Analysis
- max time kernel: 8s
- max time network: 21s
- platform: windows11-21h2_x64
- resource: win11-20250217-en
- resource tags: arch:x64, arch:x86, image:win11-20250217-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 25/02/2025, 19:56
Static task
static1
Behavioral task
behavioral1
Sample
2adcf43d221de2f72ba5088dac3a3193219412882df711d095f04e3f5b40767c.exe
Resource
win11-20250217-en
General
- Target: 2adcf43d221de2f72ba5088dac3a3193219412882df711d095f04e3f5b40767c.exe
- Size: 2.1MB
- MD5: 57ebf50902949e13220b379c136db8a7
- SHA1: 75d55564986c8fb2d24c2f467e9c0cd2196a2055
- SHA256: 2adcf43d221de2f72ba5088dac3a3193219412882df711d095f04e3f5b40767c
- SHA512: 77d90317289a247c1bda59e378b9073cf2c1a8d30763bd68c33b8a256f1dc2edb1f380dafd1572a2f762a4400f15d52c9375d4314c07faa3f78ee7011508de33
- SSDEEP: 49152:6VkETZV9OLiWLunGxHqsEbtNPDLzA7YzminZ:VETAi4EgHqsEpFL
Malware Config
Signatures
-
BlackSuit
Ransomware first detected in May 2023, linked to the Conti group.
-
Blacksuit_windows family
-
Detects the Windows variant of BlackSuit Ransomware 14 IoCs
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Renames multiple (967) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Program Files directory 64 IoCs
Program crash 1 IoCs
pid   pid_target  Process       procid_target
2344  1120        WerFault.exe  78
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2adcf43d221de2f72ba5088dac3a3193219412882df711d095f04e3f5b40767c.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 3 IoCs
description                       pid   Process                                                                  procid_target
PID 1120 wrote to memory of 3572  1120  2adcf43d221de2f72ba5088dac3a3193219412882df711d095f04e3f5b40767c.exe  79
PID 1120 wrote to memory of 3572  1120  2adcf43d221de2f72ba5088dac3a3193219412882df711d095f04e3f5b40767c.exe  79
PID 1120 wrote to memory of 3572  1120  2adcf43d221de2f72ba5088dac3a3193219412882df711d095f04e3f5b40767c.exe  79
Processes
- C:\Users\Admin\AppData\Local\Temp\2adcf43d221de2f72ba5088dac3a3193219412882df711d095f04e3f5b40767c.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2adcf43d221de2f72ba5088dac3a3193219412882df711d095f04e3f5b40767c.exe cmd /c %payload% -id 00000000000000000000000000000000
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1120
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c vssadmin delete shadows /all /quiet
    - System Location Discovery: System Language Discovery
    PID: 3572
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 68268
    - Program crash
    PID: 2344
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1120 -ip 1120
  PID: 2424
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: b998d433168b18428f7f7713d1851f23
  SHA1: 0a5023d699ed0d9b1c2b1d4d5138747d0eb8955a
  SHA256: 06453319ed3bd3fa04da6b9d1c2ada5eb445e1e0a878c0eb3af54f751dace513
  SHA512: c1b2d9282cf887c5c41b9365aec04284c420442cd33d4eeded89a3a74501fe1bfe5058bcc26af952fe3e5c04b896db70352e3b6324d2d5329225138af9f0e11a