Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
115s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19/12/2024, 02:04
Static task
static1
General
-
Target
9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe
-
Size
2.8MB
-
MD5
c32d39710b13585f9608ebac9e028ea0
-
SHA1
96ce25ea1f05d91a7314e6eed4101af60259a811
-
SHA256
9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386a
-
SHA512
e6222188e39d4260c8de06a4d8033ef2a4c1122e8df22fda616b4bb2de2377846c1621f3cb0d9840c81791b7a1cba3276081063875a91781972a2be0da96e3c5
-
SSDEEP
49152:GLNDk2Pu0hI2hcbYQc4Nv0PYax7Ia1uTZYs:GFk2PuWIBeOv0P1WayZYs
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
cryptbot
http://home.fivetk5vt.top/hLfzXsaqNtoEGyaUtOMJ1734
Extracted
lumma
Signatures
-
Amadey family
-
Cryptbot family
-
Lumma family
-
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description pid Process procid_target PID 2920 created 1196 2920 f73d0b292e.exe 21 PID 2688 created 1196 2688 783e26d6da.exe 21 -
Xmrig family
-
Enumerates VirtualBox registry keys 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF a133921b52.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF 9541b56535.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 6110e0ab9d.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ f73d0b292e.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 70a894aa0b.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 783e26d6da.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ a133921b52.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ANEDNjf.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2cf4512e98.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 9541b56535.exe -
XMRig Miner payload 7 IoCs
resource yara_rule behavioral1/memory/1592-432-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/1592-435-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/1592-434-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/1592-433-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/1592-431-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/1592-436-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/1592-437-0x0000000140000000-0x0000000140770000-memory.dmp xmrig -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2676 powershell.exe 2220 powershell.exe 1996 powershell.exe 288 powershell.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion a133921b52.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2cf4512e98.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2cf4512e98.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 783e26d6da.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 6110e0ab9d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion f73d0b292e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 70a894aa0b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 6110e0ab9d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 70a894aa0b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 9541b56535.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 783e26d6da.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion f73d0b292e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion a133921b52.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ANEDNjf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ANEDNjf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 9541b56535.exe -
Executes dropped EXE 23 IoCs
pid Process 2256 axplong.exe 2144 6110e0ab9d.exe 2920 f73d0b292e.exe 1812 70a894aa0b.exe 2808 skotes.exe 1020 kf5cl0F.exe 2012 a133921b52.exe 1268 ANEDNjf.exe 948 4b9f4ded1c.exe 744 7z.exe 2360 7z.exe 1588 7z.exe 2836 7z.exe 3060 7z.exe 2680 7z.exe 2828 7z.exe 2168 7z.exe 1952 in.exe 1752 2cf4512e98.exe 2888 9541b56535.exe 2032 b95d9d8471.exe 2688 783e26d6da.exe 2660 Intel_PTT_EK_Recertification.exe -
Identifies Wine through registry keys 2 TTPs 11 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine 9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine f73d0b292e.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine 9541b56535.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine 783e26d6da.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine 2cf4512e98.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine 6110e0ab9d.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine 70a894aa0b.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine a133921b52.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine ANEDNjf.exe -
Loads dropped DLL 40 IoCs
pid Process 2960 9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe 2960 9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe 2256 axplong.exe 2256 axplong.exe 2256 axplong.exe 2256 axplong.exe 2256 axplong.exe 1812 70a894aa0b.exe 2808 skotes.exe 2256 axplong.exe 2808 skotes.exe 2808 skotes.exe 2808 skotes.exe 2528 cmd.exe 744 7z.exe 2528 cmd.exe 2360 7z.exe 2528 cmd.exe 1588 7z.exe 2528 cmd.exe 2836 7z.exe 2528 cmd.exe 3060 7z.exe 2528 cmd.exe 2680 7z.exe 2528 cmd.exe 2828 7z.exe 2528 cmd.exe 2168 7z.exe 2528 cmd.exe 2528 cmd.exe 2808 skotes.exe 2808 skotes.exe 2808 skotes.exe 2808 skotes.exe 2808 skotes.exe 2808 skotes.exe 2808 skotes.exe 2628 taskeng.exe 2628 taskeng.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\6110e0ab9d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1007328001\\6110e0ab9d.exe" axplong.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\70a894aa0b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1007330001\\70a894aa0b.exe" axplong.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
pid Process 2960 9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe 2256 axplong.exe 2144 6110e0ab9d.exe 2920 f73d0b292e.exe 1812 70a894aa0b.exe 2808 skotes.exe 2012 a133921b52.exe 1268 ANEDNjf.exe 1752 2cf4512e98.exe 2888 9541b56535.exe 2688 783e26d6da.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2660 set thread context of 1592 2660 Intel_PTT_EK_Recertification.exe 83 -
resource yara_rule behavioral1/memory/1952-318-0x000000013F3A0000-0x000000013F830000-memory.dmp upx -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Tasks\axplong.job 9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe File created C:\Windows\Tasks\skotes.job 70a894aa0b.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kf5cl0F.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language axplong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6110e0ab9d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dialer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 70a894aa0b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dialer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a133921b52.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ANEDNjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9541b56535.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b95d9d8471.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2cf4512e98.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4b9f4ded1c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 783e26d6da.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f73d0b292e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1740 powershell.exe 2236 PING.EXE 1952 powershell.exe 2112 PING.EXE -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 ANEDNjf.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a ANEDNjf.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a ANEDNjf.exe -
Runs ping.exe 1 TTPs 2 IoCs
pid Process 2236 PING.EXE 2112 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1288 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 50 IoCs
pid Process 2960 9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe 2256 axplong.exe 2144 6110e0ab9d.exe 2920 f73d0b292e.exe 2920 f73d0b292e.exe 2920 f73d0b292e.exe 2920 f73d0b292e.exe 2920 f73d0b292e.exe 640 dialer.exe 640 dialer.exe 640 dialer.exe 640 dialer.exe 1812 70a894aa0b.exe 2808 skotes.exe 1020 kf5cl0F.exe 2676 powershell.exe 2220 powershell.exe 2012 a133921b52.exe 1268 ANEDNjf.exe 2012 a133921b52.exe 2012 a133921b52.exe 2012 a133921b52.exe 2012 a133921b52.exe 2012 a133921b52.exe 1740 powershell.exe 1752 2cf4512e98.exe 1268 ANEDNjf.exe 1268 ANEDNjf.exe 1268 ANEDNjf.exe 1268 ANEDNjf.exe 2888 9541b56535.exe 2888 9541b56535.exe 2888 9541b56535.exe 2888 9541b56535.exe 2888 9541b56535.exe 2888 9541b56535.exe 2032 b95d9d8471.exe 1996 powershell.exe 288 powershell.exe 2688 783e26d6da.exe 2688 783e26d6da.exe 2688 783e26d6da.exe 2688 783e26d6da.exe 2688 783e26d6da.exe 1436 dialer.exe 1436 dialer.exe 1436 dialer.exe 1436 dialer.exe 2660 Intel_PTT_EK_Recertification.exe 1952 powershell.exe -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 1020 kf5cl0F.exe Token: SeDebugPrivilege 2676 powershell.exe Token: SeDebugPrivilege 2220 powershell.exe Token: SeRestorePrivilege 744 7z.exe Token: 35 744 7z.exe Token: SeSecurityPrivilege 744 7z.exe Token: SeSecurityPrivilege 744 7z.exe Token: SeRestorePrivilege 2360 7z.exe Token: 35 2360 7z.exe Token: SeSecurityPrivilege 2360 7z.exe Token: SeSecurityPrivilege 2360 7z.exe Token: SeRestorePrivilege 1588 7z.exe Token: 35 1588 7z.exe Token: SeSecurityPrivilege 1588 7z.exe Token: SeSecurityPrivilege 1588 7z.exe Token: SeRestorePrivilege 2836 7z.exe Token: 35 2836 7z.exe Token: SeSecurityPrivilege 2836 7z.exe Token: SeSecurityPrivilege 2836 7z.exe Token: SeRestorePrivilege 3060 7z.exe Token: 35 3060 7z.exe Token: SeSecurityPrivilege 3060 7z.exe Token: SeSecurityPrivilege 3060 7z.exe Token: SeRestorePrivilege 2680 7z.exe Token: 35 2680 7z.exe Token: SeSecurityPrivilege 2680 7z.exe Token: SeSecurityPrivilege 2680 7z.exe Token: SeRestorePrivilege 2828 7z.exe Token: 35 2828 7z.exe Token: SeSecurityPrivilege 2828 7z.exe Token: SeSecurityPrivilege 2828 7z.exe Token: SeRestorePrivilege 2168 7z.exe Token: 35 2168 7z.exe Token: SeSecurityPrivilege 2168 7z.exe Token: SeSecurityPrivilege 2168 7z.exe Token: SeDebugPrivilege 1740 powershell.exe Token: SeDebugPrivilege 2032 b95d9d8471.exe Token: SeDebugPrivilege 1996 powershell.exe Token: SeDebugPrivilege 288 powershell.exe Token: SeDebugPrivilege 1952 powershell.exe Token: SeLockMemoryPrivilege 1592 explorer.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2960 9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe 1812 70a894aa0b.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2960 wrote to memory of 2256 2960 9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe 30 PID 2960 wrote to memory of 2256 2960 9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe 30 PID 2960 wrote to memory of 2256 2960 9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe 30 PID 2960 wrote to memory of 2256 2960 9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe 30 PID 2256 wrote to memory of 2144 2256 axplong.exe 32 PID 2256 wrote to memory of 2144 2256 axplong.exe 32 PID 2256 wrote to memory of 2144 2256 axplong.exe 32 PID 2256 wrote to memory of 2144 2256 axplong.exe 32 PID 2256 wrote to memory of 2920 2256 axplong.exe 34 PID 2256 wrote to memory of 2920 2256 axplong.exe 34 PID 2256 wrote to memory of 2920 2256 axplong.exe 34 PID 2256 wrote to memory of 2920 2256 axplong.exe 34 PID 2920 wrote to memory of 640 2920 f73d0b292e.exe 35 PID 2920 wrote to memory of 640 2920 f73d0b292e.exe 35 PID 2920 wrote to memory of 640 2920 f73d0b292e.exe 35 PID 2920 wrote to memory of 640 2920 f73d0b292e.exe 35 PID 2920 wrote to memory of 640 2920 f73d0b292e.exe 35 PID 2920 wrote to memory of 640 2920 f73d0b292e.exe 35 PID 2256 wrote to memory of 1812 2256 axplong.exe 36 PID 2256 wrote to memory of 1812 2256 axplong.exe 36 PID 2256 wrote to memory of 1812 2256 axplong.exe 36 PID 2256 wrote to memory of 1812 2256 axplong.exe 36 PID 1812 wrote to memory of 2808 1812 70a894aa0b.exe 37 PID 1812 wrote to memory of 2808 1812 70a894aa0b.exe 37 PID 1812 wrote to memory of 2808 1812 70a894aa0b.exe 37 PID 1812 wrote to memory of 2808 1812 70a894aa0b.exe 37 PID 2808 wrote to memory of 1020 2808 skotes.exe 38 PID 2808 wrote to memory of 1020 2808 skotes.exe 38 PID 2808 wrote to memory of 1020 2808 skotes.exe 38 PID 2808 wrote to memory of 1020 2808 skotes.exe 38 PID 1020 wrote to memory of 2676 1020 kf5cl0F.exe 41 PID 1020 wrote to memory of 2676 1020 kf5cl0F.exe 41 PID 1020 wrote to memory of 2676 1020 kf5cl0F.exe 41 PID 1020 wrote to memory of 2676 1020 kf5cl0F.exe 41 PID 1020 wrote to memory of 2220 1020 kf5cl0F.exe 43 PID 1020 wrote to memory of 2220 1020 kf5cl0F.exe 43 PID 1020 wrote to memory of 2220 1020 kf5cl0F.exe 43 PID 1020 wrote to memory of 2220 1020 kf5cl0F.exe 43 PID 2256 wrote to memory of 2012 2256 axplong.exe 45 PID 2256 wrote to memory of 2012 2256 axplong.exe 45 PID 2256 wrote to memory of 2012 2256 axplong.exe 45 PID 2256 wrote to memory of 2012 2256 axplong.exe 45 PID 2808 wrote to memory of 1268 2808 skotes.exe 46 PID 2808 wrote to memory of 1268 2808 skotes.exe 46 PID 2808 wrote to memory of 1268 2808 skotes.exe 46 PID 2808 wrote to memory of 1268 2808 skotes.exe 46 PID 2808 wrote to memory of 948 2808 skotes.exe 47 PID 2808 wrote to memory of 948 2808 skotes.exe 47 PID 2808 wrote to memory of 948 2808 skotes.exe 47 PID 2808 wrote to memory of 948 2808 skotes.exe 47 PID 948 wrote to memory of 2528 948 4b9f4ded1c.exe 48 PID 948 wrote to memory of 2528 948 4b9f4ded1c.exe 48 PID 948 wrote to memory of 2528 948 4b9f4ded1c.exe 48 PID 948 wrote to memory of 2528 948 4b9f4ded1c.exe 48 PID 2528 wrote to memory of 1300 2528 cmd.exe 50 PID 2528 wrote to memory of 1300 2528 cmd.exe 50 PID 2528 wrote to memory of 1300 2528 cmd.exe 50 PID 2528 wrote to memory of 744 2528 cmd.exe 51 PID 2528 wrote to memory of 744 2528 cmd.exe 51 PID 2528 wrote to memory of 744 2528 cmd.exe 51 PID 2528 wrote to memory of 2360 2528 cmd.exe 52 PID 2528 wrote to memory of 2360 2528 cmd.exe 52 PID 2528 wrote to memory of 2360 2528 cmd.exe 52 PID 2528 wrote to memory of 1588 2528 cmd.exe 53 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 3 IoCs
pid Process 2392 attrib.exe 2708 attrib.exe 1928 attrib.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1196
-
C:\Users\Admin\AppData\Local\Temp\9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe"C:\Users\Admin\AppData\Local\Temp\9ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386aN.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Users\Admin\AppData\Local\Temp\1007328001\6110e0ab9d.exe"C:\Users\Admin\AppData\Local\Temp\1007328001\6110e0ab9d.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2144
-
-
C:\Users\Admin\AppData\Local\Temp\1007329001\f73d0b292e.exe"C:\Users\Admin\AppData\Local\Temp\1007329001\f73d0b292e.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2920
-
-
C:\Users\Admin\AppData\Local\Temp\1007330001\70a894aa0b.exe"C:\Users\Admin\AppData\Local\Temp\1007330001\70a894aa0b.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Users\Admin\AppData\Local\Temp\1017024001\kf5cl0F.exe"C:\Users\Admin\AppData\Local\Temp\1017024001\kf5cl0F.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\dkdikf"7⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2676
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"7⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017027001\ANEDNjf.exe"C:\Users\Admin\AppData\Local\Temp\1017027001\ANEDNjf.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1268
-
-
C:\Users\Admin\AppData\Local\Temp\1017253001\4b9f4ded1c.exe"C:\Users\Admin\AppData\Local\Temp\1017253001\4b9f4ded1c.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"7⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\system32\mode.commode 65,108⤵PID:1300
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p24291711423417250691697322505 -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:744
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_7.zip -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2360
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_6.zip -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1588
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_5.zip -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2836
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_4.zip -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3060
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2680
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2828
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2168
-
-
C:\Windows\system32\attrib.exeattrib +H "in.exe"8⤵
- Views/modifies file attributes
PID:2392
-
-
C:\Users\Admin\AppData\Local\Temp\main\in.exe"in.exe"8⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\system32\attrib.exeattrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe9⤵
- Views/modifies file attributes
PID:1928
-
-
C:\Windows\system32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe9⤵
- Views/modifies file attributes
PID:2708
-
-
C:\Windows\system32\schtasks.exeschtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE9⤵
- Scheduled Task/Job: Scheduled Task
PID:1288
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.0.0.1; del in.exe9⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.110⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2236
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017254001\2cf4512e98.exe"C:\Users\Admin\AppData\Local\Temp\1017254001\2cf4512e98.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1752
-
-
C:\Users\Admin\AppData\Local\Temp\1017255001\9541b56535.exe"C:\Users\Admin\AppData\Local\Temp\1017255001\9541b56535.exe"6⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2888
-
-
C:\Users\Admin\AppData\Local\Temp\1017256001\b95d9d8471.exe"C:\Users\Admin\AppData\Local\Temp\1017256001\b95d9d8471.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\hexgsmwhwm"7⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"7⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:288
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017257001\783e26d6da.exe"C:\Users\Admin\AppData\Local\Temp\1017257001\783e26d6da.exe"6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2688
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007331001\a133921b52.exe"C:\Users\Admin\AppData\Local\Temp\1007331001\a133921b52.exe"4⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2012
-
-
-
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:640
-
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1436
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {5B54846E-00F1-46E0-BCB0-4DEE28DF3F7B} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]1⤵
- Loads dropped DLL
PID:2628 -
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exeC:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2660 -
C:\Windows\explorer.exeexplorer.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1592
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe3⤵
- Drops file in System32 directory
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.10.14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2112
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Discovery
Browser Information Discovery
1Query Registry
6Remote System Discovery
1System Information Discovery
2System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.8MB
MD579d73f0973da38285b0e0a83fa7ef5d0
SHA118692d3c66779517481c1868e39a8ed62f3af7fd
SHA256554bde2e706bad2908fc0534a58e7cfa7e099edc754a46717f738616da146131
SHA512471ba9cd38f5126e79a52baa70e5bb169dd09b7b05b7a56da8dc6da28c0a6e579d2962b575ac4ca83695d8a60a07457d974e2d79d4e7506cb4769a7ff87ca270
-
Filesize
1.9MB
MD5d6070b7d0ec34e67a998dbe217c6c746
SHA164e771f2bcb20e9ccc89c8b4a9cf1b36e431d491
SHA25610b27d9cb387fa4ac371de8767d5204925ca4da9c490ea8e2491b1a60c49fd85
SHA51252bc768f8654cef43e62abfdba30878313aea5893d80759c633d84ce01c701b05e6f24c995f3a2568ab16ca69e6c1223b7e39c74c509fd6607bfa5e9418784f3
-
Filesize
2.9MB
MD590c7e768e9ccc60d7259f30b23571419
SHA106aa4afabe34974704b73757888f6605711115dc
SHA256fa51ea713353ed850b8b06c9ea95fd37ab6c07668711aaec94d97c5e8cf2eceb
SHA5120861209fb9b11a1da355b6e0a1cb9e69840e8aae638ad744638c37039f037da2f1781ac556bdf988a2f269f84bda8348d4cceb1a8aef8e7b5bcf8b70910c0033
-
Filesize
4.3MB
MD5aa1d9bfcb4fee4ff65cf6209fbc83204
SHA13334182b3bf48e928683a9c0a87d25ea57e8d70b
SHA256dc645ba585c2d41ec553cefd46bd3dab212882cb07097905f9ed071e8882b161
SHA512aec316f0ea02349b57a5e75a972edf70b8aea705a7c74f67452a5840834fca0cf70c3d099ca003bab73a25186e6f03298ea68440a03216fb40ece74b82f71d68
-
Filesize
21KB
MD514becdf1e2402e9aa6c2be0e6167041e
SHA172cbbae6878f5e06060a0038b25ede93b445f0df
SHA2567a769963165063758f15f6e0cece25c9d13072f67fa0d3c25a03a5104fe0783a
SHA51216b837615505f352e134afd9d8655c9cabfa5bfcfbee2c0c34f2d7d9588aa71f875e4e5feb8cdf0f7bacc00f7c1ca8dabd3b3d92afc99abf705c05c78e298b4a
-
Filesize
1.8MB
MD525fb9c54265bbacc7a055174479f0b70
SHA14af069a2ec874703a7e29023d23a1ada491b584e
SHA256552f8be2c6b2208a89c728f68488930c661b3a06c35a20d133ef7d3c63a86b9c
SHA5127dfd9e0f3fa2d68a6ce8c952e3b755559db73bb7a06c95ad6ed8ac16dedb49be8b8337afc07c9c682f0c4be9db291a551286353e2e2b624223487dc1c8b54668
-
Filesize
4.2MB
MD53a425626cbd40345f5b8dddd6b2b9efa
SHA17b50e108e293e54c15dce816552356f424eea97a
SHA256ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
SHA512a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668
-
Filesize
1.8MB
MD5ff279f4e5b1c6fbda804d2437c2dbdc8
SHA12feb3762c877a5ae3ca60eeebc37003ad0844245
SHA256e115298ab160da9c7a998e4ae0b72333f64b207da165134ca45eb997a000d378
SHA512c7a8bbcb122b2c7b57c8b678c5eed075ee5e7c355afbf86238282d2d3458019da1a8523520e1a1c631cd01b555f7df340545fd1e44ad678dc97c40b23428f967
-
Filesize
4.3MB
MD5d6cfec5f8c250d92d751030c95d46aec
SHA170439cf2611f97c84af487c44b88703d004a2bca
SHA2560200c5657794ccc0916aae772004b7f72a793b77dc807b51b2f88e597813f611
SHA512a939f9af174d37e3d32d0794b1f14110deffd7847b884a79b5fd300bcc7c30ce285f6dbbc41ad6ab5bd237bb6353efb7ddee903a8ec155a10840dec8c25d9bbb
-
Filesize
112KB
MD56ebaf1137fd8cde7dac6ff3044f094ac
SHA1283fc901af7b858487c4093d7839d4a3f4b3f04e
SHA2560b375dd837cf8c9951633b1f7918472b6d770247db554a2f273b2ad326b9f55a
SHA512d10dd4b7e1c669eabcff2e141fac18339c2f4c6c323544197d7c8f7946ce0527008d327582a2f608a79dcfaa9a2e1e84ed58471d83797bb39bba74c4923d7708
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
1.7MB
MD55659eba6a774f9d5322f249ad989114a
SHA14bfb12aa98a1dc2206baa0ac611877b815810e4c
SHA256e04346fee15c3f98387a3641e0bba2e555a5a9b0200e4b9256b1b77094069ae4
SHA512f93abf2787b1e06ce999a0cbc67dc787b791a58f9ce20af5587b2060d663f26be9f648d116d9ca279af39299ea5d38e3c86271297e47c1438102ca28fce8edc4
-
Filesize
1.7MB
MD55404286ec7853897b3ba00adf824d6c1
SHA139e543e08b34311b82f6e909e1e67e2f4afec551
SHA256ec94a6666a3103ba6be60b92e843075a2d7fe7d30fa41099c3f3b1e2a5eba266
SHA512c4b78298c42148d393feea6c3941c48def7c92ef0e6baac99144b083937d0a80d3c15bd9a0bf40daa60919968b120d62999fa61af320e507f7e99fbfe9b9ef30
-
Filesize
1.7MB
MD55eb39ba3698c99891a6b6eb036cfb653
SHA1d2f1cdd59669f006a2f1aa9214aeed48bc88c06e
SHA256e77f5e03ae140dda27d73e1ffe43f7911e006a108cf51cbd0e05d73aa92da7c2
SHA5126c4ca20e88d49256ed9cabec0d1f2b00dfcf3d1603b5c95d158d4438c9f1e58495f8dfa200dbe7f49b5b0dd57886517eb3b98c4190484548720dad4b3db6069e
-
Filesize
1.7MB
MD57187cc2643affab4ca29d92251c96dee
SHA1ab0a4de90a14551834e12bb2c8c6b9ee517acaf4
SHA256c7e92a1af295307fb92ad534e05fba879a7cf6716f93aefca0ebfcb8cee7a830
SHA51227985d317a5c844871ffb2527d04aa50ef7442b2f00d69d5ab6bbb85cd7be1d7057ffd3151d0896f05603677c2f7361ed021eac921e012d74da049ef6949e3a3
-
Filesize
1.7MB
MD5b7d1e04629bec112923446fda5391731
SHA1814055286f963ddaa5bf3019821cb8a565b56cb8
SHA2564da77d4ee30ad0cd56cd620f4e9dc4016244ace015c5b4b43f8f37dd8e3a8789
SHA51279fc3606b0fe6a1e31a2ecacc96623caf236bf2be692dadab6ea8ffa4af4231d782094a63b76631068364ac9b6a872b02f1e080636eba40ed019c2949a8e28db
-
Filesize
1.7MB
MD50dc4014facf82aa027904c1be1d403c1
SHA15e6d6c020bfc2e6f24f3d237946b0103fe9b1831
SHA256a29ddd29958c64e0af1a848409e97401307277bb6f11777b1cfb0404a6226de7
SHA512cbeead189918657cc81e844ed9673ee8f743aed29ad9948e90afdfbecacc9c764fbdbfb92e8c8ceb5ae47cee52e833e386a304db0572c7130d1a54fd9c2cc028
-
Filesize
3.3MB
MD5cea368fc334a9aec1ecff4b15612e5b0
SHA1493d23f72731bb570d904014ffdacbba2334ce26
SHA25607e38cad68b0cdbea62f55f9bc6ee80545c2e1a39983baa222e8af788f028541
SHA512bed35a1cc56f32e0109ea5a02578489682a990b5cefa58d7cf778815254af9849e731031e824adba07c86c8425df58a1967ac84ce004c62e316a2e51a75c8748
-
Filesize
3.3MB
MD5045b0a3d5be6f10ddf19ae6d92dfdd70
SHA10387715b6681d7097d372cd0005b664f76c933c7
SHA25694b392e94fa47d1b9b7ae6a29527727268cc2e3484e818c23608f8835bc1104d
SHA51258255a755531791b888ffd9b663cc678c63d5caa932260e9546b1b10a8d54208334725c14529116b067bcf5a5e02da85e015a3bed80092b7698a43dab0168c7b
-
Filesize
440B
MD53626532127e3066df98e34c3d56a1869
SHA15fa7102f02615afde4efd4ed091744e842c63f78
SHA2562a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca
SHA512dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD5a21351a7b43ffc62b4f26cd264ad80d8
SHA1139efdfc402b5f8bdb0db1d3ebb69dd33935595b
SHA256a14940a2beeaa6b8bc7f0fd1fb662cae816261c661a852cbbd1a88d2f7eab2fd
SHA5123d6fda37c0f52ef031d5f488fd5501fa73e0e8d2b8b78ad261a1560fd8fc0189f78346beea318252b22f1300a1899987f3de00d036dc91a0a019e24be97ddae5
-
Filesize
2.8MB
MD5c32d39710b13585f9608ebac9e028ea0
SHA196ce25ea1f05d91a7314e6eed4101af60259a811
SHA2569ec7fc750fe77210f8b47d16680bdcf7c2c97177517e604214eb560a2a90386a
SHA512e6222188e39d4260c8de06a4d8033ef2a4c1122e8df22fda616b4bb2de2377846c1621f3cb0d9840c81791b7a1cba3276081063875a91781972a2be0da96e3c5
-
Filesize
1.6MB
MD572491c7b87a7c2dd350b727444f13bb4
SHA11e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA25634ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
Filesize
458KB
MD5619f7135621b50fd1900ff24aade1524
SHA16c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA5122c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628