dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5

Analysis

max time kernel
229s
max time network
337s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe
Size

739KB
MD5

15d3258e0a610cd824b1f51d9297d640
SHA1

478065a1b38bab5785d8ed5e531ef399bc2633a8
SHA256

dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5
SHA512

59c1e735e66392accef8d89dcb81d4e9960027c6820ed9e0c848d749738d650e998ab6939520c0df713f7026acf2afa7cabac128fcd98ce4b868c39edc60f1d9
SSDEEP

12288:DSYr8EeBHl8irqPEWGwfz/NQt0lmmFRxRIMmSN3FUoAjc:Dn7kFLrqV7z7m2RxRIMmC3Cc

Score

10^/10

bootkit persistence upx

Malware Config

Signatures

Suspicious use of NtCreateProcessOtherParentProcess 10 IoCs

Processes:

RkRealTech.exe

description	pid	process	target process
PID 1996 created 1272	1996	RkRealTech.exe	Explorer.EXE
PID 1996 created 1272	1996	RkRealTech.exe	Explorer.EXE
PID 1996 created 1272	1996	RkRealTech.exe	Explorer.EXE
PID 1996 created 1272	1996	RkRealTech.exe	Explorer.EXE
PID 1996 created 1272	1996	RkRealTech.exe	Explorer.EXE
PID 1996 created 1272	1996	RkRealTech.exe	Explorer.EXE
PID 1996 created 1272	1996	RkRealTech.exe	Explorer.EXE
PID 1996 created 1272	1996	RkRealTech.exe	Explorer.EXE
PID 1996 created 1272	1996	RkRealTech.exe	Explorer.EXE
PID 1996 created 1272	1996	RkRealTech.exe	Explorer.EXE

Nirsoft 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1192-78-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft

Executes dropped EXE 9 IoCs

Processes:

RkRealTech.exeRtkSYUdp.exeRtkSYUdp.exeRtkSYUdp.exeRtkSYUdp.exeRtkSYUdp.exeRtkSYUdp.exeRtkSYUdp.exeRtkSYUdp.exe

pid	process
1996	RkRealTech.exe
1192	RtkSYUdp.exe
2040	RtkSYUdp.exe
1784	RtkSYUdp.exe
896	RtkSYUdp.exe
112	RtkSYUdp.exe
1844	RtkSYUdp.exe
188	RtkSYUdp.exe
1736	RtkSYUdp.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1892-55-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/1892-56-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/1892-72-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
C:\Windows\RtkSYUdp.exe	upx
C:\Windows\RtkSYUdp.exe	upx
behavioral1/memory/1192-78-0x0000000000400000-0x0000000000415000-memory.dmp	upx
C:\Windows\RtkSYUdp.exe	upx
C:\Windows\RtkSYUdp.exe	upx
C:\Windows\RtkSYUdp.exe	upx
C:\Windows\RtkSYUdp.exe	upx
C:\Windows\RtkSYUdp.exe	upx
C:\Windows\RtkSYUdp.exe	upx
C:\Windows\RtkSYUdp.exe	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1228 cmd.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

RtkSYUdp.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\desktop.ini RtkSYUdp.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe

description ioc process

File opened for modification \??\PhysicalDrive0 dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe

pid	process
1228	cmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\desktop.ini	RtkSYUdp.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe

Drops file in Program Files directory 2 IoCs

Processes:

dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\TaoBao\ÌÔ±¦.ico	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe
File created	C:\Program Files (x86)\Common Files\TaoBao\ÌÔ±¦.tmp	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe

Drops file in Windows directory 2 IoCs

Processes:

dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe

description	ioc	process
File created	C:\Windows\RkRealTech.exe	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe
File created	C:\Windows\RtkSYUdp.exe	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\internet explorer\version Vector	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe

Modifies registry class 46 IoCs

Processes:

regedit.exeregedit.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\DefaultIcon\ = "shdoclc.dll,-190"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\LocalizedString = "@shdoclc.dll,-880"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open\Command\ = "IEXPLORE.EXE %w%w%w.93%119%15.%c%o%m"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\ShellFolder\Attributes = "0"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\ÊôÐÔ\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ = "InternetShortcut"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\ShellFolder\	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\ÊôÐÔ	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\ShellFolder	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ = "lnkfile"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\InfoTip = "@shdoclc.dll,-881"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew\Command = "rundll32.exe appwiz.cpl,NewLinkHere %1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\DefaultIcon	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open\ = "´ò¿ªÖ÷Ò³(&H)"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\ÊôÐÔ\ = "ÊôÐÔ(&R)"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\ÊôÐÔ\Command	regedit.exe

Runs regedit.exe 12 IoCs

Processes:

regedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exe

pid	process
1484	regedit.exe
1528	regedit.exe
1888	regedit.exe
1548	regedit.exe
1952	regedit.exe
1416	regedit.exe
512	regedit.exe
1704	regedit.exe
1016	regedit.exe
1780	regedit.exe
1332	regedit.exe
1976	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exeRkRealTech.exe

pid	process
1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe
1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe
1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe
1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe
1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe
1996	RkRealTech.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe

pid	process
1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe
1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exeRkRealTech.execmd.execmd.exe

description	pid	process	target process
PID 1892 wrote to memory of 1548	1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	regedit.exe
PID 1892 wrote to memory of 1548	1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	regedit.exe
PID 1892 wrote to memory of 1548	1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	regedit.exe
PID 1892 wrote to memory of 1548	1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	regedit.exe
PID 1892 wrote to memory of 1640	1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	cmd.exe
PID 1892 wrote to memory of 1640	1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	cmd.exe
PID 1892 wrote to memory of 1640	1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	cmd.exe
PID 1892 wrote to memory of 1640	1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	cmd.exe
PID 1892 wrote to memory of 1780	1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	regedit.exe
PID 1892 wrote to memory of 1780	1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	regedit.exe
PID 1892 wrote to memory of 1780	1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	regedit.exe
PID 1892 wrote to memory of 1780	1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	regedit.exe
PID 1892 wrote to memory of 512	1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	cmd.exe
PID 1892 wrote to memory of 512	1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	cmd.exe
PID 1892 wrote to memory of 512	1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	cmd.exe
PID 1892 wrote to memory of 512	1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	cmd.exe
PID 1892 wrote to memory of 1828	1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	cmd.exe
PID 1892 wrote to memory of 1828	1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	cmd.exe
PID 1892 wrote to memory of 1828	1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	cmd.exe
PID 1892 wrote to memory of 1828	1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	cmd.exe
PID 1892 wrote to memory of 1996	1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	RkRealTech.exe
PID 1892 wrote to memory of 1996	1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	RkRealTech.exe
PID 1892 wrote to memory of 1996	1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	RkRealTech.exe
PID 1892 wrote to memory of 1996	1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	RkRealTech.exe
PID 1892 wrote to memory of 1228	1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	cmd.exe
PID 1892 wrote to memory of 1228	1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	cmd.exe
PID 1892 wrote to memory of 1228	1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	cmd.exe
PID 1892 wrote to memory of 1228	1892	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	cmd.exe
PID 1996 wrote to memory of 1952	1996	RkRealTech.exe	regedit.exe
PID 1996 wrote to memory of 1952	1996	RkRealTech.exe	regedit.exe
PID 1996 wrote to memory of 1952	1996	RkRealTech.exe	regedit.exe
PID 1996 wrote to memory of 1952	1996	RkRealTech.exe	regedit.exe
PID 1996 wrote to memory of 1952	1996	RkRealTech.exe	regedit.exe
PID 1828 wrote to memory of 1192	1828	cmd.exe	RtkSYUdp.exe
PID 1828 wrote to memory of 1192	1828	cmd.exe	RtkSYUdp.exe
PID 1828 wrote to memory of 1192	1828	cmd.exe	RtkSYUdp.exe
PID 1828 wrote to memory of 1192	1828	cmd.exe	RtkSYUdp.exe
PID 1828 wrote to memory of 2040	1828	cmd.exe	RtkSYUdp.exe
PID 1828 wrote to memory of 2040	1828	cmd.exe	RtkSYUdp.exe
PID 1828 wrote to memory of 2040	1828	cmd.exe	RtkSYUdp.exe
PID 1828 wrote to memory of 2040	1828	cmd.exe	RtkSYUdp.exe
PID 1828 wrote to memory of 1784	1828	cmd.exe	RtkSYUdp.exe
PID 1828 wrote to memory of 1784	1828	cmd.exe	RtkSYUdp.exe
PID 1828 wrote to memory of 1784	1828	cmd.exe	RtkSYUdp.exe
PID 1828 wrote to memory of 1784	1828	cmd.exe	RtkSYUdp.exe
PID 1228 wrote to memory of 1820	1228	cmd.exe	reg.exe
PID 1228 wrote to memory of 1820	1228	cmd.exe	reg.exe
PID 1228 wrote to memory of 1820	1228	cmd.exe	reg.exe
PID 1228 wrote to memory of 1820	1228	cmd.exe	reg.exe
PID 1828 wrote to memory of 896	1828	cmd.exe	RtkSYUdp.exe
PID 1828 wrote to memory of 896	1828	cmd.exe	RtkSYUdp.exe
PID 1828 wrote to memory of 896	1828	cmd.exe	RtkSYUdp.exe
PID 1828 wrote to memory of 896	1828	cmd.exe	RtkSYUdp.exe
PID 1828 wrote to memory of 112	1828	cmd.exe	RtkSYUdp.exe
PID 1828 wrote to memory of 112	1828	cmd.exe	RtkSYUdp.exe
PID 1828 wrote to memory of 112	1828	cmd.exe	RtkSYUdp.exe
PID 1828 wrote to memory of 112	1828	cmd.exe	RtkSYUdp.exe
PID 1828 wrote to memory of 1844	1828	cmd.exe	RtkSYUdp.exe
PID 1828 wrote to memory of 1844	1828	cmd.exe	RtkSYUdp.exe
PID 1828 wrote to memory of 1844	1828	cmd.exe	RtkSYUdp.exe
PID 1828 wrote to memory of 1844	1828	cmd.exe	RtkSYUdp.exe
PID 1828 wrote to memory of 188	1828	cmd.exe	RtkSYUdp.exe
PID 1828 wrote to memory of 188	1828	cmd.exe	RtkSYUdp.exe
PID 1828 wrote to memory of 188	1828	cmd.exe	RtkSYUdp.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe
"C:\Users\Admin\AppData\Local\Temp\dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe"
2⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Users\Admin\AppData\Local\Temp\$rar10987.tmp
3⤵
- Modifies registry class
- Runs regedit.exe
PID:1548

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$RAVSING.bat
3⤵
PID:1640

C:\Windows\SysWOW64\regedit.exe
C:\Windows\regedit.exe /s C:\Users\Admin\AppData\Local\Temp\okhhhik.tmp
3⤵
- Modifies registry class
- Runs regedit.exe
PID:1780

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$edbs.bat
3⤵
PID:512

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$rcqi.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\RtkSYUdp.exe
C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\."
4⤵
- Executes dropped EXE
PID:1192

C:\Windows\RtkSYUdp.exe
C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\.."
4⤵
- Executes dropped EXE
PID:2040

C:\Windows\RtkSYUdp.exe
C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\desktop.ini"
4⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
PID:1784

C:\Windows\RtkSYUdp.exe
C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\GOOGLE~1.LNK"
4⤵
- Executes dropped EXE
PID:896

C:\Windows\RtkSYUdp.exe
C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\LAUNCH~1.LNK"
4⤵
- Executes dropped EXE
PID:112

C:\Windows\RtkSYUdp.exe
C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\SHOWSD~1.LNK"
4⤵
- Executes dropped EXE
PID:1844

C:\Windows\RtkSYUdp.exe
C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1"
4⤵
- Executes dropped EXE
PID:188

C:\Windows\RtkSYUdp.exe
C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\WINDOW~1.LNK"
4⤵
- Executes dropped EXE
PID:1736

C:\Windows\RkRealTech.exe
C:\Windows\RkRealTech.exe \??\C:\Windows\regedit.exe 1272 C:\Users\Admin\AppData\Local\Temp\$rar10943.tmp
3⤵
- Suspicious use of NtCreateProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
4⤵
PID:1820

\Windows\SysWOW64\regedit.exe
2⤵
- Runs regedit.exe
PID:1952

\Windows\SysWOW64\regedit.exe
2⤵
- Runs regedit.exe
PID:1416

\Windows\SysWOW64\regedit.exe
2⤵
- Runs regedit.exe
PID:512

\Windows\SysWOW64\regedit.exe
2⤵
- Runs regedit.exe
PID:1704

\Windows\SysWOW64\regedit.exe
2⤵
- Runs regedit.exe
PID:1484

\Windows\SysWOW64\regedit.exe
2⤵
- Runs regedit.exe
PID:1528

\Windows\SysWOW64\regedit.exe
2⤵
- Runs regedit.exe
PID:1332

\Windows\SysWOW64\regedit.exe
2⤵
- Runs regedit.exe
PID:1888

\Windows\SysWOW64\regedit.exe
2⤵
- Runs regedit.exe
PID:1976

\Windows\SysWOW64\regedit.exe
2⤵
- Runs regedit.exe
PID:1016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$RAVSING.bat

Filesize
253B

MD5
cb350b29233b3440633123bb77692140

SHA1
52793f1ba4c7925d41c6e79a109080c3d12b69e6

SHA256
7031fcb0fa967101e4d4894e9ebbac7e0ed00cc3ba57777afa02f521356530d3

SHA512
0e5d3b34262260b807179d6a51e2c62524d3b0a132c05c4425830d376d1002d150aa0fd8e747a67d96b8ae8145ab903892ce3eaa8245084832eefd02b31c09b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat

Filesize
695B

MD5
1628e9b0aa52303b1baa2ad5c0f5acd5

SHA1
0a216aefb39c88b84dbc55929623794e8256ad50

SHA256
03e9a1c433eecc84315d45bf4236f548e197bd8e0b43713d137034c264701043

SHA512
21299ad7a19a21876152cb45bc32db4a5d6bece7d961fdb9fb0dd7dae7b4f632437877339e4a1a89356ecd5e651805c83850967136738e144f068bbcb2096e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$edbs.bat

Filesize
59B

MD5
0cf180f20e716094bef34db0f1a39a04

SHA1
f8e9da5d8eaf347b240a77c6a9c4f494d4fc351b

SHA256
2a72298ec1d957d1d225aec50a4e6e32c5dec2f2645f25e580304e5c7ae5bb26

SHA512
a471fee35dfc685effb46fcc37d47d7210fad3fdba7cb5342b13e11f95ae7690e4053b3399bca6da7546015a479ce55a301c6934be8bab7ec9eae5aece8bdb3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$rcqi.bat

Filesize
1KB

MD5
98d7f7eb2ab8df60b86f3eab6cc2d8be

SHA1
a86c8759d8dd00f7d5d64e3c5c0d467ce1f41547

SHA256
cfc8943e4bee67b768f0c7044a094fbb8d5405333e364e87e36afa47ea57e7e0

SHA512
a00934cbd3d20e0058ef844935cc31a652a9726441307dfd776bd2cf08baa16a8004350d4690024d5e626a596823ab7a3a86d72b9cb86b681d1b8e8cda9b5668

Download Submit
C:\Users\Admin\AppData\Local\Temp\$rar10943.tmp

Filesize
142B

MD5
1722b85f05faa97e09cc1d98002d0711

SHA1
0a2ec5d60f6c8af838fc004e8fbb0b436437887f

SHA256
2c428a167d8dabe9b4e4e821f5d56333962208ef44bc0becbf9c968f1e583e21

SHA512
40393e3b6f958a2b0303810ba3653f55b18ff22439df78487752c92cbe0a510120b2a078b31805980ae2ceaa4465674bfc2ce03803988481fd633e2b9c3ca3b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$rar10987.tmp

Filesize
1KB

MD5
185038ec1cc9a69a109726c8989e4cf5

SHA1
bfb62037297e8533e5f3940a32fb9505acf4fe26

SHA256
48ccff6cd96445619998a70fad77f5e655a9d146b93d0d160656619728c4e727

SHA512
bb0065a36a9bc48199943b21f3c3f10916fd15aa54201513f344464d962b5e6339e1df1b932043a914a662631f842a2f3b7a2c6e8c4e414567c5ea8ac9950391

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEXPLORE.tmp

Filesize
1KB

MD5
6c1b7a24de92d5350d81c7b896abe5e4

SHA1
9897cf28af2b5e2e2a1966dd3301364cc813ea27

SHA256
bf959848cc8ab3be53b5a806e1fa97e0e5cfce5d2f0edbce7e9743c9791ea4db

SHA512
bc79ab532a8e3d9393c33991b248ab83e5fd6b28b6c785e006bf36c717017ee7ddbf541f4a74c54742aea14e5dcb816cfd870d56da054a8ea137a97bde26fa66

Download Submit
C:\Users\Admin\AppData\Local\Temp\okhhhik.tmp

Filesize
3KB

MD5
25db315b7c4e03440fc39a45d0e696f4

SHA1
e676a65ddced682543871402c65745615866813b

SHA256
afebbcbfd45e044083133fd2f575f9cee59dbff403ae376b2d2307a89b97a26c

SHA512
d10afe733da4f6c33e2859078ca307e40cf15c0e2ddde9e48b8cb3962491cc73e6b47d2fb98c56d233bef268cf1d45ac68d5835885a8b5395ee4b0c6dd0ad3d4

Download Submit
C:\Windows\RkRealTech.exe

Filesize
92KB

MD5
c4d74a5318041d91b2b62f40654b4a9e

SHA1
2569a80a0a43bd16903d45f256da43ddabb14fd0

SHA256
ca192baae8857e254274e6353fb2fdfc0337ee4798fe3ab9bdffd66c8962da05

SHA512
d626e0fabfa35adfa25c4789806490f543eeb8be1736b657d7d528df601a726a1dac329120f69648a52917f1fc79030052b849e896fb22c00a2814ec3a85ade7

Download Submit
C:\Windows\RkRealTech.exe

Filesize
92KB

MD5
c4d74a5318041d91b2b62f40654b4a9e

SHA1
2569a80a0a43bd16903d45f256da43ddabb14fd0

SHA256
ca192baae8857e254274e6353fb2fdfc0337ee4798fe3ab9bdffd66c8962da05

SHA512
d626e0fabfa35adfa25c4789806490f543eeb8be1736b657d7d528df601a726a1dac329120f69648a52917f1fc79030052b849e896fb22c00a2814ec3a85ade7

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
memory/112-92-0x0000000000000000-mapping.dmp

Download
memory/188-98-0x0000000000000000-mapping.dmp

Download
memory/512-65-0x0000000000000000-mapping.dmp

Download
memory/896-88-0x0000000000000000-mapping.dmp

Download
memory/1192-75-0x0000000000000000-mapping.dmp

Download
memory/1192-78-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1228-70-0x0000000000000000-mapping.dmp

Download
memory/1548-57-0x0000000000000000-mapping.dmp

Download
memory/1640-60-0x0000000000000000-mapping.dmp

Download
memory/1736-101-0x0000000000000000-mapping.dmp

Download
memory/1780-61-0x0000000000000000-mapping.dmp

Download
memory/1784-83-0x0000000000000000-mapping.dmp

Download
memory/1820-85-0x0000000000000000-mapping.dmp

Download
memory/1828-67-0x0000000000000000-mapping.dmp

Download
memory/1844-95-0x0000000000000000-mapping.dmp

Download
memory/1892-72-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1892-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1892-56-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1892-55-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1996-68-0x0000000000000000-mapping.dmp

Download
memory/2040-79-0x0000000000000000-mapping.dmp

Download