c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296

Analysis

max time kernel
46s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 08:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe
Size

228KB
MD5

2dfca2249cd28cef30aed5ed12616ad8
SHA1

beeb02a1a505e1503afec3e664264ae99cfe1330
SHA256

c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296
SHA512

67272296011fbd34fc41c217c0f276ddd06591fead8e7fbbb82f7a03557b71f8cfef3f134647ae61bdc2aae048a2a12bb170252e4a4b75393e85f67c51c77ac0
SSDEEP

6144:K8M2z+NDSjSug9bMD/t9FDGFqw1Cq9Hb21IT:Xjtg9bMDV9FDqf8q9721IT

Score

10^/10

bootkit persistence upx

Malware Config

Signatures

Suspicious use of NtCreateProcessOtherParentProcess 20 IoCs

description	pid	Process	procid_target
PID 572 created 1208	572	regsougoupy.exe	15
PID 1872 created 1208	1872	regsougoupy.exe	15
PID 572 created 1208	572	regsougoupy.exe	15
PID 1872 created 1208	1872	regsougoupy.exe	15
PID 572 created 1208	572	regsougoupy.exe	15
PID 1872 created 1208	1872	regsougoupy.exe	15
PID 572 created 1208	572	regsougoupy.exe	15
PID 1872 created 1208	1872	regsougoupy.exe	15
PID 572 created 1208	572	regsougoupy.exe	15
PID 1872 created 1208	1872	regsougoupy.exe	15
PID 572 created 1208	572	regsougoupy.exe	15
PID 1872 created 1208	1872	regsougoupy.exe	15
PID 572 created 1208	572	regsougoupy.exe	15
PID 1872 created 1208	1872	regsougoupy.exe	15
PID 572 created 1208	572	regsougoupy.exe	15
PID 1872 created 1208	1872	regsougoupy.exe	15
PID 572 created 1208	572	regsougoupy.exe	15
PID 1872 created 1208	1872	regsougoupy.exe	15
PID 572 created 1208	572	regsougoupy.exe	15
PID 1872 created 1208	1872	regsougoupy.exe	15

Nirsoft 2 IoCs

resource	yara_rule
behavioral1/memory/1164-78-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral1/memory/540-82-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft

Executes dropped EXE 10 IoCs

pid	Process
572	regsougoupy.exe
1872	regsougoupy.exe
1164	RtkSYUdp.exe
540	RtkSYUdp.exe
548	RtkSYUdp.exe
928	RtkSYUdp.exe
1456	RtkSYUdp.exe
2000	RtkSYUdp.exe
1000	RtkSYUdp.exe
976	RtkSYUdp.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1996-55-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral1/memory/1996-72-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral1/files/0x000700000001313e-74.dat	upx
behavioral1/files/0x000700000001313e-76.dat	upx
behavioral1/memory/1164-78-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/files/0x000700000001313e-80.dat	upx
behavioral1/memory/540-82-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/files/0x000700000001313e-85.dat	upx
behavioral1/files/0x000700000001313e-90.dat	upx
behavioral1/files/0x000700000001313e-93.dat	upx
behavioral1/files/0x000700000001313e-97.dat	upx
behavioral1/files/0x000700000001313e-100.dat	upx
behavioral1/files/0x000700000001313e-103.dat	upx

Deletes itself 1 IoCs

pid	Process
604	cmd.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\desktop.ini	RtkSYUdp.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\TaoBao\ÌÔ±¦.ico	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe
File created	C:\Program Files (x86)\Common Files\TaoBao\ÌÔ±¦.tmp	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\regsougoupy.exe	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe
File created	C:\Windows\RtkSYUdp.exe	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\internet explorer\version Vector	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ = "InternetShortcut"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew\Command = "rundll32.exe appwiz.cpl,NewLinkHere %1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ = "lnkfile"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	regedit.exe

Runs regedit.exe 21 IoCs

pid	Process
1020	regedit.exe
1964	regedit.exe
956	regedit.exe
1688	regedit.exe
1724	regedit.exe
1988	regedit.exe
1620	regedit.exe
1264	regedit.exe
1064	regedit.exe
548	regedit.exe
680	regedit.exe
480	regedit.exe
1664	regedit.exe
672	regedit.exe
1436	regedit.exe
980	regedit.exe
1960	regedit.exe
1812	regedit.exe
972	regedit.exe
1108	regedit.exe
1644	regedit.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe
1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe
1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe
1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe
1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe
572	regsougoupy.exe
1872	regsougoupy.exe
572	regsougoupy.exe
1872	regsougoupy.exe
572	regsougoupy.exe
1872	regsougoupy.exe
572	regsougoupy.exe
1872	regsougoupy.exe
572	regsougoupy.exe
1872	regsougoupy.exe
572	regsougoupy.exe
1872	regsougoupy.exe
572	regsougoupy.exe
1872	regsougoupy.exe
572	regsougoupy.exe
1872	regsougoupy.exe
572	regsougoupy.exe
1872	regsougoupy.exe
572	regsougoupy.exe
1872	regsougoupy.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe
1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1436	1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe	29
PID 1996 wrote to memory of 1436	1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe	29
PID 1996 wrote to memory of 1436	1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe	29
PID 1996 wrote to memory of 1436	1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe	29
PID 1996 wrote to memory of 1292	1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe	30
PID 1996 wrote to memory of 1292	1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe	30
PID 1996 wrote to memory of 1292	1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe	30
PID 1996 wrote to memory of 1292	1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe	30
PID 1996 wrote to memory of 572	1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe	32
PID 1996 wrote to memory of 572	1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe	32
PID 1996 wrote to memory of 572	1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe	32
PID 1996 wrote to memory of 572	1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe	32
PID 1996 wrote to memory of 1924	1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe	33
PID 1996 wrote to memory of 1924	1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe	33
PID 1996 wrote to memory of 1924	1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe	33
PID 1996 wrote to memory of 1924	1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe	33
PID 572 wrote to memory of 1020	572	regsougoupy.exe	36
PID 572 wrote to memory of 1020	572	regsougoupy.exe	36
PID 572 wrote to memory of 1020	572	regsougoupy.exe	36
PID 572 wrote to memory of 1020	572	regsougoupy.exe	36
PID 572 wrote to memory of 1020	572	regsougoupy.exe	36
PID 1996 wrote to memory of 360	1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe	37
PID 1996 wrote to memory of 360	1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe	37
PID 1996 wrote to memory of 360	1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe	37
PID 1996 wrote to memory of 360	1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe	37
PID 1996 wrote to memory of 1872	1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe	38
PID 1996 wrote to memory of 1872	1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe	38
PID 1996 wrote to memory of 1872	1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe	38
PID 1996 wrote to memory of 1872	1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe	38
PID 1872 wrote to memory of 680	1872	regsougoupy.exe	41
PID 1872 wrote to memory of 680	1872	regsougoupy.exe	41
PID 1872 wrote to memory of 680	1872	regsougoupy.exe	41
PID 1996 wrote to memory of 604	1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe	42
PID 1872 wrote to memory of 680	1872	regsougoupy.exe	41
PID 1872 wrote to memory of 680	1872	regsougoupy.exe	41
PID 1996 wrote to memory of 604	1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe	42
PID 1996 wrote to memory of 604	1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe	42
PID 1996 wrote to memory of 604	1996	c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe	42
PID 360 wrote to memory of 1164	360	cmd.exe	44
PID 360 wrote to memory of 1164	360	cmd.exe	44
PID 360 wrote to memory of 1164	360	cmd.exe	44
PID 360 wrote to memory of 1164	360	cmd.exe	44
PID 360 wrote to memory of 540	360	cmd.exe	46
PID 360 wrote to memory of 540	360	cmd.exe	46
PID 360 wrote to memory of 540	360	cmd.exe	46
PID 360 wrote to memory of 540	360	cmd.exe	46
PID 604 wrote to memory of 756	604	cmd.exe	45
PID 604 wrote to memory of 756	604	cmd.exe	45
PID 604 wrote to memory of 756	604	cmd.exe	45
PID 604 wrote to memory of 756	604	cmd.exe	45
PID 360 wrote to memory of 548	360	cmd.exe	47
PID 360 wrote to memory of 548	360	cmd.exe	47
PID 360 wrote to memory of 548	360	cmd.exe	47
PID 360 wrote to memory of 548	360	cmd.exe	47
PID 360 wrote to memory of 928	360	cmd.exe	48
PID 360 wrote to memory of 928	360	cmd.exe	48
PID 360 wrote to memory of 928	360	cmd.exe	48
PID 360 wrote to memory of 928	360	cmd.exe	48
PID 360 wrote to memory of 1456	360	cmd.exe	49
PID 360 wrote to memory of 1456	360	cmd.exe	49
PID 360 wrote to memory of 1456	360	cmd.exe	49
PID 360 wrote to memory of 1456	360	cmd.exe	49
PID 572 wrote to memory of 1724	572	regsougoupy.exe	50
PID 572 wrote to memory of 1724	572	regsougoupy.exe	50

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe
  "C:\Users\Admin\AppData\Local\Temp\c630d41e05c2ec2a472e7a41da94e352fd5b9fd37f52d3a61c34a33bb0871296.exe"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Users\Admin\AppData\Local\Temp\$rar10987.tmp
    3⤵
    - Modifies registry class
    - Runs regedit.exe
    PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$RAVSING.bat
    3⤵
    PID:1292
- - C:\Windows\regsougoupy.exe
    C:\Windows\regsougoupy.exe \??\C:\Windows\regedit.exe 1208 C:\Users\Admin\AppData\Local\Temp\okhhhik.tmp
    3⤵
    - Suspicious use of NtCreateProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:572
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$edbs.bat
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$rcqi.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:360
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\."
      4⤵
      Executes dropped EXE
      PID:1164
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\.."
      4⤵
      Executes dropped EXE
      PID:540
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\desktop.ini"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      PID:548
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\GOOGLE~1.LNK"
      4⤵
      Executes dropped EXE
      PID:928
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\LAUNCH~1.LNK"
      4⤵
      Executes dropped EXE
      PID:1456
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\SHOWSD~1.LNK"
      4⤵
      Executes dropped EXE
      PID:2000
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1"
      4⤵
      Executes dropped EXE
      PID:1000
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\WINDOW~1.LNK"
      4⤵
      Executes dropped EXE
      PID:976
- - C:\Windows\regsougoupy.exe
    C:\Windows\regsougoupy.exe \??\C:\Windows\regedit.exe 1208 C:\Users\Admin\AppData\Local\Temp\$rar10943.tmp
    3⤵
    - Suspicious use of NtCreateProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1872
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:604
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
      4⤵
      PID:756
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1020
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:680
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1724
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1988
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1620
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1964
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:480
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:980
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1264
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1960
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1812
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:972
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1108
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1064
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:956
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:548
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1688
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1664
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:672
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$RAVSING.bat

Filesize
253B

MD5
cb350b29233b3440633123bb77692140

SHA1
52793f1ba4c7925d41c6e79a109080c3d12b69e6

SHA256
7031fcb0fa967101e4d4894e9ebbac7e0ed00cc3ba57777afa02f521356530d3

SHA512
0e5d3b34262260b807179d6a51e2c62524d3b0a132c05c4425830d376d1002d150aa0fd8e747a67d96b8ae8145ab903892ce3eaa8245084832eefd02b31c09b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat

Filesize
639B

MD5
16cafa5daf75c9f4abf144b4a8ba8aee

SHA1
b3b068802cd3979e269695ee9a3be64a5420622b

SHA256
b79657793e2e203aa0caaa1aa5d90f7c3da866f15b69dad8ada402bc26b6eb9d

SHA512
cd93a2fa3a28fc5fba1bf620f41a5ff2dc1ea8da6125e75fd680fb4b13bc8865f978c2b642c8a280be4c68578dfcc8946445725ff2363389a726a798f89ce705

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$edbs.bat

Filesize
59B

MD5
0cf180f20e716094bef34db0f1a39a04

SHA1
f8e9da5d8eaf347b240a77c6a9c4f494d4fc351b

SHA256
2a72298ec1d957d1d225aec50a4e6e32c5dec2f2645f25e580304e5c7ae5bb26

SHA512
a471fee35dfc685effb46fcc37d47d7210fad3fdba7cb5342b13e11f95ae7690e4053b3399bca6da7546015a479ce55a301c6934be8bab7ec9eae5aece8bdb3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$rcqi.bat

Filesize
1KB

MD5
98d7f7eb2ab8df60b86f3eab6cc2d8be

SHA1
a86c8759d8dd00f7d5d64e3c5c0d467ce1f41547

SHA256
cfc8943e4bee67b768f0c7044a094fbb8d5405333e364e87e36afa47ea57e7e0

SHA512
a00934cbd3d20e0058ef844935cc31a652a9726441307dfd776bd2cf08baa16a8004350d4690024d5e626a596823ab7a3a86d72b9cb86b681d1b8e8cda9b5668

Download Submit
C:\Users\Admin\AppData\Local\Temp\$rar10987.tmp

Filesize
1KB

MD5
185038ec1cc9a69a109726c8989e4cf5

SHA1
bfb62037297e8533e5f3940a32fb9505acf4fe26

SHA256
48ccff6cd96445619998a70fad77f5e655a9d146b93d0d160656619728c4e727

SHA512
bb0065a36a9bc48199943b21f3c3f10916fd15aa54201513f344464d962b5e6339e1df1b932043a914a662631f842a2f3b7a2c6e8c4e414567c5ea8ac9950391

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEXPLORE.tmp

Filesize
1KB

MD5
f5ff8c800eaa531bf144e442995a76e1

SHA1
263a4b074c06ff10d08afd8d75c001797e533415

SHA256
381525f1b4908fb08a5ad08bc1e80e5c2f03040263c7ab37c812221d4f5183ec

SHA512
ff1757921c1de6d26a203a5eadd81bf6766fa6b5405420d76cf5a3f61928d3ec42e9469d29b28fac550692379f94c3288316295997bb0ddcbe591d7d3e4314a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\okhhhik.tmp

Filesize
3KB

MD5
b0fbee68075824aee3009fa3f5679713

SHA1
bcb89acea808c4b6027e854c4a08721ccebb5a42

SHA256
76b731f6e46411f4ea50f942f3ee80ac2dee8bda243493a6cc11ce2bf44c1af8

SHA512
de8328811297b93c27bac1a8dfb2a222e82c3a8da9f50415ba48bf65c7a866254e8c6bb70be55507268227ac230d0736a22a8d77176d5ab688ae5ee26640a934

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\regsougoupy.exe

Filesize
92KB

MD5
6f028d5d5303b7d2f44ff676f6be4a21

SHA1
d7522f55db54d136e9be7ae90887591cdc03b64b

SHA256
855efd09b5e0b44499f8b4571786e352a16e8afc2456f09df76e53b6d5e700ed

SHA512
d6d7a990b0472cb0e4cf4cec0d9cddd51894a2391ebc79f0fcac7e9c4789cddccc587021dd24bde1b06bf6ac9726e5fb8d7014138bf4f9af83c3664627ac1412

Download Submit
C:\Windows\regsougoupy.exe

Filesize
92KB

MD5
6f028d5d5303b7d2f44ff676f6be4a21

SHA1
d7522f55db54d136e9be7ae90887591cdc03b64b

SHA256
855efd09b5e0b44499f8b4571786e352a16e8afc2456f09df76e53b6d5e700ed

SHA512
d6d7a990b0472cb0e4cf4cec0d9cddd51894a2391ebc79f0fcac7e9c4789cddccc587021dd24bde1b06bf6ac9726e5fb8d7014138bf4f9af83c3664627ac1412

Download Submit
C:\Windows\regsougoupy.exe

Filesize
92KB

MD5
6f028d5d5303b7d2f44ff676f6be4a21

SHA1
d7522f55db54d136e9be7ae90887591cdc03b64b

SHA256
855efd09b5e0b44499f8b4571786e352a16e8afc2456f09df76e53b6d5e700ed

SHA512
d6d7a990b0472cb0e4cf4cec0d9cddd51894a2391ebc79f0fcac7e9c4789cddccc587021dd24bde1b06bf6ac9726e5fb8d7014138bf4f9af83c3664627ac1412

Download Submit
memory/540-82-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1164-78-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1996-72-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1996-54-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/1996-55-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download