Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
31/12/2024, 23:23
Static task
static1
Behavioral task
behavioral1
Sample
808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfN.exe
Resource
win7-20240903-en
General
-
Target
808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfN.exe
-
Size
634KB
-
MD5
026ecb902b5b7f30506e32414daf1720
-
SHA1
daae8c4583aac745d2246e88d3673770d3cf061c
-
SHA256
808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacf
-
SHA512
0e55a5c8e81516825e2f71a9b7219ca06ddfd52cca5ab9b3e53b31b9fdf21d223ed118a9ba65722872b6de249d04e346966a9234867de2cd5ba4d85dea12851d
-
SSDEEP
12288:PFUNDayA1X0y8ET2RUzcRg8EoVK4HJlA+X8qdwS/GaHTZfn/ZR:PFOayA1KEDzCg8EmTJlFXfTZfP
Malware Config
Extracted (family: bdaejec)
host: ddos.dnsnb8.net
Signatures
-
Bdaejec family
-
Detects Bdaejec Backdoor. 1 IoCs
Bdaejec is a backdoor written in C++.
resource: behavioral1/memory/2792-103-0x0000000000EE0000-0x0000000000EE9000-memory.dmp
yara_rule: family_bdaejec_backdoor
The matching memory region belongs to PID 2792, which the process list below identifies as XhmNEB.exe.
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
- Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
ShowSuperHidden = 0 keeps protected operating-system files hidden in Explorer, so the copies the sample drops under C:\Windows\Resources stay out of sight for a user browsing the disk.
-
resource: behavioral1/files/0x0007000000015d87-37.dat
yara_rule: aspack_v212_v242 (a dropped file packed with ASPack 2.12 to 2.42, per the rule name)
-
Executes dropped EXE 7 IoCs
pid | Process
- 2748 808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfn.exe
- 2628 icsys.icn.exe
- 2792 XhmNEB.exe
- 2536 explorer.exe
- 304 spoolsv.exe
- 872 svchost.exe
- 1924 spoolsv.exe
-
Loads dropped DLL 9 IoCs
pid | Process (hits)
- 3032 808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfN.exe (3)
- 2748 808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfn.exe (2)
- 2628 icsys.icn.exe (1)
- 2536 explorer.exe (1)
- 304 spoolsv.exe (1)
- 872 svchost.exe (1)
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
-
Drops file in System32 directory 2 IoCs
description | ioc | Process
- File opened for modification C:\Windows\SysWOW64\explorer.exe | svchost.exe
- File opened for modification C:\Windows\SysWOW64\explorer.exe | explorer.exe
-
Drops file in Program Files directory 64 IoCs
description: File opened for modification; Process: XhmNEB.exe (all 64 entries)
ioc:
- C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE
- C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe
- C:\Program Files\Java\jre7\bin\kinit.exe
- C:\Program Files\Windows Mail\WinMail.exe
- C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE
- C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe
- C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
- C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
- C:\Program Files\Java\jdk1.7.0_80\bin\java.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe
- C:\Program Files\Windows Defender\MpCmdRun.exe
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
- C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe
- C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE
- C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE
- C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe
- C:\Program Files\Windows Mail\wabmig.exe
- C:\Program Files (x86)\Windows Sidebar\sidebar.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe
- C:\Program Files\Java\jre7\bin\orbd.exe
- C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe
- C:\Program Files\Mozilla Firefox\private_browsing.exe
- C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE
- C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe
- C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe
- C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
- C:\Program Files\Java\jre7\bin\javacpl.exe
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
- C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
- C:\Program Files (x86)\Windows Mail\wab.exe
- C:\Program Files\7-Zip\7z.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe
- C:\Program Files\Java\jre7\bin\rmiregistry.exe
- C:\Program Files\Windows Photo Viewer\ImagingDevices.exe
- C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE
- C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe
- C:\Program Files\Java\jre7\bin\javaws.exe
- C:\Program Files\Java\jre7\bin\pack200.exe
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
- C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE
- C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe
- C:\Program Files\DVD Maker\DVDMaker.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe
- C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe
- C:\Program Files\Windows Journal\Journal.exe
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe
- C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
- C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe
A single dropped process opening dozens of unrelated third-party executables for modification is the access pattern of a file infector, and the report only records the open, not the bytes written; on any host that ran this sample, the binaries above should be hashed against a trusted baseline rather than assumed clean.
-
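A baseline check for the executables listed above, as an added example that is not tria.ge code: it hashes every .exe/.dll under a root directory and diffs the result against a known-good manifest, reporting files whose hash changed, files that vanished, and files that were not in the manifest at all. The directory tree, the file contents and the manifest are constructed in a temporary directory so the script runs anywhere; the two relative paths are borrowed from the list above only as labels, and "dropped.exe" is a made-up name for an unexpected file.

```python
"""Hash-baseline integrity check for a directory of executables.

Added example, not tria.ge code. demo() builds a constructed tree in a
temp directory, tampers with one binary and drops an unexpected one, then
runs verify_tree() against the manifest taken before the tampering.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_tree(root, baseline, suffixes=(".exe", ".dll")):
    """Compare executables under root with baseline {relative_path: sha256}.

    Relative paths are normalised to backslashes so a manifest taken on the
    Windows host compares cleanly with a tree inspected elsewhere.
    Returns {"modified": [...], "missing": [...], "unexpected": [...]}.
    """
    root = Path(root)
    seen = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            rel = str(p.relative_to(root)).replace(os.sep, "\\")
            seen[rel] = sha256_file(p)
    return {
        "modified": sorted(k for k in baseline if k in seen and seen[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in seen),
        "unexpected": sorted(k for k in seen if k not in baseline),
    }


def demo():
    """Constructed scenario: one binary rewritten, one new binary appeared."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed stand-ins for two of the executables named in the report.
        originals = {
            r"7-Zip\7z.exe": b"MZ original 7z",
            r"Java\jre7\bin\kinit.exe": b"MZ original kinit",
        }
        for rel, data in originals.items():
            p = root / Path(rel.replace("\\", "/"))
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        baseline = {rel: hashlib.sha256(data).hexdigest() for rel, data in originals.items()}

        # Simulate an infector appending code to 7z.exe and dropping a new file.
        (root / "7-Zip" / "7z.exe").write_bytes(originals[r"7-Zip\7z.exe"] + b"<appended code>")
        (root / "Java" / "jre7" / "bin" / "dropped.exe").write_bytes(b"MZ unexpected")

        return verify_tree(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the manifest comes from a gold image or a clean sibling host, and the check is run from a trusted environment (offline disk image or a clean boot), because a process that can rewrite 7z.exe can also rewrite whatever tool you run on the live machine.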
Drops file in Windows directory 5 IoCs
description | ioc | Process
- File opened for modification \??\c:\windows\resources\themes\explorer.exe | icsys.icn.exe
- File opened for modification \??\c:\windows\resources\spoolsv.exe | explorer.exe
- File opened for modification \??\c:\windows\resources\svchost.exe | spoolsv.exe
- File opened for modification C:\Windows\Resources\tjud.exe | explorer.exe
- File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe | 808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfN.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfN.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | XhmNEB.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfn.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
On its own this is weak evidence: the same key is read during ordinary locale initialisation, which is why the system's own cmd.exe and schtasks.exe appear in the list alongside the dropped binaries.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
- 2488 schtasks.exe
- 1112 schtasks.exe
-
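The persistence and hiding indicators above (the RunOnce values under Wow6432Node pointing into c:\windows\resources, ShowSuperHidden set to 0, binaries launched from C:\Windows\Resources, and the two schtasks /create commands that the process tree below shows running from svchost.exe) are simple enough to turn into detection logic. The script below is an added example, not tria.ge code: it runs the checks over a handful of event dicts constructed here from the report's own IoCs, plus two benign controls. The flat schema (event, process, pid, key, value, image, cmdline) is an assumed normalisation of Sysmon-style telemetry, not a real product's field names.

```python
"""Detection logic for the persistence indicators in this report.

Added example, not tria.ge code. SAMPLE_EVENTS is constructed from the
report's IoCs in an assumed normalised schema; the regexes accept both the
NT-style key paths tria.ge prints (\\REGISTRY\\MACHINE\\...) and the HKLM
form most EDR/Sysmon pipelines emit.
"""
import re

# Any Run or RunOnce key, under Wow6432Node or not, HKLM or HKU.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Paths under C:\Windows\Resources, where this sample plants its copies.
RESOURCES_RE = re.compile(r"^[a-z]:\\windows\\resources\\", re.I)
SUPERHIDDEN_RE = re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.I)
# /tr and /tn arguments of schtasks, quoted or bare.
SCHTASKS_TR_RE = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)
SCHTASKS_TN_RE = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.I)


def check_registry(ev):
    """Findings for a registry-set event carrying 'key' and 'value'."""
    hits = []
    key, value = ev.get("key", ""), str(ev.get("value", "")).strip()
    if RUN_KEY_RE.search(key) and RESOURCES_RE.search(value.strip('"')):
        hits.append(f"Run/RunOnce value points into C:\\Windows\\Resources: {value}")
    if SUPERHIDDEN_RE.search(key) and value == "0":
        hits.append("ShowSuperHidden set to 0 (protected OS files stay hidden in Explorer)")
    return hits


def check_process(ev):
    """Findings for a process-create event carrying 'image' and 'cmdline'."""
    hits = []
    image, cmdline = ev.get("image", ""), ev.get("cmdline", "")
    if RESOURCES_RE.search(image):
        hits.append(f"process image under C:\\Windows\\Resources: {image}")
    if image.lower().endswith("\\schtasks.exe") and "/create" in cmdline.lower():
        m = SCHTASKS_TR_RE.search(cmdline)
        target = (m.group(1) or m.group(2)) if m else ""
        if RESOURCES_RE.search(target):
            n = SCHTASKS_TN_RE.search(cmdline)
            name = (n.group(1) or n.group(2)) if n else "?"
            hits.append(f"scheduled task '{name}' runs {target}")
    return hits


def scan(events):
    """Return [(pid, process, finding)] for every indicator that fires."""
    out = []
    for ev in events:
        checker = check_registry if ev["event"] == "RegistrySet" else check_process
        for hit in checker(ev):
            out.append((ev["pid"], ev["process"], hit))
    return out


# Constructed events, mirroring the IoCs in this report, plus two benign controls.
SAMPLE_EVENTS = [
    {"event": "RegistrySet", "process": "explorer.exe", "pid": 2536,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer",
     "value": r"c:\windows\resources\themes\explorer.exe RO"},
    {"event": "RegistrySet", "process": "svchost.exe", "pid": 872,
     "key": r"HKU\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "value": "0"},
    {"event": "ProcessCreate", "process": "schtasks.exe", "pid": 2488,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:25 /f'},
    {"event": "ProcessCreate", "process": "spoolsv.exe", "pid": 304,
     "image": r"c:\windows\resources\spoolsv.exe",
     "cmdline": r"c:\windows\resources\spoolsv.exe SE"},
    # Benign controls: the real print spooler and an ordinary Run entry.
    {"event": "ProcessCreate", "process": "spoolsv.exe", "pid": 1300,
     "image": r"C:\Windows\System32\spoolsv.exe",
     "cmdline": r"C:\Windows\System32\spoolsv.exe"},
    {"event": "RegistrySet", "process": "msiexec.exe", "pid": 900,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for pid, proc, finding in scan(SAMPLE_EVENTS):
        print(f"{pid:>5} {proc:<14} {finding}")
```

The image-path check is the most robust of the four: C:\Windows\Resources is not a place legitimate software executes from, so it fires without depending on the file names spoolsv.exe/svchost.exe/explorer.exe, which the sample chose precisely because they blend into a process list. The ShowSuperHidden check should be combined with the others; users do toggle that setting by hand.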
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (each listed repeatedly in the raw log; 64 hits in total across these four processes)
- 3032 808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfN.exe
- 2628 icsys.icn.exe
- 2536 explorer.exe
- 872 svchost.exe
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
- 2536 explorer.exe
- 872 svchost.exe
-
Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process (hits)
- 3032 808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfN.exe (2)
- 2628 icsys.icn.exe (2)
- 2536 explorer.exe (2)
- 304 spoolsv.exe (2)
- 872 svchost.exe (2)
- 1924 spoolsv.exe (2)
-
Suspicious use of WriteProcessMemory 44 IoCs
description | pid | Process | procid_target (the raw log records every parent/child pair four times; collapsed here, x4 each)
- PID 3032 wrote to memory of 2748 | 3032 808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfN.exe | 30
- PID 3032 wrote to memory of 2628 | 3032 808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfN.exe | 31
- PID 2748 wrote to memory of 2792 | 2748 808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfn.exe | 33
- PID 2628 wrote to memory of 2536 | 2628 icsys.icn.exe | 34
- PID 2536 wrote to memory of 304 | 2536 explorer.exe | 35
- PID 304 wrote to memory of 872 | 304 spoolsv.exe | 36
- PID 872 wrote to memory of 1924 | 872 svchost.exe | 37
- PID 2536 wrote to memory of 2712 | 2536 explorer.exe | 38
- PID 872 wrote to memory of 2488 | 872 svchost.exe | 39
- PID 2792 wrote to memory of 1080 | 2792 XhmNEB.exe | 42
- PID 872 wrote to memory of 1112 | 872 svchost.exe | 45
Processes
-
Depth in brackets as reported; indentation follows the parent/child relationship.
[1] C:\Users\Admin\AppData\Local\Temp\808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfN.exe (PID 3032)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfN.exe"
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] \??\c:\users\admin\appdata\local\temp\808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfn.exe (PID 2748)
      cmdline: c:\users\admin\appdata\local\temp\808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfn.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\XhmNEB.exe (PID 2792)
        cmdline: C:\Users\Admin\AppData\Local\Temp\XhmNEB.exe
        - Executes dropped EXE
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1080)
          cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\172720fd.bat" "
          - System Location Discovery: System Language Discovery
  [2] C:\Windows\Resources\Themes\icsys.icn.exe (PID 2628)
      cmdline: C:\Windows\Resources\Themes\icsys.icn.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] \??\c:\windows\resources\themes\explorer.exe (PID 2536)
        cmdline: c:\windows\resources\themes\explorer.exe
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] \??\c:\windows\resources\spoolsv.exe (PID 304)
          cmdline: c:\windows\resources\spoolsv.exe SE
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] \??\c:\windows\resources\svchost.exe (PID 872)
            cmdline: c:\windows\resources\svchost.exe
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
          [6] \??\c:\windows\resources\spoolsv.exe (PID 1924)
              cmdline: c:\windows\resources\spoolsv.exe PR
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
          [6] C:\Windows\SysWOW64\schtasks.exe (PID 2488)
              cmdline: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:25 /f
              - System Location Discovery: System Language Discovery
              - Scheduled Task/Job: Scheduled Task
          [6] C:\Windows\SysWOW64\schtasks.exe (PID 1112)
              cmdline: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:26 /f
              - System Location Discovery: System Language Discovery
              - Scheduled Task/Job: Scheduled Task
      [4] C:\Windows\Explorer.exe (PID 2712)
          cmdline: C:\Windows\Explorer.exe
Note that the dropped explorer.exe, spoolsv.exe and svchost.exe run from c:\windows\resources and c:\windows\resources\themes, not from C:\Windows or C:\Windows\System32 where the genuine binaries of those names live; the path, not the name, is what distinguishes them in a process listing.
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- Hide Artifacts (1): Hidden Files and Directories (1)
- Modify Registry (2)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0I0VVMWQ\k2[1].rar
Filesize 4B
MD5 d3b07384d113edec49eaa6238ad5ff00
SHA1 f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
SHA256 b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
SHA512 0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6
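A four-byte ".rar" is worth a second look before anyone goes hunting for the archive. The MD5, SHA1 and SHA256 above are the well-known digests of the ASCII string "foo" followed by a newline, which is a placeholder body rather than an archive (a RAR file starts with the bytes Rar!\x1a\x07). The script below, an added example and not tria.ge code, makes that identification mechanically by hashing a constructed list of common stub-server bodies against the reported digests and size; whatever answered the request for k2.rar in this run returned "foo\n", so there is no payload to analyse from this download entry.

```python
"""Identify a tiny downloaded file from its reported size and digests.

Added example, not tria.ge code. REPORTED is copied from this page's
Downloads entry for k2[1].rar; CANDIDATES is a constructed list of bodies
that stub HTTP servers and sinkholes commonly return.
"""
import hashlib

REPORTED = {
    "md5": "d3b07384d113edec49eaa6238ad5ff00",
    "sha1": "f1d2d2f924e986ac86fdf7b36c94bcdf32beec15",
    "sha256": "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c",
}
REPORTED_SIZE = 4

# Constructed candidates: typical placeholder or canned response bodies.
CANDIDATES = [b"", b"ok", b"foo", b"foo\n", b"foo\r\n", b"test", b"1234",
              b"null", b"\x00\x00\x00\x00", b"<html>"]

RAR_MAGIC = b"Rar!\x1a\x07"  # RAR4 continues with 0x00, RAR5 with 0x01 0x00


def digests(data, algos):
    """Hex digests of data for every algorithm name in algos."""
    return {a: hashlib.new(a, data).hexdigest() for a in algos}


def identify(reported, size, candidates):
    """Return the first candidate whose length and every digest match, else None."""
    for candidate in candidates:
        if len(candidate) == size and digests(candidate, reported) == reported:
            return candidate
    return None


def looks_like_rar(data):
    """True if data begins with the RAR archive signature."""
    return data.startswith(RAR_MAGIC)


if __name__ == "__main__":
    body = identify(REPORTED, REPORTED_SIZE, CANDIDATES)
    print("body:", body, "| rar signature:", looks_like_rar(body or b""))
```

The size check comes first because it is free and rules out most candidates before any hashing; matching on every reported algorithm at once rather than MD5 alone avoids being misled by a single weak digest.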
-
Filesize 187B
MD5 c4eb35e731a5ad716a17761cc1d30997
SHA1 5d265803fe221cb8fce3f44d1aa23b4c80fc9bd8
SHA256 4d74032223894b279ae6d6c8bd033c461b3d7167f3a002f03015d9247a941f12
SHA512 477d57a14e822dbbf7627f622f53114178eebfde96ccdca8c6194909b761b8ab4bd99c69ad5dcc3554195a3c24a9de1ed76af6fc3b60d99243d8cf7a79a5e314
-
Filesize 15KB
MD5 56b2c3810dba2e939a8bb9fa36d3cf96
SHA1 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA256 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA512 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e
-
Filesize 135KB
MD5 116b0e933e94cd66308a3b935a380385
SHA1 1504d4c93151d7c4df39080b2f587aa7fb70d394
SHA256 42a5a1b50e92054a13477fd52789b3329b131760c80d04f686c3511a7fa3bffb
SHA512 d793309aab7a9078bb70c163600388d8717a31b8d79ec6f2a284e9150be4a4ad06c8e68f27bf31964813bc1f8f936c35b664c4149964e18c2dea8344c17d52b0
-
\Users\Admin\AppData\Local\Temp\808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfn.exe
Filesize 499KB
MD5 fe1c73a64fff4bdf575f4a9118ebcfd6
SHA1 964a991f99d9131dbcee088dcfd520996fff2aef
SHA256 f19b8229adf7dfa9524eb1649acf7686482c4a0cf066de218d2569689a9a802f
SHA512 2f0f40541a4f039b1e3143d4ada19cba72f3586a9f98aa94a61765f7a0c20ca773904e3e089bb0fd2997f4be3fb0cd2af2929ec79d0535e19d72be8f696e978d
-
Filesize 135KB
MD5 cf83fbea38390db07d284e1ac29176b4
SHA1 3c1fe39f8f1ddb2d28e9e1928bd5c2758a3254a2
SHA256 4e7f8c1c0a55c1dfe6e29bce4f110e89cc8c0174bc84144577c02f18a77b50de
SHA512 7de5089689f943a24fa5720ab63636c53a0e2d421995a9b9d99f2f5201705eb5ceff4872f8e113a739a319c229207dae9a231b4a7a39a4c61c9f2e67d77c553e
-
Filesize 135KB
MD5 8afc4dcfc9443520f3dea034ee228dd6
SHA1 670a33cf306e8aa317ff977a13f99415d29254a2
SHA256 2254c13ec3a40c428b562a906c301180095d3840c10fd079dc2fc12ef9081071
SHA512 f0dce724430a854f3feaf8e9b21e4db9535eff0bdcc3f970d9d2ecfb2744ad9ac0560748491fb83353232751547a8a0226db3d0565699a47fc922d608a346a2f
-
Filesize 135KB
MD5 2bca9731bf7de56aaa47329026df9d5e
SHA1 cb98bf980874d896deace337d42dc97f913197d8
SHA256 baa2c5346ce8ed0213492190bd7c16aea73ec7c18e62c1d96a898b6676665d5f
SHA512 b8d854b33d3d62330e9703a894a38a889fb4dc7cf462ebccf756cceae70873395935db39276d65ebb23047902d2ee11565f5fdad2c1aaf579f367cd11e1ace68