Analysis
max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 25/11/2024, 02:40
Static task: static1
Behavioral task: behavioral1
  Sample: abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe
  Resource: win10v2004-20241007-en
General
Target: abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe
Size: 2.8MB
MD5: 3d0a200a7a10fc050f676cab55641882
SHA1: feb4e4c35face5b3cff34abbd340244485137183
SHA256: abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1
SHA512: 97a11508b65d52cbb7d341b33672bd56f66de7bbc7ebec23100e6b938a3322e3b755a6c3faf219e10907f428385be066fd05824310092ce31434a138d82bb0fd
SSDEEP: 49152:S9+hB4W9rsYBtYnPnQyTdDyHP8+FVKnHKduZYFMZh3uSg:SO2srDYPnXyk+FVO66a
Malware Config
Signatures
Neshta
Neshta is a file-infecting virus: it prepends its own body to executables it finds, so each infected program becomes a carrier, while the original program is kept inside the infected file and run from a temporary copy. In this run the sample drops C:\Windows\svchost.com, rewrites the exefile shell\open\command handler so that every .exe launch is routed through svchost.com, opens 64 executables under Program Files for modification, and executes the extracted original program from %TEMP%\3582-490\.
Neshta family
Executes dropped EXE (1 IoC)
  PID 2548  abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe
Loads dropped DLL (2 IoCs)
  PID 804  abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe
  PID 804  abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe
Modifies system executable filetype association (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe
With this value the shell no longer runs a .exe directly: every launch starts C:\Windows\svchost.com first, with the real target passed as "%1" and the original arguments as %*. The change is persistent across reboots and is the mechanism by which the infector gets to run (and infect) on every program start.
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No IoCs are listed for this signature in the report, so it should be weighted accordingly.
Drops file in Program Files directory (64 IoCs)
All 64 entries are "File opened for modification" by abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe. The paths are 8.3 short names as logged by the sandbox; on this x64 image PROGRA~2 corresponds to Program Files (x86) and PROGRA~3 to ProgramData, so the targets are third-party and Office executables plus cached redistributable installers.
  C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
  C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE
  C:\PROGRA~2\WI54FB~1\wmpshare.exe
  C:\PROGRA~2\MICROS~1\Office14\misc.exe
  C:\PROGRA~2\WI54FB~1\wmpconfig.exe
  C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe
  C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE
  C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE
  C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE
  C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
  C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
  C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
  C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
  C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
  C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
  C:\PROGRA~2\Google\Update\DISABL~1.EXE
  C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE
  C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe
  C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
  C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE
  C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE
  C:\PROGRA~2\WI54FB~1\wmprph.exe
  C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe
  C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE
  C:\PROGRA~2\INTERN~1\ielowutil.exe
  C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
  C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE
  C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
  C:\PROGRA~2\WI54FB~1\setup_wm.exe
  C:\PROGRA~2\WI54FB~1\wmlaunch.exe
  C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
  C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
  C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
  C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
  C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE
  C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe
  C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
  C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
  C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
  C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE
  C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
  C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE
  C:\PROGRA~2\INTERN~1\ieinstal.exe
  C:\PROGRA~2\INTERN~1\iexplore.exe
  C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
  C:\PROGRA~2\WI54FB~1\WMPDMC.exe
  C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
  C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
  C:\PROGRA~2\WI54FB~1\wmplayer.exe
  C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
  C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
  C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
  C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
  C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
  C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
  C:\PROGRA~2\WINDOW~1\wabmig.exe
  C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
Drops file in Windows directory (1 IoC)
  File opened for modification  C:\Windows\svchost.com  abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe
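The exefile handler rewrite and the svchost.com drop above are the two IoCs worth turning into a host check, because the registry value survives reboots and every shell launch of a .exe then runs C:\Windows\svchost.com with the real target as "%1". The Python below is an added example and is not part of the Triage report or the sandbox's own code. It parses "Set value (str)" lines in the format the report prints (the sample lines are constructed from the IoC above plus a stock value attributed to a hypothetical benign_installer.exe, so the classifier has a negative case), flags any value in which a program precedes the %1 placeholder, and on a Windows host reads the live HKLM and HKCU values with winreg so a per-user hijack is not missed. The function names parse_set_value, classify_exefile_command, scan_ioc_lines and read_live_exefile_commands are this example's own.

```python
import re
import sys
from typing import List, NamedTuple, Optional, Tuple

# Stock handler Windows registers for the exefile class: run the file itself
# ("%1") and pass the remaining arguments (%*) through unchanged.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# Constructed sample input (not copied from a live system): the IoC line from
# the report above in the sandbox's own escaping, plus a stock value written by
# a hypothetical benign installer so the classifier has a negative case.
SAMPLE_IOC_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ '
    r'= "C:\\Windows\\svchost.com \"%1\" %*" '
    r'abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ '
    r'= "\"%1\" %*" benign_installer.exe',
]

_SET_VALUE_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+) = "(?P<value>.*)" (?P<proc>\S+)$'
)


class Verdict(NamedTuple):
    nondefault: bool          # value differs from the stock handler
    handler: Optional[str]    # program inserted ahead of %1, if any
    reason: str


def parse_set_value(line: str) -> Tuple[str, str, str]:
    """Split a sandbox 'Set value (str)' line into (key, value, process)."""
    m = _SET_VALUE_RE.match(line.strip())
    if not m:
        raise ValueError("not a 'Set value (str)' IoC line: %r" % line)
    # Undo the report's escaping of quotes and backslashes inside the value.
    value = m.group("value").replace('\\"', '"').replace("\\\\", "\\")
    return m.group("key"), value, m.group("proc")


def classify_exefile_command(value: str) -> Verdict:
    """Decide whether an exefile shell\\open\\command value wraps .exe launches."""
    normalized = " ".join(value.split())
    if normalized == DEFAULT_EXEFILE_COMMAND:
        return Verdict(False, None, "stock handler")
    # Whatever precedes the %1 placeholder runs first and receives the real
    # target as an argument; that is exactly the svchost.com pattern above.
    idx = normalized.find('"%1"')
    if idx < 0:
        idx = normalized.find("%1")
    if idx < 0:
        return Verdict(True, None, "no %1 placeholder: .exe files no longer launch themselves")
    if idx == 0:
        return Verdict(True, None, "non-default arguments: " + normalized)
    handler = normalized[:idx].strip().strip('"')
    return Verdict(True, handler, "every .exe launch is routed through " + handler)


def scan_ioc_lines(lines: List[str]) -> List[Tuple[str, Verdict]]:
    """Return (process, verdict) for each exefile handler change in the lines."""
    findings = []
    for line in lines:
        try:
            key, value, proc = parse_set_value(line)
        except ValueError:
            continue  # not a registry Set value line; skip
        if key.lower().rstrip("\\").endswith(r"\classes\exefile\shell\open\command"):
            findings.append((proc, classify_exefile_command(value)))
    return findings


def read_live_exefile_commands() -> List[Tuple[str, str]]:
    """On Windows, read the handler from both HKLM and HKCU; [] elsewhere.

    HKCR is a merged view in which HKCU\\Software\\Classes overrides HKLM, so a
    per-user hijack stays invisible if only the machine hive is checked.
    """
    if sys.platform != "win32":
        return []
    import winreg  # only importable on Windows
    results = []
    hives = (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER))
    for name, hive in hives:
        try:
            with winreg.OpenKey(hive, r"Software\Classes\exefile\shell\open\command") as k:
                value, _ = winreg.QueryValueEx(k, "")
        except OSError:
            continue  # key absent in this hive
        results.append((name, value))
    return results


if __name__ == "__main__":
    for proc, verdict in scan_ioc_lines(SAMPLE_IOC_LINES):
        print(proc, verdict)
    for hive, value in read_live_exefile_commands():
        print(hive, classify_exefile_command(value))
```

The handler path a verdict returns is the file to collect (here the one listed under Drops file in Windows directory). Resetting the value to "%1" %* is not a cleanup on its own: the executables opened for modification under Program Files may still carry the infector, and launching any of them re-installs the handler.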
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe
Modifies registry class (1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe
  (the same write as under "Modifies system executable filetype association")
Modifies system certificate store (2 IoCs)
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436  abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [blob data not shown in report]  abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe
Caveat: AuthRoot is the store that the Windows automatic root certificate update populates when a certificate chain is built against a root not yet cached locally, and thumbprint A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 matches the Microsoft-distributed DigiCert Global Root CA. Treat this entry as a side effect of a chain validation rather than as evidence of a malicious root install unless the written blob is confirmed to be something other than that root; the ATT&CK "Install Root Certificate" mapping below rests on this single IoC.
Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2548  abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  PID 2548  abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe
  Token: SeIncreaseQuotaPrivilege  PID 2548  abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe
  Token: SeAssignPrimaryTokenPrivilege  PID 2548  abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe
Suspicious use of WriteProcessMemory (7 IoCs)
  PID 804 wrote to memory of PID 2548  abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe  (procid_target 31), recorded 7 times
All seven writes go from the parent into the child it has just created (the copy under 3582-490), which is consistent with ordinary process creation; nothing in the log shows writes into an unrelated process, so this signature on its own is not evidence of injection.
Processes
C:\Users\Admin\AppData\Local\Temp\abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe"
  PID: 804
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  child process:
  C:\Users\Admin\AppData\Local\Temp\3582-490\abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe"
    PID: 2548
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
  Modify Registry (2)
  Subvert Trust Controls (1)
    Install Root Certificate (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
(dropped file, path not shown in report)
  Filesize: 859KB
  MD5: 754309b7b83050a50768236ee966224f
  SHA1: 10ed7efc2e594417ddeb00a42deb8fd9f804ed53
  SHA256: acd32dd903e5464b0ecd153fb3f71da520d2e59a63d4c355d9c1874c919d04e6
  SHA512: e5aaddf62c08c8fcc1ae3f29df220c5c730a2efa96dd18685ee19f5a9d66c4735bb4416c4828033661990604669ed345415ef2dc096ec75e1ab378dd804b1614
(dropped file, path not shown in report)
  Filesize: 252KB
  MD5: 9e2b9928c89a9d0da1d3e8f4bd96afa7
  SHA1: ec66cda99f44b62470c6930e5afda061579cde35
  SHA256: 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
  SHA512: 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
\Users\Admin\AppData\Local\Temp\3582-490\abb01ac0bf94e0ad9efd79e14a8770e94fb5aae7d727661ccb5d5a52d1b017b1.exe
  Filesize: 2.8MB
  MD5: c1d41be0f40221538bc94a337fb11fbf
  SHA1: 8be8593c93d13ceb11bb3c1a8900bbc1f40139a4
  SHA256: 8ef980356e73b3719ae029ccc2caa8d5f740d8f00248f6b3e0dbf95b2a77afa0
  SHA512: 173b7a56b0e5eabfdd0b278bb67cfc97bea088c8f137589720f7e18de7062a033ea4d3b726ba57559f2aec15223d2dc8d73f700f5173d5d4e2ab26fab276d71a
  This file has the same name and size as the submitted sample but a different hash: it is the original host program that the infected file carried, written to 3582-490 and executed as PID 2548. Its hash is therefore the clean program, not a second malicious payload, and is the value to compare against a known-good copy when deciding what was infected.