71547cc2abfbf2f4a7471534edca636a4bb553bc069b2baa0bdb72772f75701b

Analysis

max time kernel
133s
max time network
141s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c4f21627b35a1871da48f21a7225268.exe
Size

298KB
MD5

4c4f21627b35a1871da48f21a7225268
SHA1

c001abd94dce216e0b3dbe31e12ed44d4ef60f4b
SHA256

71547cc2abfbf2f4a7471534edca636a4bb553bc069b2baa0bdb72772f75701b
SHA512

7645a689980a4b187176c75b34f02d09558237d5a9bf20dd843588065f2e5b3a79f39e86d6513a792a3629238dae3568329c36c08e2c5596fd7f3f256a0f4bae
SSDEEP

6144:CpDDoDdbgLxQCv1L08cQHHJaHcggRDAZfBMKQxs9L/tn:cSGQCvxTa8geAZfBbQQV

Score

10^/10

adware discovery persistence stealer

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\tdomgafw = "{ED9DDF22-0514-4C30-AEF9-9B55203E22CA}"	evws.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\wetkadmr = "{9CF6891C-5AAE-47A9-9A75-7E8BB4BB4420}"	evws.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

pid	Process
976	cmd.exe

Executes dropped EXE 4 IoCs

pid	Process
2560	evws.exe
2724	evws.exe
2300	knxsrgte.exe
2152	evws.exe

Loads dropped DLL 28 IoCs

pid	Process
2240	4c4f21627b35a1871da48f21a7225268.exe
2240	4c4f21627b35a1871da48f21a7225268.exe
2240	4c4f21627b35a1871da48f21a7225268.exe
2240	4c4f21627b35a1871da48f21a7225268.exe
2240	4c4f21627b35a1871da48f21a7225268.exe
2240	4c4f21627b35a1871da48f21a7225268.exe
2240	4c4f21627b35a1871da48f21a7225268.exe
2240	4c4f21627b35a1871da48f21a7225268.exe
2240	4c4f21627b35a1871da48f21a7225268.exe
2240	4c4f21627b35a1871da48f21a7225268.exe
2240	4c4f21627b35a1871da48f21a7225268.exe
2672	cmd.exe
2672	cmd.exe
2560	evws.exe
2560	evws.exe
2672	cmd.exe
2672	cmd.exe
2724	evws.exe
2724	evws.exe
2672	cmd.exe
2672	cmd.exe
2300	knxsrgte.exe
2300	knxsrgte.exe
2672	cmd.exe
2672	cmd.exe
2152	evws.exe
2152	evws.exe
2240	4c4f21627b35a1871da48f21a7225268.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0826898D-C6EA-40BB-B636-9C82B5565312}	regsvr32.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\mkrndofl.dll	cmd.exe
File opened for modification	C:\Windows\mkrndofl.dll	cmd.exe
File opened for modification	C:\Windows\svorbmke.exe	cmd.exe
File opened for modification	C:\Windows\wetkadmr.dll	cmd.exe
File opened for modification	C:\Windows\tdomgafw.dll	cmd.exe
File created	C:\Windows\qvlbodmnwra.dll	cmd.exe
File opened for modification	C:\Windows\knxsrgte.exe	cmd.exe
File created	C:\Windows\svorbmke.exe	cmd.exe
File created	C:\Windows\wetkadmr.dll	cmd.exe
File created	C:\Windows\tdomgafw.dll	cmd.exe
File opened for modification	C:\Windows\qvlbodmnwra.dll	cmd.exe
File created	C:\Windows\knxsrgte.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{037E0831-A9B3-4AF9-99A7-F6A9E1E6A6D4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{037E0831-A9B3-4AF9-99A7-F6A9E1E6A6D4}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CA4E8C5-EA05-46CB-9053-AF3C07CD52B1}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A88C7880-AD57-4257-BD3A-867EBA77DA2E}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CF6891C-5AAE-47A9-9A75-7E8BB4BB4420}	evws.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0826898D-C6EA-40BB-B636-9C82B5565312}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CF6891C-5AAE-47A9-9A75-7E8BB4BB4420}\InProcServer32	evws.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8E63BBC4-4194-4918-98F0-4F55305B186C}\1.0\HELPDIR\ = "C:\\Windows\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0826898D-C6EA-40BB-B636-9C82B5565312}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A88C7880-AD57-4257-BD3A-867EBA77DA2E}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{25533E38-47A2-43E0-B915-48263381C921}\TypeLib\ = "{A88C7880-AD57-4257-BD3A-867EBA77DA2E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25533E38-47A2-43E0-B915-48263381C921}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	evws.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA5573D4-7C3B-4A7A-B55D-917AEBC03B29}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{037E0831-A9B3-4AF9-99A7-F6A9E1E6A6D4}\VersionIndependentProgID\ = "mkrndofl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{037E0831-A9B3-4AF9-99A7-F6A9E1E6A6D4}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8E63BBC4-4194-4918-98F0-4F55305B186C}\1.0\0\win32\ = "C:\\Windows\\mkrndofl.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CA4E8C5-EA05-46CB-9053-AF3C07CD52B1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSVPS.MSVPSApp	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0826898D-C6EA-40BB-B636-9C82B5565312}\ProgID\ = "DVA.First"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA5573D4-7C3B-4A7A-B55D-917AEBC03B29}\ProxyStubClsid32	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{037E0831-A9B3-4AF9-99A7-F6A9E1E6A6D4}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CA4E8C5-EA05-46CB-9053-AF3C07CD52B1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8E63BBC4-4194-4918-98F0-4F55305B186C}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED9DDF22-0514-4C30-AEF9-9B55203E22CA}\InProcServer32	evws.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED9DDF22-0514-4C30-AEF9-9B55203E22CA}	evws.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSVPS.MSVPSApp\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A88C7880-AD57-4257-BD3A-867EBA77DA2E}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA5573D4-7C3B-4A7A-B55D-917AEBC03B29}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mkrndofl.bsvq\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mkrndofl.bsvq\CurVer\ = "mkrndofl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CA4E8C5-EA05-46CB-9053-AF3C07CD52B1}\TypeLib\ = "{8E63BBC4-4194-4918-98F0-4F55305B186C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A88C7880-AD57-4257-BD3A-867EBA77DA2E}\1.0\0\win32\ = "C:\\Windows\\qvlbodmnwra.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{25533E38-47A2-43E0-B915-48263381C921}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mkrndofl.bsvq\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0826898D-C6EA-40BB-B636-9C82B5565312}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25533E38-47A2-43E0-B915-48263381C921}\TypeLib\ = "{A88C7880-AD57-4257-BD3A-867EBA77DA2E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA5573D4-7C3B-4A7A-B55D-917AEBC03B29}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0826898D-C6EA-40BB-B636-9C82B5565312}\ = "DVA First"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A88C7880-AD57-4257-BD3A-867EBA77DA2E}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25533E38-47A2-43E0-B915-48263381C921}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25533E38-47A2-43E0-B915-48263381C921}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8E63BBC4-4194-4918-98F0-4F55305B186C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CA4E8C5-EA05-46CB-9053-AF3C07CD52B1}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25533E38-47A2-43E0-B915-48263381C921}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{037E0831-A9B3-4AF9-99A7-F6A9E1E6A6D4}\ProgID\ = "mkrndofl.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CA4E8C5-EA05-46CB-9053-AF3C07CD52B1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	evws.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED9DDF22-0514-4C30-AEF9-9B55203E22CA}\InProcServer32\ = "C:\\Windows\\tdomgafw.dll"	evws.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{25533E38-47A2-43E0-B915-48263381C921}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA5573D4-7C3B-4A7A-B55D-917AEBC03B29}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{037E0831-A9B3-4AF9-99A7-F6A9E1E6A6D4}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{037E0831-A9B3-4AF9-99A7-F6A9E1E6A6D4}\TypeLib\ = "{8E63BBC4-4194-4918-98F0-4F55305B186C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0826898D-C6EA-40BB-B636-9C82B5565312}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mkrndofl.ToolBar.1\ = "mkrndofl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mkrndofl.ToolBar.1\CLSID\ = "{037E0831-A9B3-4AF9-99A7-F6A9E1E6A6D4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mkrndofl.bsvq\ = "mkrndofl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CA4E8C5-EA05-46CB-9053-AF3C07CD52B1}\TypeLib\ = "{8E63BBC4-4194-4918-98F0-4F55305B186C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25533E38-47A2-43E0-B915-48263381C921}\ = "_IadbpEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA5573D4-7C3B-4A7A-B55D-917AEBC03B29}\ = "Iadbp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA5573D4-7C3B-4A7A-B55D-917AEBC03B29}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mkrndofl.ToolBar.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{037E0831-A9B3-4AF9-99A7-F6A9E1E6A6D4}\InprocServer32\ = "C:\\Windows\\mkrndofl.dll"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2152	evws.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1736	explorer.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2672	2240	4c4f21627b35a1871da48f21a7225268.exe	28
PID 2240 wrote to memory of 2672	2240	4c4f21627b35a1871da48f21a7225268.exe	28
PID 2240 wrote to memory of 2672	2240	4c4f21627b35a1871da48f21a7225268.exe	28
PID 2240 wrote to memory of 2672	2240	4c4f21627b35a1871da48f21a7225268.exe	28
PID 2240 wrote to memory of 2672	2240	4c4f21627b35a1871da48f21a7225268.exe	28
PID 2240 wrote to memory of 2672	2240	4c4f21627b35a1871da48f21a7225268.exe	28
PID 2240 wrote to memory of 2672	2240	4c4f21627b35a1871da48f21a7225268.exe	28
PID 2672 wrote to memory of 2872	2672	cmd.exe	30
PID 2672 wrote to memory of 2872	2672	cmd.exe	30
PID 2672 wrote to memory of 2872	2672	cmd.exe	30
PID 2672 wrote to memory of 2872	2672	cmd.exe	30
PID 2672 wrote to memory of 2872	2672	cmd.exe	30
PID 2672 wrote to memory of 2872	2672	cmd.exe	30
PID 2672 wrote to memory of 2872	2672	cmd.exe	30
PID 2672 wrote to memory of 2560	2672	cmd.exe	37
PID 2672 wrote to memory of 2560	2672	cmd.exe	37
PID 2672 wrote to memory of 2560	2672	cmd.exe	37
PID 2672 wrote to memory of 2560	2672	cmd.exe	37
PID 2672 wrote to memory of 2560	2672	cmd.exe	37
PID 2672 wrote to memory of 2560	2672	cmd.exe	37
PID 2672 wrote to memory of 2560	2672	cmd.exe	37
PID 2672 wrote to memory of 2628	2672	cmd.exe	31
PID 2672 wrote to memory of 2628	2672	cmd.exe	31
PID 2672 wrote to memory of 2628	2672	cmd.exe	31
PID 2672 wrote to memory of 2628	2672	cmd.exe	31
PID 2672 wrote to memory of 2628	2672	cmd.exe	31
PID 2672 wrote to memory of 2628	2672	cmd.exe	31
PID 2672 wrote to memory of 2628	2672	cmd.exe	31
PID 2672 wrote to memory of 2724	2672	cmd.exe	36
PID 2672 wrote to memory of 2724	2672	cmd.exe	36
PID 2672 wrote to memory of 2724	2672	cmd.exe	36
PID 2672 wrote to memory of 2724	2672	cmd.exe	36
PID 2672 wrote to memory of 2724	2672	cmd.exe	36
PID 2672 wrote to memory of 2724	2672	cmd.exe	36
PID 2672 wrote to memory of 2724	2672	cmd.exe	36
PID 2672 wrote to memory of 2300	2672	cmd.exe	35
PID 2672 wrote to memory of 2300	2672	cmd.exe	35
PID 2672 wrote to memory of 2300	2672	cmd.exe	35
PID 2672 wrote to memory of 2300	2672	cmd.exe	35
PID 2672 wrote to memory of 2300	2672	cmd.exe	35
PID 2672 wrote to memory of 2300	2672	cmd.exe	35
PID 2672 wrote to memory of 2300	2672	cmd.exe	35
PID 2672 wrote to memory of 2152	2672	cmd.exe	34
PID 2672 wrote to memory of 2152	2672	cmd.exe	34
PID 2672 wrote to memory of 2152	2672	cmd.exe	34
PID 2672 wrote to memory of 2152	2672	cmd.exe	34
PID 2672 wrote to memory of 2152	2672	cmd.exe	34
PID 2672 wrote to memory of 2152	2672	cmd.exe	34
PID 2672 wrote to memory of 2152	2672	cmd.exe	34
PID 2240 wrote to memory of 976	2240	4c4f21627b35a1871da48f21a7225268.exe	33
PID 2240 wrote to memory of 976	2240	4c4f21627b35a1871da48f21a7225268.exe	33
PID 2240 wrote to memory of 976	2240	4c4f21627b35a1871da48f21a7225268.exe	33
PID 2240 wrote to memory of 976	2240	4c4f21627b35a1871da48f21a7225268.exe	33
PID 2240 wrote to memory of 976	2240	4c4f21627b35a1871da48f21a7225268.exe	33
PID 2240 wrote to memory of 976	2240	4c4f21627b35a1871da48f21a7225268.exe	33
PID 2240 wrote to memory of 976	2240	4c4f21627b35a1871da48f21a7225268.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4c4f21627b35a1871da48f21a7225268.exe
"C:\Users\Admin\AppData\Local\Temp\4c4f21627b35a1871da48f21a7225268.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /Q /C "C:\Users\Admin\AppData\Local\Temp\ac8zt2\install.bat"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s mkrndofl.dll
    3⤵
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2872
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /s C:\Windows\qvlbodmnwra.dll
    3⤵
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID:2628
- - C:\Users\Admin\AppData\Local\Temp\ac8zt2\evws.exe
    evws.exe revem
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2152
- - C:\Users\Admin\AppData\Local\Temp\ac8zt2\knxsrgte.exe
    knxsrgte.exe reg
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2300
- - C:\Users\Admin\AppData\Local\Temp\ac8zt2\evws.exe
    evws.exe C:\Windows\wetkadmr.dll wetkadmr
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:2724
- - C:\Users\Admin\AppData\Local\Temp\ac8zt2\evws.exe
    evws.exe C:\Windows\tdomgafw.dll tdomgafw
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /Q /C C:\Users\Admin\AppData\Local\Temp\nsjB648.tmp.bat "C:\Users\Admin\AppData\Local\Temp\4c4f21627b35a1871da48f21a7225268.exe"
  2⤵
  - Deletes itself
  PID:976

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ac8zt2\install.bat

Filesize
1KB

MD5
66b193bfc99622e0bbc6c5a2cee12945

SHA1
c1d29192f9e762b37882c332f522f6701977b5fd

SHA256
c910a213d3e3942cc106dc620450b503d79e881128990c7a8935e6a796e3a7d3

SHA512
32c7ee46350e735f2e278dbdecf19629460f2a29cac6102be9befe94ad08177c435bfe1a92395a0534859ea475b090be021ad079af13c8de1f6af8030105c69b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac8zt2\knxsrgte.exe

Filesize
80KB

MD5
2cc8e1acc8ff23b8fdffaffcc318e8aa

SHA1
83fa3a7c197aa700ef220f9f25ef4c0887210010

SHA256
6f4e7afbd52a01b599d388f7f9dbf3348da5dbb3892fd7b74a38cc2040c0036b

SHA512
3e8d4372d756b89512a489b5f92d6f5bef7d085bcee091aa1e0d636d4dc30bcfa0eb0b535b55c4bf2e35856db0cc44a90d1085cb9c3a6af1a5a2fdf5988109f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac8zt2\knxsrgte.exe

Filesize
69KB

MD5
e1779704a15e7880b60f4511c6a26437

SHA1
e1f61e8e401e0640921660124fe38ff318a3f93a

SHA256
bc6705520aecc423c93267da08d4f2f1ff140b4deca32799bec143249528f5c6

SHA512
eaf99dc42f8f1ac8e7c160e7ac067e152a4a87f5c018a7cb03e60e451d012cf0876cc55a82e37b5f560ed6ee75e5eceaa670b1affc68233839dc6976a0c513cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac8zt2\mkrndofl.dll

Filesize
58KB

MD5
633a0da3d87c2c50026c84bb4775ab08

SHA1
c15ef7bd83bf11da56c0c69e33e2080986ab9821

SHA256
34156d38d33373276cda814b007a0117ea1f760a059d7573728a40b41fd1d6e7

SHA512
6a29d69b34fafb07ee612a2b9042af32d0a2b82930dc8bd9b7ceedcdcd6d0a561cedc3c1808b1885ac5fb8bd76a18d4cc2bbe7c13880918668fb28f2f4465d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac8zt2\qvlbodmnwra.dll

Filesize
67KB

MD5
5f334f9e27dbb3a0c286c5c9422d2c7a

SHA1
f3eb3c978238049edb20a49870cb659c9707d407

SHA256
b4fe2ea5b6d6de593685bdc48d2549f5c675ea2c84772140c11514fe5a8973ff

SHA512
84638f5debd2e1243516779e137337b3af637b412d63513b9bada4a7bb64fdb035e096cfa6c1254e4c2ff9f6cd7b5e81271a8e2755a6db48d9657fa4fbe08b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac8zt2\svorbmke.exe

Filesize
54KB

MD5
ad8809af70bc8b21bf96b3715a5eba64

SHA1
f340ec3bff71e0f6e604f3f37d33dddd38e39f13

SHA256
a3bd8c5b07659242382cb3d6391cb6961b42babcd4fb07fcef3f74e717f735b2

SHA512
bb2d94cf5303d4779d6a59a4b259278507c931ee787aed226c9317aa209595f662559934a9ba9f6f706564a78ddad243547326585a275693dfc8057597899295

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac8zt2\tdomgafw.dll

Filesize
66KB

MD5
e8235d98e20853d7bb90068469c699eb

SHA1
48138960bcb0b2002abf80f89cbe753ad2a5e121

SHA256
c2e51ce80dff567cca6c50099ca6fcbc3150b95297aacba777fa64a7ccc9c8d8

SHA512
51c7a056230ad52044baf9e7a7e36c1d856ced9d5da60a8d2c9038b08c8b6c08b0190b9e7653a21420503d5b55ecc45f4c0cea3c1bbf35d97868ebba467bf7ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac8zt2\wetkadmr.dll

Filesize
152KB

MD5
2e1d46544cc97003720a030f3ce58ceb

SHA1
02a34fc78ef35194ca85b402e61a2d06eb99e11d

SHA256
c6e4fc4145c65670d1d9b14d6be47d579d2b0990d56f58469299f0a70891a5c2

SHA512
6f44c1042552d5befbea61ff421f12772088a1f05e1154ee42d24a58f7526afa8bb66d5e06622657645011d6226856bc4fd77c9bdd54d850e08ad8d8c12cc5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB648.tmp.bat

Filesize
113B

MD5
1275e8d7db5058e817781cf584ea95cd

SHA1
ff760adff4070ffee066207a98c5e2032ddc6118

SHA256
95d2d359f66d6406a838264609ce5e7b0b1928613e9ac13acc128dbdef8c8b4e

SHA512
00f9150122eb14da3625359e7c0efb93151ea9a2db8db9c586c03ad73f1fa582e8a0072d917853745465c71ab781234abba9fd96c92baf3d21d76cb00211e6eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB186.tmp\System.dll

Filesize
10KB

MD5
7d85b1f619a3023cc693a88f040826d2

SHA1
09f5d32f8143e7e0d9270430708db1b9fc8871a8

SHA256
dc198967b0fb2bc7aaab0886a700c7f4d8cb346c4f9d48b9b220487b0dfe8a18

SHA512
5465804c56d6251bf369609e1b44207b717228a8ac36c7992470b9daf4a231256c0ce95e0b027c4164e62d9656742a56e2b51e9347c8b17ab51ff40f32928c85

Download Submit
C:\Windows\mkrndofl.dll

Filesize
77KB

MD5
7b420cc17362ede318d2165bc1813c9f

SHA1
d1da39004ac521ecff01da8226c44d31ffa0ca72

SHA256
cb3ba6d2452624ae3cda89328a2f3f54459bb2ad076941570a9eec47d53a7b0c

SHA512
d8a21b81eb1f9ab9b977dddfb9a4e5ff0a1dc4a28e2b4088b1037c910265400c7cd79a9f7ec39687db63332439839ba5f7de668e15fbbf85e3f13c558359c586

Download Submit
C:\Windows\qvlbodmnwra.dll

Filesize
2KB

MD5
d2a7d5cec11aa8c437ca7e87675a47a5

SHA1
8c71a1c85841a9858fba766fadcbf9f600df8727

SHA256
682d15fbbee901c0b35e8e800785ed5cc9aeed78fe1dead67381fa872b19cb84

SHA512
ef6b5c5128f3192de74e0f67315daf8f80f6aa497d79df431dc619e4cafa9ec08bf48d9590cde106c3a7b31356615402946a3e4030efe2dddfe6851bfccb54e8

Download Submit
\Users\Admin\AppData\Local\Temp\ac8zt2\evws.exe

Filesize
53KB

MD5
aaa41703cc51e41a60efc2f3edd851ca

SHA1
36c74775d8aac0f27c210cde8497c4fb649e839b

SHA256
a98231090f779177e91241950ed5d4b210f7d87f587ad37aef978cc8f8294796

SHA512
e2fabb67038b88a602587900409ba22228ee10eca972d99babaf8720d5e71bd11f005829c4298c26de3416c96f71a8352c2479a33117d13b6e1d3496f9109ede

Download Submit
\Users\Admin\AppData\Local\Temp\ac8zt2\evws.exe

Filesize
1KB

MD5
d51c67b08aef990f396e63826bf22cf6

SHA1
bc090a21b29db1e068dca923222454f335d0e280

SHA256
dc92c6ce627a555b61901518b898a7b70e23962fe0a88cfd60d393615ef00a0c

SHA512
20f8976dbd2b665e5dd22b0ef780d85fa6f10dd11b24a753314072986f2c84b91941cce069ac97e22817ff4451cb5d7f1d15124be17f308c0d8e785e0ea7cf8c

Download Submit
\Users\Admin\AppData\Local\Temp\ac8zt2\evws.exe

Filesize
86KB

MD5
d1044c5cdeee566ecf40c57ed2e0dc46

SHA1
e60a39e8914379e6c0a5da2952b47c08be0a07f7

SHA256
6b8e34e6329678f14587a48dd3942700671c4c2d582d23c74ebced6b6f53272e

SHA512
d5c868356f4082b61d9593d8633e98c101b40bcbe939cde290a8ec62bd120afbfe7a3568c1004a3b38564da8b4edd48545aad55f16c2c73c3ae238b7bc5da31e

Download Submit
\Users\Admin\AppData\Local\Temp\ac8zt2\evws.exe

Filesize
63KB

MD5
f39b5fce2fb671616330438249265caf

SHA1
33110a32a7659ed419cbf98cb6efee1cc7c7c832

SHA256
abd88b6816df22ed5cfcee4c76fc836501d41e7727c531f633ee2597d5047366

SHA512
0042df4089e285d8f76c4688d8d12ee17f2c218544fbdf218c111a2fdcf8b989dfda53cbb69fd1561029190267bda0a5331b8c57b0ca0fa1ed3d699d8a53247a

Download Submit
\Users\Admin\AppData\Local\Temp\ac8zt2\evws.exe

Filesize
65KB

MD5
c85e0a7c78ebaafe153d4ed33378b583

SHA1
0d81086cadc726b7b1890e3dbd8398f235acd4aa

SHA256
fbe7b04edff5b1507c084c640e986b2a5ed74252184b1860f36444a34dbac47c

SHA512
668feff73b190282bf4e26c772576868a4cc3bd0b22f7b70435a01f8332786201ab0d8e7144f46663a750c02c452e6139fa357ad1772d3ee12571000a1ba5a34

Download Submit
\Users\Admin\AppData\Local\Temp\ac8zt2\evws.exe

Filesize
31KB

MD5
975a3964b2bfaf69bbc988373b581f6f

SHA1
94bafe559f9c6462b5f3a7968652daf03fb6e639

SHA256
e3bdb8e8dc0aa45cf39f593e43916553ce89e77f726511654ab53de15601e4fb

SHA512
237192ccc6761b3d6db8df5f31bcad2e1bbb94db9c7d8d0e55cae2e5878c9bff192dfb654d80a5e372f76576fa320f881759aa81165a3269e86f3b6b12f0daee

Download Submit
\Users\Admin\AppData\Local\Temp\ac8zt2\evws.exe

Filesize
74KB

MD5
7bb919f65bd078fffb3e4130c8202e61

SHA1
dce51796e4cb4c575ef26a3af87b04213d02ea1d

SHA256
b40d0a36ef49cb4f39e948dac3d7f3925315a3af7f8159ea1d9c53afbb7c406d

SHA512
f2a5ee20fa009c2e9531a2f392dabdaf16159a257323a51ddf7a0350c6eccf3d19895c8fba52cdc5bf36c85aa673b600c056722578a709461d43e33c837643ba

Download Submit
\Users\Admin\AppData\Local\Temp\ac8zt2\evws.exe

Filesize
88KB

MD5
1ca1b9ad52b498fb505f7bf378484a67

SHA1
bca0a8de657dbc39010d4dcf2948dfabf1627c1e

SHA256
e37947fda9e7e9e6a46d6c7595259f9c0ccfcd59e96b072f3b2d7e72a87c6e26

SHA512
d5f23d8abc6480ab5405033dedafe44a2991496233e2353adf13bbcd3be9073e96a3f4299c78435cb283cd9c88f19cc07c0001f6f574e17e7ef3376928cc6ce2

Download Submit
\Users\Admin\AppData\Local\Temp\ac8zt2\evws.exe

Filesize
29KB

MD5
5313c0a3753aa7669c7c02462d5b9b49

SHA1
8d65ac07134da37aef5220febee8ba0e0b7a12ec

SHA256
d905bfbb5fe0efea91b16eb6249a33f3f9a09c7f36d7f15f68e437d6a5dea68f

SHA512
3f086bed5bc55e9fe2c4b59e2506557dc300aaf2e198c76f16865c35021336de1d872632c9e1278caa2c0b270b03bd9681f61014c1db7c48101bb90523783a54

Download Submit
\Users\Admin\AppData\Local\Temp\ac8zt2\knxsrgte.exe

Filesize
3KB

MD5
1ae0c7bf2a446f0f0162b9b8e82215e4

SHA1
1c8c1382628117ed1868c5fb5cf378bd9925e27a

SHA256
a6958369f714c1b522e701bfd51591e98dc857e9f286a358f212ed4caa96ee54

SHA512
716aab8f134d64d3d0851516348e4606d92d0fe5bc97cbf1da13e313a121919113d56b7825654b64d70d960bb24d0397461e4561d6d42932761c6063b7bb7c32

Download Submit
\Users\Admin\AppData\Local\Temp\ac8zt2\knxsrgte.exe

Filesize
17KB

MD5
c31211e2800149380bfd9c207602c710

SHA1
13793e7ce7d5f531633011f67ff908efe916f0bf

SHA256
5fe2a7ba962deb8c2782587175e19d79bd4fb259dfe09d61b112b7e19ca1f6bb

SHA512
9cc06ccd5e9a2778742b92bc74a41f803eb59afcac04fbfb6dbaf5a30e169fcb84e2c95073d40814b23867b60826b8c328bec31b54856b787483704383aff5bd

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB186.tmp\blowfish.dll

Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
memory/1736-107-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download
memory/1736-108-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download
memory/1736-112-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download