Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 121s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25/01/2025, 16:56
Static task: static1
Behavioral task: behavioral1
  Sample: 51ee1c43b8c4c83a1ee89f486a002e8a.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 51ee1c43b8c4c83a1ee89f486a002e8a.exe
  Resource: win10v2004-20241007-en
General
Target: 51ee1c43b8c4c83a1ee89f486a002e8a.exe
Size: 1.9MB
MD5: 51ee1c43b8c4c83a1ee89f486a002e8a
SHA1: ac3559b85e9f8328fc661c4f7dc17d464aa461fa
SHA256: 2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253
SHA512: 3191012d5078beb815ff733c3981545858a30e5051ffbbb7b4bb1dff5bab82004809a0d407af0d8312b241c05738591d7a83ce2e01e0c9b2e8f9d325ca9649d6
SSDEEP: 49152:SIsY+oZb+wZGTt6IDmYYg+tfxXi1Mq39V:SIg6IDatJXbM9V
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Modifies WinLogon for persistence (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\audiodg.exe\"" | 51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\audiodg.exe\", \"C:\\Windows\\Setup\\Idle.exe\"" | 51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\audiodg.exe\", \"C:\\Windows\\Setup\\Idle.exe\", \"C:\\Program Files\\Windows Sidebar\\csrss.exe\"" | 51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\audiodg.exe\", \"C:\\Windows\\Setup\\Idle.exe\", \"C:\\Program Files\\Windows Sidebar\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\dllhost.exe\"" | 51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\audiodg.exe\", \"C:\\Windows\\Setup\\Idle.exe\", \"C:\\Program Files\\Windows Sidebar\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\51ee1c43b8c4c83a1ee89f486a002e8a.exe\"" | 51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\audiodg.exe\"" | 51ee1c43b8c4c83a1ee89f486a002e8a.exe
Process spawned unexpected child process (18 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2720 | 2888 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2612 | 2888 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2620 | 2888 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2868 | 2888 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2900 | 2888 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2928 | 2888 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2064 | 2888 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1188 | 2888 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1196 | 2888 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1036 | 2888 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2104 | 2888 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 264 | 2888 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2796 | 2888 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1524 | 2888 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1604 | 2888 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2000 | 2888 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2188 | 2888 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1600 | 2888 | schtasks.exe | 31
Command and Scripting Interpreter: PowerShell (1 TTPs, 6 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
1596 | powershell.exe
2240 | powershell.exe
1100 | powershell.exe
1772 | powershell.exe
2268 | powershell.exe
2344 | powershell.exe
Executes dropped EXE (1 IoCs)
pid | Process
1364 | Idle.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Default User\\audiodg.exe\"" | 51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Windows Sidebar\\audiodg.exe\"" | 51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Sidebar\\csrss.exe\"" | 51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\AppData\\dllhost.exe\"" | 51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\51ee1c43b8c4c83a1ee89f486a002e8a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\51ee1c43b8c4c83a1ee89f486a002e8a.exe\"" | 51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Default User\\audiodg.exe\"" | 51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Windows Sidebar\\audiodg.exe\"" | 51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Setup\\Idle.exe\"" | 51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Setup\\Idle.exe\"" | 51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Sidebar\\csrss.exe\"" | 51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\AppData\\dllhost.exe\"" | 51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\51ee1c43b8c4c83a1ee89f486a002e8a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\51ee1c43b8c4c83a1ee89f486a002e8a.exe\"" | 51ee1c43b8c4c83a1ee89f486a002e8a.exe
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
5 | ipinfo.io
12 | ipinfo.io
13 | ipinfo.io
4 | ipinfo.io
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | \??\c:\Windows\System32\CSCDEDAB071B0F64DE09691ADF5636D8BE.TMP | csc.exe
File created | \??\c:\Windows\System32\wa0wg5.exe | csc.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File created | C:\Program Files\Windows Sidebar\886983d96e3d3e | 51ee1c43b8c4c83a1ee89f486a002e8a.exe
File created | C:\Program Files (x86)\Windows Sidebar\audiodg.exe | 51ee1c43b8c4c83a1ee89f486a002e8a.exe
File created | C:\Program Files (x86)\Windows Sidebar\42af1c969fbb7b | 51ee1c43b8c4c83a1ee89f486a002e8a.exe
File created | C:\Program Files\Windows Sidebar\csrss.exe | 51ee1c43b8c4c83a1ee89f486a002e8a.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\Setup\Idle.exe | 51ee1c43b8c4c83a1ee89f486a002e8a.exe
File created | C:\Windows\Setup\6ccacd8608530f | 51ee1c43b8c4c83a1ee89f486a002e8a.exe
Modifies system certificate store (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | 51ee1c43b8c4c83a1ee89f486a002e8a.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 | 51ee1c43b8c4c83a1ee89f486a002e8a.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 18 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2868 | schtasks.exe
264 | schtasks.exe
2000 | schtasks.exe
1600 | schtasks.exe
2064 | schtasks.exe
2104 | schtasks.exe
2796 | schtasks.exe
1524 | schtasks.exe
2720 | schtasks.exe
2612 | schtasks.exe
2900 | schtasks.exe
1188 | schtasks.exe
2188 | schtasks.exe
2620 | schtasks.exe
2928 | schtasks.exe
1196 | schtasks.exe
1036 | schtasks.exe
1604 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
628 | 51ee1c43b8c4c83a1ee89f486a002e8a.exe (this row is reported 64 times)
Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 628 | 51ee1c43b8c4c83a1ee89f486a002e8a.exe
Token: SeDebugPrivilege | 2268 | powershell.exe
Token: SeDebugPrivilege | 2240 | powershell.exe
Token: SeDebugPrivilege | 1772 | powershell.exe
Token: SeDebugPrivilege | 1100 | powershell.exe
Token: SeDebugPrivilege | 1596 | powershell.exe
Token: SeDebugPrivilege | 2344 | powershell.exe
Token: SeDebugPrivilege | 1364 | Idle.exe
Suspicious use of WriteProcessMemory (36 IoCs; each row below is reported 3 times)
description | pid | Process | procid_target
PID 628 wrote to memory of 3032 | 628 | 51ee1c43b8c4c83a1ee89f486a002e8a.exe | 35
PID 3032 wrote to memory of 1776 | 3032 | csc.exe | 37
PID 628 wrote to memory of 2268 | 628 | 51ee1c43b8c4c83a1ee89f486a002e8a.exe | 53
PID 628 wrote to memory of 2344 | 628 | 51ee1c43b8c4c83a1ee89f486a002e8a.exe | 54
PID 628 wrote to memory of 1772 | 628 | 51ee1c43b8c4c83a1ee89f486a002e8a.exe | 55
PID 628 wrote to memory of 1100 | 628 | 51ee1c43b8c4c83a1ee89f486a002e8a.exe | 57
PID 628 wrote to memory of 2240 | 628 | 51ee1c43b8c4c83a1ee89f486a002e8a.exe | 60
PID 628 wrote to memory of 1596 | 628 | 51ee1c43b8c4c83a1ee89f486a002e8a.exe | 62
PID 628 wrote to memory of 2024 | 628 | 51ee1c43b8c4c83a1ee89f486a002e8a.exe | 65
PID 2024 wrote to memory of 1416 | 2024 | cmd.exe | 67
PID 2024 wrote to memory of 896 | 2024 | cmd.exe | 68
PID 2024 wrote to memory of 1364 | 2024 | cmd.exe | 69
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\51ee1c43b8c4c83a1ee89f486a002e8a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\51ee1c43b8c4c83a1ee89f486a002e8a.exe"
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 628
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qxtgffdb\qxtgffdb.cmdline"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 3032
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE60B.tmp" "c:\Windows\System32\CSCDEDAB071B0F64DE09691ADF5636D8BE.TMP"
    PID: 1776
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\audiodg.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID: 2268
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\audiodg.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID: 2344
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\Idle.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID: 1772
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID: 1100
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID: 2240
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\51ee1c43b8c4c83a1ee89f486a002e8a.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID: 1596
  C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r4rizFZOU7.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2024
    C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 1416
    C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 896
    C:\Windows\Setup\Idle.exe
    Command line: "C:\Windows\Setup\Idle.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 1364
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2720
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2612
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2620
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2868
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2900
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2928
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\Setup\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2064
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Setup\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1188
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1196
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1036
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2104
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 264
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2796
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1524
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1604
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "51ee1c43b8c4c83a1ee89f486a002e8a5" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\51ee1c43b8c4c83a1ee89f486a002e8a.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2000
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "51ee1c43b8c4c83a1ee89f486a002e8a" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\51ee1c43b8c4c83a1ee89f486a002e8a.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2188
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "51ee1c43b8c4c83a1ee89f486a002e8a5" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\51ee1c43b8c4c83a1ee89f486a002e8a.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1600
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Modify Registry (3)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Downloads
Filesize: 1KB
MD5: 8e4aefa079f5292f6ac30954830a5eb0
SHA1: 7cc247720ade3256d835c08b3db0153990e1dfec
SHA256: c4357308c78ef68572b068d68facff8ac6e37da51f357324a40f05ee0da08096
SHA512: 14c9ea30d9d98d8ef7281f0fc91a10e43b6199f20a16fa084bdc5989c6ab16c6637c586349eedc2f523efbb789c60893ca4345d69c09bebec9f3b9b38d101fc5

Filesize: 201B
MD5: 27d0b5229146d95fb16032266d06adc9
SHA1: 30152ac8a3e48384b5ea6233643645df241aec89
SHA256: ce2e4e1c24f624d59a5ae109e22745407d0fe7a749f44ed829a9afc7c6a8f57c
SHA512: df712ebf91c92ecef278a5f294da0a48bf2c612dac5b6a428fd1da3c0d5b43060baa06611f8bdb356623c28ea4bf46dbef65985c987384db6584777a8a69c1e7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 6d7b261fe79ac8ce6930fe492a312ba8
SHA1: a4ed9e41d92285d46dfc260627e3b2035ea365f7
SHA256: 0788294f9b647f7342f5387d65380e7b955919f4bea084cbbf17dee655d78105
SHA512: b10d4a57ae56f464b8a34cc31083ddc9f03cf15a7f50d3ac3bd1e952aee218ebac2d8b9b94fd3ec6da777b81d3857c3d762810e14e91d1939c0a14be7c324b61

Filesize: 1.9MB
MD5: 51ee1c43b8c4c83a1ee89f486a002e8a
SHA1: ac3559b85e9f8328fc661c4f7dc17d464aa461fa
SHA256: 2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253
SHA512: 3191012d5078beb815ff733c3981545858a30e5051ffbbb7b4bb1dff5bab82004809a0d407af0d8312b241c05738591d7a83ce2e01e0c9b2e8f9d325ca9649d6

Filesize: 365B
MD5: 68c3a3838b33acb4afbdca44a1ae8009
SHA1: dcd4a944b27c31e013a7b1f2acc623da9b13348e
SHA256: 8beb67b7d15a6684a450a40453943ea89b95e50cc51f05dc4b8c8dca63e81e24
SHA512: 144439322fa15372eb4963a7bad46af0b75afb2f51373be88e25dc6f2be97de661952c3a789d25d2981ef7dcc86347d099245a76f3220cb486059aa5b8e559b6

Filesize: 235B
MD5: 114554d05044eb27154ce1db7f0284b6
SHA1: f87e786090db9a26be57785fb1b20a5d0239a5fd
SHA256: 17552327528ff3fbcf24f71bc568420bcac76d983f532a89b1da09fcd3d2f4c3
SHA512: 2d91d1035c59b19a707bf5a39603e96aa78b5ad9a2e4a1c723a3f3f0349f00615cd7cccff0aea66ab4f6821f0b2369f705a2c7898018388267849b0b1cb0a75a

Filesize: 1KB
MD5: b74f131aab310dc6e37b43e729c24199
SHA1: bade4cf35d7e80e79880396c1fdd518d9ab78bdf
SHA256: 5fdff2a34cc18e36619ff327b292a8255286dc102d85074b7fc625ccbdbe1858
SHA512: 733cb12c94d0a8bedc9a38c073dff2fc46553854d7e835767aaa749b4754beef77fa3bc8232eab21c92bc808c08b150cafe5c035bb33d82292fbf76fec55d885