c62e53f2bfcb2e17d5e80112e54f5c923120b258b5e0546073e96d096fae259b

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56c8ddd07545efef53fb690b68211f4f.exe
Size

82KB
MD5

56c8ddd07545efef53fb690b68211f4f
SHA1

deaad8c777f4f54459d15e8e2bd2a260258b1df3
SHA256

c62e53f2bfcb2e17d5e80112e54f5c923120b258b5e0546073e96d096fae259b
SHA512

a4dd882ccc0b747da51f0ac6d7acf8620b872e522e7c34a9fc650604ea88fab532c9beec0e0ee426b08dab1cf525d99a055b9136d6f4ae4f7fffd4f3add84693
SSDEEP

1536:0h3oDFpr18upjOWOHQRTaTalf34DanAWtHDu:09AF118upKCBaTa94Dan1

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\pcidump.sys	56c8ddd07545efef53fb690b68211f4f.exe
File created	C:\Windows\SysWOW64\drivers\AsyncMac.sys	rundll32.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LiveUpdate360.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe\RsTray.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vptray.exe\vptray.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe\RavTask.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe\QQDoctor.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe\mcshield.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpfSrv.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISSvc.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe\MPMon.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KavStart.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdmgr.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshell.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrUpdate.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360delays.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naPrdMgr.exe\naPrdMgr.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSetMgr.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccEvtMgr.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmscsvc.exe\mcmscsvc.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defwatch.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antiarp.exe\antiarp.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe\CCenter.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xcommsvr.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xcommsvr.exe\xcommsvr.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vptray.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rssafety.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naPrdMgr.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe\MPSVC.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\engineserver.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defwatch.exe\defwatch.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe\ccSvcHst.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KavStart.exe\KAVStart.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antiarp.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe\ekrn.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshell.exe\mcshell.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McTray.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe\rfwsrv.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegGuide.exe\RegGuide.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\avp.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safebox.exe\360Safebox.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe\KPfwSvc.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcinsupd.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safebox.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmscsvc.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctorRtp.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe\RsAgent.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfeann.exe\mfeann.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KavStart.exe\KavStart.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe\KPFW32.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McProxy.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Uplive.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe\MPSVC2.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rssafety.exe\rssafety.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe\KVSrvXP.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccapp.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe	rundll32.exe

Deletes itself 1 IoCs

pid	Process
1644	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1724	extext259458132t.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	rundll32.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	56c8ddd07545efef53fb690b68211f4f.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	56c8ddd07545efef53fb690b68211f4f.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\scvhost.exe	56c8ddd07545efef53fb690b68211f4f.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\tete259450598t.dll	56c8ddd07545efef53fb690b68211f4f.exe
File created	C:\Windows\extext259458132t.exe	56c8ddd07545efef53fb690b68211f4f.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2044	sc.exe
2720	sc.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2860	taskkill.exe
3024	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
304	rundll32.exe
304	rundll32.exe
304	rundll32.exe
304	rundll32.exe
304	rundll32.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	taskkill.exe
Token: SeDebugPrivilege	3024	taskkill.exe
Token: SeDebugPrivilege	304	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 2892	1436	56c8ddd07545efef53fb690b68211f4f.exe	28
PID 1436 wrote to memory of 2892	1436	56c8ddd07545efef53fb690b68211f4f.exe	28
PID 1436 wrote to memory of 2892	1436	56c8ddd07545efef53fb690b68211f4f.exe	28
PID 1436 wrote to memory of 2892	1436	56c8ddd07545efef53fb690b68211f4f.exe	28
PID 1436 wrote to memory of 2136	1436	56c8ddd07545efef53fb690b68211f4f.exe	29
PID 1436 wrote to memory of 2136	1436	56c8ddd07545efef53fb690b68211f4f.exe	29
PID 1436 wrote to memory of 2136	1436	56c8ddd07545efef53fb690b68211f4f.exe	29
PID 1436 wrote to memory of 2136	1436	56c8ddd07545efef53fb690b68211f4f.exe	29
PID 2136 wrote to memory of 2720	2136	cmd.exe	31
PID 2136 wrote to memory of 2720	2136	cmd.exe	31
PID 2136 wrote to memory of 2720	2136	cmd.exe	31
PID 2136 wrote to memory of 2720	2136	cmd.exe	31
PID 1436 wrote to memory of 2824	1436	56c8ddd07545efef53fb690b68211f4f.exe	32
PID 1436 wrote to memory of 2824	1436	56c8ddd07545efef53fb690b68211f4f.exe	32
PID 1436 wrote to memory of 2824	1436	56c8ddd07545efef53fb690b68211f4f.exe	32
PID 1436 wrote to memory of 2824	1436	56c8ddd07545efef53fb690b68211f4f.exe	32
PID 2824 wrote to memory of 2860	2824	cmd.exe	34
PID 2824 wrote to memory of 2860	2824	cmd.exe	34
PID 2824 wrote to memory of 2860	2824	cmd.exe	34
PID 2824 wrote to memory of 2860	2824	cmd.exe	34
PID 1436 wrote to memory of 2888	1436	56c8ddd07545efef53fb690b68211f4f.exe	36
PID 1436 wrote to memory of 2888	1436	56c8ddd07545efef53fb690b68211f4f.exe	36
PID 1436 wrote to memory of 2888	1436	56c8ddd07545efef53fb690b68211f4f.exe	36
PID 1436 wrote to memory of 2888	1436	56c8ddd07545efef53fb690b68211f4f.exe	36
PID 2888 wrote to memory of 3024	2888	cmd.exe	38
PID 2888 wrote to memory of 3024	2888	cmd.exe	38
PID 2888 wrote to memory of 3024	2888	cmd.exe	38
PID 2888 wrote to memory of 3024	2888	cmd.exe	38
PID 1436 wrote to memory of 304	1436	56c8ddd07545efef53fb690b68211f4f.exe	41
PID 1436 wrote to memory of 304	1436	56c8ddd07545efef53fb690b68211f4f.exe	41
PID 1436 wrote to memory of 304	1436	56c8ddd07545efef53fb690b68211f4f.exe	41
PID 1436 wrote to memory of 304	1436	56c8ddd07545efef53fb690b68211f4f.exe	41
PID 1436 wrote to memory of 304	1436	56c8ddd07545efef53fb690b68211f4f.exe	41
PID 1436 wrote to memory of 304	1436	56c8ddd07545efef53fb690b68211f4f.exe	41
PID 1436 wrote to memory of 304	1436	56c8ddd07545efef53fb690b68211f4f.exe	41
PID 1436 wrote to memory of 2020	1436	56c8ddd07545efef53fb690b68211f4f.exe	42
PID 1436 wrote to memory of 2020	1436	56c8ddd07545efef53fb690b68211f4f.exe	42
PID 1436 wrote to memory of 2020	1436	56c8ddd07545efef53fb690b68211f4f.exe	42
PID 1436 wrote to memory of 2020	1436	56c8ddd07545efef53fb690b68211f4f.exe	42
PID 2020 wrote to memory of 2444	2020	cmd.exe	44
PID 2020 wrote to memory of 2444	2020	cmd.exe	44
PID 2020 wrote to memory of 2444	2020	cmd.exe	44
PID 2020 wrote to memory of 2444	2020	cmd.exe	44
PID 2444 wrote to memory of 1468	2444	net.exe	45
PID 2444 wrote to memory of 1468	2444	net.exe	45
PID 2444 wrote to memory of 1468	2444	net.exe	45
PID 2444 wrote to memory of 1468	2444	net.exe	45
PID 1436 wrote to memory of 1660	1436	56c8ddd07545efef53fb690b68211f4f.exe	46
PID 1436 wrote to memory of 1660	1436	56c8ddd07545efef53fb690b68211f4f.exe	46
PID 1436 wrote to memory of 1660	1436	56c8ddd07545efef53fb690b68211f4f.exe	46
PID 1436 wrote to memory of 1660	1436	56c8ddd07545efef53fb690b68211f4f.exe	46
PID 1660 wrote to memory of 1316	1660	cmd.exe	48
PID 1660 wrote to memory of 1316	1660	cmd.exe	48
PID 1660 wrote to memory of 1316	1660	cmd.exe	48
PID 1660 wrote to memory of 1316	1660	cmd.exe	48
PID 1316 wrote to memory of 1624	1316	net.exe	49
PID 1316 wrote to memory of 1624	1316	net.exe	49
PID 1316 wrote to memory of 1624	1316	net.exe	49
PID 1316 wrote to memory of 1624	1316	net.exe	49
PID 1436 wrote to memory of 1732	1436	56c8ddd07545efef53fb690b68211f4f.exe	50
PID 1436 wrote to memory of 1732	1436	56c8ddd07545efef53fb690b68211f4f.exe	50
PID 1436 wrote to memory of 1732	1436	56c8ddd07545efef53fb690b68211f4f.exe	50
PID 1436 wrote to memory of 1732	1436	56c8ddd07545efef53fb690b68211f4f.exe	50
PID 1732 wrote to memory of 2044	1732	cmd.exe	52

C:\Users\Admin\AppData\Local\Temp\56c8ddd07545efef53fb690b68211f4f.exe
"C:\Users\Admin\AppData\Local\Temp\56c8ddd07545efef53fb690b68211f4f.exe"
1⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:2892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config ekrn start= disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\SysWOW64\sc.exe
    sc config ekrn start= disabled
    3⤵
    - Launches sc.exe
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill.exe /im ekrn.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /im ekrn.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill.exe /im egui.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /im egui.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3024
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\tete259450598t.dll testall
  2⤵
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wscsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\net.exe
    net stop wscsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wscsvc
      4⤵
      PID:1468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1316
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:1624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config sharedaccess start= disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\sc.exe
    sc config sharedaccess start= disabled
    3⤵
    - Launches sc.exe
    PID:2044
- C:\Windows\extext259458132t.exe
  C:\Windows\extext259458132t.exe
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c afc90a.bat
  2⤵
  - Deletes itself
  PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\afc90a.bat

Filesize
2KB

MD5
0aae412c62899e795205dc32d86bfff5

SHA1
2c9487de933d2bd419aece04f43f5bca32835e62

SHA256
38924c6ffb726cf3a6dc22eede220d2e5ac404070a3f8f453f558127d79da189

SHA512
32e3ba22eda6e29509231eb5cee8c19d1c3e00eb485e68bff4fcb5e21ae1b407e52b88f08d371c743e21087f37f5db41cc7f953c40db226ba95853005753e224

Download Submit
C:\Windows\extext259458132t.exe

Filesize
12KB

MD5
4e009ff93e2df09682c750fbe7c2464f

SHA1
73acc80925f07e3346107730d785d8ae12adc6ef

SHA256
a885dfb99355992889b3432c9314a7d002b2d8ff6c8c79f665ee6e4057152d3d

SHA512
b0dcd0b09205ac25b2cdf459314768a000ac1780fc27d171f1c9a35b07d643fe39072199adad9cf0b1e70bda9f8d8ce1d50db967602c128760b72bebc8b98d09

Download Submit
C:\Windows\tete259450598t.dll

Filesize
40KB

MD5
956b20403cc1ae613ca8f8a6099bc4e2

SHA1
9cf339ea6d13c5e2b3e03a76f5261b7f46854c38

SHA256
dff795851e9a94b78befa2e9908eb680901d0af1191bf6db159a5d7be79a18a9

SHA512
6aeefefd3c3887463d06448cb52d8d2c10e52fa469d92f2115605f048f981b26c513360068bd8c3e438eedbaf061923f4625c8ee016fa46b7a384d5072643fcc

Download Submit
F:\AUTORUN.INF

Filesize
304B

MD5
99588afd717ec63824f97ee400c447c2

SHA1
be44b900e6da111806097b72e6cbbd75b20fc34a

SHA256
9d9699dd55fccc743cf30232755d98fc9a006ea81bcead9fbf0c176d9b2a6f3b

SHA512
18eaa762824d342d542ddfbbc8ab1d0699b2c61c0d9966be581a80f21a5a165a0e9963f2dee6937465ea39ebfff2455593c26ce37af22c79254b251905060ba4

Download Submit
F:\recycle.{645FF040-5081-101B-9F08-00AA002F954E}\rav32.exe

Filesize
82KB

MD5
56c8ddd07545efef53fb690b68211f4f

SHA1
deaad8c777f4f54459d15e8e2bd2a260258b1df3

SHA256
c62e53f2bfcb2e17d5e80112e54f5c923120b258b5e0546073e96d096fae259b

SHA512
a4dd882ccc0b747da51f0ac6d7acf8620b872e522e7c34a9fc650604ea88fab532c9beec0e0ee426b08dab1cf525d99a055b9136d6f4ae4f7fffd4f3add84693

Download Submit
memory/1436-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1436-1-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1436-38-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download