Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 16-12-2024 04:00
Static task: static1
Behavioral task: behavioral1
Sample: e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0N.exe
Resource: win7-20241010-en
General
Target: e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0N.exe
Size: 411KB
MD5: c46780ae0ca47177112a7d135d95ed10
SHA1: b734992f4b47190417028ee8daa7486a30ed4016
SHA256: e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0
SHA512: 18c1d42a8d38872dff389f1ba5c3d0d579dec49f8a1efeba5b3aa75be29f05ecfcfb8e7aa34cc0ef57ccdd5172db8109abb1eb686329e1f0b6462d32fffd2f21
SSDEEP: 6144:61yUN7pmPUk9VMwXHOCgs+ej/4+zBNnmjf5Yr6ibzsHPwY3mhesXWkoF:6Q8pQ96w+ns+GwoNnmy5Xves/E
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0N.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | isass.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0N.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | isass.exe
Ramnit family
Executes dropped EXE (3 IoCs)
pid | Process
840 | e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0Nmgr.exe
2860 | isass.exe
2884 | isassmgr.exe
Loads dropped DLL (10 IoCs)
pid | Process
1248 | e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0N.exe
1248 | e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0N.exe
840 | e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0Nmgr.exe
1248 | e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0N.exe
1248 | e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0N.exe
2860 | isass.exe
2860 | isass.exe
840 | e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0Nmgr.exe
2884 | isassmgr.exe
2884 | isassmgr.exe
Modifies system executable filetype association (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | isass.exe
Drops file in System32 directory (8 IoCs)
description | ioc | Process
File opened for modification | C:\WINDOWS\SysWOW64\ISASS.EXE | e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0N.exe
File opened for modification | C:\Windows\SysWOW64\isass.exe | e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0N.exe
File created | C:\Windows\SysWOW64\isassmgr.exe | isass.exe
File opened for modification | C:\Windows\SysWOW64\isass | isass.exe
File opened for modification | C:\WINDOWS\SYSWOW64\ISASS.EXE | isass.exe
File opened for modification | C:\WINDOWS\SysWOW64\ISASS.EXE | isass.exe
File created | C:\Windows\SysWOW64\isass.exe | isass.exe
File created | C:\Windows\SysWOW64\isass.exe | e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0N.exe
resource | yara_rule
behavioral1/memory/840-15-0x0000000000400000-0x0000000000439000-memory.dmp | upx
behavioral1/memory/840-55-0x0000000000400000-0x0000000000439000-memory.dmp | upx
Program crash (2 IoCs)
pid | pid_target | Process | procid_target
2980 | 2884 | WerFault.exe |
2868 | 840 | WerFault.exe | 31
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | isassmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0Nmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | isass.exe
Modifies registry class (2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | isass.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1248 | e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0N.exe
2860 | isass.exe
Suspicious behavior: MapViewOfSection (52 IoCs)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1248 | e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0N.exe
Token: SeDebugPrivilege | 2860 | isass.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Windows\system32\wininit.exe (PID 384), command line: wininit.exe
  - C:\Windows\system32\services.exe (PID 476)
    - C:\Windows\system32\svchost.exe -k DcomLaunch (PID 592)
      - C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} (PID 844)
      - C:\Windows\system32\wbem\wmiprvse.exe (PID 316)
    - C:\Windows\system32\svchost.exe -k RPCSS (PID 668)
    - C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted (PID 748)
    - C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted (PID 812)
      - "C:\Windows\system32\Dwm.exe" (PID 1152)
    - C:\Windows\system32\svchost.exe -k netsvcs (PID 852)
      - \\?\C:\Windows\system32\wbem\WMIADAP.EXE (PID 2596), command line: wmiadap.exe /F /T /R
    - C:\Windows\system32\svchost.exe -k LocalService (PID 964)
    - C:\Windows\system32\svchost.exe -k NetworkService (PID 112)
    - C:\Windows\System32\spoolsv.exe (PID 1008)
    - C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork (PID 1044)
    - C:\Windows\system32\taskhost.exe (PID 1108), command line: "taskhost.exe"
    - "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" (PID 324)
    - C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation (PID 1912)
    - C:\Windows\system32\sppsvc.exe (PID 2276)
  - C:\Windows\system32\lsass.exe (PID 492)
  - C:\Windows\system32\lsm.exe (PID 500)
- C:\Windows\system32\csrss.exe (PID 392), command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- C:\Windows\system32\winlogon.exe (PID 432), command line: winlogon.exe
- C:\Windows\Explorer.EXE (PID 1192)
  - "C:\Users\Admin\AppData\Local\Temp\e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0N.exe" (PID 1248)
    signatures: Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Loads dropped DLL; Modifies system executable filetype association; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0Nmgr.exe (PID 840)
      signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 180 (PID 2868)
        signatures: Program crash
    - C:\Windows\SysWOW64\isass.exe (PID 2860), command line: C:\Windows\system32\isass.exe C:\Users\Admin\AppData\Local\Temp\e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0N.exe
      signatures: Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Modifies system executable filetype association; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\isassmgr.exe (PID 2884)
        signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 180 (PID 2980)
          signatures: Program crash
- C:\Users\Admin\AppData\Local\Temp\3257020635\zmstage.exe (PID 1848)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 411KB
MD5: c46780ae0ca47177112a7d135d95ed10
SHA1: b734992f4b47190417028ee8daa7486a30ed4016
SHA256: e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0
SHA512: 18c1d42a8d38872dff389f1ba5c3d0d579dec49f8a1efeba5b3aa75be29f05ecfcfb8e7aa34cc0ef57ccdd5172db8109abb1eb686329e1f0b6462d32fffd2f21

\Users\Admin\AppData\Local\Temp\e786c502e5ca4c315d4301e6e14aa460f3deef5a6b04a1df2099c182b17adad0Nmgr.exe
Filesize: 174KB
MD5: 7888876a491f083b317a7b3127b0f9d5
SHA1: fc699bf9e556298ea6653f6706805fe642b8c24a
SHA256: 88cac81bd77b809f2c34374d3f042ef5b1d25e92576743145a958d8f71743736
SHA512: 89dd77f8ffe111e637b3b669c9c17f07455b89e3d71adcb68463fd1aa2caa81ba699d78525d3ddf6f35e40677a458a88185a1f840a261eb69b18405c206fa561

Filesize: 1.2MB
MD5: d124f55b9393c976963407dff51ffa79
SHA1: 2c7bbedd79791bfb866898c85b504186db610b5d
SHA256: ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512: 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Filesize: 1.1MB
MD5: 9b98d47916ead4f69ef51b56b0c2323c
SHA1: 290a80b4ded0efc0fd00816f373fcea81a521330
SHA256: 96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b
SHA512: 68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94