ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72

Analysis

max time kernel
57s
max time network
72s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe
Size

670KB
MD5

6129226d58960fcc74f6cc5ffb798e90
SHA1

1b60d1b86992a29c197e8e6390428866e24e9a28
SHA256

ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72
SHA512

5f76c43998951dbdb4d58db8ec7f58bba5515b8d2f8beb574efdadf7938a16da55450e1e03d11147af4886b18bd2bba199deef3776609347bb55cd8fc80bd360
SSDEEP

12288:0QjNB/yfdkYTZ5soj01t6FKCpoWKmxe89PUom:0Q5NcxT7J84poWKmxl9y

Score

10^/10

bootkit persistence upx

Malware Config

Signatures

Suspicious use of NtCreateProcessOtherParentProcess 20 IoCs

description	pid	Process	procid_target
PID 1540 created 1244	1540	regsougoupy.exe	14
PID 908 created 1244	908	regsougoupy.exe	14
PID 1540 created 1244	1540	regsougoupy.exe	14
PID 908 created 1244	908	regsougoupy.exe	14
PID 1540 created 1244	1540	regsougoupy.exe	14
PID 908 created 1244	908	regsougoupy.exe	14
PID 1540 created 1244	1540	regsougoupy.exe	14
PID 908 created 1244	908	regsougoupy.exe	14
PID 1540 created 1244	1540	regsougoupy.exe	14
PID 908 created 1244	908	regsougoupy.exe	14
PID 1540 created 1244	1540	regsougoupy.exe	14
PID 908 created 1244	908	regsougoupy.exe	14
PID 1540 created 1244	1540	regsougoupy.exe	14
PID 908 created 1244	908	regsougoupy.exe	14
PID 1540 created 1244	1540	regsougoupy.exe	14
PID 908 created 1244	908	regsougoupy.exe	14
PID 1540 created 1244	1540	regsougoupy.exe	14
PID 908 created 1244	908	regsougoupy.exe	14
PID 1540 created 1244	1540	regsougoupy.exe	14
PID 908 created 1244	908	regsougoupy.exe	14

Nirsoft 2 IoCs

resource	yara_rule
behavioral1/memory/240-75-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral1/memory/1744-79-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft

Executes dropped EXE 10 IoCs

pid	Process
1540	regsougoupy.exe
908	regsougoupy.exe
240	RtkSYUdp.exe
1744	RtkSYUdp.exe
1788	RtkSYUdp.exe
1612	RtkSYUdp.exe
640	RtkSYUdp.exe
1632	RtkSYUdp.exe
2020	RtkSYUdp.exe
1336	RtkSYUdp.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/952-54-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral1/files/0x0007000000013a3b-71.dat	upx
behavioral1/files/0x0007000000013a3b-73.dat	upx
behavioral1/memory/240-75-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/files/0x0007000000013a3b-77.dat	upx
behavioral1/memory/1744-79-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/files/0x0007000000013a3b-81.dat	upx
behavioral1/files/0x0007000000013a3b-84.dat	upx
behavioral1/files/0x0007000000013a3b-87.dat	upx
behavioral1/files/0x0007000000013a3b-90.dat	upx
behavioral1/files/0x0007000000013a3b-93.dat	upx
behavioral1/files/0x0007000000013a3b-96.dat	upx
behavioral1/memory/952-103-0x0000000000400000-0x00000000004A9000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1056	cmd.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\desktop.ini	RtkSYUdp.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\TaoBao\ÌÔ±¦.ico	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe
File created	C:\Program Files (x86)\Common Files\TaoBao\ÌÔ±¦.tmp	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\regsougoupy.exe	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe
File created	C:\Windows\RtkSYUdp.exe	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\internet explorer\version Vector	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ = "lnkfile"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ = "InternetShortcut"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew\Command = "rundll32.exe appwiz.cpl,NewLinkHere %1"	regedit.exe

Runs regedit.exe 21 IoCs

pid	Process
1928	regedit.exe
708	regedit.exe
1008	regedit.exe
1744	regedit.exe
584	regedit.exe
316	regedit.exe
1608	regedit.exe
1700	regedit.exe
1260	regedit.exe
1784	regedit.exe
1976	regedit.exe
1648	regedit.exe
776	regedit.exe
1428	regedit.exe
672	regedit.exe
1620	regedit.exe
1684	regedit.exe
1500	regedit.exe
976	regedit.exe
1060	regedit.exe
848	regedit.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe
952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe
952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe
952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe
1540	regsougoupy.exe
908	regsougoupy.exe
952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe
1540	regsougoupy.exe
908	regsougoupy.exe
1540	regsougoupy.exe
908	regsougoupy.exe
1540	regsougoupy.exe
908	regsougoupy.exe
1540	regsougoupy.exe
908	regsougoupy.exe
1540	regsougoupy.exe
908	regsougoupy.exe
1540	regsougoupy.exe
908	regsougoupy.exe
1540	regsougoupy.exe
908	regsougoupy.exe
1540	regsougoupy.exe
908	regsougoupy.exe
1540	regsougoupy.exe
908	regsougoupy.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe
952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 1976	952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe	28
PID 952 wrote to memory of 1976	952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe	28
PID 952 wrote to memory of 1976	952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe	28
PID 952 wrote to memory of 1976	952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe	28
PID 952 wrote to memory of 320	952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe	29
PID 952 wrote to memory of 320	952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe	29
PID 952 wrote to memory of 320	952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe	29
PID 952 wrote to memory of 320	952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe	29
PID 952 wrote to memory of 1540	952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe	31
PID 952 wrote to memory of 1540	952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe	31
PID 952 wrote to memory of 1540	952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe	31
PID 952 wrote to memory of 1540	952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe	31
PID 952 wrote to memory of 548	952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe	33
PID 952 wrote to memory of 548	952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe	33
PID 952 wrote to memory of 548	952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe	33
PID 952 wrote to memory of 548	952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe	33
PID 1540 wrote to memory of 976	1540	regsougoupy.exe	35
PID 1540 wrote to memory of 976	1540	regsougoupy.exe	35
PID 1540 wrote to memory of 976	1540	regsougoupy.exe	35
PID 1540 wrote to memory of 976	1540	regsougoupy.exe	35
PID 1540 wrote to memory of 976	1540	regsougoupy.exe	35
PID 952 wrote to memory of 1756	952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe	36
PID 952 wrote to memory of 1756	952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe	36
PID 952 wrote to memory of 1756	952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe	36
PID 952 wrote to memory of 1756	952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe	36
PID 952 wrote to memory of 908	952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe	37
PID 952 wrote to memory of 908	952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe	37
PID 952 wrote to memory of 908	952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe	37
PID 952 wrote to memory of 908	952	ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe	37
PID 908 wrote to memory of 584	908	regsougoupy.exe	40
PID 908 wrote to memory of 584	908	regsougoupy.exe	40
PID 908 wrote to memory of 584	908	regsougoupy.exe	40
PID 908 wrote to memory of 584	908	regsougoupy.exe	40
PID 908 wrote to memory of 584	908	regsougoupy.exe	40
PID 1756 wrote to memory of 240	1756	cmd.exe	41
PID 1756 wrote to memory of 240	1756	cmd.exe	41
PID 1756 wrote to memory of 240	1756	cmd.exe	41
PID 1756 wrote to memory of 240	1756	cmd.exe	41
PID 1756 wrote to memory of 1744	1756	cmd.exe	42
PID 1756 wrote to memory of 1744	1756	cmd.exe	42
PID 1756 wrote to memory of 1744	1756	cmd.exe	42
PID 1756 wrote to memory of 1744	1756	cmd.exe	42
PID 1756 wrote to memory of 1788	1756	cmd.exe	43
PID 1756 wrote to memory of 1788	1756	cmd.exe	43
PID 1756 wrote to memory of 1788	1756	cmd.exe	43
PID 1756 wrote to memory of 1788	1756	cmd.exe	43
PID 1756 wrote to memory of 1612	1756	cmd.exe	44
PID 1756 wrote to memory of 1612	1756	cmd.exe	44
PID 1756 wrote to memory of 1612	1756	cmd.exe	44
PID 1756 wrote to memory of 1612	1756	cmd.exe	44
PID 1756 wrote to memory of 640	1756	cmd.exe	45
PID 1756 wrote to memory of 640	1756	cmd.exe	45
PID 1756 wrote to memory of 640	1756	cmd.exe	45
PID 1756 wrote to memory of 640	1756	cmd.exe	45
PID 1756 wrote to memory of 1632	1756	cmd.exe	46
PID 1756 wrote to memory of 1632	1756	cmd.exe	46
PID 1756 wrote to memory of 1632	1756	cmd.exe	46
PID 1756 wrote to memory of 1632	1756	cmd.exe	46
PID 1756 wrote to memory of 2020	1756	cmd.exe	47
PID 1756 wrote to memory of 2020	1756	cmd.exe	47
PID 1756 wrote to memory of 2020	1756	cmd.exe	47
PID 1756 wrote to memory of 2020	1756	cmd.exe	47
PID 1756 wrote to memory of 1336	1756	cmd.exe	48
PID 1756 wrote to memory of 1336	1756	cmd.exe	48

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244
- C:\Users\Admin\AppData\Local\Temp\ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe
  "C:\Users\Admin\AppData\Local\Temp\ac2fd60bb738b74461dbc78fe603389069240143ca144653e7db366c9dbf4e72.exe"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Users\Admin\AppData\Local\Temp\$rar10987.tmp
    3⤵
    - Modifies registry class
    - Runs regedit.exe
    PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$RAVSING.bat
    3⤵
    PID:320
- - C:\Windows\regsougoupy.exe
    C:\Windows\regsougoupy.exe \??\C:\Windows\regedit.exe 1244 C:\Users\Admin\AppData\Local\Temp\okhhhik.tmp
    3⤵
    - Suspicious use of NtCreateProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$edbs.bat
    3⤵
    PID:548
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$rcqi.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\."
      4⤵
      Executes dropped EXE
      PID:240
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\.."
      4⤵
      Executes dropped EXE
      PID:1744
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\desktop.ini"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      PID:1788
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\GOOGLE~1.LNK"
      4⤵
      Executes dropped EXE
      PID:1612
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\LAUNCH~1.LNK"
      4⤵
      Executes dropped EXE
      PID:640
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\SHOWSD~1.LNK"
      4⤵
      Executes dropped EXE
      PID:1632
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1"
      4⤵
      Executes dropped EXE
      PID:2020
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\WINDOW~1.LNK"
      4⤵
      Executes dropped EXE
      PID:1336
- - C:\Windows\regsougoupy.exe
    C:\Windows\regsougoupy.exe \??\C:\Windows\regedit.exe 1244 C:\Users\Admin\AppData\Local\Temp\$rar10943.tmp
    3⤵
    - Suspicious use of NtCreateProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:908
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat
    3⤵
    - Deletes itself
    PID:1056
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
      4⤵
      PID:1064
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:976
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:584
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:848
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1060
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1648
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1928
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:708
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1008
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:316
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1608
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1700
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:776
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1744
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1428
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:672
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1620
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1684
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1260
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1500
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$RAVSING.bat

Filesize
253B

MD5
cb350b29233b3440633123bb77692140

SHA1
52793f1ba4c7925d41c6e79a109080c3d12b69e6

SHA256
7031fcb0fa967101e4d4894e9ebbac7e0ed00cc3ba57777afa02f521356530d3

SHA512
0e5d3b34262260b807179d6a51e2c62524d3b0a132c05c4425830d376d1002d150aa0fd8e747a67d96b8ae8145ab903892ce3eaa8245084832eefd02b31c09b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat

Filesize
639B

MD5
dfdf7432958cc9c018b2da0eadcba82c

SHA1
538843ff37223a123d29ed5933e03b3a8ddac541

SHA256
9467badfe54a64b1476a1ca70807f8e0528b5640017564d5c2d6f06b39e45111

SHA512
a8e065a95e56753326d1d719dba78845fce2d2e9bfd3f21f9ad71c6b6d1a6466abf0c9ca63d52489eb54f3769b797480c4892a62d81427adcb628cd57d1c8b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$edbs.bat

Filesize
59B

MD5
0cf180f20e716094bef34db0f1a39a04

SHA1
f8e9da5d8eaf347b240a77c6a9c4f494d4fc351b

SHA256
2a72298ec1d957d1d225aec50a4e6e32c5dec2f2645f25e580304e5c7ae5bb26

SHA512
a471fee35dfc685effb46fcc37d47d7210fad3fdba7cb5342b13e11f95ae7690e4053b3399bca6da7546015a479ce55a301c6934be8bab7ec9eae5aece8bdb3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$rcqi.bat

Filesize
1KB

MD5
98d7f7eb2ab8df60b86f3eab6cc2d8be

SHA1
a86c8759d8dd00f7d5d64e3c5c0d467ce1f41547

SHA256
cfc8943e4bee67b768f0c7044a094fbb8d5405333e364e87e36afa47ea57e7e0

SHA512
a00934cbd3d20e0058ef844935cc31a652a9726441307dfd776bd2cf08baa16a8004350d4690024d5e626a596823ab7a3a86d72b9cb86b681d1b8e8cda9b5668

Download Submit
C:\Users\Admin\AppData\Local\Temp\$rar10987.tmp

Filesize
1KB

MD5
185038ec1cc9a69a109726c8989e4cf5

SHA1
bfb62037297e8533e5f3940a32fb9505acf4fe26

SHA256
48ccff6cd96445619998a70fad77f5e655a9d146b93d0d160656619728c4e727

SHA512
bb0065a36a9bc48199943b21f3c3f10916fd15aa54201513f344464d962b5e6339e1df1b932043a914a662631f842a2f3b7a2c6e8c4e414567c5ea8ac9950391

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEXPLORE.tmp

Filesize
1KB

MD5
0e7e94ac599c15176ec8367c8ccb956a

SHA1
91785bf101f20f047fa9c69a2e0c21a0df23b2be

SHA256
6eebf597dfe79cd17a4da6e38a4c2b10517cadfd2620cc3c8dc83baefad67627

SHA512
6ee1a11e1aef2bb531709fe95c97186002a7cac0eaa1108f529c5a6591e17292e60780ecc2113035533c648c0e0f893c668e2fc250f1d887f83e2463316d4e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\okhhhik.tmp

Filesize
3KB

MD5
b0fbee68075824aee3009fa3f5679713

SHA1
bcb89acea808c4b6027e854c4a08721ccebb5a42

SHA256
76b731f6e46411f4ea50f942f3ee80ac2dee8bda243493a6cc11ce2bf44c1af8

SHA512
de8328811297b93c27bac1a8dfb2a222e82c3a8da9f50415ba48bf65c7a866254e8c6bb70be55507268227ac230d0736a22a8d77176d5ab688ae5ee26640a934

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\regsougoupy.exe

Filesize
92KB

MD5
6f028d5d5303b7d2f44ff676f6be4a21

SHA1
d7522f55db54d136e9be7ae90887591cdc03b64b

SHA256
855efd09b5e0b44499f8b4571786e352a16e8afc2456f09df76e53b6d5e700ed

SHA512
d6d7a990b0472cb0e4cf4cec0d9cddd51894a2391ebc79f0fcac7e9c4789cddccc587021dd24bde1b06bf6ac9726e5fb8d7014138bf4f9af83c3664627ac1412

Download Submit
C:\Windows\regsougoupy.exe

Filesize
92KB

MD5
6f028d5d5303b7d2f44ff676f6be4a21

SHA1
d7522f55db54d136e9be7ae90887591cdc03b64b

SHA256
855efd09b5e0b44499f8b4571786e352a16e8afc2456f09df76e53b6d5e700ed

SHA512
d6d7a990b0472cb0e4cf4cec0d9cddd51894a2391ebc79f0fcac7e9c4789cddccc587021dd24bde1b06bf6ac9726e5fb8d7014138bf4f9af83c3664627ac1412

Download Submit
C:\Windows\regsougoupy.exe

Filesize
92KB

MD5
6f028d5d5303b7d2f44ff676f6be4a21

SHA1
d7522f55db54d136e9be7ae90887591cdc03b64b

SHA256
855efd09b5e0b44499f8b4571786e352a16e8afc2456f09df76e53b6d5e700ed

SHA512
d6d7a990b0472cb0e4cf4cec0d9cddd51894a2391ebc79f0fcac7e9c4789cddccc587021dd24bde1b06bf6ac9726e5fb8d7014138bf4f9af83c3664627ac1412

Download Submit
memory/240-75-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/952-55-0x0000000075E11000-0x0000000075E13000-memory.dmp

Filesize
8KB

Download
memory/952-103-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/952-54-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1744-79-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download