Analysis
- max time kernel: 121s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
- submitted: 06/12/2024, 12:39
Static task: static1
Behavioral task: behavioral1
- Sample: 0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
- Resource: win10v2004-20241007-en
General
- Target: 0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
- Size: 612KB
- MD5: 412ce7c1f8dd5dcfafb5c3af08297c65
- SHA1: fd98960ab8e7bfe92fc566237be4bc433332c3f3
- SHA256: 0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328
- SHA512: 10e654df43c193ae7786848093967092b0f7fc1bf61ef55e2edf77347acc029ee8dcce9c64a64922f846bcea0b33307e6dabd54ba196f0f2f027a88f3e213748
- SSDEEP: 12288:/lTMgGurXwc8Xq1m3fdjQU+v4PN/CnBMj5qJwhq92hyuZCZh06H4FCd:/lTMgBrXwc8Xq1Cfdj/PN/IWyuZ+h
Malware Config
Extracted
C:\#HowToRecover.txt
https://paxful.com
Signatures
- Renames multiple (7784) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Process: 0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\Wallpaper = "C:\\background.bmp"
- Drops file in Program Files directory (64 IoCs)
  Process for every entry: 0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsColorChart.html
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\calendar.js
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl-hot.png
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.CGM
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15276_.GIF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186360.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00166_.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePageSlice.gif
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\#HowToRecover.txt
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rankin_Inlet
  File opened for modification  C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac
  File created                  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\#HowToRecover.txt
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\README.html
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02749G.GIF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\STUBBY2.WMF
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-static.png
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Europe\Istanbul
  File created                  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\#HowToRecover.txt
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183328.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Track Issues.fdt
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieResume.dotx
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\#HowToRecover.txt
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_up.png
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\slideShow.js
  File created                  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\#HowToRecover.txt
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\#HowToRecover.txt
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341742.JPG
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImagesMask.bmp
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\ViewHeaderPreview.jpg
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml
  File opened for modification  C:\Program Files\Java\jre7\lib\tzmappings
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Adobe.css
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00923_.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02269_.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\cpu.css
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\localizedSettings.css
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR27F.GIF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDREQS.ICO
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\gadget.xml
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.CHM
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115864.GIF
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\4.png
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101856.BMP
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFRES.CFG
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupicons.jpg
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lord_Howe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\currency.css
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PPTIRMV.XML
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CERT98SP.POC
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.RSA
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0102762.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21342_.GIF
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\MANIFEST.MF
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\slideShow.html
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\America\Havana
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01491_.WMF
- Modifies data under HKEY_USERS (3 IoCs)
  Process for every entry: 0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\background.bmp"
  Set value (str)  \REGISTRY\USER\S-1-5-19\Control Panel\Desktop\Wallpaper = "C:\\background.bmp"
  Set value (str)  \REGISTRY\USER\S-1-5-20\Control Panel\Desktop\Wallpaper = "C:\\background.bmp"
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 268  0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs, grouped by process; the report caps the list at 64 entries)
  vssvc.exe (PID 1668), 3 tokens:
    SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  WMIC.exe (PID 2796), the following 20-token sequence logged twice (40 entries):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  WMIC.exe (PID 2548), 21 entries (the same sequence, cut off by the 64-entry cap after its second SeIncreaseQuotaPrivilege):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, SeIncreaseQuotaPrivilege
- Suspicious use of WriteProcessMemory (64 IoCs)
  Each "PID X wrote to memory of Y" edge below was logged three times, except the last, which is cut off by the 64-entry cap. Columns: pid, target pid, Process, procid_target.
  268   2812  0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe  34
  2812  2796  cmd.exe  36
  268   2700  0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe  37
  2700  2548  cmd.exe  39
  268   2884  0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe  40
  2884  2680  cmd.exe  42
  268   2524  0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe  43
  2524  2576  cmd.exe  45
  268   2972  0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe  46
  2972  1408  cmd.exe  48
  268   308   0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe  49
  308   1772  cmd.exe  51
  268   2732  0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe  52
  2732  2828  cmd.exe  54
  268   1776  0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe  55
  1776  1600  cmd.exe  57
  268   2280  0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe  58
  2280  1816  cmd.exe  60
  268   2848  0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe  61
  2848  1724  cmd.exe  63
  268   1156  0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe  64
  1156  2964  cmd.exe  66  (logged once)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe (PID 268)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a5ba8d248080666c7ea5bd9c325452fad055a00e194989a34bd816c26a62328.exe"
  Signatures: Sets desktop wallpaper using registry; Drops file in Program Files directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 2812)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B8B17145-7F63-4C9F-B88B-CAD2D9F7949D}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 2796)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B8B17145-7F63-4C9F-B88B-CAD2D9F7949D}'" delete
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 2700)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E4BD09E8-AC1D-4F60-97E8-3EB7A82DEBD9}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 2548)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E4BD09E8-AC1D-4F60-97E8-3EB7A82DEBD9}'" delete
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 2884)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6B61F1B9-0076-4B4E-A4A8-0C347AF4BCC7}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 2680)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6B61F1B9-0076-4B4E-A4A8-0C347AF4BCC7}'" delete
  - C:\Windows\system32\cmd.exe (PID 2524)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C70BB53C-D749-4A61-B498-87943061C142}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 2576)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C70BB53C-D749-4A61-B498-87943061C142}'" delete
  - C:\Windows\system32\cmd.exe (PID 2972)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{183E609F-4DAA-41DD-84CD-3F218272416B}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1408)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{183E609F-4DAA-41DD-84CD-3F218272416B}'" delete
  - C:\Windows\system32\cmd.exe (PID 308)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8F5998CC-29C3-40EE-A979-4F596B94F64B}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1772)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8F5998CC-29C3-40EE-A979-4F596B94F64B}'" delete
  - C:\Windows\system32\cmd.exe (PID 2732)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5A4D0AB3-B5FC-4EFF-B663-8E360E15C406}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 2828)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5A4D0AB3-B5FC-4EFF-B663-8E360E15C406}'" delete
  - C:\Windows\system32\cmd.exe (PID 1776)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C5CB54C4-14EA-429A-A427-02197A1B53AD}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1600)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C5CB54C4-14EA-429A-A427-02197A1B53AD}'" delete
  - C:\Windows\system32\cmd.exe (PID 2280)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DBEC09BD-E3B2-473B-9ED5-0DFB50A9C4EA}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1816)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DBEC09BD-E3B2-473B-9ED5-0DFB50A9C4EA}'" delete
  - C:\Windows\system32\cmd.exe (PID 2848)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CFAA339D-ABBB-4A2F-A043-3EEA040766D3}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1724)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CFAA339D-ABBB-4A2F-A043-3EEA040766D3}'" delete
  - C:\Windows\system32\cmd.exe (PID 1156)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B682E805-210F-4EC4-AE05-165F6083B72A}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 2964)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B682E805-210F-4EC4-AE05-165F6083B72A}'" delete
  - C:\Windows\system32\cmd.exe (PID 2688)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DEC64B2A-68AD-4DF7-9CCC-F11FDA0D2B80}'" delete
    - C:\Windows\System32\wbem\WMIC.exe (PID 1460)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DEC64B2A-68AD-4DF7-9CCC-F11FDA0D2B80}'" delete
  - C:\Windows\system32\cmd.exe (PID 2156)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C56E56F4-F055-4CC0-AAE2-F9530678124E}'" delete
    - C:\Windows\System32\wbem\WMIC.exe (PID 2124)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C56E56F4-F055-4CC0-AAE2-F9530678124E}'" delete
  - C:\Windows\system32\cmd.exe (PID 1940)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0D580416-48DD-41A5-843C-EEAB9F3D637D}'" delete
    - C:\Windows\System32\wbem\WMIC.exe (PID 448)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0D580416-48DD-41A5-843C-EEAB9F3D637D}'" delete
  - C:\Windows\system32\cmd.exe (PID 2412)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{91E11A9B-A0A0-42C9-A234-2876DF560AA9}'" delete
    - C:\Windows\System32\wbem\WMIC.exe (PID 836)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{91E11A9B-A0A0-42C9-A234-2876DF560AA9}'" delete
  - C:\Windows\system32\cmd.exe (PID 1860)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AA0B5003-F425-4DAE-A867-E34340F53ACE}'" delete
    - C:\Windows\System32\wbem\WMIC.exe (PID 1708)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AA0B5003-F425-4DAE-A867-E34340F53ACE}'" delete
  - C:\Windows\system32\cmd.exe (PID 764)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F6D5DD5A-0043-40A5-8BD6-7D0C4D8AF64B}'" delete
    - C:\Windows\System32\wbem\WMIC.exe (PID 1684)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F6D5DD5A-0043-40A5-8BD6-7D0C4D8AF64B}'" delete
  - C:\Windows\system32\cmd.exe (PID 620)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C00897D4-B2CF-4E0D-BD6A-46960C9E1BFA}'" delete
    - C:\Windows\System32\wbem\WMIC.exe (PID 2788)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C00897D4-B2CF-4E0D-BD6A-46960C9E1BFA}'" delete
  - C:\Windows\system32\WerFault.exe (PID 1376)
    Command line: C:\Windows\system32\WerFault.exe -u -p 268 -s 520
- C:\Windows\system32\vssvc.exe (PID 1668)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 871B
- MD5: 83f8bacb8f86e7e33ce04386ce1c9228
- SHA1: 6812db951e3094ac5dd7ee9791c6b6b7dc07b003
- SHA256: b8ffd1c3f47e917c996bce4de87b4bc54f9f302366bbd84ab82af1631a778768
- SHA512: ebacb4c6702e00efe00be5fc79f76c73079801286c7b70a6cfaef08b591666854ca693113fa9e0b2a25f8ee62b7de13d937b9b7f5739023a498f2ef669e6ae28