8e40e5d864f3975506f64dac8cc926eb55e43b8ed118d302221e49c3b542a862

Analysis

max time kernel
147s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Size

30KB
MD5

0d0c6bd947ec1b70a1a356bbd9a846d4
SHA1

d2603c024136fec692b3dae4616bdb0941a545ab
SHA256

8e40e5d864f3975506f64dac8cc926eb55e43b8ed118d302221e49c3b542a862
SHA512

f1923398e85e04a06ee5d8ab6436891ee386038efae7d85f05e95598832460b119803fca88d9ba38f6119d50cef3f2b978145dde2366226bcf77ac13100fadca
SSDEEP

768:4JFdv+H9bIclkUW3FG+ihLSnRtAGNii4GNGO+eJl5:4fIH9b+UW3MfwAwLGO+e75

Score

8^/10

evasion persistence

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAV.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRun.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravservice.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsMain.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRun.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonxp.KXP	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ast.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPC32.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ast.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTray.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonxp.KXP\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mmsk.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAV.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravservice.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVTRAY.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.EXE	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTray.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.KXP\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	0d0c6bd947ec1b70a1a356bbd9a846d4.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\sipxsl\ImagePath = "\\??\\C:\\Windows\\Fonts\\sipxsl.fon"	rundll32.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
2944	avpp.pif

Loads dropped DLL 7 IoCs

pid	Process
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
2704	rundll32.exe
2704	rundll32.exe
2704	rundll32.exe
2704	rundll32.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dllcache\linkinfo.dll	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
File created	C:\Windows\SysWOW64\psp.ini	0d0c6bd947ec1b70a1a356bbd9a846d4.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\avpp.pif	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
File opened for modification	C:\Program Files\avpp.pif	0d0c6bd947ec1b70a1a356bbd9a846d4.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\sipxsl.fon	rundll32.exe
File created	C:\Windows\fonts\fangdapp.sys	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
File created	C:\Windows\fonts\naks.sys	0d0c6bd947ec1b70a1a356bbd9a846d4.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
268	sc.exe
2832	sc.exe
2888	sc.exe
2756	sc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
2944	avpp.pif
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
2704	rundll32.exe
468	Process not Found
468	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe
Token: SeDebugPrivilege	3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2944	3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe	28
PID 3060 wrote to memory of 2944	3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe	28
PID 3060 wrote to memory of 2944	3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe	28
PID 3060 wrote to memory of 2944	3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe	28
PID 2944 wrote to memory of 2848	2944	avpp.pif	29
PID 2944 wrote to memory of 2848	2944	avpp.pif	29
PID 2944 wrote to memory of 2848	2944	avpp.pif	29
PID 2944 wrote to memory of 2848	2944	avpp.pif	29
PID 2848 wrote to memory of 2704	2848	cmd.exe	31
PID 2848 wrote to memory of 2704	2848	cmd.exe	31
PID 2848 wrote to memory of 2704	2848	cmd.exe	31
PID 2848 wrote to memory of 2704	2848	cmd.exe	31
PID 2848 wrote to memory of 2704	2848	cmd.exe	31
PID 2848 wrote to memory of 2704	2848	cmd.exe	31
PID 2848 wrote to memory of 2704	2848	cmd.exe	31
PID 3060 wrote to memory of 1032	3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe	32
PID 3060 wrote to memory of 1032	3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe	32
PID 3060 wrote to memory of 1032	3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe	32
PID 3060 wrote to memory of 1032	3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe	32
PID 3060 wrote to memory of 2544	3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe	34
PID 3060 wrote to memory of 2544	3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe	34
PID 3060 wrote to memory of 2544	3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe	34
PID 3060 wrote to memory of 2544	3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe	34
PID 3060 wrote to memory of 1312	3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe	36
PID 3060 wrote to memory of 1312	3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe	36
PID 3060 wrote to memory of 1312	3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe	36
PID 3060 wrote to memory of 1312	3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe	36
PID 2544 wrote to memory of 268	2544	cmd.exe	38
PID 2544 wrote to memory of 268	2544	cmd.exe	38
PID 2544 wrote to memory of 268	2544	cmd.exe	38
PID 2544 wrote to memory of 268	2544	cmd.exe	38
PID 3060 wrote to memory of 464	3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe	37
PID 3060 wrote to memory of 464	3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe	37
PID 3060 wrote to memory of 464	3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe	37
PID 3060 wrote to memory of 464	3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe	37
PID 3060 wrote to memory of 1020	3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe	39
PID 3060 wrote to memory of 1020	3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe	39
PID 3060 wrote to memory of 1020	3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe	39
PID 3060 wrote to memory of 1020	3060	0d0c6bd947ec1b70a1a356bbd9a846d4.exe	39
PID 1032 wrote to memory of 1472	1032	cmd.exe	40
PID 1032 wrote to memory of 1472	1032	cmd.exe	40
PID 1032 wrote to memory of 1472	1032	cmd.exe	40
PID 1032 wrote to memory of 1472	1032	cmd.exe	40
PID 1312 wrote to memory of 2832	1312	cmd.exe	45
PID 1312 wrote to memory of 2832	1312	cmd.exe	45
PID 1312 wrote to memory of 2832	1312	cmd.exe	45
PID 1312 wrote to memory of 2832	1312	cmd.exe	45
PID 1020 wrote to memory of 2756	1020	cmd.exe	47
PID 1020 wrote to memory of 2756	1020	cmd.exe	47
PID 1020 wrote to memory of 2756	1020	cmd.exe	47
PID 1020 wrote to memory of 2756	1020	cmd.exe	47
PID 464 wrote to memory of 2888	464	cmd.exe	46
PID 464 wrote to memory of 2888	464	cmd.exe	46
PID 464 wrote to memory of 2888	464	cmd.exe	46
PID 464 wrote to memory of 2888	464	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\0d0c6bd947ec1b70a1a356bbd9a846d4.exe
"C:\Users\Admin\AppData\Local\Temp\0d0c6bd947ec1b70a1a356bbd9a846d4.exe"
1⤵
- Sets file execution options in registry
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Program Files\avpp.pif
  "C:\Program Files\avpp.pif"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rundll32 Runt.dll,RundllTest
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 Runt.dll,RundllTest
      4⤵
      Sets service image path in registry
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious behavior: LoadsDriver
      PID:2704
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net1 start server
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\SysWOW64\net1.exe
    net1 start server
    3⤵
    PID:1472
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c sc delete RavCCenter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\SysWOW64\sc.exe
    sc delete RavCCenter
    3⤵
    - Launches sc.exe
    PID:268
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c sc delete RsScanSrv
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\SysWOW64\sc.exe
    sc delete RsScanSrv
    3⤵
    - Launches sc.exe
    PID:2832
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c sc delete RavTask
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Windows\SysWOW64\sc.exe
    sc delete RavTask
    3⤵
    - Launches sc.exe
    PID:2888
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c sc delete RsRavMon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Windows\SysWOW64\sc.exe
    sc delete RsRavMon
    3⤵
    - Launches sc.exe
    PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\avpp.pif

Filesize
8KB

MD5
d874e0abe7608f3af802df26be1f35a0

SHA1
720de6f1c1617a4d886f6e2cb9e6a739658a7569

SHA256
8ff4959c30f3abf65f150e133840ff32d20be16e840f9db7a0682ca47aecf93d

SHA512
c4c17cddbeba4be47927772c8a4cc616b702f53b8dda80ee8a9db75ae0e37871a3b3ff98bb12b8e3de8ab6def8072393871d82d3ecd0164429d5b7b924d4eea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runt.dll

Filesize
7KB

MD5
9348f8390c2dd2d8e6f3bbdf80208c19

SHA1
a648947f16261821c7da0c5080ea617cfd241e3d

SHA256
5030d4ef9ad976109abcab889db482ce107993bd05946b8863df152a9d98daf9

SHA512
a9139622b07769d0c13bc06713f6b310a448d8d0a1f207f4574d9d1e6678b7e570dd05342782c58d6af013523cdd81e18d76b09b04b8555c840eb3f645dfc227

Download Submit
\Users\Admin\AppData\Local\Temp\dllD5D5.tmp

Filesize
12KB

MD5
7af2ec55554e0f82b6119147e9e0d586

SHA1
42d978c115c0259e76b5b53159e8b5062b858896

SHA256
4a401f98f7ec31be66b621046eeb534defbe6659cd22fe91a7895add279dbd19

SHA512
86ddfa67d6c1b292fd9f7e7c26778c982b0f9041719df3cb3cc23ca5dbfe875d17eba9a22b6fdeb3ca1eeb0ce7ccb9682db876b39a7ea515a1485c081945c18f

Download Submit
memory/2704-20-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2944-13-0x0000000013140000-0x0000000013143000-memory.dmp

Filesize
12KB

Download
memory/3060-10-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/3060-0-0x0000000013140000-0x000000001314F000-memory.dmp

Filesize
60KB

Download
memory/3060-23-0x0000000013140000-0x000000001314F000-memory.dmp

Filesize
60KB

Download
memory/3060-33-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/3060-32-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/3060-12-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/3060-36-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/3060-41-0x0000000013140000-0x000000001314F000-memory.dmp

Filesize
60KB

Download
memory/3060-53-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download