0f03d81bf6f3c68d07e13d1fb837273fb1fddb3719ed428caa5c9781cfabf25e

Analysis

max time kernel
24s
max time network
17s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
06/02/2023, 21:01

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

SetupExitLag_v4239.exe
Size

18.3MB
MD5

473499d54eeb5f4abb893ce5b7eeb954
SHA1

3b276b4cc513ee36444180e02bc6858427c49dc8
SHA256

0f03d81bf6f3c68d07e13d1fb837273fb1fddb3719ed428caa5c9781cfabf25e
SHA512

8aa367a35cf827f5643bbc336b36307092b6b5fe1c31dbf56183b1c901a7fef865093639585a5d76401605855f5ed5fe22b6581a1acec57a7bdea2391320a28a
SSDEEP

393216:FjMT6W+wfoK9hA1ZvomzyaMHl4vFQg0jlN+gRjGajQq1daNFEU+:Fbq90lwHKygILpRZDOGf

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3864	SetupExitLag_v4239.tmp
4080	DriverCacheCleaner.exe
3492	certinst.exe
3412	snetcfg.exe

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ndextlag_lwf.inf_amd64_74752af70c6e7e55\ndextlag.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d8da18bd-a8fd-084e-ac3e-edf178993b76}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_ded82fc1c2b41e6b\netvwififlt.PNF	snetcfg.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_739e9ec110147b31\netbrdg.PNF	snetcfg.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_9b48be32f09b1fb6\netnwifi.PNF	snetcfg.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d8da18bd-a8fd-084e-ac3e-edf178993b76}\SETB366.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d8da18bd-a8fd-084e-ac3e-edf178993b76}\ndextlag_lwf.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d8da18bd-a8fd-084e-ac3e-edf178993b76}\SETB367.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_286311b3ad406c73\netrass.PNF	snetcfg.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_ecd984f601508a74\netserv.PNF	snetcfg.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_e610f6f65afdc230\netnb.PNF	snetcfg.exe
File created	C:\Windows\System32\DriverStore\Temp\{d8da18bd-a8fd-084e-ac3e-edf178993b76}\SETB366.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ndextlag_lwf.inf_amd64_74752af70c6e7e55\ndextlag.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_960a76222168b3fa\ndiscap.PNF	snetcfg.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_56290c9e296b5be9\netpacer.PNF	snetcfg.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndextlag_lwf.inf_amd64_74752af70c6e7e55\ndextlag_lwf.PNF	snetcfg.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d8da18bd-a8fd-084e-ac3e-edf178993b76}\ndextlag.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d8da18bd-a8fd-084e-ac3e-edf178993b76}\ndextlag.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d8da18bd-a8fd-084e-ac3e-edf178993b76}\SETB378.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{d8da18bd-a8fd-084e-ac3e-edf178993b76}\SETB378.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ndextlag_lwf.inf_amd64_74752af70c6e7e55\ndextlag_lwf.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_23069e5b67ce90a4\c_netservice.PNF	snetcfg.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF	snetcfg.exe
File created	C:\Windows\System32\DriverStore\Temp\{d8da18bd-a8fd-084e-ac3e-edf178993b76}\SETB367.tmp	DrvInst.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem2.inf	DrvInst.exe
File created	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	snetcfg.exe

Checks SCSI registry key(s) 3 TTPs 22 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3C9EF70FC04EF0F94FF7C8B3FD14AC98E2F9A404	certinst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3C9EF70FC04EF0F94FF7C8B3FD14AC98E2F9A404\Blob = 0300000001000000140000003c9ef70fc04ef0f94ff7c8b3fd14ac98e2f9a40420000000010000003f0500003082053b30820423a00302010202100e4aa136f842cf069fa2b1d13b47803d300d06092a864886f70d01010505003073310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d313230300603550403132944696769436572742048696768204173737572616e636520436f6465205369676e696e672043412d31301e170d3135303933303030303030305a170d3138313030343132303030305a308183310b30090603550406130256473110300e06035504081307546f72746f6c613112301006035504071309526f616420546f776e31263024060355040a131d4d61696e6c696e65204e657420486f6c64696e6773204c696d69746564312630240603550403131d4d61696e6c696e65204e657420486f6c64696e6773204c696d6974656430820122300d06092a864886f70d01010105000382010f003082010a0282010100a46dc66517dbbdbf031f53bd6d7e83fe56a812de44ab1ab8808e80b70f189aa81817f459b70a4da4a2bcf187781e72621801ea2eb06328ad8cdcbfdac90790d61445ac84999f9f8f834b2272bc90f95082b9dd87060babbb48dadf1cdfc511746991866726fd5681fbff11d032f29906cf07199ed2f9608d2d8b16014df5e1c09ec11b3748d235b0b70c7a1dd37a938c9f8f031a7aaaa535759c460744cc9b429a70fc3b3454a814dcdad2d4d0cfab2992ddf484ad85ddbd52c4d86d25b6deeabaabde33f9a3eb74dbd472bfeeb75d22db89315b422e26defcf8c713832da4062349c68e3d1fe8b76fe340fbc0b55b1429b8b79a4755d82ebbb4d3ab17018d770203010001a38201b8308201b4301f0603551d23041830168014974803eb15086bb9b25823cc942ef1c665d2648e301d0603551d0e04160414fad831e9141f3ca65be6d36d9820545085201d04300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330690603551d1f04623060302ea02ca02a8628687474703a2f2f63726c332e64696769636572742e636f6d2f68612d63732d32303131612e63726c302ea02ca02a8628687474703a2f2f63726c342e64696769636572742e636f6d2f68612d63732d32303131612e63726c304b0603551d2004443042303706096086480186fd6c0301302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c010430818606082b06010505070101047a3078302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305006082b060105050730028644687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274486967684173737572616e6365436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d010105050003820101005d31723227361d4d6fe738208f585ea3771a40c1b0efafcaad239dafe052b820dbb7d217899daddf9407b4dd8232962f9b3e640d4b0ac84e040f7c113c47e5bded0cd96a1b98d240b8f9e29553124c5a4fa406e45384a46f968fe772ea05d69fc0af258a38217b9e68710585c5655f8a0e72dd713c22765f8a4d36b4819abfa0e69fc27efc0fda7f3e51311fe11e048ce2868ab4d8c33912548fcc6d54ae173ca292002d2238b67d68cb3b56a474f32bc7ad8e6e75a86e2618c0c08fd9006257e32ef3de6e579806c1d9ebdc0abd4d80d161946295ff2d7e75938af270f110c856bbdd66b3cae08b8eaf895520bf9b68e4e18315ba59db9daae06ff1d897417f	certinst.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeAuditPrivilege	4872	svchost.exe
Token: SeSecurityPrivilege	4872	svchost.exe
Token: SeShutdownPrivilege	1800	svchost.exe
Token: SeCreatePagefilePrivilege	1800	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 3864	2668	SetupExitLag_v4239.exe	66
PID 2668 wrote to memory of 3864	2668	SetupExitLag_v4239.exe	66
PID 2668 wrote to memory of 3864	2668	SetupExitLag_v4239.exe	66
PID 3864 wrote to memory of 4080	3864	SetupExitLag_v4239.tmp	67
PID 3864 wrote to memory of 4080	3864	SetupExitLag_v4239.tmp	67
PID 3864 wrote to memory of 4080	3864	SetupExitLag_v4239.tmp	67
PID 3864 wrote to memory of 3492	3864	SetupExitLag_v4239.tmp	69
PID 3864 wrote to memory of 3492	3864	SetupExitLag_v4239.tmp	69
PID 3864 wrote to memory of 3412	3864	SetupExitLag_v4239.tmp	71
PID 3864 wrote to memory of 3412	3864	SetupExitLag_v4239.tmp	71
PID 4872 wrote to memory of 5040	4872	svchost.exe	74
PID 4872 wrote to memory of 5040	4872	svchost.exe	74

C:\Users\Admin\AppData\Local\Temp\SetupExitLag_v4239.exe
"C:\Users\Admin\AppData\Local\Temp\SetupExitLag_v4239.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\is-4P9AV.tmp\SetupExitLag_v4239.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-4P9AV.tmp\SetupExitLag_v4239.tmp" /SL5="$B0060,18769793,227328,C:\Users\Admin\AppData\Local\Temp\SetupExitLag_v4239.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Users\Admin\AppData\Local\Temp\is-RSE2M.tmp\DriverCacheCleaner.exe
    "C:\Users\Admin\AppData\Local\Temp\is-RSE2M.tmp\DriverCacheCleaner.exe"
    3⤵
    - Executes dropped EXE
    PID:4080
- - C:\Users\Admin\AppData\Local\Temp\is-RSE2M.tmp\WinpkFilter\tools\amd64\certinst.exe
    "C:\Users\Admin\AppData\Local\Temp\is-RSE2M.tmp\WinpkFilter\tools\amd64\certinst.exe" C:\Users\Admin\AppData\Local\Temp\is-RSE2M.tmp\WinpkFilter\root.cer
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    PID:3492
- - C:\Users\Admin\AppData\Local\Temp\is-RSE2M.tmp\WinpkFilter\lwf\win10\amd64\snetcfg.exe
    "C:\Users\Admin\AppData\Local\Temp\is-RSE2M.tmp\WinpkFilter\lwf\win10\amd64\snetcfg.exe" -v -l ndextlag_lwf.inf -c s -i nt_ndextlag
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:3412

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{a4de0481-101c-8843-b664-7e8f49143213}\ndextlag_lwf.inf" "9" "49ef4f4d3" "0000000000000178" "WinSta0\Default" "000000000000017C" "208" "C:\Users\Admin\AppData\Local\Temp\is-RSE2M.tmp\WinpkFilter\lwf\win10\amd64"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:5040

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-4P9AV.tmp\SetupExitLag_v4239.tmp

Filesize
1.2MB

MD5
ce09dd687a3aed7cdb87e8a285fc10cb

SHA1
f5e05189f92b38341ebfdb92e01088b100ad4862

SHA256
a27f666ebe1d7b5ca33b0676470fca993df8bedbeda0828d397ddd3856455363

SHA512
3f5bb5d86a42dc9a90cc8d54cbf85408afad574d32893d4a5ab1c7fe1c5e733e83898b5884b1827a414073b7f3c45e42ee67a0a61093247bcd0eb4b5b8957f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RSE2M.tmp\DriverCacheCleaner.exe

Filesize
200KB

MD5
690378fc7d9b6ab25daeeea96049ff71

SHA1
c8b1579ed0da6b6194670d9d1f99db39a476ae85

SHA256
f5448fd3bc9b33597d24c6d6f3f576bc642a64aa1cb9a83877b1c58dce6f383c

SHA512
bdc83e9e700f92496807d0f617fa1ecca6b3da4f28bd3ac2231eec9cffbacf41b228dd28d2d5983be9a9dd07e246b2dc70d701b999cdcd24751dec816aafc700

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RSE2M.tmp\DriverCacheCleaner.exe

Filesize
200KB

MD5
690378fc7d9b6ab25daeeea96049ff71

SHA1
c8b1579ed0da6b6194670d9d1f99db39a476ae85

SHA256
f5448fd3bc9b33597d24c6d6f3f576bc642a64aa1cb9a83877b1c58dce6f383c

SHA512
bdc83e9e700f92496807d0f617fa1ecca6b3da4f28bd3ac2231eec9cffbacf41b228dd28d2d5983be9a9dd07e246b2dc70d701b999cdcd24751dec816aafc700

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RSE2M.tmp\WINPKF~1\lwf\win10\amd64\ndextlag.cat

Filesize
10KB

MD5
07233c93bcf5e88dd77cfeed420fd49a

SHA1
4ca449033cbf525d724384350ef7f41e8e5434de

SHA256
3e0dfbaa29d24e891565fad018d5e74ee78bab72a2f23f07116d0a4faf8ac967

SHA512
358490f72ab0d5cfb98cc5fffa9e4251d64fe4ac41d9114a0c163a6b64c963fdad823df64f5618529258b51f258ab83d8c6cfb9850f3b7beda386d67ff9b820a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RSE2M.tmp\WINPKF~1\lwf\win10\amd64\ndextlag.sys

Filesize
47KB

MD5
5c6b0075104b71bc4f957e84cbcf7439

SHA1
fe72de312330a07a73c45b2a9979875b6c67c9f8

SHA256
9712b1d5db9198c01cd1de36a821cbac849b27d5a1100a5e12ec057d475c31ad

SHA512
a11b764ea160dd6c1d816bf53f1caa335df83b147e7583822066781c2ced3042ec374eb0186ee754b381a11905a9d40450c065626caf7ca49544268073684afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RSE2M.tmp\WinpkFilter\lwf\win10\amd64\ndextlag_lwf.inf

Filesize
2KB

MD5
560b7a74f86e5e9706f891349cbd0b40

SHA1
c8609aa1f96f8c05e5e4a8f5c11303adbf145cb6

SHA256
be7dcb994db84ab2e9a39127cf5bbee8be03c87c66a17559296e8465ed13bff3

SHA512
dd952a971a8824087aec15b1ca8bf7cd6059214865f97644be84a975df43d172240dff0df6765b7871988ef877b47142e0ab07a9d537b0b791c428684301d7bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RSE2M.tmp\WinpkFilter\lwf\win10\amd64\snetcfg.exe

Filesize
15KB

MD5
3b646b9d750aadd3dc5e26d08ea5b285

SHA1
a396e740a34da1112621efca0b7309dba9706cf5

SHA256
c80d994761ec106e15232ca38aeda7e673d82888644fc8e71d6943c2af26f3e7

SHA512
4e448d4d2b10d44f09e337856c3e133e99a41448fb132fb675805c140d22bd85602ee130b6204a6a17f5391946156c133a975e0f411dd1f38abd30cd53635d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RSE2M.tmp\WinpkFilter\lwf\win10\amd64\snetcfg.exe

Filesize
15KB

MD5
3b646b9d750aadd3dc5e26d08ea5b285

SHA1
a396e740a34da1112621efca0b7309dba9706cf5

SHA256
c80d994761ec106e15232ca38aeda7e673d82888644fc8e71d6943c2af26f3e7

SHA512
4e448d4d2b10d44f09e337856c3e133e99a41448fb132fb675805c140d22bd85602ee130b6204a6a17f5391946156c133a975e0f411dd1f38abd30cd53635d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RSE2M.tmp\WinpkFilter\root.cer

Filesize
1KB

MD5
04fc6a1705148f92caf75715640e831a

SHA1
3c9ef70fc04ef0f94ff7c8b3fd14ac98e2f9a404

SHA256
77905966359b8c8894e0ef9a6e91025d4f1904218f672a4e7cd02fdf4cd635af

SHA512
1dc1677039fb2625d200f0b6c77a594b865e2dcb81435fd89b95fb631264a992e6675177c98ad217019ce964f2512a2bde609c7265c3708dc0526430b756a398

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RSE2M.tmp\WinpkFilter\tools\amd64\certinst.exe

Filesize
112KB

MD5
9d7c89df581aa64f04eab76c2fa22104

SHA1
a71c857390a7fd1bccf820fbdbb6023acc2f0bd3

SHA256
4d04a96e8d3505a7139275d63ea3147343f43af50ba38638a7eb212b60ff09b3

SHA512
204bde8918ee9019f1f19dd58237b3eebb5f20635564ddcd809efba5051879bed3f99abb4204368824f6037e59af0f03fa435ada5028b22072f111fc4c04dd27

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RSE2M.tmp\WinpkFilter\tools\amd64\certinst.exe

Filesize
112KB

MD5
9d7c89df581aa64f04eab76c2fa22104

SHA1
a71c857390a7fd1bccf820fbdbb6023acc2f0bd3

SHA256
4d04a96e8d3505a7139275d63ea3147343f43af50ba38638a7eb212b60ff09b3

SHA512
204bde8918ee9019f1f19dd58237b3eebb5f20635564ddcd809efba5051879bed3f99abb4204368824f6037e59af0f03fa435ada5028b22072f111fc4c04dd27

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A4DE0~1\ndextlag.cat

Filesize
10KB

MD5
07233c93bcf5e88dd77cfeed420fd49a

SHA1
4ca449033cbf525d724384350ef7f41e8e5434de

SHA256
3e0dfbaa29d24e891565fad018d5e74ee78bab72a2f23f07116d0a4faf8ac967

SHA512
358490f72ab0d5cfb98cc5fffa9e4251d64fe4ac41d9114a0c163a6b64c963fdad823df64f5618529258b51f258ab83d8c6cfb9850f3b7beda386d67ff9b820a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A4DE0~1\ndextlag.sys

Filesize
47KB

MD5
5c6b0075104b71bc4f957e84cbcf7439

SHA1
fe72de312330a07a73c45b2a9979875b6c67c9f8

SHA256
9712b1d5db9198c01cd1de36a821cbac849b27d5a1100a5e12ec057d475c31ad

SHA512
a11b764ea160dd6c1d816bf53f1caa335df83b147e7583822066781c2ced3042ec374eb0186ee754b381a11905a9d40450c065626caf7ca49544268073684afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\{a4de0481-101c-8843-b664-7e8f49143213}\ndextlag_lwf.inf

Filesize
2KB

MD5
560b7a74f86e5e9706f891349cbd0b40

SHA1
c8609aa1f96f8c05e5e4a8f5c11303adbf145cb6

SHA256
be7dcb994db84ab2e9a39127cf5bbee8be03c87c66a17559296e8465ed13bff3

SHA512
dd952a971a8824087aec15b1ca8bf7cd6059214865f97644be84a975df43d172240dff0df6765b7871988ef877b47142e0ab07a9d537b0b791c428684301d7bf

Download Submit
C:\Windows\INF\oem2.inf

Filesize
2KB

MD5
560b7a74f86e5e9706f891349cbd0b40

SHA1
c8609aa1f96f8c05e5e4a8f5c11303adbf145cb6

SHA256
be7dcb994db84ab2e9a39127cf5bbee8be03c87c66a17559296e8465ed13bff3

SHA512
dd952a971a8824087aec15b1ca8bf7cd6059214865f97644be84a975df43d172240dff0df6765b7871988ef877b47142e0ab07a9d537b0b791c428684301d7bf

Download Submit
C:\Windows\System32\DriverStore\FileRepository\ndextlag_lwf.inf_amd64_74752af70c6e7e55\ndextlag_lwf.inf

Filesize
2KB

MD5
560b7a74f86e5e9706f891349cbd0b40

SHA1
c8609aa1f96f8c05e5e4a8f5c11303adbf145cb6

SHA256
be7dcb994db84ab2e9a39127cf5bbee8be03c87c66a17559296e8465ed13bff3

SHA512
dd952a971a8824087aec15b1ca8bf7cd6059214865f97644be84a975df43d172240dff0df6765b7871988ef877b47142e0ab07a9d537b0b791c428684301d7bf

Download Submit
memory/2668-129-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-152-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-133-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-134-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-135-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-137-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-138-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-136-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-139-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-140-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-141-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-142-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-143-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-144-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-146-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-147-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-148-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-149-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2668-151-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-132-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-145-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2668-154-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-155-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-210-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2668-118-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-131-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-130-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-128-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-127-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-126-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-125-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-124-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-123-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-122-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-121-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-120-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-119-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3864-168-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3864-173-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3864-174-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3864-175-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3864-176-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3864-177-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3864-178-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3864-179-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3864-181-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3864-182-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3864-180-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3864-171-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3864-170-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3864-169-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3864-172-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3864-167-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3864-166-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3864-165-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3864-164-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3864-163-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3864-183-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3864-184-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3864-158-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3864-159-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3864-162-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3864-161-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3864-160-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download