Analysis
- max time kernel: 149s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 05-02-2022 09:04

Behavioral task: behavioral1
- Sample: df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe
- Resource: win10v2004-en-20220112
General
- Target: df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe
- Size: 1.9MB
- MD5: aed9891bffd34b072018072f82aaec78
- SHA1: 4a51e246dd0bb889c02a7d20a7d518151a05370c
- SHA256: df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9
- SHA512: 31309e4fbf00daa77bb9ca4cd93561b8af5e44c3ac420316b596b8b4935b6c5a04692a38be2ff9542c14529876d3706fbb8f6a7681359773f74da2a300ee33ef
Malware Config
Extracted
- Family: qakbot
- Version: 324.127
- Botnet: spx103
- Campaign: 1587642800
- C2:
65.116.179.83:443
108.30.125.94:443
212.126.109.14:443
47.153.115.154:443
197.210.96.222:995
71.77.252.14:2222
24.202.42.48:2222
108.27.217.44:443
208.93.202.49:443
70.183.127.6:995
64.19.74.29:995
68.225.250.136:443
75.137.60.81:443
173.70.165.101:995
73.37.1.116:443
98.32.60.217:443
73.111.224.222:443
89.137.162.193:443
188.210.231.17:443
24.250.199.137:995
72.190.30.180:443
121.121.119.6:443
195.162.106.93:2222
96.41.93.96:443
203.213.104.25:995
86.121.197.61:443
5.193.175.12:2078
190.78.159.59:2078
108.190.151.108:2222
199.0.199.26:443
98.199.226.41:443
78.97.3.6:443
72.186.1.237:443
89.45.111.127:443
184.167.2.251:2222
68.46.142.48:995
170.82.210.138:2222
173.175.29.210:443
188.115.175.58:443
81.133.234.36:2222
37.41.15.49:443
84.232.238.30:443
89.43.136.239:443
79.114.194.106:443
24.234.86.201:995
96.248.125.34:443
75.182.220.196:2222
78.96.148.177:443
98.22.66.236:443
79.119.69.76:443
148.75.231.53:443
71.43.165.10:995
108.34.131.96:443
46.214.62.199:443
82.210.157.185:443
24.27.82.216:2222
184.21.151.81:995
199.241.223.66:443
73.239.11.160:443
78.96.193.12:443
24.183.39.93:443
188.26.150.82:2222
35.142.126.181:443
24.46.40.189:2222
72.29.181.77:2078
103.216.191.12:443
50.29.181.193:995
107.2.148.99:443
86.189.181.83:443
89.136.21.66:443
73.126.67.69:443
47.180.66.10:443
68.174.15.223:443
50.244.112.10:443
173.197.155.139:443
98.173.34.212:995
72.190.101.70:443
24.184.5.251:2222
85.122.141.42:995
184.98.104.7:995
66.26.160.37:443
97.96.51.117:443
71.213.29.14:995
178.193.33.121:2222
77.159.149.74:443
24.110.14.40:443
71.187.170.235:443
172.78.87.180:443
24.110.96.149:443
47.153.115.154:993
173.79.220.156:443
70.95.94.91:2078
86.120.53.111:443
64.121.114.87:443
94.53.92.42:443
93.115.69.220:443
75.183.171.155:3389
31.5.208.2:443
203.33.139.134:443
72.209.191.27:443
216.201.162.158:443
86.106.126.91:443
72.218.167.183:995
104.36.135.227:443
68.39.177.147:995
31.5.189.71:443
75.117.128.20:22
188.27.17.115:443
50.247.230.33:995
216.163.4.91:443
2.179.27.180:443
24.168.237.215:443
47.202.98.230:443
5.2.149.216:443
71.77.231.251:443
50.246.229.50:443
68.1.171.93:443
75.81.25.223:995
65.131.79.162:995
24.210.45.215:443
73.94.229.115:443
24.44.180.236:2222
173.3.132.17:995
24.229.245.124:995
41.42.173.14:443
67.165.206.193:995
193.23.5.134:443
100.38.123.22:443
47.40.244.237:443
95.77.237.115:443
72.204.242.138:443
110.142.205.182:443
100.40.48.96:443
70.126.76.75:443
95.76.95.19:443
181.126.86.223:443
69.245.130.192:443
73.169.47.57:443
72.204.242.138:53
68.14.210.246:22
68.98.142.248:443
108.54.103.234:443
72.204.242.138:50003
24.115.246.224:995
46.214.136.252:443
1.172.254.207:443
78.97.145.242:443
86.127.33.116:443
188.24.80.203:443
46.214.136.6:443
Signatures

Turns off Windows Defender SpyNet reporting (2 TTPs)

Sets service image path in registry (2 TTPs)

Drops startup file (1 IoCs)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\nkcdsot.lnk | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe

Drops file in Windows directory (1 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies data under HKEY_USERS (64 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | WaaSMedicAgent.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | WaaSMedicAgent.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "1.412378" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | WaaSMedicAgent.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | WaaSMedicAgent.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | WaaSMedicAgent.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | WaaSMedicAgent.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3940" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | WaaSMedicAgent.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.006659" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | WaaSMedicAgent.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132887019267031212" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4116" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | WaaSMedicAgent.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | svchost.exe
Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
pid | process
2436 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe
2436 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe
2268 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe
2268 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe
2268 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe
2268 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe
732 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe
732 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe

Suspicious use of WriteProcessMemory (28 IoCs)
Processes:
description | pid | process | target process
PID 2436 wrote to memory of 2268 | 2436 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe
PID 2436 wrote to memory of 2268 | 2436 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe
PID 2436 wrote to memory of 2268 | 2436 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe
PID 2436 wrote to memory of 3868 | 2436 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe | schtasks.exe
PID 2436 wrote to memory of 3868 | 2436 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe | schtasks.exe
PID 2436 wrote to memory of 3868 | 2436 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe | schtasks.exe
PID 732 wrote to memory of 1908 | 732 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe | reg.exe
PID 732 wrote to memory of 1908 | 732 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe | reg.exe
PID 732 wrote to memory of 2580 | 732 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe | reg.exe
PID 732 wrote to memory of 2580 | 732 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe | reg.exe
PID 732 wrote to memory of 1832 | 732 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe | reg.exe
PID 732 wrote to memory of 1832 | 732 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe | reg.exe
PID 732 wrote to memory of 3076 | 732 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe | reg.exe
PID 732 wrote to memory of 3076 | 732 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe | reg.exe
PID 732 wrote to memory of 3548 | 732 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe | reg.exe
PID 732 wrote to memory of 3548 | 732 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe | reg.exe
PID 732 wrote to memory of 2536 | 732 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe | reg.exe
PID 732 wrote to memory of 2536 | 732 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe | reg.exe
PID 732 wrote to memory of 3616 | 732 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe | reg.exe
PID 732 wrote to memory of 3616 | 732 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe | reg.exe
PID 732 wrote to memory of 1500 | 732 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe | reg.exe
PID 732 wrote to memory of 1500 | 732 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe | reg.exe
PID 732 wrote to memory of 2936 | 732 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe | cmd.exe
PID 732 wrote to memory of 2936 | 732 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe | cmd.exe
PID 732 wrote to memory of 3216 | 732 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe | schtasks.exe
PID 732 wrote to memory of 3216 | 732 | df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe | schtasks.exe
PID 2936 wrote to memory of 3488 | 2936 | cmd.exe | PING.EXE
PID 2936 wrote to memory of 3488 | 2936 | cmd.exe | PING.EXE
Processes
(process tree; nesting reflects parent/child relationship)

- C:\Users\Admin\AppData\Local\Temp\df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe"
  Signatures: Drops startup file; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe /C
    Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn smctrxp /tr "\"C:\Users\Admin\AppData\Local\Temp\df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe\" /I smctrxp" /SC ONCE /Z /ST 10:07 /ET 10:19
    Signatures: Creates scheduled task(s)

- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  Signatures: Checks processor information in registry

- C:\Windows\System32\WaaSMedicAgent.exe
  Command line: C:\Windows\System32\WaaSMedicAgent.exe 0cc349e8c0b6f50db18228f957572419 KECjp6QaQUCgsygyyZ+xfQ.0.1.0.0.0
  Signatures: Modifies data under HKEY_USERS

- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS

- C:\Users\Admin\AppData\Local\Temp\df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe /I smctrxp
  Signatures: Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
  - C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
  - C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
  - C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
  - C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
  - C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
  - C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
  - C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\df00adf1fb966829442c3933c08a85ad8cbdd1097d5a71422b8503d397f242a9.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE
      Command line: ping.exe -n 6 127.0.0.1
      Signatures: Runs ping.exe
  - C:\Windows\system32\schtasks.exe
    Command line: "C:\Windows\system32\schtasks.exe" /DELETE /F /TN smctrxp
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/732-133-0x0000000000400000-0x00000000005DF000-memory.dmp (Filesize: 1.9MB)
- memory/2268-132-0x0000000000400000-0x00000000005DF000-memory.dmp (Filesize: 1.9MB)
- memory/2436-130-0x0000000000760000-0x0000000000799000-memory.dmp (Filesize: 228KB)
- memory/2436-131-0x0000000000400000-0x00000000005DF000-memory.dmp (Filesize: 1.9MB)