened for modification | C:\WINDOWS\ADsafa.exe | 5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It loads helper DLLs registered under HKLM\SOFTWARE\Microsoft\NetSh (Wow6432Node for the 32-bit binary) every time it starts, which is what makes that key a persistence location (MITRE ATT&CK T1546.007).
Caveat for this report: every one of the 64 entries is a read of the NetSh key by netsh.exe itself (21 Key opened, 24 Key queried, 19 Key value enumerated), which is simply netsh enumerating its registered helpers at start-up. There is no Key value set or Key created on that key anywhere in the report. The signature fired because secioit.exe runs `netsh ipsec static delete all` dozens of times, not because a helper DLL was installed; before treating this as persistence, look for a write to the NetSh key by a process other than netsh.exe. (64 is almost certainly the report's per-signature listing cap: this signature, System Language Discovery and WriteProcessMemory all stop at exactly 64.)
description | ioc | Process | count
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe | 21
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe | 24
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe | 19
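The distinction that matters for this signature is reads versus writes on the NetSh key. The following is an added triage helper written for this page (not code from the report, the sandbox, or the sample): it parses `description ioc Process` rows in the form printed above, counts operations on the helper key, and only reports T1546.007 as substantiated when a write is present. The sample rows are constructed from the listing above; the write-operation names (`Key value set`, `Key created`) and the `evil.exe` row are assumptions added to exercise the positive path, since the report contains no such write.

```python
"""Triage check for the 'Netsh Helper DLL' signature: reads vs writes.

Added example for this page; not code from the report or the sample.
Parses 'description ioc Process' rows as printed in the report and decides
whether T1546.007 is substantiated (a write to the NetSh key) or whether
netsh.exe merely enumerated its helpers, as in this report.
"""
from collections import Counter

NETSH_KEYS = (
    r"\registry\machine\software\microsoft\netsh",
    r"\registry\machine\software\wow6432node\microsoft\netsh",
)
READ_OPS = {"Key opened", "Key queried", "Key value enumerated", "Key value queried"}
# Operation names for writes are an assumption about how the report labels them.
WRITE_OPS = {"Key value set", "Key created", "Key value created"}

# Rows constructed from the IoC listing (reads only), plus one unrelated key.
REPORT_ROWS = [
    r"Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe",
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe",
    r"Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe",
]
# Hypothetical row (not in the report): what a real helper registration would look like.
HYPOTHETICAL_WRITE = r"Key value set \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh evil.exe"


def parse_ioc_line(line):
    """Split 'Key value enumerated \\REGISTRY\\...\\NetSh netsh.exe' into (op, key, process)."""
    op, _, rest = line.partition(" \\")      # operation is everything before the key
    key, _, proc = rest.rpartition(" ")      # process is the last token
    return op.strip(), "\\" + key.strip(), proc.strip()


def triage_netsh_helper(rows):
    """Count NetSh-key operations and report whether any of them is a write."""
    by_op = Counter()
    writers = []
    for line in rows:
        op, key, proc = parse_ioc_line(line)
        if not key.lower().startswith(NETSH_KEYS):
            continue  # not the helper key; ignore
        by_op[op] += 1
        if op in WRITE_OPS:
            writers.append((proc, op, key))
    return {
        "by_op": dict(by_op),
        "reads": sum(n for op, n in by_op.items() if op in READ_OPS),
        "writers": writers,
        "persistence_substantiated": bool(writers),
    }


if __name__ == "__main__":
    print(triage_netsh_helper(REPORT_ROWS))                        # reads only
    print(triage_netsh_helper(REPORT_ROWS + [HYPOTHETICAL_WRITE]))  # one write
```

Run against the real listing the verdict is "not substantiated" with 64 reads and no writer; a single `Key value set` by a non-netsh process flips it, which is the row an analyst should be hunting for in the full event log.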
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Caveat for this report: all 64 entries are opens of the NLS\Language key, roughly half by cmd.exe and half by netsh.exe (the wrappers secioit.exe spawns for the IPsec commands), with a single open by secioit.exe itself. Opening this key is routine for Windows binaries, so the signature is weak on its own; only the secioit.exe hit is attributable to the malware's own code.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (repeated)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe (repeated)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | secioit.exe
Modifies Internet Explorer settings 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | secioit.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
2664 | 5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe
2664 | 5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe
2664 | 5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe
2992 | secioit.exe
2500 | 55feng39.MIR
2500 | 55feng39.MIR
2500 | 55feng39.MIR
1008 | secioit.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
2664 | 5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe
2500 | 55feng39.MIR
Suspicious use of SendNotifyMessage 2 IoCs
pid | Process
2664 | 5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe
2500 | 55feng39.MIR
Suspicious use of SetWindowsHookEx 18 IoCs
pid | Process | hits
2664 | 5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe | 5
2992 | secioit.exe | 4
2500 | 55feng39.MIR | 5
1008 | secioit.exe | 4
Suspicious use of WriteProcessMemory 64 IoCs
The report lists each write four times; collapsed here to the 16 distinct parent/child pairs. Every target is a process the writer had just created (the pairs match the process tree where it is visible; children 2008 and 3000 fall in the part of the tree that is not shown), which is consistent with a parent populating a new child's address space at process creation rather than injection into an unrelated process. The report does not show what was written, so this does not rule out injection into the children.
writer pid | writer Process | target pid | procid_target | entries
2664 | 5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe | 2992 | 31 | 4
2664 | 5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe | 2008 | 32 | 4
2992 | secioit.exe | 2332 | 34 | 4
2992 | secioit.exe | 2036 | 35 | 4
2332 | cmd.exe | 2384 | 38 | 4
2036 | cmd.exe | 532 | 39 | 4
2036 | cmd.exe | 480 | 40 | 4
2664 | 5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe | 2500 | 41 | 4
2500 | 55feng39.MIR | 1008 | 42 | 4
2500 | 55feng39.MIR | 3000 | 44 | 4
2992 | secioit.exe | 1408 | 46 | 4
1408 | cmd.exe | 2944 | 48 | 4
2992 | secioit.exe | 1032 | 49 | 4
1032 | cmd.exe | 2100 | 51 | 4
2992 | secioit.exe | 2712 | 52 | 4
2712 | cmd.exe | 2908 | 54 | 4
Processes
Tree as recorded in behavioral1. Depth is shown by indentation; each entry gives the image path, the command line as executed, and the signatures raised on that process. The listing is cut off after its last entry. Two things to keep in mind when reading it: the sample is 32-bit, so WOW64 file system redirection resolves C:\Windows\System32\... to C:\Windows\SysWOW64\..., which is why secioit.exe is launched as System32\secioit.exe but runs from SysWOW64 (where the sample dropped it); and PIDs such as 532, 480, 1404, 1984, 2332, 2100 and 2908 recur because the short-lived cmd.exe/netsh.exe children exit and Windows reuses their PIDs, so do not correlate on PID alone.

PID 2664  C:\Users\Admin\AppData\Local\Temp\5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  PID 2992  C:\Windows\SysWOW64\secioit.exe
    cmdline: C:\Windows\System32\secioit.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Drops file in Drivers directory
    - Drops startup file
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    PID 2332  C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd.exe /c icacls %windir%\system32\drivers\etc /t /grant:r everyone:f
      (grants Everyone full control, recursively, on the directory holding the hosts file)
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      PID 2384  C:\Windows\SysWOW64\icacls.exe
        cmdline: icacls C:\Windows\system32\drivers\etc /t /grant:r everyone:f
        - Modifies file permissions

    PID 2036  C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd.exe /c echo y|cacls %windir%\system32\drivers\etc /g everyone:f
      (same ACL change via the legacy tool, with "y" piped in to answer cacls' confirmation prompt)
      - Suspicious use of WriteProcessMemory

      PID 532  C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo y"

      PID 480  C:\Windows\SysWOW64\cacls.exe
        cmdline: cacls C:\Windows\system32\drivers\etc /g everyone:f

    The remaining children of PID 2992 are all the same pair: C:\Windows\SysWOW64\cmd.exe running `cmd.exe /c netsh ipsec static delete all`, which spawns C:\Windows\SysWOW64\netsh.exe running `netsh ipsec static delete all` (removes every static IPsec policy on the host). Signatures raised on an individual process are given in brackets: WPM = Suspicious use of WriteProcessMemory, SysLang = System Location Discovery: System Language Discovery, NetshHelper = Event Triggered Execution: Netsh Helper DLL.

    cmd.exe PID 1408 [WPM]  ->  netsh.exe PID 2944
    cmd.exe PID 1032 [WPM]  ->  netsh.exe PID 2100 [NetshHelper]
    cmd.exe PID 2712 [WPM]  ->  netsh.exe PID 2908 [NetshHelper]
    cmd.exe PID 2588  ->  netsh.exe PID 2900 [SysLang]
    cmd.exe PID 2284 [SysLang]  ->  netsh.exe PID 2524 [NetshHelper, SysLang]
    cmd.exe PID 1404  ->  netsh.exe PID 576 [NetshHelper, SysLang]
    cmd.exe PID 1536  ->  netsh.exe PID 1984 [NetshHelper]
    cmd.exe PID 1900 [SysLang]  ->  netsh.exe PID 2344 [SysLang]
    cmd.exe PID 532  ->  netsh.exe PID 480 [SysLang]
    cmd.exe PID 3060 [SysLang]  ->  netsh.exe PID 2776 [NetshHelper]
    cmd.exe PID 2680  ->  netsh.exe PID 2744
    cmd.exe PID 2224  ->  netsh.exe PID 1544
    cmd.exe PID 1016  ->  netsh.exe PID 2472
    cmd.exe PID 2496  ->  netsh.exe PID 900
    cmd.exe PID 2256 [SysLang]  ->  netsh.exe PID 860 [NetshHelper]
    cmd.exe PID 1880  ->  netsh.exe PID 1648 [NetshHelper]
    cmd.exe PID 1844 [SysLang]  ->  netsh.exe PID 2152 [SysLang]
    cmd.exe PID 2148  ->  netsh.exe PID 1720 [NetshHelper, SysLang]
    cmd.exe PID 2896  ->  netsh.exe PID 2124 [NetshHelper]
    cmd.exe PID 1344  ->  netsh.exe PID 3004 [NetshHelper]
    cmd.exe PID 1628 [SysLang]  ->  netsh.exe PID 2908
    cmd.exe PID 2980  ->  netsh.exe PID 2640 [SysLang]
    cmd.exe PID 2316 [SysLang]  ->  netsh.exe PID 2576
    cmd.exe PID 1396  ->  netsh.exe PID 2444
    cmd.exe PID 1264 [SysLang]  ->  netsh.exe PID 1952 [SysLang]
    cmd.exe PID 1404  ->  netsh.exe PID 2276
    cmd.exe PID 1984  ->  netsh.exe PID 2800
    cmd.exe PID 2332 [SysLang]  ->  netsh.exe PID 2784
    cmd.exe PID 2584  ->  netsh.exe PID 1576 [SysLang]
    cmd.exe PID 2200  ->  netsh.exe PID 2388
    cmd.exe PID 2680  ->  netsh.exe PID 1152 [NetshHelper]
    cmd.exe PID 2224  ->  netsh.exe PID 1848 [NetshHelper]
    cmd.exe PID 1016  ->  netsh.exe PID 2236
    cmd.exe PID 608  ->  netsh.exe PID 1272
    cmd.exe PID 1872 [SysLang]  ->  netsh.exe PID 1728
    cmd.exe PID 1704  ->  netsh.exe PID 2968 [NetshHelper]
    cmd.exe PID 636  ->  netsh.exe PID 880 [NetshHelper]
    cmd.exe PID 2148  ->  netsh.exe PID 1784 [NetshHelper, SysLang]
    cmd.exe PID 1092 [SysLang]  ->  netsh.exe PID 1940
    cmd.exe PID 2100  ->  netsh.exe PID 2660 [NetshHelper]
    cmd.exe PID 2908  ->  netsh.exe PID 1492 [NetshHelper, SysLang]
    cmd.exe PID 2168 [SysLang]  ->  (listing ends here)
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵PID:2636
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵
- System Location Discovery: System Language Discovery
PID:2644 -
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:936
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:2444
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- System Location Discovery: System Language Discovery
PID:920
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:1360
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1616
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1536
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵
- System Location Discovery: System Language Discovery
PID:992 -
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1500
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:2384
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2780
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:480
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2728
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵
- System Location Discovery: System Language Discovery
PID:1948 -
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1544
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:2192
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵PID:2472
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:3040
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵PID:900
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵
- System Location Discovery: System Language Discovery
PID:1776 -
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:844
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:2496
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1652
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:1056
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:588
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵
- System Location Discovery: System Language Discovery
PID:740 -
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1428
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:968
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- System Location Discovery: System Language Discovery
PID:112
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:2268
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- System Location Discovery: System Language Discovery
PID:2748
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:1372
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1496
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:1424
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵PID:2536
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:2560
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵PID:2600
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:2980
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵PID:2844
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:2316
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:624
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:2444
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- System Location Discovery: System Language Discovery
PID:2028
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:1360
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵PID:2592
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:3044
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵PID:324
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:992
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵PID:840
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:2384
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2776
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2392
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- System Location Discovery: System Language Discovery
PID:828
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:2156
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵PID:2000
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:2372
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:860
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:1488
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1224
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵
- System Location Discovery: System Language Discovery
PID:1692 -
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵PID:1532
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:1668
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:800
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:1648
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵PID:1784
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:968
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵PID:2896
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:2268
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵PID:2100
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵
- System Location Discovery: System Language Discovery
PID:1372 -
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2624
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:1424
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- System Location Discovery: System Language Discovery
PID:2608
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2976
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:2456
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵PID:2168
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:2876
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:768
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:2284
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- System Location Discovery: System Language Discovery
PID:1636
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:2816
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵PID:1552
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵
- System Location Discovery: System Language Discovery
PID:1976 -
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵PID:2008
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:1048
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1824
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:1928
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2784
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:1596
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:872
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:2392
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1876
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:344
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1312
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:2140
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵PID:2236
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵
- System Location Discovery: System Language Discovery
PID:1468 -
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵PID:1540
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:916
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2484
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:1532
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵PID:1728
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵
- System Location Discovery: System Language Discovery
PID:800 -
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵PID:2892
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵
- System Location Discovery: System Language Discovery
PID:1784 -
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1688
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:1092
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵PID:2452
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:2756
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵PID:2056
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵
- System Location Discovery: System Language Discovery
PID:2720 -
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- System Location Discovery: System Language Discovery
PID:2488
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:2608
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵PID:1032
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2480
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵
- System Location Discovery: System Language Discovery
PID:2544 -
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2456
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:1036
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2084
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:1400
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵PID:2260
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:1244
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- System Location Discovery: System Language Discovery
PID:1856
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:2036
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1976
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:2916
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵PID:3016
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:1576
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- System Location Discovery: System Language Discovery
PID:2244
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:444
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2364
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵
- System Location Discovery: System Language Discovery
PID:1268 -
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵PID:480
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵PID:2044
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵PID:2828
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh ipsec static delete all3⤵
- System Location Discovery: System Language Discovery
PID:1780 -
C:\Windows\SysWOW64\netsh.exenetsh ipsec static delete all4⤵PID:2228
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\updata.bat2⤵PID:2008
-
-
C:\Users\Admin\AppData\Local\Temp\55feng39.MIRC:\Users\Admin\AppData\Local\Temp\55feng39.MIR2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\secioit.exeC:\Windows\System32\secioit.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1008
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\updata.bat3⤵PID:3000
-
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- File and Directory Permissions Modification (1)
- Modify Registry (1)
- Virtualization/Sandbox Evasion (2)