a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a

Analysis

max time kernel
68s
max time network
57s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 13:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe
Size

717KB
MD5

06ddd79ee01a6d04b9ad59b6dc5dead5
SHA1

4fad06bac3ca4cbdf8b893800646842a6629abe2
SHA256

a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a
SHA512

2abc71f7c5a2a77a333a3498a50710c529d132d3485d33ffbe59431ca124c3f72ef3f2953d13ca5ca5b1037c4f747cb085c2d2e799b18303b88940336a41c790
SSDEEP

12288:wrgNANdEly2170FRY7kq5rfE5DWcoRdXu7Z4Wp9CbpLUR8o:zIur17YNKfEB3oK4Wp9CbqR

Score

10^/10

bootkit persistence upx

Malware Config

Signatures

Suspicious use of NtCreateProcessOtherParentProcess 10 IoCs

description	pid	Process	procid_target
PID 1760 created 1264	1760	RkRealTech.exe	19
PID 1760 created 1264	1760	RkRealTech.exe	19
PID 1760 created 1264	1760	RkRealTech.exe	19
PID 1760 created 1264	1760	RkRealTech.exe	19
PID 1760 created 1264	1760	RkRealTech.exe	19
PID 1760 created 1264	1760	RkRealTech.exe	19
PID 1760 created 1264	1760	RkRealTech.exe	19
PID 1760 created 1264	1760	RkRealTech.exe	19
PID 1760 created 1264	1760	RkRealTech.exe	19
PID 1760 created 1264	1760	RkRealTech.exe	19

Nirsoft 2 IoCs

resource	yara_rule
behavioral1/memory/1528-72-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral1/memory/1624-76-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft

Executes dropped EXE 9 IoCs

pid	Process
1528	RtkSYUdp.exe
1624	RtkSYUdp.exe
2004	RtkSYUdp.exe
1796	RtkSYUdp.exe
1972	RtkSYUdp.exe
1780	RtkSYUdp.exe
360	RtkSYUdp.exe
1948	RtkSYUdp.exe
1760	RkRealTech.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1488-55-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/files/0x0007000000012708-70.dat	upx
behavioral1/files/0x0007000000012708-68.dat	upx
behavioral1/memory/1528-72-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/files/0x0007000000012708-74.dat	upx
behavioral1/memory/1624-76-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/files/0x0007000000012708-78.dat	upx
behavioral1/files/0x0007000000012708-81.dat	upx
behavioral1/files/0x0007000000012708-84.dat	upx
behavioral1/files/0x0007000000012708-91.dat	upx
behavioral1/files/0x0007000000012708-94.dat	upx
behavioral1/files/0x0007000000012708-97.dat	upx
behavioral1/memory/1488-102-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/1488-105-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
836	cmd.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\desktop.ini	RtkSYUdp.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\TaoBao\ÌÔ±¦.ico	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe
File created	C:\Program Files (x86)\Common Files\TaoBao\Ð¡ÓÎÏ·.ico	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe
File created	C:\Program Files (x86)\Common Files\TaoBao\ÌÔ±¦.tmp	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe
File created	C:\Program Files (x86)\Common Files\TaoBao\4399Ð¡ÓÎÏ·.tmp	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\RkRealTech.exe	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe
File created	C:\Windows\RtkSYUdp.exe	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\internet explorer\version Vector	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\ÊôÐÔ\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ = "lnkfile"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\InfoTip = "@shdoclc.dll,-881"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\ÊôÐÔ	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\DefaultIcon\ = "shdoclc.dll,-190"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\ShellFolder\	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\ÊôÐÔ\ = "ÊôÐÔ(&R)"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\ShellFolder	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8}	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\ShellFolder\Attributes = "0"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ = "InternetShortcut"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\ÊôÐÔ\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\LocalizedString = "@shdoclc.dll,-880"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\DefaultIcon	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew\Command = "rundll32.exe appwiz.cpl,NewLinkHere %1"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open\ = "´ò¿ªÖ÷Ò³(&H)"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open\Command\ = "IEXPLORE.EXE %w%w%w.93%119%15.%c%o%m"	regedit.exe

Runs regedit.exe 12 IoCs

pid	Process
964	regedit.exe
1972	regedit.exe
1840	regedit.exe
360	regedit.exe
632	regedit.exe
1016	regedit.exe
1112	regedit.exe
1460	regedit.exe
1992	regedit.exe
604	regedit.exe
336	regedit.exe
1984	regedit.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe
1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe
1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe
1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe
1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe
1760	RkRealTech.exe
1760	RkRealTech.exe
1760	RkRealTech.exe
1760	RkRealTech.exe
1760	RkRealTech.exe
1760	RkRealTech.exe
1760	RkRealTech.exe
1760	RkRealTech.exe
1760	RkRealTech.exe
1760	RkRealTech.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe
1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 632	1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe	29
PID 1488 wrote to memory of 632	1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe	29
PID 1488 wrote to memory of 632	1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe	29
PID 1488 wrote to memory of 632	1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe	29
PID 1488 wrote to memory of 560	1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe	30
PID 1488 wrote to memory of 560	1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe	30
PID 1488 wrote to memory of 560	1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe	30
PID 1488 wrote to memory of 560	1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe	30
PID 1488 wrote to memory of 1016	1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe	32
PID 1488 wrote to memory of 1016	1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe	32
PID 1488 wrote to memory of 1016	1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe	32
PID 1488 wrote to memory of 1016	1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe	32
PID 1488 wrote to memory of 316	1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe	33
PID 1488 wrote to memory of 316	1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe	33
PID 1488 wrote to memory of 316	1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe	33
PID 1488 wrote to memory of 316	1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe	33
PID 1488 wrote to memory of 1740	1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe	35
PID 1488 wrote to memory of 1740	1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe	35
PID 1488 wrote to memory of 1740	1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe	35
PID 1488 wrote to memory of 1740	1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe	35
PID 1740 wrote to memory of 1528	1740	cmd.exe	37
PID 1740 wrote to memory of 1528	1740	cmd.exe	37
PID 1740 wrote to memory of 1528	1740	cmd.exe	37
PID 1740 wrote to memory of 1528	1740	cmd.exe	37
PID 1740 wrote to memory of 1624	1740	cmd.exe	38
PID 1740 wrote to memory of 1624	1740	cmd.exe	38
PID 1740 wrote to memory of 1624	1740	cmd.exe	38
PID 1740 wrote to memory of 1624	1740	cmd.exe	38
PID 1740 wrote to memory of 2004	1740	cmd.exe	39
PID 1740 wrote to memory of 2004	1740	cmd.exe	39
PID 1740 wrote to memory of 2004	1740	cmd.exe	39
PID 1740 wrote to memory of 2004	1740	cmd.exe	39
PID 1740 wrote to memory of 1796	1740	cmd.exe	40
PID 1740 wrote to memory of 1796	1740	cmd.exe	40
PID 1740 wrote to memory of 1796	1740	cmd.exe	40
PID 1740 wrote to memory of 1796	1740	cmd.exe	40
PID 1740 wrote to memory of 1972	1740	cmd.exe	41
PID 1740 wrote to memory of 1972	1740	cmd.exe	41
PID 1740 wrote to memory of 1972	1740	cmd.exe	41
PID 1740 wrote to memory of 1972	1740	cmd.exe	41
PID 1740 wrote to memory of 1780	1740	cmd.exe	42
PID 1740 wrote to memory of 1780	1740	cmd.exe	42
PID 1740 wrote to memory of 1780	1740	cmd.exe	42
PID 1740 wrote to memory of 1780	1740	cmd.exe	42
PID 1740 wrote to memory of 360	1740	cmd.exe	43
PID 1740 wrote to memory of 360	1740	cmd.exe	43
PID 1740 wrote to memory of 360	1740	cmd.exe	43
PID 1740 wrote to memory of 360	1740	cmd.exe	43
PID 1740 wrote to memory of 1948	1740	cmd.exe	44
PID 1740 wrote to memory of 1948	1740	cmd.exe	44
PID 1740 wrote to memory of 1948	1740	cmd.exe	44
PID 1740 wrote to memory of 1948	1740	cmd.exe	44
PID 1488 wrote to memory of 1760	1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe	47
PID 1488 wrote to memory of 1760	1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe	47
PID 1488 wrote to memory of 1760	1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe	47
PID 1488 wrote to memory of 1760	1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe	47
PID 1488 wrote to memory of 836	1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe	49
PID 1488 wrote to memory of 836	1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe	49
PID 1488 wrote to memory of 836	1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe	49
PID 1488 wrote to memory of 836	1488	a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe	49
PID 1760 wrote to memory of 336	1760	RkRealTech.exe	51
PID 1760 wrote to memory of 336	1760	RkRealTech.exe	51
PID 1760 wrote to memory of 336	1760	RkRealTech.exe	51
PID 1760 wrote to memory of 336	1760	RkRealTech.exe	51

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe
  "C:\Users\Admin\AppData\Local\Temp\a7f8fd21c5def8b786e315681fb287f262d213cce64c63d1c43f846d0364469a.exe"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Users\Admin\AppData\Local\Temp\$rar10987.tmp
    3⤵
    - Modifies registry class
    - Runs regedit.exe
    PID:632
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$RAVSING.bat
    3⤵
    PID:560
- - C:\Windows\SysWOW64\regedit.exe
    C:\Windows\regedit.exe /s C:\Users\Admin\AppData\Local\Temp\okhhhik.tmp
    3⤵
    - Modifies registry class
    - Runs regedit.exe
    PID:1016
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$edbs.bat
    3⤵
    PID:316
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$rcqi.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\."
      4⤵
      Executes dropped EXE
      PID:1528
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\.."
      4⤵
      Executes dropped EXE
      PID:1624
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\desktop.ini"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      PID:2004
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\GOOGLE~1.LNK"
      4⤵
      Executes dropped EXE
      PID:1796
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\LAUNCH~1.LNK"
      4⤵
      Executes dropped EXE
      PID:1972
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\SHOWSD~1.LNK"
      4⤵
      Executes dropped EXE
      PID:1780
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1"
      4⤵
      Executes dropped EXE
      PID:360
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\WINDOW~1.LNK"
      4⤵
      Executes dropped EXE
      PID:1948
- - C:\Windows\RkRealTech.exe
    C:\Windows\RkRealTech.exe \??\C:\Windows\regedit.exe 1264 C:\Users\Admin\AppData\Local\Temp\$rar10943.tmp
    3⤵
    - Suspicious use of NtCreateProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat
    3⤵
    - Deletes itself
    PID:836
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
      4⤵
      PID:1720
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:336
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:964
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1984
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1112
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1972
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1840
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1460
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1992
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:360
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$RAVSING.bat

Filesize
361B

MD5
ee6683d37b35aefab668378230f6e956

SHA1
a0aa06d7d10963af58b44ddee5f8c177ff061917

SHA256
fb8e749b925ec65d3844e7ee48055fa6375b9fe988169fa8135ecb277452c2e2

SHA512
7ca13b1ef07a4763406aaac8a841baafd3a1054dbdd1b3a51a1a1f2a8247d47f17ce826e8ebe2468ed0d3399c7634452d89a6a99e8ab3eeec9653614ae8f33c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat

Filesize
689B

MD5
5d2c89a4a58564e79940bbe31f205cdc

SHA1
8e3f0f6d29912c96567cc646730f052ce3394848

SHA256
a8dccea5dc4e0cb2cda3789d506df061a0ff0cdbc39914eae854da73002ff403

SHA512
e4050f27fecc244cf63a35584ec45193ceb48620c22b994d97f53160adb88d5dbcfb24e3161c5ce29f8732cea8253b50b8ab28ed648845093885439de3e2e236

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$edbs.bat

Filesize
59B

MD5
0cf180f20e716094bef34db0f1a39a04

SHA1
f8e9da5d8eaf347b240a77c6a9c4f494d4fc351b

SHA256
2a72298ec1d957d1d225aec50a4e6e32c5dec2f2645f25e580304e5c7ae5bb26

SHA512
a471fee35dfc685effb46fcc37d47d7210fad3fdba7cb5342b13e11f95ae7690e4053b3399bca6da7546015a479ce55a301c6934be8bab7ec9eae5aece8bdb3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$rcqi.bat

Filesize
1KB

MD5
98d7f7eb2ab8df60b86f3eab6cc2d8be

SHA1
a86c8759d8dd00f7d5d64e3c5c0d467ce1f41547

SHA256
cfc8943e4bee67b768f0c7044a094fbb8d5405333e364e87e36afa47ea57e7e0

SHA512
a00934cbd3d20e0058ef844935cc31a652a9726441307dfd776bd2cf08baa16a8004350d4690024d5e626a596823ab7a3a86d72b9cb86b681d1b8e8cda9b5668

Download Submit
C:\Users\Admin\AppData\Local\Temp\$rar10943.tmp

Filesize
142B

MD5
1722b85f05faa97e09cc1d98002d0711

SHA1
0a2ec5d60f6c8af838fc004e8fbb0b436437887f

SHA256
2c428a167d8dabe9b4e4e821f5d56333962208ef44bc0becbf9c968f1e583e21

SHA512
40393e3b6f958a2b0303810ba3653f55b18ff22439df78487752c92cbe0a510120b2a078b31805980ae2ceaa4465674bfc2ce03803988481fd633e2b9c3ca3b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$rar10987.tmp

Filesize
1KB

MD5
185038ec1cc9a69a109726c8989e4cf5

SHA1
bfb62037297e8533e5f3940a32fb9505acf4fe26

SHA256
48ccff6cd96445619998a70fad77f5e655a9d146b93d0d160656619728c4e727

SHA512
bb0065a36a9bc48199943b21f3c3f10916fd15aa54201513f344464d962b5e6339e1df1b932043a914a662631f842a2f3b7a2c6e8c4e414567c5ea8ac9950391

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEXPLORE.tmp

Filesize
1KB

MD5
9a35457882cfac822ef87461827a1353

SHA1
50b3b3aa4977b1c0c3a47ff270046c0d28d24892

SHA256
ed098a6824ec01530f9e358adef713f30625374af01c7a2d4d951eb3bf2ac8cb

SHA512
c2257110abec6952749110605a1aecf10ae15340fc96c833663eda1103975b29c3744d5abbe83fd1c197233360470c1317af277a4e36c1f836e87f511723b67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\okhhhik.tmp

Filesize
3KB

MD5
25db315b7c4e03440fc39a45d0e696f4

SHA1
e676a65ddced682543871402c65745615866813b

SHA256
afebbcbfd45e044083133fd2f575f9cee59dbff403ae376b2d2307a89b97a26c

SHA512
d10afe733da4f6c33e2859078ca307e40cf15c0e2ddde9e48b8cb3962491cc73e6b47d2fb98c56d233bef268cf1d45ac68d5835885a8b5395ee4b0c6dd0ad3d4

Download Submit
C:\Windows\RkRealTech.exe

Filesize
92KB

MD5
4cc976fa2973e1db566df8bb150d5452

SHA1
1a7c809bec7e43140e6983fdacd99a6a52ff7e20

SHA256
7e82aaabbffecb2886043c8acb10fbf37bb0a60c862bd82a8856656934654fd8

SHA512
6e0967c9cdec524bcae32729a2a31511426bd06f1f19e3a7bf2fa88d6d0ba07442c7e1823006295892a744d73e792fdc04d5aa2ff76d511a7001d7885f45d731

Download Submit
C:\Windows\RkRealTech.exe

Filesize
92KB

MD5
4cc976fa2973e1db566df8bb150d5452

SHA1
1a7c809bec7e43140e6983fdacd99a6a52ff7e20

SHA256
7e82aaabbffecb2886043c8acb10fbf37bb0a60c862bd82a8856656934654fd8

SHA512
6e0967c9cdec524bcae32729a2a31511426bd06f1f19e3a7bf2fa88d6d0ba07442c7e1823006295892a744d73e792fdc04d5aa2ff76d511a7001d7885f45d731

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
memory/1488-55-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1488-105-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1488-102-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1488-54-0x0000000075F01000-0x0000000075F03000-memory.dmp

Filesize
8KB

Download
memory/1528-72-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1624-76-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1740-90-0x0000000000130000-0x0000000000145000-memory.dmp

Filesize
84KB

Download
memory/1740-89-0x0000000000130000-0x0000000000145000-memory.dmp

Filesize
84KB

Download
memory/1740-87-0x0000000000130000-0x0000000000145000-memory.dmp

Filesize
84KB

Download
memory/1740-88-0x0000000000130000-0x0000000000145000-memory.dmp

Filesize
84KB

Download