c62e53f2bfcb2e17d5e80112e54f5c923120b258b5e0546073e96d096fae259b

Analysis

max time kernel
168s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56c8ddd07545efef53fb690b68211f4f.exe
Size

82KB
MD5

56c8ddd07545efef53fb690b68211f4f
SHA1

deaad8c777f4f54459d15e8e2bd2a260258b1df3
SHA256

c62e53f2bfcb2e17d5e80112e54f5c923120b258b5e0546073e96d096fae259b
SHA512

a4dd882ccc0b747da51f0ac6d7acf8620b872e522e7c34a9fc650604ea88fab532c9beec0e0ee426b08dab1cf525d99a055b9136d6f4ae4f7fffd4f3add84693
SSDEEP

1536:0h3oDFpr18upjOWOHQRTaTalf34DanAWtHDu:09AF118upKCBaTa94Dan1

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\pcidump.sys	56c8ddd07545efef53fb690b68211f4f.exe
File created	C:\Windows\SysWOW64\drivers\AsyncMac.sys	rundll32.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe\KVSrvXP.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe\MPSVC1.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcnasvc.exe\mcnasvc.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdmgr.exe\mcupdmgr.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360delays.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe\RsAgent.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISSvc.exe\KISSvc.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defwatch.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctorRtp.exe\QQDoctorRtp.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe\MPSVC.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KavStart.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcnasvc.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\egui.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naPrdMgr.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe\livesrv.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshell.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe\RavMonD.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McProxy.exe\McProxy.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe\QQDoctor.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe\kmailmon.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe\ccSvcHst.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfeann.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe\RavTask.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\engineserver.exe\engineserver.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LiveUpdate360.exe\LiveUpdate360.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McProxy.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpfSrv.exe\MpfSrv.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccEvtMgr.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defwatch.exe\defwatch.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe\safeboxTray.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safebox.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\RavMon.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vptray.exe\vptray.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FrameworkService.exe\FrameworkService.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rssafety.exe\rssafety.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe\KPFW32.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\engineserver.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vstskmgr.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSWebShield.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe\bdagent.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHSTAT.exe\SHSTAT.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSWebShield.exe\KSWebShield.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\avp.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISSvc.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscan.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe\KPfwSvc.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcinsupd.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe\RavStub.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe\CCenter.exe = "svchost.exe"	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
3600	extext240687406t.exe

Loads dropped DLL 1 IoCs

pid	Process
948	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RsTray = "C:\\Windows\\system32\\scvhost.exe"	extext240687406t.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	56c8ddd07545efef53fb690b68211f4f.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	56c8ddd07545efef53fb690b68211f4f.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\scvhost.exe	56c8ddd07545efef53fb690b68211f4f.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\tete240672078t.dll	56c8ddd07545efef53fb690b68211f4f.exe
File created	C:\Windows\extext240687406t.exe	56c8ddd07545efef53fb690b68211f4f.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2424	sc.exe
2236	sc.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2448	taskkill.exe
3976	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
948	rundll32.exe
948	rundll32.exe
948	rundll32.exe
948	rundll32.exe
948	rundll32.exe
948	rundll32.exe
948	rundll32.exe
948	rundll32.exe
948	rundll32.exe
948	rundll32.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
652	Process not Found
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3976	taskkill.exe
Token: SeDebugPrivilege	2448	taskkill.exe
Token: SeDebugPrivilege	948	rundll32.exe
Token: SeDebugPrivilege	3600	extext240687406t.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 3396	920	56c8ddd07545efef53fb690b68211f4f.exe	88
PID 920 wrote to memory of 3396	920	56c8ddd07545efef53fb690b68211f4f.exe	88
PID 920 wrote to memory of 3396	920	56c8ddd07545efef53fb690b68211f4f.exe	88
PID 920 wrote to memory of 1476	920	56c8ddd07545efef53fb690b68211f4f.exe	93
PID 920 wrote to memory of 1476	920	56c8ddd07545efef53fb690b68211f4f.exe	93
PID 920 wrote to memory of 1476	920	56c8ddd07545efef53fb690b68211f4f.exe	93
PID 1476 wrote to memory of 2424	1476	cmd.exe	94
PID 1476 wrote to memory of 2424	1476	cmd.exe	94
PID 1476 wrote to memory of 2424	1476	cmd.exe	94
PID 920 wrote to memory of 4476	920	56c8ddd07545efef53fb690b68211f4f.exe	99
PID 920 wrote to memory of 4476	920	56c8ddd07545efef53fb690b68211f4f.exe	99
PID 920 wrote to memory of 4476	920	56c8ddd07545efef53fb690b68211f4f.exe	99
PID 4476 wrote to memory of 3976	4476	cmd.exe	101
PID 4476 wrote to memory of 3976	4476	cmd.exe	101
PID 4476 wrote to memory of 3976	4476	cmd.exe	101
PID 920 wrote to memory of 4772	920	56c8ddd07545efef53fb690b68211f4f.exe	105
PID 920 wrote to memory of 4772	920	56c8ddd07545efef53fb690b68211f4f.exe	105
PID 920 wrote to memory of 4772	920	56c8ddd07545efef53fb690b68211f4f.exe	105
PID 4772 wrote to memory of 2448	4772	cmd.exe	107
PID 4772 wrote to memory of 2448	4772	cmd.exe	107
PID 4772 wrote to memory of 2448	4772	cmd.exe	107
PID 920 wrote to memory of 948	920	56c8ddd07545efef53fb690b68211f4f.exe	110
PID 920 wrote to memory of 948	920	56c8ddd07545efef53fb690b68211f4f.exe	110
PID 920 wrote to memory of 948	920	56c8ddd07545efef53fb690b68211f4f.exe	110
PID 920 wrote to memory of 1768	920	56c8ddd07545efef53fb690b68211f4f.exe	113
PID 920 wrote to memory of 1768	920	56c8ddd07545efef53fb690b68211f4f.exe	113
PID 920 wrote to memory of 1768	920	56c8ddd07545efef53fb690b68211f4f.exe	113
PID 1768 wrote to memory of 1456	1768	cmd.exe	115
PID 1768 wrote to memory of 1456	1768	cmd.exe	115
PID 1768 wrote to memory of 1456	1768	cmd.exe	115
PID 1456 wrote to memory of 624	1456	net.exe	116
PID 1456 wrote to memory of 624	1456	net.exe	116
PID 1456 wrote to memory of 624	1456	net.exe	116
PID 920 wrote to memory of 1596	920	56c8ddd07545efef53fb690b68211f4f.exe	117
PID 920 wrote to memory of 1596	920	56c8ddd07545efef53fb690b68211f4f.exe	117
PID 920 wrote to memory of 1596	920	56c8ddd07545efef53fb690b68211f4f.exe	117
PID 1596 wrote to memory of 4036	1596	cmd.exe	119
PID 1596 wrote to memory of 4036	1596	cmd.exe	119
PID 1596 wrote to memory of 4036	1596	cmd.exe	119
PID 4036 wrote to memory of 2224	4036	net.exe	120
PID 4036 wrote to memory of 2224	4036	net.exe	120
PID 4036 wrote to memory of 2224	4036	net.exe	120
PID 920 wrote to memory of 2052	920	56c8ddd07545efef53fb690b68211f4f.exe	121
PID 920 wrote to memory of 2052	920	56c8ddd07545efef53fb690b68211f4f.exe	121
PID 920 wrote to memory of 2052	920	56c8ddd07545efef53fb690b68211f4f.exe	121
PID 2052 wrote to memory of 2236	2052	cmd.exe	123
PID 2052 wrote to memory of 2236	2052	cmd.exe	123
PID 2052 wrote to memory of 2236	2052	cmd.exe	123
PID 920 wrote to memory of 3600	920	56c8ddd07545efef53fb690b68211f4f.exe	124
PID 920 wrote to memory of 3600	920	56c8ddd07545efef53fb690b68211f4f.exe	124
PID 920 wrote to memory of 3600	920	56c8ddd07545efef53fb690b68211f4f.exe	124
PID 3600 wrote to memory of 640	3600	extext240687406t.exe	125
PID 3600 wrote to memory of 640	3600	extext240687406t.exe	125
PID 3600 wrote to memory of 640	3600	extext240687406t.exe	125
PID 3600 wrote to memory of 4528	3600	extext240687406t.exe	126
PID 3600 wrote to memory of 4528	3600	extext240687406t.exe	126
PID 3600 wrote to memory of 4528	3600	extext240687406t.exe	126
PID 4528 wrote to memory of 2516	4528	cmd.exe	130
PID 4528 wrote to memory of 2516	4528	cmd.exe	130
PID 4528 wrote to memory of 2516	4528	cmd.exe	130
PID 640 wrote to memory of 1320	640	cmd.exe	129
PID 640 wrote to memory of 1320	640	cmd.exe	129
PID 640 wrote to memory of 1320	640	cmd.exe	129
PID 920 wrote to memory of 784	920	56c8ddd07545efef53fb690b68211f4f.exe	133

C:\Users\Admin\AppData\Local\Temp\56c8ddd07545efef53fb690b68211f4f.exe
"C:\Users\Admin\AppData\Local\Temp\56c8ddd07545efef53fb690b68211f4f.exe"
1⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:920
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:3396
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config ekrn start= disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\SysWOW64\sc.exe
    sc config ekrn start= disabled
    3⤵
    - Launches sc.exe
    PID:2424
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill.exe /im ekrn.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /im ekrn.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill.exe /im egui.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /im egui.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2448
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\tete240672078t.dll testall
  2⤵
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wscsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\net.exe
    net stop wscsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1456
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wscsvc
      4⤵
      PID:624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4036
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:2224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config sharedaccess start= disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\sc.exe
    sc config sharedaccess start= disabled
    3⤵
    - Launches sc.exe
    PID:2236
- C:\Windows\extext240687406t.exe
  C:\Windows\extext240687406t.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cacls C:\Windows\system32 /e /p everyone:f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\system32 /e /p everyone:f
      4⤵
      PID:1320
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
      4⤵
      PID:2516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c afc90a.bat
  2⤵
  PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\afc90a.bat

Filesize
2KB

MD5
0aae412c62899e795205dc32d86bfff5

SHA1
2c9487de933d2bd419aece04f43f5bca32835e62

SHA256
38924c6ffb726cf3a6dc22eede220d2e5ac404070a3f8f453f558127d79da189

SHA512
32e3ba22eda6e29509231eb5cee8c19d1c3e00eb485e68bff4fcb5e21ae1b407e52b88f08d371c743e21087f37f5db41cc7f953c40db226ba95853005753e224

Download Submit
C:\Windows\extext240687406t.exe

Filesize
12KB

MD5
4e009ff93e2df09682c750fbe7c2464f

SHA1
73acc80925f07e3346107730d785d8ae12adc6ef

SHA256
a885dfb99355992889b3432c9314a7d002b2d8ff6c8c79f665ee6e4057152d3d

SHA512
b0dcd0b09205ac25b2cdf459314768a000ac1780fc27d171f1c9a35b07d643fe39072199adad9cf0b1e70bda9f8d8ce1d50db967602c128760b72bebc8b98d09

Download Submit
C:\Windows\tete240672078t.dll

Filesize
40KB

MD5
956b20403cc1ae613ca8f8a6099bc4e2

SHA1
9cf339ea6d13c5e2b3e03a76f5261b7f46854c38

SHA256
dff795851e9a94b78befa2e9908eb680901d0af1191bf6db159a5d7be79a18a9

SHA512
6aeefefd3c3887463d06448cb52d8d2c10e52fa469d92f2115605f048f981b26c513360068bd8c3e438eedbaf061923f4625c8ee016fa46b7a384d5072643fcc

Download Submit
F:\recycle.{645FF040-5081-101B-9F08-00AA002F954E}\rav32.exe

Filesize
82KB

MD5
56c8ddd07545efef53fb690b68211f4f

SHA1
deaad8c777f4f54459d15e8e2bd2a260258b1df3

SHA256
c62e53f2bfcb2e17d5e80112e54f5c923120b258b5e0546073e96d096fae259b

SHA512
a4dd882ccc0b747da51f0ac6d7acf8620b872e522e7c34a9fc650604ea88fab532c9beec0e0ee426b08dab1cf525d99a055b9136d6f4ae4f7fffd4f3add84693

Download Submit
memory/920-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/920-1-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/920-33-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download