d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee

Analysis

max time kernel
206s
max time network
226s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe
Size

29KB
MD5

88c6c7b6d8e0d760b604625e77b86b13
SHA1

6d9803604e2cd6b91e2b4a329e6bf28ac86d035f
SHA256

d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee
SHA512

a66f78e143ae224faa05cd9ec04ce6f892664cb65458fbf7973bf4300174cb0471ef3c8d5a14b4c22da72881292d8f267dc02f24717504355993030f48cec652
SSDEEP

384:NsBVL6WfBGw34VdiBOjbTtBHV4+1Ikap+xGEG77dsxK0n7mipC0tjZSouW8eal:NItBGw36cBwt+kaT9sY0n7ltjIouWv

Score

8^/10

persistence upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\AsyncMac.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\pcidump.sys	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe

Executes dropped EXE 1 IoCs

pid	Process
4348	extext240684812t.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe\KWatch.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe\ccSvcHst.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udaterui.exe\udaterui.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe\MPSVC.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSetMgr.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcnasvc.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfevtps.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHSTAT.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpfSrv.exe\MpfSrv.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSetMgr.exe\ccSetMgr.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccapp.exe\ccapp.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdmgr.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfeann.exe\mfeann.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe\mcsysmon.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmscsvc.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe\QQDoctor.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\engineserver.exe\engineserver.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshell.exe\mcshell.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHSTAT.exe\SHSTAT.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\avp.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\RavMon.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe\RavMonD.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LiveUpdate360.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defwatch.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdmgr.exe\mcupdmgr.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe\safeboxTray.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfeann.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe\KPFW32.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LiveUpdate360.exe\LiveUpdate360.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe\KVSrvXP.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Uplive.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe\KPfwSvc.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe\ekrn.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\engineserver.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcinsupd.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe\bdagent.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISSvc.exe\KISSvc.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defwatch.exe\defwatch.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vptray.exe\vptray.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe\RsTray.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McProxy.exe\McProxy.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safebox.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe\ScanFrm.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McTray.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FrameworkService.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udaterui.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe\CCenter.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe\RavStub.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KavStart.exe\KavStart.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vptray.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vstskmgr.exe	rundll32.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1964-132-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1964-137-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1964-157-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
4204	rundll32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RsTray = "C:\\Windows\\system32\\scvhost.exe"	extext240684812t.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\tete240658171t.dll	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe
File created	C:\Windows\extext240684812t.exe	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3340	sc.exe
836	sc.exe
3424	sc.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1268	taskkill.exe
2248	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4204	rundll32.exe
4204	rundll32.exe
4204	rundll32.exe
4204	rundll32.exe
4204	rundll32.exe
4204	rundll32.exe
4204	rundll32.exe
4204	rundll32.exe
4204	rundll32.exe
4204	rundll32.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
648	Process not Found
648	Process not Found
648	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2248	taskkill.exe
Token: SeDebugPrivilege	1268	taskkill.exe
Token: SeDebugPrivilege	4204	rundll32.exe
Token: SeDebugPrivilege	4348	extext240684812t.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 4428	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	84
PID 1964 wrote to memory of 4428	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	84
PID 1964 wrote to memory of 4428	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	84
PID 1964 wrote to memory of 1812	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	85
PID 1964 wrote to memory of 1812	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	85
PID 1964 wrote to memory of 1812	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	85
PID 1812 wrote to memory of 3424	1812	cmd.exe	87
PID 1812 wrote to memory of 3424	1812	cmd.exe	87
PID 1812 wrote to memory of 3424	1812	cmd.exe	87
PID 1964 wrote to memory of 836	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	89
PID 1964 wrote to memory of 836	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	89
PID 1964 wrote to memory of 836	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	89
PID 1964 wrote to memory of 2760	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	91
PID 1964 wrote to memory of 2760	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	91
PID 1964 wrote to memory of 2760	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	91
PID 2760 wrote to memory of 1268	2760	cmd.exe	93
PID 836 wrote to memory of 2248	836	cmd.exe	94
PID 2760 wrote to memory of 1268	2760	cmd.exe	93
PID 2760 wrote to memory of 1268	2760	cmd.exe	93
PID 836 wrote to memory of 2248	836	cmd.exe	94
PID 836 wrote to memory of 2248	836	cmd.exe	94
PID 1964 wrote to memory of 4204	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	96
PID 1964 wrote to memory of 4204	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	96
PID 1964 wrote to memory of 4204	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	96
PID 1964 wrote to memory of 2116	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	100
PID 1964 wrote to memory of 2116	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	100
PID 1964 wrote to memory of 2116	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	100
PID 2116 wrote to memory of 1292	2116	cmd.exe	102
PID 2116 wrote to memory of 1292	2116	cmd.exe	102
PID 2116 wrote to memory of 1292	2116	cmd.exe	102
PID 1292 wrote to memory of 1396	1292	net.exe	104
PID 1292 wrote to memory of 1396	1292	net.exe	104
PID 1292 wrote to memory of 1396	1292	net.exe	104
PID 1964 wrote to memory of 2096	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	105
PID 1964 wrote to memory of 2096	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	105
PID 1964 wrote to memory of 2096	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	105
PID 2096 wrote to memory of 3140	2096	cmd.exe	107
PID 2096 wrote to memory of 3140	2096	cmd.exe	107
PID 2096 wrote to memory of 3140	2096	cmd.exe	107
PID 3140 wrote to memory of 2260	3140	net.exe	108
PID 3140 wrote to memory of 2260	3140	net.exe	108
PID 3140 wrote to memory of 2260	3140	net.exe	108
PID 1964 wrote to memory of 1496	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	109
PID 1964 wrote to memory of 1496	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	109
PID 1964 wrote to memory of 1496	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	109
PID 1496 wrote to memory of 3340	1496	cmd.exe	111
PID 1496 wrote to memory of 3340	1496	cmd.exe	111
PID 1496 wrote to memory of 3340	1496	cmd.exe	111
PID 1964 wrote to memory of 4348	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	113
PID 1964 wrote to memory of 4348	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	113
PID 1964 wrote to memory of 4348	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	113
PID 4348 wrote to memory of 4032	4348	extext240684812t.exe	116
PID 4348 wrote to memory of 4032	4348	extext240684812t.exe	116
PID 4348 wrote to memory of 4032	4348	extext240684812t.exe	116
PID 1964 wrote to memory of 3632	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	118
PID 1964 wrote to memory of 3632	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	118
PID 1964 wrote to memory of 3632	1964	d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe	118
PID 4032 wrote to memory of 3960	4032	cmd.exe	120
PID 4032 wrote to memory of 3960	4032	cmd.exe	120
PID 4032 wrote to memory of 3960	4032	cmd.exe	120
PID 3960 wrote to memory of 4040	3960	net.exe	121
PID 3960 wrote to memory of 4040	3960	net.exe	121
PID 3960 wrote to memory of 4040	3960	net.exe	121
PID 4348 wrote to memory of 440	4348	extext240684812t.exe	122

C:\Users\Admin\AppData\Local\Temp\d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe
"C:\Users\Admin\AppData\Local\Temp\d9e7e9b4314ded85ad94f6ccc68d105dce44ab5b1cfdc122eed8c0c23e64f7ee.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:4428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config ekrn start= disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\SysWOW64\sc.exe
    sc config ekrn start= disabled
    3⤵
    - Launches sc.exe
    PID:3424
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill.exe /im ekrn.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /im ekrn.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2248
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill.exe /im egui.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /im egui.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1268
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\tete240658171t.dll testall
  2⤵
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wscsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\net.exe
    net stop wscsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wscsvc
      4⤵
      PID:1396
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3140
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:2260
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config sharedaccess start= disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\SysWOW64\sc.exe
    sc config sharedaccess start= disabled
    3⤵
    - Launches sc.exe
    PID:3340
- C:\Windows\extext240684812t.exe
  C:\Windows\extext240684812t.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net stop wscsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4032
  - - C:\Windows\SysWOW64\net.exe
      net stop wscsvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3960
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop wscsvc
        5⤵
        
        PID:4040
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net stop SharedAccess
    3⤵
    PID:440
  - - C:\Windows\SysWOW64\net.exe
      net stop SharedAccess
      4⤵
      PID:4716
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        5⤵
        
        PID:1376
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc config sharedaccess start= disabled
    3⤵
    PID:4848
  - - C:\Windows\SysWOW64\sc.exe
      sc config sharedaccess start= disabled
      4⤵
      Launches sc.exe
      PID:836
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
    3⤵
    PID:1248
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
      4⤵
      PID:792
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cacls C:\Windows\system32 /e /p everyone:f
    3⤵
    PID:4596
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\system32 /e /p everyone:f
      4⤵
      PID:5112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c afc90a.bat
  2⤵
  PID:3632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\afc90a.bat

Filesize
2KB

MD5
f3e6c99676b3e634b3c044117875cfa7

SHA1
37c1ea6674ba428419bd232afc4b0bfa0e48d6a1

SHA256
1665054630557ea25291efda7572b9d70e32c27d2d04486a878aa7171ce3db52

SHA512
b5dbce52a2a4f68dcfd408f78c4413256a556fe1b074ee52473f1d4795b03e123504637749b783e7960eae07a889f4c4d758c9fc9dbcd26c62d84391546866b8

Download Submit
C:\Windows\extext240684812t.exe

Filesize
10KB

MD5
ac042ed688eb7caa56655f404ff390df

SHA1
2b6bf1130260c0aa0865ec5644102e2a3b8258b2

SHA256
579fef0a5cd24f0bd8da5f10f61a841ee7e409066fe8ff180b1515e699d2fe6d

SHA512
5ba34eea8247d065eccee6ac3ec5a8c542554d2bf8ec110900074d9b8ab60a61b67a042ac3b16d4ba12cfadf2d99a8715e7bc54d9bd2e81a388ff7a8ff0c519d

Download Submit
C:\Windows\extext240684812t.exe

Filesize
10KB

MD5
ac042ed688eb7caa56655f404ff390df

SHA1
2b6bf1130260c0aa0865ec5644102e2a3b8258b2

SHA256
579fef0a5cd24f0bd8da5f10f61a841ee7e409066fe8ff180b1515e699d2fe6d

SHA512
5ba34eea8247d065eccee6ac3ec5a8c542554d2bf8ec110900074d9b8ab60a61b67a042ac3b16d4ba12cfadf2d99a8715e7bc54d9bd2e81a388ff7a8ff0c519d

Download Submit
C:\Windows\tete240658171t.dll

Filesize
36KB

MD5
2c4156b222b22d48b9fad49d051d1a99

SHA1
c7ba5cd859de1c79573e4792d8830558f24f7315

SHA256
f9a62f276e8e5b3cf492ae60dbf363cd9e53a0be46a88a8c3dfe62ad0508edac

SHA512
a5748948cf104cf3460c5d08bd55125af2d1f2d6d6ca494d756c00c54a8871aee8e6864bd673aa76104c1e8ed273fa9c5f4969ae39017ae84be3f74b5d6e6c31

Download Submit
C:\Windows\tete240658171t.dll

Filesize
36KB

MD5
2c4156b222b22d48b9fad49d051d1a99

SHA1
c7ba5cd859de1c79573e4792d8830558f24f7315

SHA256
f9a62f276e8e5b3cf492ae60dbf363cd9e53a0be46a88a8c3dfe62ad0508edac

SHA512
a5748948cf104cf3460c5d08bd55125af2d1f2d6d6ca494d756c00c54a8871aee8e6864bd673aa76104c1e8ed273fa9c5f4969ae39017ae84be3f74b5d6e6c31

Download Submit
memory/1964-137-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1964-157-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1964-132-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download