dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5

Analysis

max time kernel
143s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe
Size

739KB
MD5

15d3258e0a610cd824b1f51d9297d640
SHA1

478065a1b38bab5785d8ed5e531ef399bc2633a8
SHA256

dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5
SHA512

59c1e735e66392accef8d89dcb81d4e9960027c6820ed9e0c848d749738d650e998ab6939520c0df713f7026acf2afa7cabac128fcd98ce4b868c39edc60f1d9
SSDEEP

12288:DSYr8EeBHl8irqPEWGwfz/NQt0lmmFRxRIMmSN3FUoAjc:Dn7kFLrqV7z7m2RxRIMmC3Cc

Score

10^/10

bootkit persistence upx

Malware Config

Signatures

Suspicious use of NtCreateProcessOtherParentProcess 1 IoCs

Processes:

RkRealTech.exe

description pid process target process

PID 4744 created 2720 4744 RkRealTech.exe Explorer.EXE

description	pid	process	target process
PID 4744 created 2720	4744	RkRealTech.exe	Explorer.EXE

Nirsoft 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3268-150-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral2/memory/1224-153-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft

Executes dropped EXE 9 IoCs

Processes:

RkRealTech.exeRtkSYUdp.exeRtkSYUdp.exeRtkSYUdp.exeRtkSYUdp.exeRtkSYUdp.exeRtkSYUdp.exeRtkSYUdp.exeRtkSYUdp.exe

pid	process
4744	RkRealTech.exe
3268	RtkSYUdp.exe
1224	RtkSYUdp.exe
4476	RtkSYUdp.exe
4652	RtkSYUdp.exe
2084	RtkSYUdp.exe
1484	RtkSYUdp.exe
1016	RtkSYUdp.exe
3472	RtkSYUdp.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4444-132-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
C:\Windows\RtkSYUdp.exe	upx
C:\Windows\RtkSYUdp.exe	upx
behavioral2/memory/3268-150-0x0000000000400000-0x0000000000415000-memory.dmp	upx
C:\Windows\RtkSYUdp.exe	upx
C:\Windows\RtkSYUdp.exe	upx
behavioral2/memory/1224-153-0x0000000000400000-0x0000000000415000-memory.dmp	upx
C:\Windows\RtkSYUdp.exe	upx
C:\Windows\RtkSYUdp.exe	upx
C:\Windows\RtkSYUdp.exe	upx
C:\Windows\RtkSYUdp.exe	upx
C:\Windows\RtkSYUdp.exe	upx
behavioral2/memory/4444-168-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral2/memory/4444-170-0x0000000000400000-0x00000000004BB000-memory.dmp	upx

Drops desktop.ini file(s) 1 IoCs

Processes:

RtkSYUdp.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\desktop.ini RtkSYUdp.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe

description ioc process

File opened for modification \??\PhysicalDrive0 dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\desktop.ini	RtkSYUdp.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe

Drops file in Program Files directory 2 IoCs

Processes:

dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\TaoBao\ÌÔ±¦.ico	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe
File created	C:\Program Files (x86)\Common Files\TaoBao\ÌÔ±¦.tmp	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe

Drops file in Windows directory 2 IoCs

Processes:

dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe

description	ioc	process
File created	C:\Windows\RkRealTech.exe	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe
File created	C:\Windows\RtkSYUdp.exe	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4488 2232 WerFault.exe regedit.exe

pid	pid_target	process	target process
4488	2232	WerFault.exe	regedit.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\internet explorer\version Vector	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe

Modifies registry class 46 IoCs

Processes:

regedit.exeregedit.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew\Command = "rundll32.exe appwiz.cpl,NewLinkHere %1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\DefaultIcon	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\ÊôÐÔ\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\ShellFolder\	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\ÊôÐÔ\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\ÊôÐÔ\ = "ÊôÐÔ(&R)"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ = "lnkfile"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\ShellFolder	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open\ = "´ò¿ªÖ÷Ò³(&H)"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open\Command\ = "IEXPLORE.EXE %w%w%w.93%119%15.%c%o%m"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ = "InternetShortcut"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\ShellFolder\Attributes = "0"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\DefaultIcon\ = "shdoclc.dll,-190"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\ÊôÐÔ	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\InfoTip = "@shdoclc.dll,-881"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\LocalizedString = "@shdoclc.dll,-880"	regedit.exe

Runs regedit.exe 3 IoCs

Processes:

regedit.exeregedit.exeregedit.exe

pid process

820 regedit.exe
4196 regedit.exe
2232 regedit.exe

pid	process
820	regedit.exe
4196	regedit.exe
2232	regedit.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exeRkRealTech.exe

pid	process
4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe
4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe
4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe
4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe
4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe
4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe
4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe
4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe
4744	RkRealTech.exe
4744	RkRealTech.exe
4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe
4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe

pid	process
4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe
4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exeRkRealTech.execmd.execmd.exe

description	pid	process	target process
PID 4444 wrote to memory of 820	4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	regedit.exe
PID 4444 wrote to memory of 820	4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	regedit.exe
PID 4444 wrote to memory of 820	4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	regedit.exe
PID 4444 wrote to memory of 448	4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	cmd.exe
PID 4444 wrote to memory of 448	4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	cmd.exe
PID 4444 wrote to memory of 448	4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	cmd.exe
PID 4444 wrote to memory of 4196	4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	regedit.exe
PID 4444 wrote to memory of 4196	4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	regedit.exe
PID 4444 wrote to memory of 4196	4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	regedit.exe
PID 4444 wrote to memory of 3328	4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	cmd.exe
PID 4444 wrote to memory of 3328	4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	cmd.exe
PID 4444 wrote to memory of 3328	4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	cmd.exe
PID 4444 wrote to memory of 4712	4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	cmd.exe
PID 4444 wrote to memory of 4712	4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	cmd.exe
PID 4444 wrote to memory of 4712	4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	cmd.exe
PID 4444 wrote to memory of 4744	4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	RkRealTech.exe
PID 4444 wrote to memory of 4744	4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	RkRealTech.exe
PID 4444 wrote to memory of 4744	4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	RkRealTech.exe
PID 4744 wrote to memory of 2232	4744	RkRealTech.exe	regedit.exe
PID 4744 wrote to memory of 2232	4744	RkRealTech.exe	regedit.exe
PID 4744 wrote to memory of 2232	4744	RkRealTech.exe	regedit.exe
PID 4712 wrote to memory of 3268	4712	cmd.exe	RtkSYUdp.exe
PID 4712 wrote to memory of 3268	4712	cmd.exe	RtkSYUdp.exe
PID 4712 wrote to memory of 3268	4712	cmd.exe	RtkSYUdp.exe
PID 4712 wrote to memory of 1224	4712	cmd.exe	RtkSYUdp.exe
PID 4712 wrote to memory of 1224	4712	cmd.exe	RtkSYUdp.exe
PID 4712 wrote to memory of 1224	4712	cmd.exe	RtkSYUdp.exe
PID 4712 wrote to memory of 4476	4712	cmd.exe	RtkSYUdp.exe
PID 4712 wrote to memory of 4476	4712	cmd.exe	RtkSYUdp.exe
PID 4712 wrote to memory of 4476	4712	cmd.exe	RtkSYUdp.exe
PID 4712 wrote to memory of 4652	4712	cmd.exe	RtkSYUdp.exe
PID 4712 wrote to memory of 4652	4712	cmd.exe	RtkSYUdp.exe
PID 4712 wrote to memory of 4652	4712	cmd.exe	RtkSYUdp.exe
PID 4712 wrote to memory of 2084	4712	cmd.exe	RtkSYUdp.exe
PID 4712 wrote to memory of 2084	4712	cmd.exe	RtkSYUdp.exe
PID 4712 wrote to memory of 2084	4712	cmd.exe	RtkSYUdp.exe
PID 4712 wrote to memory of 1484	4712	cmd.exe	RtkSYUdp.exe
PID 4712 wrote to memory of 1484	4712	cmd.exe	RtkSYUdp.exe
PID 4712 wrote to memory of 1484	4712	cmd.exe	RtkSYUdp.exe
PID 4712 wrote to memory of 1016	4712	cmd.exe	RtkSYUdp.exe
PID 4712 wrote to memory of 1016	4712	cmd.exe	RtkSYUdp.exe
PID 4712 wrote to memory of 1016	4712	cmd.exe	RtkSYUdp.exe
PID 4712 wrote to memory of 3472	4712	cmd.exe	RtkSYUdp.exe
PID 4712 wrote to memory of 3472	4712	cmd.exe	RtkSYUdp.exe
PID 4712 wrote to memory of 3472	4712	cmd.exe	RtkSYUdp.exe
PID 4444 wrote to memory of 608	4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	cmd.exe
PID 4444 wrote to memory of 608	4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	cmd.exe
PID 4444 wrote to memory of 608	4444	dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe	cmd.exe
PID 608 wrote to memory of 4856	608	cmd.exe	reg.exe
PID 608 wrote to memory of 4856	608	cmd.exe	reg.exe
PID 608 wrote to memory of 4856	608	cmd.exe	reg.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe
"C:\Users\Admin\AppData\Local\Temp\dc20b38fa55aa52580125dab374b46217136a532c805d7aefcfdbce14d3dfad5.exe"
2⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Users\Admin\AppData\Local\Temp\$rar10987.tmp
3⤵
- Modifies registry class
- Runs regedit.exe
PID:820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$RAVSING.bat
3⤵
PID:448

C:\Windows\SysWOW64\regedit.exe
C:\Windows\regedit.exe /s C:\Users\Admin\AppData\Local\Temp\okhhhik.tmp
3⤵
- Modifies registry class
- Runs regedit.exe
PID:4196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$edbs.bat
3⤵
PID:3328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$rcqi.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\RtkSYUdp.exe
C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\."
4⤵
- Executes dropped EXE
PID:3268

C:\Windows\RtkSYUdp.exe
C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\.."
4⤵
- Executes dropped EXE
PID:1224

C:\Windows\RtkSYUdp.exe
C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\desktop.ini"
4⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
PID:4476

C:\Windows\RtkSYUdp.exe
C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\GOOGLE~1.LNK"
4⤵
- Executes dropped EXE
PID:4652

C:\Windows\RtkSYUdp.exe
C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\MICROS~1.LNK"
4⤵
- Executes dropped EXE
PID:2084

C:\Windows\RtkSYUdp.exe
C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\SHOWSD~1.LNK"
4⤵
- Executes dropped EXE
PID:1484

C:\Windows\RtkSYUdp.exe
C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1"
4⤵
- Executes dropped EXE
PID:1016

C:\Windows\RtkSYUdp.exe
C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\WINDOW~1.LNK"
4⤵
- Executes dropped EXE
PID:3472

C:\Windows\RkRealTech.exe
C:\Windows\RkRealTech.exe \??\C:\Windows\regedit.exe 2720 C:\Users\Admin\AppData\Local\Temp\$rar10943.tmp
3⤵
- Suspicious use of NtCreateProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:608

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
4⤵
PID:4856

\Windows\SysWOW64\regedit.exe
2⤵
- Runs regedit.exe
PID:2232

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2232 -s 8
3⤵
- Program crash
PID:4488

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 2232 -ip 2232
1⤵
PID:1392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$RAVSING.bat

Filesize
253B

MD5
cb350b29233b3440633123bb77692140

SHA1
52793f1ba4c7925d41c6e79a109080c3d12b69e6

SHA256
7031fcb0fa967101e4d4894e9ebbac7e0ed00cc3ba57777afa02f521356530d3

SHA512
0e5d3b34262260b807179d6a51e2c62524d3b0a132c05c4425830d376d1002d150aa0fd8e747a67d96b8ae8145ab903892ce3eaa8245084832eefd02b31c09b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat

Filesize
695B

MD5
1628e9b0aa52303b1baa2ad5c0f5acd5

SHA1
0a216aefb39c88b84dbc55929623794e8256ad50

SHA256
03e9a1c433eecc84315d45bf4236f548e197bd8e0b43713d137034c264701043

SHA512
21299ad7a19a21876152cb45bc32db4a5d6bece7d961fdb9fb0dd7dae7b4f632437877339e4a1a89356ecd5e651805c83850967136738e144f068bbcb2096e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$edbs.bat

Filesize
59B

MD5
0cf180f20e716094bef34db0f1a39a04

SHA1
f8e9da5d8eaf347b240a77c6a9c4f494d4fc351b

SHA256
2a72298ec1d957d1d225aec50a4e6e32c5dec2f2645f25e580304e5c7ae5bb26

SHA512
a471fee35dfc685effb46fcc37d47d7210fad3fdba7cb5342b13e11f95ae7690e4053b3399bca6da7546015a479ce55a301c6934be8bab7ec9eae5aece8bdb3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$rcqi.bat

Filesize
1KB

MD5
95457d5629ea8e2e826c36393a3479a6

SHA1
0190011fc3613e735179a9501e72d732cb92ac3c

SHA256
ec3b4324057e9bd22e0542473afbdcd45f1077f91c862d208e8b3a4e1ced6c45

SHA512
9c4c7340307412863dfece7847532b6976cb7096c47fd3e8a557c8d3413a642a26a1645f460db4bcbda009bd322b082df80c0786bbf14a968038b19324d6d4a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$rar10943.tmp

Filesize
142B

MD5
1722b85f05faa97e09cc1d98002d0711

SHA1
0a2ec5d60f6c8af838fc004e8fbb0b436437887f

SHA256
2c428a167d8dabe9b4e4e821f5d56333962208ef44bc0becbf9c968f1e583e21

SHA512
40393e3b6f958a2b0303810ba3653f55b18ff22439df78487752c92cbe0a510120b2a078b31805980ae2ceaa4465674bfc2ce03803988481fd633e2b9c3ca3b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$rar10987.tmp

Filesize
1KB

MD5
185038ec1cc9a69a109726c8989e4cf5

SHA1
bfb62037297e8533e5f3940a32fb9505acf4fe26

SHA256
48ccff6cd96445619998a70fad77f5e655a9d146b93d0d160656619728c4e727

SHA512
bb0065a36a9bc48199943b21f3c3f10916fd15aa54201513f344464d962b5e6339e1df1b932043a914a662631f842a2f3b7a2c6e8c4e414567c5ea8ac9950391

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEXPLORE.tmp

Filesize
1KB

MD5
b4e81aea49564bb7383d456efd1b7d0e

SHA1
b74ab01b5f75518ad2116a88f34213012788182a

SHA256
2394167858fa79c41577042435144f7d2b567eef272059061868fac4d3ceefc7

SHA512
90ce5900e45a6338c1ec211bd9df86678eac3e6dd4968c45b2e32677f965abc8ac3ce1c28ab8f0c54f509016f5426d163bbb3d5f672020c496d8430db6ba286f

Download Submit
C:\Users\Admin\AppData\Local\Temp\okhhhik.tmp

Filesize
4KB

MD5
e65d0630e7c3363eff81fd64109c3dac

SHA1
062d18f42ff35760bed198d51c1056a42c22bfba

SHA256
286db12cc30d8834f18cbc2d72aab3cbc8ab4c515dc8f4e124c82eaa61e4061d

SHA512
d4921c73729c5a00f9f2348d93cd0db827ea17cb45295f0f0b05d99597a241dab7703b674dd107e7a9d15854765b279af7d4f6b7ab8c44a1e658e361c63c0559

Download Submit
C:\Windows\RkRealTech.exe

Filesize
92KB

MD5
c4d74a5318041d91b2b62f40654b4a9e

SHA1
2569a80a0a43bd16903d45f256da43ddabb14fd0

SHA256
ca192baae8857e254274e6353fb2fdfc0337ee4798fe3ab9bdffd66c8962da05

SHA512
d626e0fabfa35adfa25c4789806490f543eeb8be1736b657d7d528df601a726a1dac329120f69648a52917f1fc79030052b849e896fb22c00a2814ec3a85ade7

Download Submit
C:\Windows\RkRealTech.exe

Filesize
92KB

MD5
c4d74a5318041d91b2b62f40654b4a9e

SHA1
2569a80a0a43bd16903d45f256da43ddabb14fd0

SHA256
ca192baae8857e254274e6353fb2fdfc0337ee4798fe3ab9bdffd66c8962da05

SHA512
d626e0fabfa35adfa25c4789806490f543eeb8be1736b657d7d528df601a726a1dac329120f69648a52917f1fc79030052b849e896fb22c00a2814ec3a85ade7

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
memory/448-135-0x0000000000000000-mapping.dmp

Download
memory/608-167-0x0000000000000000-mapping.dmp

Download
memory/820-133-0x0000000000000000-mapping.dmp

Download
memory/1016-162-0x0000000000000000-mapping.dmp

Download
memory/1224-153-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1224-151-0x0000000000000000-mapping.dmp

Download
memory/1484-160-0x0000000000000000-mapping.dmp

Download
memory/2084-158-0x0000000000000000-mapping.dmp

Download
memory/3268-147-0x0000000000000000-mapping.dmp

Download
memory/3268-150-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3328-138-0x0000000000000000-mapping.dmp

Download
memory/3472-164-0x0000000000000000-mapping.dmp

Download
memory/4196-136-0x0000000000000000-mapping.dmp

Download
memory/4444-132-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4444-168-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4444-170-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4476-154-0x0000000000000000-mapping.dmp

Download
memory/4652-156-0x0000000000000000-mapping.dmp

Download
memory/4712-140-0x0000000000000000-mapping.dmp

Download
memory/4744-141-0x0000000000000000-mapping.dmp

Download
memory/4856-171-0x0000000000000000-mapping.dmp

Download