ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42

Analysis

max time kernel
103s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Size

90KB
MD5

4a88ae4b043e5e626c39a51d7e380b5a
SHA1

a833330f04fa886dc9e401766e7a1673f2a740f6
SHA256

ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42
SHA512

83b12a847cd4f639b13db4f7f6ce13965a4757415e698c9ea470680adf5de672479cc9c8927b8a18be012002adc18083b0894226c803626e23025dcc844ac9f9
SSDEEP

1536:VmZWGE/gxwXe4U7bPPa/q4udgeApY06+5wHNxd9m1pLyg+eu+ixh8NJVnKu9ypLI:UZW8wPU/PPWCvmYXhhe2si/8pnfyf2qE

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5060	wmnet.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Down.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safebank.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpFile.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTray.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsMain.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxup.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwstub.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwstub.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\extdb.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ras.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ras.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\esslibupdate.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxup.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safeup.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Down.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360deepscan.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\extdb.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpFile.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360deepscan.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsMain.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\esslibupdate.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ÐÞ¸´¹¤¾ß.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ÐÞ¸´¹¤¾ß.exe\Debugger = "TASKMAN.EXE"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SoftWare\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SOUNDMAN = "C:\\Progra~1\\Realtek\\ADPPath\\RTHDCPL.exe"	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Progra~1\Realtek\ADPPath\RTHDCPL.exe	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Token: SeDebugPrivilege	5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Token: SeDebugPrivilege	5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Token: SeDebugPrivilege	5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Token: SeDebugPrivilege	5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
Token: SeDebugPrivilege	5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 5024	5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe	81
PID 5028 wrote to memory of 5024	5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe	81
PID 5028 wrote to memory of 5024	5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe	81
PID 5028 wrote to memory of 2188	5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe	82
PID 5028 wrote to memory of 2188	5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe	82
PID 5028 wrote to memory of 2188	5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe	82
PID 5028 wrote to memory of 1588	5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe	85
PID 5028 wrote to memory of 1588	5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe	85
PID 5028 wrote to memory of 1588	5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe	85
PID 5028 wrote to memory of 5060	5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe	87
PID 5028 wrote to memory of 5060	5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe	87
PID 5028 wrote to memory of 5060	5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe	87
PID 5024 wrote to memory of 1352	5024	net.exe	88
PID 5024 wrote to memory of 1352	5024	net.exe	88
PID 5024 wrote to memory of 1352	5024	net.exe	88
PID 2188 wrote to memory of 3136	2188	net.exe	90
PID 2188 wrote to memory of 3136	2188	net.exe	90
PID 2188 wrote to memory of 3136	2188	net.exe	90
PID 5028 wrote to memory of 4360	5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe	89
PID 5028 wrote to memory of 4360	5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe	89
PID 5028 wrote to memory of 4360	5028	ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe	89
PID 1588 wrote to memory of 1220	1588	net.exe	91
PID 1588 wrote to memory of 1220	1588	net.exe	91
PID 1588 wrote to memory of 1220	1588	net.exe	91

C:\Users\Admin\AppData\Local\Temp\ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe
"C:\Users\Admin\AppData\Local\Temp\ef0b0aedc0cf0e39e5c1ac3c905127649bbce354e445825af80fdc207c5c1b42.exe"
1⤵
- Sets file execution options in registry
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    PID:1352
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:3136
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    PID:1220
- C:\Users\Admin\AppData\Local\Temp\wmnet.exe
  C:\Users\Admin\AppData\Local\Temp\wmnet.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del C:\wmiprvse.exe
  2⤵
  PID:4360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wmnet.exe

Filesize
34KB

MD5
3d9abc0931ba2fe5e0ece6f31336e4c5

SHA1
5ed3751d91a899ac1a1606941c7001135d7adde5

SHA256
5f1b9bacb3801decc2287473efac54cb85e438cf50024c55189b30974a29c89e

SHA512
885857b18e7f51014887254553dea8a5760a87f2551ef8ae204b9e2ec0a14a4fafc875f286d23428e8492b4a398df12def927eaa1aff9e7440ccdf8df6b38c35

Download Submit
memory/5028-135-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download
memory/5028-138-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download
memory/5028-146-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download