79f396d4f64eee0c40b1ac582735492b1fb5cbb7c25afe80c43d8dce52fe8445

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c6aa9597c5e55230fd300ff686336d5.exe
Size

64KB
MD5

5c6aa9597c5e55230fd300ff686336d5
SHA1

2844419bf1e42db371927ea21dc3f5741062a134
SHA256

79f396d4f64eee0c40b1ac582735492b1fb5cbb7c25afe80c43d8dce52fe8445
SHA512

435dca4c31f3e3fb7b8256c6254f0be788bcc7f78278576d06a64166b29d45f8bf9a3113a77929a18e5b99304c10a9063f3d011ee0b09172884970a3389a4b98
SSDEEP

1536:vjT8FsWAuPRoyn56J0wvV/5yJhrzd2d1PTChYACEcLsn:fDWA8iyU7yjdk8YJEcL2

Score

8^/10

persistence upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\AsyncMac.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\pcidump.sys	5c6aa9597c5e55230fd300ff686336d5.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udaterui.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe\MPMon.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antiarp.exe\antiarp.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe\RavMonD.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccEvtMgr.exe\ccEvtMgr.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naPrdMgr.exe\naPrdMgr.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xcommsvr.exe\xcommsvr.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctorRtp.exe\QQDoctorRtp.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\avp.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe\RsTray.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\RavMon.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vptray.exe\vptray.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISSvc.exe\KISSvc.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\engineserver.exe\engineserver.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McTray.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rssafety.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpfSrv.exe\MpfSrv.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe\MPSVC2.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LiveUpdate360.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSWebShield.exe\KSWebShield.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfevtps.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe\KWatch.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe\bdagent.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegGuide.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xcommsvr.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KavStart.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshell.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshell.exe\mcshell.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSWebShield.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpfSrv.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe\mcsysmon.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe\ccSvcHst.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\360tray.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfeann.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe\kmailmon.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcinsupd.exe\mcinsupd.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccapp.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISSvc.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe\KPFW32.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcinsupd.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McProxy.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vptray.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe\AgentSvr.exe = "svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KavStart.exe\KavStart.exe = "svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccEvtMgr.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrUpdate.exe\DrUpdate.exe = "svchost.exe"	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
3068	extext240647953t.exe

Loads dropped DLL 1 IoCs

pid	Process
4252	rundll32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1396-0-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/1396-1-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/files/0x000100000000002c-22.dat	upx
behavioral2/memory/1396-23-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/1396-39-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RsTray = "C:\\Windows\\system32\\scvhost.exe"	extext240647953t.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	5c6aa9597c5e55230fd300ff686336d5.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	5c6aa9597c5e55230fd300ff686336d5.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\scvhost.exe	5c6aa9597c5e55230fd300ff686336d5.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\tete240643625t.dll	5c6aa9597c5e55230fd300ff686336d5.exe
File created	C:\Windows\extext240647953t.exe	5c6aa9597c5e55230fd300ff686336d5.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
224	sc.exe
1772	sc.exe
5080	sc.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3180	taskkill.exe
4380	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4252	rundll32.exe
4252	rundll32.exe
4252	rundll32.exe
4252	rundll32.exe
4252	rundll32.exe
4252	rundll32.exe
4252	rundll32.exe
4252	rundll32.exe
4252	rundll32.exe
4252	rundll32.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3180	taskkill.exe
Token: SeDebugPrivilege	4380	taskkill.exe
Token: SeDebugPrivilege	4252	rundll32.exe
Token: SeDebugPrivilege	3068	extext240647953t.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 3268	1396	5c6aa9597c5e55230fd300ff686336d5.exe	20
PID 1396 wrote to memory of 3268	1396	5c6aa9597c5e55230fd300ff686336d5.exe	20
PID 1396 wrote to memory of 3268	1396	5c6aa9597c5e55230fd300ff686336d5.exe	20
PID 1396 wrote to memory of 2248	1396	5c6aa9597c5e55230fd300ff686336d5.exe	38
PID 1396 wrote to memory of 2248	1396	5c6aa9597c5e55230fd300ff686336d5.exe	38
PID 1396 wrote to memory of 2248	1396	5c6aa9597c5e55230fd300ff686336d5.exe	38
PID 2248 wrote to memory of 224	2248	cmd.exe	37
PID 2248 wrote to memory of 224	2248	cmd.exe	37
PID 2248 wrote to memory of 224	2248	cmd.exe	37
PID 1396 wrote to memory of 4716	1396	5c6aa9597c5e55230fd300ff686336d5.exe	97
PID 1396 wrote to memory of 4716	1396	5c6aa9597c5e55230fd300ff686336d5.exe	97
PID 1396 wrote to memory of 4716	1396	5c6aa9597c5e55230fd300ff686336d5.exe	97
PID 4716 wrote to memory of 3180	4716	cmd.exe	99
PID 4716 wrote to memory of 3180	4716	cmd.exe	99
PID 4716 wrote to memory of 3180	4716	cmd.exe	99
PID 1396 wrote to memory of 1512	1396	5c6aa9597c5e55230fd300ff686336d5.exe	101
PID 1396 wrote to memory of 1512	1396	5c6aa9597c5e55230fd300ff686336d5.exe	101
PID 1396 wrote to memory of 1512	1396	5c6aa9597c5e55230fd300ff686336d5.exe	101
PID 1512 wrote to memory of 4380	1512	cmd.exe	103
PID 1512 wrote to memory of 4380	1512	cmd.exe	103
PID 1512 wrote to memory of 4380	1512	cmd.exe	103
PID 1396 wrote to memory of 4252	1396	5c6aa9597c5e55230fd300ff686336d5.exe	107
PID 1396 wrote to memory of 4252	1396	5c6aa9597c5e55230fd300ff686336d5.exe	107
PID 1396 wrote to memory of 4252	1396	5c6aa9597c5e55230fd300ff686336d5.exe	107
PID 1396 wrote to memory of 1448	1396	5c6aa9597c5e55230fd300ff686336d5.exe	109
PID 1396 wrote to memory of 1448	1396	5c6aa9597c5e55230fd300ff686336d5.exe	109
PID 1396 wrote to memory of 1448	1396	5c6aa9597c5e55230fd300ff686336d5.exe	109
PID 1448 wrote to memory of 2312	1448	cmd.exe	110
PID 1448 wrote to memory of 2312	1448	cmd.exe	110
PID 1448 wrote to memory of 2312	1448	cmd.exe	110
PID 2312 wrote to memory of 1644	2312	net.exe	111
PID 2312 wrote to memory of 1644	2312	net.exe	111
PID 2312 wrote to memory of 1644	2312	net.exe	111
PID 1396 wrote to memory of 4076	1396	5c6aa9597c5e55230fd300ff686336d5.exe	112
PID 1396 wrote to memory of 4076	1396	5c6aa9597c5e55230fd300ff686336d5.exe	112
PID 1396 wrote to memory of 4076	1396	5c6aa9597c5e55230fd300ff686336d5.exe	112
PID 4076 wrote to memory of 3540	4076	cmd.exe	114
PID 4076 wrote to memory of 3540	4076	cmd.exe	114
PID 4076 wrote to memory of 3540	4076	cmd.exe	114
PID 3540 wrote to memory of 2928	3540	net.exe	115
PID 3540 wrote to memory of 2928	3540	net.exe	115
PID 3540 wrote to memory of 2928	3540	net.exe	115
PID 1396 wrote to memory of 3176	1396	5c6aa9597c5e55230fd300ff686336d5.exe	116
PID 1396 wrote to memory of 3176	1396	5c6aa9597c5e55230fd300ff686336d5.exe	116
PID 1396 wrote to memory of 3176	1396	5c6aa9597c5e55230fd300ff686336d5.exe	116
PID 3176 wrote to memory of 1772	3176	cmd.exe	118
PID 3176 wrote to memory of 1772	3176	cmd.exe	118
PID 3176 wrote to memory of 1772	3176	cmd.exe	118
PID 1396 wrote to memory of 3068	1396	5c6aa9597c5e55230fd300ff686336d5.exe	119
PID 1396 wrote to memory of 3068	1396	5c6aa9597c5e55230fd300ff686336d5.exe	119
PID 1396 wrote to memory of 3068	1396	5c6aa9597c5e55230fd300ff686336d5.exe	119
PID 3068 wrote to memory of 1236	3068	extext240647953t.exe	120
PID 3068 wrote to memory of 1236	3068	extext240647953t.exe	120
PID 3068 wrote to memory of 1236	3068	extext240647953t.exe	120
PID 1236 wrote to memory of 2588	1236	cmd.exe	122
PID 1236 wrote to memory of 2588	1236	cmd.exe	122
PID 1236 wrote to memory of 2588	1236	cmd.exe	122
PID 2588 wrote to memory of 1864	2588	net.exe	123
PID 2588 wrote to memory of 1864	2588	net.exe	123
PID 2588 wrote to memory of 1864	2588	net.exe	123
PID 3068 wrote to memory of 4776	3068	extext240647953t.exe	124
PID 3068 wrote to memory of 4776	3068	extext240647953t.exe	124
PID 3068 wrote to memory of 4776	3068	extext240647953t.exe	124
PID 4776 wrote to memory of 4212	4776	cmd.exe	126

C:\Users\Admin\AppData\Local\Temp\5c6aa9597c5e55230fd300ff686336d5.exe
"C:\Users\Admin\AppData\Local\Temp\5c6aa9597c5e55230fd300ff686336d5.exe"
1⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:3268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config ekrn start= disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2248
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill.exe /im ekrn.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /im ekrn.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3180
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill.exe /im egui.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /im egui.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4380
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\tete240643625t.dll testall
  2⤵
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4252
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wscsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\SysWOW64\net.exe
    net stop wscsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wscsvc
      4⤵
      PID:1644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3540
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:2928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config sharedaccess start= disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\SysWOW64\sc.exe
    sc config sharedaccess start= disabled
    3⤵
    - Launches sc.exe
    PID:1772
- C:\Windows\extext240647953t.exe
  C:\Windows\extext240647953t.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net stop wscsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1236
  - - C:\Windows\SysWOW64\net.exe
      net stop wscsvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop wscsvc
        5⤵
        
        PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net stop SharedAccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Windows\SysWOW64\net.exe
      net stop SharedAccess
      4⤵
      PID:4212
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        5⤵
        
        PID:220
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc config sharedaccess start= disabled
    3⤵
    PID:3452
  - - C:\Windows\SysWOW64\sc.exe
      sc config sharedaccess start= disabled
      4⤵
      Launches sc.exe
      PID:5080
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
    3⤵
    PID:1432
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
      4⤵
      PID:464
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cacls C:\Windows\system32 /e /p everyone:f
    3⤵
    PID:1732
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\system32 /e /p everyone:f
      4⤵
      PID:2564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c afc90a.bat
  2⤵
  PID:4928

C:\Windows\SysWOW64\sc.exe
sc config ekrn start= disabled
1⤵
- Launches sc.exe
PID:224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\afc90a.bat

Filesize
2KB

MD5
95369592b488037a69111c9b3c7a8424

SHA1
a8f191e013c5e81ae1c4da596d967ea93fe6a2c5

SHA256
09e662aea466d8ec2b18e414085e0ab86313b632f342ea290f8a07e17dd4c41d

SHA512
9a62af630aaa0de081e3c1ba68b669cf94cc48d244d726d9ee5335272b16c21ed7390b770823f3c549830f75e4dcc0c34b99aeca7643752bb90dccc838c63610

Download Submit
C:\Windows\extext240647953t.exe

Filesize
10KB

MD5
973806259fdac708a1b92089a54675f8

SHA1
99fe99b1810dfae64d1b014927607a77d8383c16

SHA256
834450311e20086974ba80854180fdce4c2b8beb98c1c407a30dec3a8126c96c

SHA512
2da4491bd928b4c071acc311c2b05e63241a173eb1050cf0fe51799279d5bf9a268a8235aa822b8f053185d6cd7f8dba9317eb93322a8576586fd2542f1b9f80

Download Submit
C:\Windows\tete240643625t.dll

Filesize
36KB

MD5
2c4156b222b22d48b9fad49d051d1a99

SHA1
c7ba5cd859de1c79573e4792d8830558f24f7315

SHA256
f9a62f276e8e5b3cf492ae60dbf363cd9e53a0be46a88a8c3dfe62ad0508edac

SHA512
a5748948cf104cf3460c5d08bd55125af2d1f2d6d6ca494d756c00c54a8871aee8e6864bd673aa76104c1e8ed273fa9c5f4969ae39017ae84be3f74b5d6e6c31

Download Submit
F:\recycle.{645FF040-5081-101B-9F08-00AA002F954E}\rav32.exe

Filesize
64KB

MD5
5c6aa9597c5e55230fd300ff686336d5

SHA1
2844419bf1e42db371927ea21dc3f5741062a134

SHA256
79f396d4f64eee0c40b1ac582735492b1fb5cbb7c25afe80c43d8dce52fe8445

SHA512
435dca4c31f3e3fb7b8256c6254f0be788bcc7f78278576d06a64166b29d45f8bf9a3113a77929a18e5b99304c10a9063f3d011ee0b09172884970a3389a4b98

Download Submit
memory/1396-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1396-1-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1396-23-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1396-39-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download