Analysis
max time kernel: 120s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 31/12/2024, 23:23
Static task: static1
Behavioral task: behavioral1
Sample: 808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfN.exe
Resource: win7-20240903-en
General
Target: 808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfN.exe
Size: 634KB
MD5: 026ecb902b5b7f30506e32414daf1720
SHA1: daae8c4583aac745d2246e88d3673770d3cf061c
SHA256: 808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacf
SHA512: 0e55a5c8e81516825e2f71a9b7219ca06ddfd52cca5ab9b3e53b31b9fdf21d223ed118a9ba65722872b6de249d04e346966a9234867de2cd5ba4d85dea12851d
SSDEEP: 12288:PFUNDayA1X0y8ET2RUzcRg8EoVK4HJlA+X8qdwS/GaHTZfn/ZR:PFOayA1KEDzCg8EmTJlFXfTZfP
Malware Config
Extracted
bdaejec
ddos.dnsnb8.net
Signatures
Bdaejec family
Detects Bdaejec Backdoor. 1 IoCs
Bdaejec is a backdoor written in C++.
resource | yara_rule
behavioral2/memory/2420-87-0x0000000000320000-0x0000000000329000-memory.dmp | family_bdaejec_backdoor
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
resource | yara_rule
behavioral2/files/0x000b000000023bb3-24.dat | aspack_v212_v242
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | XhmNEB.exe
Executes dropped EXE 7 IoCs
pid | Process
2232 | 808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfn.exe
2676 | icsys.icn.exe
1820 | explorer.exe
2420 | XhmNEB.exe
4268 | spoolsv.exe
1396 | svchost.exe
4764 | spoolsv.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE | XhmNEB.exe
File opened for modification | C:\Program Files\Windows Photo Viewer\ImagingDevices.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE | XhmNEB.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE | XhmNEB.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE | XhmNEB.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE | XhmNEB.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | XhmNEB.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | XhmNEB.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Microsoft.Notes.exe | XhmNEB.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\wabmig.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe | XhmNEB.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstaller.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | XhmNEB.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe | XhmNEB.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\msoev.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE | XhmNEB.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe | XhmNEB.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | XhmNEB.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Microsoft.WebMediaExtensions.exe | XhmNEB.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | XhmNEB.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE | XhmNEB.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | XhmNEB.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\StoreExperienceHost.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Integration\Integrator.exe | XhmNEB.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\WindowsCamera.exe | XhmNEB.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | XhmNEB.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe | XhmNEB.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | XhmNEB.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE | XhmNEB.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | 808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfN.exe
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | icsys.icn.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | XhmNEB.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1772 | 808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfN.exe (32 entries)
2676 | icsys.icn.exe (32 entries)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
1820 | explorer.exe
1396 | svchost.exe
Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process
1772 | 808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfN.exe
1772 | 808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfN.exe
2676 | icsys.icn.exe
2676 | icsys.icn.exe
1820 | explorer.exe
1820 | explorer.exe
4268 | spoolsv.exe
4268 | spoolsv.exe
1396 | svchost.exe
1396 | svchost.exe
4764 | spoolsv.exe
4764 | spoolsv.exe
Suspicious use of WriteProcessMemory 24 IoCs (each entry below is recorded 3 times)
description | pid | Process | procid_target
PID 1772 wrote to memory of 2232 | 1772 | 808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfN.exe | 82
PID 1772 wrote to memory of 2676 | 1772 | 808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfN.exe | 83
PID 2676 wrote to memory of 1820 | 2676 | icsys.icn.exe | 85
PID 2232 wrote to memory of 2420 | 2232 | 808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfn.exe | 86
PID 1820 wrote to memory of 4268 | 1820 | explorer.exe | 87
PID 4268 wrote to memory of 1396 | 4268 | spoolsv.exe | 88
PID 1396 wrote to memory of 4764 | 1396 | svchost.exe | 89
PID 2420 wrote to memory of 2964 | 2420 | XhmNEB.exe | 90
Processes
C:\Users\Admin\AppData\Local\Temp\808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfN.exe (level 1, PID 1772)
Command line: "C:\Users\Admin\AppData\Local\Temp\808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfN.exe"
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  \??\c:\users\admin\appdata\local\temp\808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfn.exe (level 2, PID 2232)
  Command line: c:\users\admin\appdata\local\temp\808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfn.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\XhmNEB.exe (level 3, PID 2420)
    Command line: C:\Users\Admin\AppData\Local\Temp\XhmNEB.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (level 4, PID 2964)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2f5209dc.bat" "
      - System Location Discovery: System Language Discovery

  C:\Windows\Resources\Themes\icsys.icn.exe (level 2, PID 2676)
  Command line: C:\Windows\Resources\Themes\icsys.icn.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    \??\c:\windows\resources\themes\explorer.exe (level 3, PID 1820)
    Command line: c:\windows\resources\themes\explorer.exe
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

      \??\c:\windows\resources\spoolsv.exe (level 4, PID 4268)
      Command line: c:\windows\resources\spoolsv.exe SE
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        \??\c:\windows\resources\svchost.exe (level 5, PID 1396)
        Command line: c:\windows\resources\svchost.exe
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

          \??\c:\windows\resources\spoolsv.exe (level 6, PID 4764)
          Command line: c:\windows\resources\spoolsv.exe PR
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution: 1
Registry Run Keys / Startup Folder: 1
Defense Evasion
Hide Artifacts: 1
Hidden Files and Directories: 1
Modify Registry: 2
Downloads
Filesize: 4B
MD5: d3b07384d113edec49eaa6238ad5ff00
SHA1: f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
SHA256: b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
SHA512: 0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Filesize: 4B
MD5: 20879c987e2f9a916e578386d499f629
SHA1: c7b33ddcc42361fdb847036fc07e880b81935d5d
SHA256: 9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31
SHA512: bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Filesize: 187B
MD5: 95c7ab139ef4e86cede4f50b9a8dec25
SHA1: 22a611338b91811ed641a9b746b3a2986ead2f18
SHA256: 98ac11b173d23c0f45f7f559044b952ad30bfb5c68bc572408232afb7e8ee853
SHA512: 415a8206f27113a643974e9dd131845cbdcc7cd9f3929533a96e5b21784a6dcc8c664ceb64892ca845b3af07049524fa2716b14e415a51e3bfe8642161740f79

C:\Users\Admin\AppData\Local\Temp\808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfn.exe
Filesize: 499KB
MD5: fe1c73a64fff4bdf575f4a9118ebcfd6
SHA1: 964a991f99d9131dbcee088dcfd520996fff2aef
SHA256: f19b8229adf7dfa9524eb1649acf7686482c4a0cf066de218d2569689a9a802f
SHA512: 2f0f40541a4f039b1e3143d4ada19cba72f3586a9f98aa94a61765f7a0c20ca773904e3e089bb0fd2997f4be3fb0cd2af2929ec79d0535e19d72be8f696e978d

Filesize: 15KB
MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Filesize: 135KB
MD5: fc4d8d5caa0f6986f2c13355d5df451d
SHA1: c7b485ac77edc523d19e90cacadd802d6524aa06
SHA256: 2c2bcbffe2837e4351af5b735f49ac7f4029d07b375e016b1d8f4824321a1340
SHA512: 62510ddba7b08cd29fac2c1dfbc2e23e1eb7d4114fffd2778d2475ca2d542b566c7d689f0ee4e195d09942e9d6eb0f777fb5f40df5c4346b621d044984894fe9

Filesize: 135KB
MD5: cf83fbea38390db07d284e1ac29176b4
SHA1: 3c1fe39f8f1ddb2d28e9e1928bd5c2758a3254a2
SHA256: 4e7f8c1c0a55c1dfe6e29bce4f110e89cc8c0174bc84144577c02f18a77b50de
SHA512: 7de5089689f943a24fa5720ab63636c53a0e2d421995a9b9d99f2f5201705eb5ceff4872f8e113a739a319c229207dae9a231b4a7a39a4c61c9f2e67d77c553e

Filesize: 135KB
MD5: 1c7445cc24b1b377b4dda9eb3075fbbe
SHA1: 62138655ef77917575a9706c40cf71c49377bfbd
SHA256: 837dcb786358f3408afab30214640780026ee2cae614aa7a263ed565858b8417
SHA512: ef0e6663c2d6f296896d9b871105ece19b817b64febf30bf48b03d3719164ac9a5339af1b95479a0dbf578af7d7497fe2a5f38862aef8b7b8a4aad06e97a526d

Filesize: 135KB
MD5: b667b428ca7f9b6946ecf5ac1d0163ba
SHA1: b43ee2f8cd349879fca953e20e68384f7f403e4a
SHA256: 2d03c7b5db950292b96017e58278a04b0c323c5e36ecb3aa57e2c2843114b183
SHA512: 7d1204b9e2a06df25c59631bc18e5f3ee0cb545cfbe05bc3447e57a294b693b995dbd413f50f6cbc90f240d5518a59970c0eea1cb4c3e690533bdbf5ce401e8d