Analysis

max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2024, 02:27
Static task: static1

Behavioral task: behavioral1
  Sample: 5a49f64634ac29f37b3e53f5a1e37b90e8f3a385683f24083c68aee092408314.msi
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 5a49f64634ac29f37b3e53f5a1e37b90e8f3a385683f24083c68aee092408314.msi
  Resource: win10v2004-20241007-en
General

Target: 5a49f64634ac29f37b3e53f5a1e37b90e8f3a385683f24083c68aee092408314.msi
Size: 1.7MB
MD5: 51dd5767de678bb6359cbb175319f0ec
SHA1: 76ae487dda6cf3651a9b2b30614c0fefd1f3149c
SHA256: 5a49f64634ac29f37b3e53f5a1e37b90e8f3a385683f24083c68aee092408314
SHA512: ffb798290e2f6840eb8f0587dc675e8654589bfd070b1c54e49c7984272aa94da3a493cbd28b1dddef1f6a44b09ad9fd8a14ec0d77b90f948dc85089f91cc8a0
SSDEEP: 49152:+EJnsHyjtk2MYC5GDChloJfWJ255hpB14Rd:1nsmtk2arhlTJ23h
Malware Config

Extracted

Family: xred
xred.mooo.com
payload_url:
  http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
  https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
  https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
  http://xred.site50.net/syn/SUpdate.ini
  https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
  https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
  http://xred.site50.net/syn/Synaptics.rar
  https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
  https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
  http://xred.site50.net/syn/SSLLibrary.dll
Signatures

Xred family

Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MRIYKG.lnk | ._cache_Synaptics.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | MSI991.tmp
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MRIYKG = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\CHVALO.exe\"" | ._cache_Synaptics.exe

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
AutoIT Executable (8 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4208-216-0x0000000000980000-0x0000000000B84000-memory.dmp | autoit_exe
behavioral2/memory/4208-217-0x0000000000980000-0x0000000000B84000-memory.dmp | autoit_exe
behavioral2/memory/4208-226-0x0000000000980000-0x0000000000B84000-memory.dmp | autoit_exe
behavioral2/memory/4064-230-0x00000000006E0000-0x00000000008E4000-memory.dmp | autoit_exe
behavioral2/memory/4208-262-0x0000000000980000-0x0000000000B84000-memory.dmp | autoit_exe
behavioral2/memory/3524-269-0x00000000006E0000-0x00000000008E4000-memory.dmp | autoit_exe
behavioral2/memory/4208-270-0x0000000000980000-0x0000000000B84000-memory.dmp | autoit_exe
behavioral2/memory/4208-276-0x0000000000980000-0x0000000000B84000-memory.dmp | autoit_exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | MSI991.tmp
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | Synaptics.exe
Drops file in System32 directory (5 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\._cache_MSI991.tmp | MSI991.tmp
File opened for modification | C:\Windows\SysWOW64\._cache_MSI991.tmp | MSI991.tmp
File created | C:\Windows\SysWOW64\._cache_Synaptics.exe | Synaptics.exe
File opened for modification | C:\Windows\SysWOW64\._cache_Synaptics.exe | Synaptics.exe
File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\root\SecurityCenter2 | ._cache_Synaptics.exe

resource | yara_rule
behavioral2/files/0x0033000000023b79-94.dat | upx
behavioral2/memory/4208-151-0x0000000000980000-0x0000000000B84000-memory.dmp | upx
behavioral2/memory/4208-216-0x0000000000980000-0x0000000000B84000-memory.dmp | upx
behavioral2/memory/4208-217-0x0000000000980000-0x0000000000B84000-memory.dmp | upx
behavioral2/memory/4208-226-0x0000000000980000-0x0000000000B84000-memory.dmp | upx
behavioral2/memory/4064-228-0x00000000006E0000-0x00000000008E4000-memory.dmp | upx
behavioral2/memory/4064-230-0x00000000006E0000-0x00000000008E4000-memory.dmp | upx
behavioral2/memory/4208-262-0x0000000000980000-0x0000000000B84000-memory.dmp | upx
behavioral2/memory/3524-269-0x00000000006E0000-0x00000000008E4000-memory.dmp | upx
behavioral2/memory/4208-270-0x0000000000980000-0x0000000000B84000-memory.dmp | upx
behavioral2/memory/4208-276-0x0000000000980000-0x0000000000B84000-memory.dmp | upx
Drops file in Windows directory (8 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Installer\e580858.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI913.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI991.tmp | msiexec.exe
File created | C:\Windows\Installer\e580858.msi | msiexec.exe

Executes dropped EXE (5 IoCs)
pid | Process
2648 | MSI991.tmp
924 | Synaptics.exe
4208 | ._cache_Synaptics.exe
4064 | CHVALO.exe
3524 | CHVALO.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
pid | Process
2060 | msiexec.exe
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CHVALO.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSI991.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Synaptics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_Synaptics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WSCript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CHVALO.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary value elided) | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | MSI991.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Synaptics.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
440 | schtasks.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
4560 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2740 | msiexec.exe
2740 | msiexec.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe
4208 | ._cache_Synaptics.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
4208 | ._cache_Synaptics.exe
Suspicious use of AdjustPrivilegeToken (55 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 2060 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2060 | msiexec.exe
Token: SeSecurityPrivilege | 2740 | msiexec.exe
Token: SeCreateTokenPrivilege | 2060 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2060 | msiexec.exe
Token: SeLockMemoryPrivilege | 2060 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2060 | msiexec.exe
Token: SeMachineAccountPrivilege | 2060 | msiexec.exe
Token: SeTcbPrivilege | 2060 | msiexec.exe
Token: SeSecurityPrivilege | 2060 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2060 | msiexec.exe
Token: SeLoadDriverPrivilege | 2060 | msiexec.exe
Token: SeSystemProfilePrivilege | 2060 | msiexec.exe
Token: SeSystemtimePrivilege | 2060 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2060 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2060 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2060 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2060 | msiexec.exe
Token: SeBackupPrivilege | 2060 | msiexec.exe
Token: SeRestorePrivilege | 2060 | msiexec.exe
Token: SeShutdownPrivilege | 2060 | msiexec.exe
Token: SeDebugPrivilege | 2060 | msiexec.exe
Token: SeAuditPrivilege | 2060 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2060 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2060 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2060 | msiexec.exe
Token: SeUndockPrivilege | 2060 | msiexec.exe
Token: SeSyncAgentPrivilege | 2060 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2060 | msiexec.exe
Token: SeManageVolumePrivilege | 2060 | msiexec.exe
Token: SeImpersonatePrivilege | 2060 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2060 | msiexec.exe
Token: SeBackupPrivilege | 3996 | vssvc.exe
Token: SeRestorePrivilege | 3996 | vssvc.exe
Token: SeAuditPrivilege | 3996 | vssvc.exe
Token: SeBackupPrivilege | 2740 | msiexec.exe
Token: SeRestorePrivilege | 2740 | msiexec.exe
Token: SeRestorePrivilege | 2740 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2740 | msiexec.exe
Token: SeRestorePrivilege | 2740 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2740 | msiexec.exe
Token: SeRestorePrivilege | 2740 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2740 | msiexec.exe
Token: SeRestorePrivilege | 2740 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2740 | msiexec.exe
Token: SeRestorePrivilege | 2740 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2740 | msiexec.exe
Token: SeBackupPrivilege | 1360 | srtasks.exe
Token: SeRestorePrivilege | 1360 | srtasks.exe
Token: SeSecurityPrivilege | 1360 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 1360 | srtasks.exe
Token: SeBackupPrivilege | 1360 | srtasks.exe
Token: SeRestorePrivilege | 1360 | srtasks.exe
Token: SeSecurityPrivilege | 1360 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 1360 | srtasks.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
2060 | msiexec.exe
2060 | msiexec.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
4560 | EXCEL.EXE
4560 | EXCEL.EXE
4560 | EXCEL.EXE
4560 | EXCEL.EXE
4560 | EXCEL.EXE
4560 | EXCEL.EXE

Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | Process | procid_target
PID 2740 wrote to memory of 1360 | 2740 | msiexec.exe | 91
PID 2740 wrote to memory of 1360 | 2740 | msiexec.exe | 91
PID 2740 wrote to memory of 2648 | 2740 | msiexec.exe | 93
PID 2740 wrote to memory of 2648 | 2740 | msiexec.exe | 93
PID 2740 wrote to memory of 2648 | 2740 | msiexec.exe | 93
PID 2648 wrote to memory of 924 | 2648 | MSI991.tmp | 94
PID 2648 wrote to memory of 924 | 2648 | MSI991.tmp | 94
PID 2648 wrote to memory of 924 | 2648 | MSI991.tmp | 94
PID 924 wrote to memory of 4208 | 924 | Synaptics.exe | 96
PID 924 wrote to memory of 4208 | 924 | Synaptics.exe | 96
PID 924 wrote to memory of 4208 | 924 | Synaptics.exe | 96
PID 4208 wrote to memory of 4960 | 4208 | ._cache_Synaptics.exe | 97
PID 4208 wrote to memory of 4960 | 4208 | ._cache_Synaptics.exe | 97
PID 4208 wrote to memory of 4960 | 4208 | ._cache_Synaptics.exe | 97
PID 4208 wrote to memory of 2656 | 4208 | ._cache_Synaptics.exe | 99
PID 4208 wrote to memory of 2656 | 4208 | ._cache_Synaptics.exe | 99
PID 4208 wrote to memory of 2656 | 4208 | ._cache_Synaptics.exe | 99
PID 4960 wrote to memory of 440 | 4960 | cmd.exe | 100
PID 4960 wrote to memory of 440 | 4960 | cmd.exe | 100
PID 4960 wrote to memory of 440 | 4960 | cmd.exe | 100
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Process tree; the bracketed number is the nesting depth shown by the sandbox.

[1] C:\Windows\system32\msiexec.exe
    Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\5a49f64634ac29f37b3e53f5a1e37b90e8f3a385683f24083c68aee092408314.msi
    PID: 2060
    - Enumerates connected drives
    - Event Triggered Execution: Installer Packages
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

[1] C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    PID: 2740
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\srtasks.exe
        Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
        PID: 1360
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\Installer\MSI991.tmp
        Command line: "C:\Windows\Installer\MSI991.tmp"
        PID: 2648
        - Adds Run key to start application
        - Checks computer location settings
        - Drops file in System32 directory
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of WriteProcessMemory

        [3] C:\ProgramData\Synaptics\Synaptics.exe
            Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
            PID: 924
            - Checks computer location settings
            - Drops file in System32 directory
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\._cache_Synaptics.exe
                Command line: "C:\Windows\system32\._cache_Synaptics.exe" InjUpdate
                PID: 4208
                - Drops startup file
                - Adds Run key to start application
                - Drops file in System32 directory
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c schtasks /create /tn MRIYKG.exe /tr C:\Users\Admin\AppData\Roaming\Windata\CHVALO.exe /sc minute /mo 1
                    PID: 4960
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of WriteProcessMemory

                    [6] C:\Windows\SysWOW64\schtasks.exe
                        Command line: schtasks /create /tn MRIYKG.exe /tr C:\Users\Admin\AppData\Roaming\Windata\CHVALO.exe /sc minute /mo 1
                        PID: 440
                        - System Location Discovery: System Language Discovery
                        - Scheduled Task/Job: Scheduled Task

                [5] C:\Windows\SysWOW64\WSCript.exe
                    Command line: WSCript C:\Users\Admin\AppData\Local\Temp\MRIYKG.vbs
                    PID: 2656
                    - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    PID: 3996
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    PID: 4560
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

[1] C:\Users\Admin\AppData\Roaming\Windata\CHVALO.exe
    Command line: C:\Users\Admin\AppData\Roaming\Windata\CHVALO.exe
    PID: 4064
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

[1] C:\Users\Admin\AppData\Roaming\Windata\CHVALO.exe
    Command line: C:\Users\Admin\AppData\Roaming\Windata\CHVALO.exe
    PID: 3524
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Installer Packages (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Installer Packages (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads