Analysis
- max time kernel: 154s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 05-02-2022 08:47
Behavioral task: behavioral1
- Sample: e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe
- Resource: win10v2004-en-20220112
General
- Target: e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe
- Size: 2.0MB
- MD5: 41a34d0c4bcefdb876e8b0c7906a80bc
- SHA1: 4db30d988061ee03f419ef2ab27ad79d686d59f3
- SHA256: e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464
- SHA512: d5179f05d4266584e4e93e7d709e92221d8178b57943e52110c20ff75de984bd27727900a7ecbbc21c7d731d804e32e7e4b4e1b139a1258174f29d2734c4a0cc
Malware Config
Extracted
- Family: qakbot
- Version: 324.127
- Botnet: spx107
- Campaign: 1588082813
C2 (host:port):
97.81.255.189:443
67.8.103.21:443
47.232.26.181:443
50.104.67.101:443
173.172.205.216:443
108.188.46.240:995
96.35.170.82:2222
70.95.94.91:2222
72.204.242.138:6881
72.231.224.122:2222
73.137.187.150:443
73.123.16.215:443
71.213.29.14:995
209.182.121.133:2222
82.210.157.185:443
69.47.26.41:443
86.122.7.89:443
71.187.170.235:443
79.113.46.93:443
74.134.4.236:443
94.53.92.42:443
67.251.155.12:443
97.124.162.104:995
188.173.185.139:443
72.29.181.77:2078
47.180.66.10:443
97.96.51.117:443
74.75.237.11:443
50.244.112.10:443
93.113.177.152:443
66.26.160.37:443
24.46.40.189:2222
31.5.189.71:443
121.139.184.226:443
121.74.205.27:995
75.87.161.32:995
172.78.87.180:443
50.247.230.33:995
70.170.111.174:443
5.37.164.24:443
47.205.231.60:443
84.117.176.32:443
74.105.139.160:443
86.126.126.75:443
47.203.89.185:443
94.52.124.226:443
73.163.242.114:443
89.45.101.75:443
173.3.132.17:995
69.206.163.116:443
74.222.204.82:443
79.113.223.184:443
173.187.155.170:995
206.183.190.53:995
24.183.39.93:443
86.124.5.243:443
31.5.21.66:443
173.175.29.210:443
189.140.39.34:443
76.190.68.162:443
49.191.9.180:995
85.121.42.12:443
68.207.39.244:2222
47.146.169.85:443
97.127.144.203:2222
116.202.36.62:21
68.60.221.169:465
98.121.187.78:443
86.106.126.91:443
75.183.171.155:3389
75.81.25.223:995
24.229.245.124:995
92.1.83.210:2222
100.38.123.22:443
67.165.206.193:995
24.115.246.224:995
100.40.48.96:443
110.142.205.182:443
72.224.213.98:2222
108.54.103.234:443
72.142.106.198:465
89.137.162.193:443
68.174.15.223:443
172.113.74.96:443
24.201.79.208:2078
72.204.242.138:2087
72.204.242.138:80
68.4.137.211:443
68.49.120.179:443
86.127.12.161:21
172.95.42.35:443
98.219.77.197:443
50.78.93.74:443
72.204.242.138:50003
74.33.70.18:443
65.116.179.83:443
72.36.59.46:2222
24.202.42.48:2222
71.77.252.14:2222
108.27.217.44:443
72.204.242.138:443
64.19.74.29:995
75.137.60.81:443
73.37.1.116:443
50.108.212.180:443
108.30.125.94:443
58.108.188.231:443
47.41.3.40:443
197.210.96.222:995
47.136.224.60:443
85.204.189.105:443
108.227.161.27:995
89.32.218.74:443
203.33.139.134:443
24.26.1.14:2222
216.137.140.236:2222
72.209.191.27:443
63.230.2.205:2083
67.6.34.43:443
5.13.110.111:443
71.172.110.236:443
68.98.142.248:443
73.111.224.222:443
173.216.174.39:443
181.140.208.0:443
72.190.101.70:443
98.26.50.62:995
203.213.104.25:995
108.30.161.143:443
173.197.155.139:443
86.123.130.104:443
47.214.144.253:443
24.10.42.174:443
70.62.160.186:6883
120.147.83.120:2222
212.126.109.14:443
188.26.150.82:2222
24.184.5.251:2222
50.246.229.50:443
50.244.112.106:443
72.255.200.69:2222
73.104.218.229:0
75.111.145.5:443
71.182.142.63:443
184.57.17.74:443
72.16.212.107:465
184.98.104.7:995
71.163.225.75:443
67.209.195.198:3389
95.77.144.238:443
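The extracted configuration above is only useful to a responder once it is in a queryable form. The following is an added example (not part of the sandbox report) that parses the config block into family, version, botnet and campaign fields plus a validated C2 list, rejects entries that cannot be real listeners (the `73.104.218.229:0` line, for instance), summarises the port mix, picks out hosts listed on several ports, and checks a set of observed connections against the list. The embedded `RAW_CONFIG` is a subset copied from the config above; the `OBSERVED` connections are constructed. Treating the campaign ID as a Unix timestamp follows public Qakbot analyses and is an assumption here, not something the report states.

```python
"""Parse an extracted Qakbot config into a queryable C2 list.

Added example, not part of the sandbox report. RAW_CONFIG is a subset of
the config above; OBSERVED is constructed. The campaign-ID-as-Unix-timestamp
interpretation is an assumption taken from public Qakbot analyses.
"""
from collections import Counter
from datetime import datetime, timezone
import ipaddress

RAW_CONFIG = """\
qakbot
324.127
spx107
1588082813
97.81.255.189:443
108.188.46.240:995
96.35.170.82:2222
72.204.242.138:6881
116.202.36.62:21
68.60.221.169:465
75.183.171.155:3389
72.204.242.138:2087
72.204.242.138:80
72.204.242.138:50003
73.104.218.229:0
72.204.242.138:443
"""

# Constructed (src, dst, dst_port) triples, e.g. from firewall or NetFlow logs.
OBSERVED = [
    ("10.0.0.5", "72.204.242.138", 443),
    ("10.0.0.5", "8.8.8.8", 53),
    ("10.0.0.7", "72.204.242.138", 8080),
]


def parse_config(text):
    """First four lines are family/version/botnet/campaign; the rest is host:port."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    family, version, botnet, campaign = lines[:4]
    c2, rejected = [], []
    for entry in lines[4:]:
        host, _, port = entry.rpartition(":")
        try:
            ip, p = ipaddress.ip_address(host), int(port)
        except ValueError:
            rejected.append(entry)
            continue
        # Port 0, private or loopback addresses cannot be a reachable C2 listener.
        if not 1 <= p <= 65535 or ip.is_private or ip.is_loopback:
            rejected.append(entry)
            continue
        c2.append((str(ip), p))
    return {"family": family, "version": version, "botnet": botnet,
            "campaign": int(campaign), "c2": c2, "rejected": rejected}


def campaign_timestamp(campaign):
    """Render the campaign ID as UTC, assuming it is a Unix timestamp."""
    return datetime.fromtimestamp(campaign, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def port_profile(c2):
    """How many C2 entries use each port (443/995/2222 dominate in this family)."""
    return Counter(port for _, port in c2)


def hosts_with_many_ports(c2, minimum=3):
    """Hosts that appear on several ports; one such host exists in this config."""
    ports = {}
    for ip, port in c2:
        ports.setdefault(ip, set()).add(port)
    return sorted(ip for ip, ps in ports.items() if len(ps) >= minimum)


def match_connections(c2, connections):
    """Exact (ip, port) hits are strong; a known IP on an unlisted port is still worth a look."""
    exact, hosts = set(c2), {ip for ip, _ in c2}
    hits = []
    for src, dst, dport in connections:
        if (dst, dport) in exact:
            hits.append((src, dst, dport, "exact"))
        elif dst in hosts:
            hits.append((src, dst, dport, "host-only"))
    return hits


if __name__ == "__main__":
    cfg = parse_config(RAW_CONFIG)
    print(cfg["family"], cfg["version"], cfg["botnet"], campaign_timestamp(cfg["campaign"]))
    print("rejected:", cfg["rejected"])
    print("ports:", dict(port_profile(cfg["c2"])))
    print("multi-port hosts:", hosts_with_many_ports(cfg["c2"]))
    for hit in match_connections(cfg["c2"], OBSERVED):
        print("hit:", hit)
```

The "host-only" match level is deliberate: a known C2 address on an unlisted port is not proof of beaconing, but a blocklist built only from exact pairs would miss it.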
Signatures

Turns off Windows Defender SpyNet reporting (2 TTPs)

Sets service image path in registry (2 TTPs)

Drops startup file (1 IoC)
- e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\outuga.lnk

Drops file in Windows directory (1 IoC)
- svchost.exe: File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000
- e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc
- e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service
- e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000
- e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc
- e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- MusNotifyIcon.exe: Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- MusNotifyIcon.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies data under HKEY_USERS (64 IoCs)
- e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"
- svchost.exe: Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "4.687140"
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"
- svchost.exe: Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"
- svchost.exe: Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
- e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates
- svchost.exe: Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3864"
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4064"
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"
- e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"
- svchost.exe: Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.006588"
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- WaaSMedicAgent.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
- svchost.exe: Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"
Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (8 IoCs)
- PID 3916 e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe (recorded 2 times)
- PID 2528 e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe (recorded 4 times)
- PID 2272 e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe (recorded 2 times)

Suspicious use of WriteProcessMemory (28 IoCs)
Source PID (process) -> target PID (process):
- 3916 (e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe) -> 2528 (e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe), recorded 3 times
- 3916 (e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe) -> 2592 (schtasks.exe), recorded 3 times
- 2272 (e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe) -> 3308 (reg.exe), recorded 2 times
- 2272 (e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe) -> 2404 (reg.exe), recorded 2 times
- 2272 (e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe) -> 956 (reg.exe), recorded 2 times
- 2272 (e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe) -> 868 (reg.exe), recorded 2 times
- 2272 (e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe) -> 924 (reg.exe), recorded 2 times
- 2272 (e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe) -> 2016 (reg.exe), recorded 2 times
- 2272 (e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe) -> 3364 (reg.exe), recorded 2 times
- 2272 (e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe) -> 2940 (reg.exe), recorded 2 times
- 2272 (e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe) -> 3488 (cmd.exe), recorded 2 times
- 2272 (e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe) -> 2564 (schtasks.exe), recorded 2 times
- 3488 (cmd.exe) -> 3692 (PING.EXE), recorded 2 times
Processes
Indentation shows the parent/child relationship; PIDs are those recorded in the EnumeratesProcesses and WriteProcessMemory signatures above (reg.exe PIDs 3308, 2404, 956, 868, 924, 2016, 3364 and 2940 cannot be tied to individual reg.exe command lines from the report, so they are not repeated here).

- PID 3916: C:\Users\Admin\AppData\Local\Temp\e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe"
  Signatures: Drops startup file; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - PID 2528: C:\Users\Admin\AppData\Local\Temp\e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe /C
    Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses
  - PID 2592: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn oplbplcp /tr "\"C:\Users\Admin\AppData\Local\Temp\e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe\" /I oplbplcp" /SC ONCE /Z /ST 09:50 /ET 10:02
    Signatures: Creates scheduled task(s)

- C:\Windows\System32\WaaSMedicAgent.exe
  Command line: C:\Windows\System32\WaaSMedicAgent.exe a47056b8e1ed3553c7af124ed05f2241 VEKkGeTnokKB+WGexLHxbg.0.1.0.0.0
  Signatures: Modifies data under HKEY_USERS

- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  Signatures: Checks processor information in registry

- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS

- PID 2272: C:\Users\Admin\AppData\Local\Temp\e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe /I oplbplcp
  Signatures: Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
  - C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
  - C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
  - C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
  - C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
  - C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
  - C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
  - C:\Windows\system32\reg.exe
    Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
  - PID 3488: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - PID 3692: C:\Windows\system32\PING.EXE
      Command line: ping.exe -n 6 127.0.0.1
      Signatures: Runs ping.exe
  - PID 2564: C:\Windows\system32\schtasks.exe
    Command line: "C:\Windows\system32\schtasks.exe" /DELETE /F /TN oplbplcp
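The process tree above records four behaviours worth alerting on from process-creation telemetry alone: reg.exe writes that set SpyNetReporting to 0 and SubmitSamplesConsent to 2 under the Defender and legacy Microsoft AntiMalware SpyNet keys (cloud reporting off, samples never submitted), a one-shot scheduled task run as NT AUTHORITY\SYSTEM whose action is a binary under the user's AppData, a cmd.exe that pings localhost six times and then overwrites its own parent's executable with a copy of calc.exe (the delay lets the parent exit first), and the deletion of that task once the task-launched instance is running. The following is an added example (not part of the sandbox report) that expresses those checks as detection logic over process events. The events are constructed from the command lines in the report; the parent PIDs 1000 and 1100, and the assignment of reg.exe PIDs 3308 and 2404 to the two reg commands shown, are assumptions. The record layout is a plain dataclass, not a Sysmon or EDR schema.

```python
"""Detection logic for the Qakbot process chain in the report above.

Added example, not part of the sandbox report. Event records are built from
the report's command lines; parent PIDs 1000/1100 and the mapping of reg.exe
PIDs to individual commands are assumed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # executable path as logged
    cmdline: str   # raw command line as logged


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e4d08e043acee0101260fad44e81a9d2cc514fac6f3b2a92209c5eb59e6f1464.exe"

# reg.exe ADD against any of the four SpyNet locations the report shows
# (Defender and legacy "Microsoft AntiMalware" keys, 32- and 64-bit views).
RE_SPYNET = re.compile(
    r"reg(?:\.exe)?\s+add\s+\"?HKLM\\SOFTWARE\\(?:Wow6432Node\\)?(?:Microsoft\\)?"
    r"(?:Microsoft AntiMalware|Windows Defender)\\SpyNet\"?.*?"
    r"/v\s+\"?(SpyNetReporting|SubmitSamplesConsent)\"?\s+/d\s+\"?(\d+)\"?", re.I)
RE_TASK_CREATE = re.compile(
    r"schtasks(?:\.exe)?\"?\s+/create\b.*?/ru\s+\"?NT AUTHORITY\\SYSTEM\"?"
    r".*?/tn\s+(\S+).*?/tr\s+\"(.+?)\"\s+/sc\s+(\w+)", re.I)
RE_TASK_DELETE = re.compile(r"schtasks(?:\.exe)?\"?\s+/delete\b.*?/tn\s+(\S+)", re.I)
RE_PING_DELAY = re.compile(r"ping(?:\.exe)?\s+-n\s+(\d+)\s+127\.0\.0\.1", re.I)
RE_TYPE_REDIRECT = re.compile(
    r"\btype\s+\"?([^\"&>]+?)\"?\s*>\s*\"?([^\"&]+?\.exe)\"?\s*$", re.I)

# Defender MAPS semantics: SpyNetReporting 0 = off; SubmitSamplesConsent 2 = never send.
SPYNET_MEANING = {("spynetreporting", "0"): "cloud (MAPS) reporting disabled",
                  ("submitsamplesconsent", "2"): "sample submission set to never"}


def analyze(events):
    by_pid = {e.pid: e for e in events}
    created = {}   # task name (lower-cased) -> pid of the schtasks that created it
    findings = []
    for e in events:
        cmd = e.cmdline
        m = RE_SPYNET.search(cmd)
        if m:
            name, value = m.group(1), m.group(2)
            meaning = SPYNET_MEANING.get((name.lower(), value), "value changed")
            findings.append(Finding("defender_spynet_tamper", e.pid, f"{name}={value}: {meaning}"))
            continue
        m = RE_TASK_CREATE.search(cmd)
        if m:
            task, action, schedule = m.groups()
            created[task.lower()] = e.pid
            if "\\appdata\\" in action.lower():   # SYSTEM task whose binary lives in a user profile
                findings.append(Finding("schtasks_system_from_userdir", e.pid,
                                        f"task {task} ({schedule}) runs {action} as SYSTEM"))
            continue
        m = RE_TASK_DELETE.search(cmd)
        if m and m.group(1).lower() in created:
            findings.append(Finding("schtasks_one_shot_cleanup", e.pid,
                                    f"task {m.group(1)} deleted; created by pid {created[m.group(1).lower()]}"))
            continue
        if e.image.lower().endswith("\\cmd.exe"):
            delay, redirect = RE_PING_DELAY.search(cmd), RE_TYPE_REDIRECT.search(cmd)
            parent = by_pid.get(e.ppid)
            # The tell is the redirect target being the parent's own image: the
            # pings stall until the parent has exited, then its file is replaced.
            if delay and redirect and parent and parent.image.lower() == redirect.group(2).lower():
                findings.append(Finding("self_overwrite_after_ping_delay", e.pid,
                                        f"pid {e.ppid} image overwritten with {redirect.group(1)} "
                                        f"after {delay.group(1)} pings"))
    return findings


# Constructed from the report's process tree (ppid 1000/1100 and reg.exe PID mapping assumed).
EVENTS = [
    ProcEvent(3916, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2528, 3916, SAMPLE, f"{SAMPLE} /C"),
    ProcEvent(2592, 3916, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn oplbplcp /tr "\"'
              + SAMPLE + r'\" /I oplbplcp" /SC ONCE /Z /ST 09:50 /ET 10:02'),
    ProcEvent(2272, 1100, SAMPLE, f"{SAMPLE} /I oplbplcp"),
    ProcEvent(3308, 2272, r"C:\Windows\system32\reg.exe",
              r'C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"'),
    ProcEvent(2404, 2272, r"C:\Windows\system32\reg.exe",
              r'C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"'),
    ProcEvent(3488, 2272, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "' + SAMPLE + '"'),
    ProcEvent(3692, 3488, r"C:\Windows\system32\PING.EXE", "ping.exe -n 6 127.0.0.1"),
    ProcEvent(2564, 2272, r"C:\Windows\system32\schtasks.exe", r'"C:\Windows\system32\schtasks.exe" /DELETE /F /TN oplbplcp'),
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f.rule:32} pid={f.pid:<5} {f.detail}")
```

The self-overwrite rule is the one that needs the parent lookup: `ping -n 6 127.0.0.1` on its own is common in installers, and `type a > b` is harmless unless `b` is the executable of the process that spawned the cmd.exe. Correlating the redirect target with the parent's image path is what turns two noisy primitives into a specific signal, which is also why this check cannot be written as a single command-line regex.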
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2272-133-0x0000000000400000-0x00000000005FB000-memory.dmp (Filesize 2.0MB)
- memory/2528-132-0x0000000000400000-0x00000000005FB000-memory.dmp (Filesize 2.0MB)
- memory/3916-130-0x0000000002330000-0x0000000002369000-memory.dmp (Filesize 228KB)
- memory/3916-131-0x0000000000400000-0x00000000005FB000-memory.dmp (Filesize 2.0MB)