10610c3fc548a44290ec4ea10b56697b048b13b8623cc8a54c63b8662f57ad22

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4455857cfdff1e4bdc45b298ab8cd147.exe
Size

127KB
MD5

4455857cfdff1e4bdc45b298ab8cd147
SHA1

4a6ad6272c7e2f8be8536352174ad8c3da8cfbc7
SHA256

10610c3fc548a44290ec4ea10b56697b048b13b8623cc8a54c63b8662f57ad22
SHA512

7915486b2db98cafd6c3c1fd3c5b5c4177b4e666a53cb420a43f02593f7bfd6666fcc2f497d1ae8a7a2eb1bbe44b19149684849136806434f0fbed183136cdf3
SSDEEP

3072:1Eya3SGkz1E0KbTM6+9cP4eNTQh7M+uk+:1RaZcW69um79uk

Score

10^/10

persistence upx vmprotect

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\Userinit.exe,C:\\Program Files\\Common Files\\System\\secuers32.exe"	4455857cfdff1e4bdc45b298ab8cd147.exe

Executes dropped EXE 7 IoCs

pid	Process
2752	KNLPS.EXE
1252	KNLPS.EXE
2336	KNLPS.EXE
1900	server32.exe
1696	secuers32.exe
2648	KNLPS.EXE
2492	KNLPS.EXE

Loads dropped DLL 4 IoCs

pid	Process
1868	4455857cfdff1e4bdc45b298ab8cd147.exe
1868	4455857cfdff1e4bdc45b298ab8cd147.exe
1868	4455857cfdff1e4bdc45b298ab8cd147.exe
1868	4455857cfdff1e4bdc45b298ab8cd147.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1868-0-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1868-9-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/files/0x0006000000005a5a-40.dat	upx
behavioral1/memory/1868-54-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1868-48-0x0000000002150000-0x00000000021A2000-memory.dmp	upx
behavioral1/memory/1900-58-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1696-57-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1900-75-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1696-74-0x0000000000400000-0x0000000000452000-memory.dmp	upx

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000b0000000122f0-17.dat	vmprotect

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\secuers32.exe	4455857cfdff1e4bdc45b298ab8cd147.exe
File opened for modification	C:\Program Files\Common Files\System\secuers32.exe	4455857cfdff1e4bdc45b298ab8cd147.exe
File created	C:\Program Files\Common Files\System\server32.exe	4455857cfdff1e4bdc45b298ab8cd147.exe
File opened for modification	C:\Program Files\Common Files\System\server32.exe	4455857cfdff1e4bdc45b298ab8cd147.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: LoadsDriver 5 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	1868	4455857cfdff1e4bdc45b298ab8cd147.exe
Token: SeSystemtimePrivilege	1696	secuers32.exe
Token: SeSystemtimePrivilege	1900	server32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1868	4455857cfdff1e4bdc45b298ab8cd147.exe
1696	secuers32.exe
1900	server32.exe
1696	secuers32.exe
1900	server32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 2588	1868	4455857cfdff1e4bdc45b298ab8cd147.exe	28
PID 1868 wrote to memory of 2588	1868	4455857cfdff1e4bdc45b298ab8cd147.exe	28
PID 1868 wrote to memory of 2588	1868	4455857cfdff1e4bdc45b298ab8cd147.exe	28
PID 1868 wrote to memory of 2588	1868	4455857cfdff1e4bdc45b298ab8cd147.exe	28
PID 2588 wrote to memory of 2716	2588	WScript.exe	29
PID 2588 wrote to memory of 2716	2588	WScript.exe	29
PID 2588 wrote to memory of 2716	2588	WScript.exe	29
PID 2588 wrote to memory of 2716	2588	WScript.exe	29
PID 2716 wrote to memory of 2752	2716	cmd.exe	31
PID 2716 wrote to memory of 2752	2716	cmd.exe	31
PID 2716 wrote to memory of 2752	2716	cmd.exe	31
PID 2716 wrote to memory of 2752	2716	cmd.exe	31
PID 2716 wrote to memory of 2484	2716	cmd.exe	32
PID 2716 wrote to memory of 2484	2716	cmd.exe	32
PID 2716 wrote to memory of 2484	2716	cmd.exe	32
PID 2716 wrote to memory of 2484	2716	cmd.exe	32
PID 2716 wrote to memory of 2436	2716	cmd.exe	33
PID 2716 wrote to memory of 2436	2716	cmd.exe	33
PID 2716 wrote to memory of 2436	2716	cmd.exe	33
PID 2716 wrote to memory of 2436	2716	cmd.exe	33
PID 2716 wrote to memory of 2432	2716	cmd.exe	34
PID 2716 wrote to memory of 2432	2716	cmd.exe	34
PID 2716 wrote to memory of 2432	2716	cmd.exe	34
PID 2716 wrote to memory of 2432	2716	cmd.exe	34
PID 2716 wrote to memory of 2452	2716	cmd.exe	35
PID 2716 wrote to memory of 2452	2716	cmd.exe	35
PID 2716 wrote to memory of 2452	2716	cmd.exe	35
PID 2716 wrote to memory of 2452	2716	cmd.exe	35
PID 2716 wrote to memory of 2500	2716	cmd.exe	36
PID 2716 wrote to memory of 2500	2716	cmd.exe	36
PID 2716 wrote to memory of 2500	2716	cmd.exe	36
PID 2716 wrote to memory of 2500	2716	cmd.exe	36
PID 2716 wrote to memory of 2512	2716	cmd.exe	37
PID 2716 wrote to memory of 2512	2716	cmd.exe	37
PID 2716 wrote to memory of 2512	2716	cmd.exe	37
PID 2716 wrote to memory of 2512	2716	cmd.exe	37
PID 2716 wrote to memory of 1468	2716	cmd.exe	38
PID 2716 wrote to memory of 1468	2716	cmd.exe	38
PID 2716 wrote to memory of 1468	2716	cmd.exe	38
PID 2716 wrote to memory of 1468	2716	cmd.exe	38
PID 2716 wrote to memory of 2760	2716	cmd.exe	39
PID 2716 wrote to memory of 2760	2716	cmd.exe	39
PID 2716 wrote to memory of 2760	2716	cmd.exe	39
PID 2716 wrote to memory of 2760	2716	cmd.exe	39
PID 2716 wrote to memory of 2764	2716	cmd.exe	40
PID 2716 wrote to memory of 2764	2716	cmd.exe	40
PID 2716 wrote to memory of 2764	2716	cmd.exe	40
PID 2716 wrote to memory of 2764	2716	cmd.exe	40
PID 2716 wrote to memory of 2896	2716	cmd.exe	41
PID 2716 wrote to memory of 2896	2716	cmd.exe	41
PID 2716 wrote to memory of 2896	2716	cmd.exe	41
PID 2716 wrote to memory of 2896	2716	cmd.exe	41
PID 2716 wrote to memory of 2972	2716	cmd.exe	42
PID 2716 wrote to memory of 2972	2716	cmd.exe	42
PID 2716 wrote to memory of 2972	2716	cmd.exe	42
PID 2716 wrote to memory of 2972	2716	cmd.exe	42
PID 2716 wrote to memory of 3048	2716	cmd.exe	43
PID 2716 wrote to memory of 3048	2716	cmd.exe	43
PID 2716 wrote to memory of 3048	2716	cmd.exe	43
PID 2716 wrote to memory of 3048	2716	cmd.exe	43
PID 2716 wrote to memory of 3064	2716	cmd.exe	44
PID 2716 wrote to memory of 3064	2716	cmd.exe	44
PID 2716 wrote to memory of 3064	2716	cmd.exe	44
PID 2716 wrote to memory of 3064	2716	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\4455857cfdff1e4bdc45b298ab8cd147.exe
"C:\Users\Admin\AppData\Local\Temp\4455857cfdff1e4bdc45b298ab8cd147.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\MSSHELL.VBS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\misec.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - \??\c:\KNLPS.EXE
      c:\KNLPS.EXE -l
      4⤵
      Executes dropped EXE
      PID:2752
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "Ravmon.exe" c:\listpid.sys
      4⤵
      PID:2484
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "RavmonD.exe" c:\listpid.sys
      4⤵
      PID:2436
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "CCenter.exe" c:\listpid.sys
      4⤵
      PID:2432
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "360Safe.exe" c:\listpid.sys
      4⤵
      PID:2452
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "360Tray.exe" c:\listpid.sys
      4⤵
      PID:2500
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "avp.exe" c:\listpid.sys
      4⤵
      PID:2512
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "rfwmain.exe" c:\listpid.sys
      4⤵
      PID:1468
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kavstart.exe" c:\listpid.sys
      4⤵
      PID:2760
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kwatch.exe" c:\listpid.sys
      4⤵
      PID:2764
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kasmain.exe" c:\listpid.sys
      4⤵
      PID:2896
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kissvc.exe" c:\listpid.sys
      4⤵
      PID:2972
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "rfwsrv.exe" c:\listpid.sys
      4⤵
      PID:3048
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "KPfwSvc.EXE" c:\listpid.sys
      4⤵
      PID:3064
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "KPfw32.EXE" c:\listpid.sys
      4⤵
      PID:1740
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "ravtask.EXE" c:\listpid.sys
      4⤵
      PID:2916
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "ravstub.EXE" c:\listpid.sys
      4⤵
      PID:2204
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "KPfwSvc.EXE" c:\listpid.sys
      4⤵
      PID:320
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvsrvxp.EXE" c:\listpid.sys
      4⤵
      PID:764
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvxp.kxp" c:\listpid.sys
      4⤵
      PID:1984
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "rav.exe" c:\listpid.sys
      4⤵
      PID:2168
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "scan32.exe" c:\listpid.sys
      4⤵
      PID:1544
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvmonxp.kxp" c:\listpid.sys
      4⤵
      PID:1756
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvsrvxp.exe" c:\listpid.sys
      4⤵
      PID:856
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvcenter.kxp" c:\listpid.sys
      4⤵
      PID:2176
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "avp.exe" c:\listpid.sys
      4⤵
      PID:2364
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvol.exe" c:\listpid.sys
      4⤵
      PID:1600
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\MSSHELL.VBS"
  2⤵
  PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\misec.bat" "
    3⤵
    PID:1588
  - - \??\c:\KNLPS.EXE
      c:\KNLPS.EXE -l
      4⤵
      Executes dropped EXE
      PID:1252
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "Ravmon.exe" c:\listpid.sys
      4⤵
      PID:1356
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "RavmonD.exe" c:\listpid.sys
      4⤵
      PID:1592
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "CCenter.exe" c:\listpid.sys
      4⤵
      PID:2036
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "360Safe.exe" c:\listpid.sys
      4⤵
      PID:1264
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "360Tray.exe" c:\listpid.sys
      4⤵
      PID:2028
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "avp.exe" c:\listpid.sys
      4⤵
      PID:1044
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "rfwmain.exe" c:\listpid.sys
      4⤵
      PID:1184
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kavstart.exe" c:\listpid.sys
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kwatch.exe" c:\listpid.sys
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kasmain.exe" c:\listpid.sys
      4⤵
      PID:1228
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kissvc.exe" c:\listpid.sys
      4⤵
      PID:2528
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "rfwsrv.exe" c:\listpid.sys
      4⤵
      PID:852
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "KPfwSvc.EXE" c:\listpid.sys
      4⤵
      PID:2708
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "KPfw32.EXE" c:\listpid.sys
      4⤵
      PID:1224
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "ravtask.EXE" c:\listpid.sys
      4⤵
      PID:1152
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "ravstub.EXE" c:\listpid.sys
      4⤵
      PID:1244
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "KPfwSvc.EXE" c:\listpid.sys
      4⤵
      PID:2476
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvsrvxp.EXE" c:\listpid.sys
      4⤵
      PID:2808
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvxp.kxp" c:\listpid.sys
      4⤵
      PID:2788
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "rav.exe" c:\listpid.sys
      4⤵
      PID:2800
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "scan32.exe" c:\listpid.sys
      4⤵
      PID:2704
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvmonxp.kxp" c:\listpid.sys
      4⤵
      PID:2712
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvsrvxp.exe" c:\listpid.sys
      4⤵
      PID:1980
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvcenter.kxp" c:\listpid.sys
      4⤵
      PID:2908
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "avp.exe" c:\listpid.sys
      4⤵
      PID:2912
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvol.exe" c:\listpid.sys
      4⤵
      PID:2768
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\MSSHELL.VBS"
  2⤵
  PID:544
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\misec.bat" "
    3⤵
    PID:1788
  - - \??\c:\KNLPS.EXE
      c:\KNLPS.EXE -l
      4⤵
      Executes dropped EXE
      PID:2336
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "Ravmon.exe" c:\listpid.sys
      4⤵
      PID:1656
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "RavmonD.exe" c:\listpid.sys
      4⤵
      PID:1724
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "CCenter.exe" c:\listpid.sys
      4⤵
      PID:2128
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "360Safe.exe" c:\listpid.sys
      4⤵
      PID:1976
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "360Tray.exe" c:\listpid.sys
      4⤵
      PID:2136
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "avp.exe" c:\listpid.sys
      4⤵
      PID:1676
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "rfwmain.exe" c:\listpid.sys
      4⤵
      PID:1284
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kavstart.exe" c:\listpid.sys
      4⤵
      PID:840
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kwatch.exe" c:\listpid.sys
      4⤵
      PID:1860
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kasmain.exe" c:\listpid.sys
      4⤵
      PID:2276
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kissvc.exe" c:\listpid.sys
      4⤵
      PID:1688
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "rfwsrv.exe" c:\listpid.sys
      4⤵
      PID:1880
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "KPfwSvc.EXE" c:\listpid.sys
      4⤵
      PID:972
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "KPfw32.EXE" c:\listpid.sys
      4⤵
      PID:112
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "ravtask.EXE" c:\listpid.sys
      4⤵
      PID:800
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "ravstub.EXE" c:\listpid.sys
      4⤵
      PID:2416
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "KPfwSvc.EXE" c:\listpid.sys
      4⤵
      PID:808
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvsrvxp.EXE" c:\listpid.sys
      4⤵
      PID:1764
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvxp.kxp" c:\listpid.sys
      4⤵
      PID:796
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "rav.exe" c:\listpid.sys
      4⤵
      PID:952
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "scan32.exe" c:\listpid.sys
      4⤵
      PID:916
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvmonxp.kxp" c:\listpid.sys
      4⤵
      PID:2156
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvsrvxp.exe" c:\listpid.sys
      4⤵
      PID:876
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvcenter.kxp" c:\listpid.sys
      4⤵
      PID:2848
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "avp.exe" c:\listpid.sys
      4⤵
      PID:1220
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvol.exe" c:\listpid.sys
      4⤵
      PID:2240
- C:\Program Files\Common Files\System\secuers32.exe
  "C:\Program Files\Common Files\System\secuers32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1696
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\MSSHELL.VBS"
    3⤵
    PID:1188
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\misec.bat" "
      4⤵
      PID:2876
- C:\Program Files\Common Files\System\server32.exe
  "C:\Program Files\Common Files\System\server32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1900
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\MSSHELL.VBS"
    3⤵
    PID:2520
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\misec.bat" "
      4⤵
      PID:2776

C:\Windows\SysWOW64\findstr.exe
findstr /i "CCenter.exe" c:\listpid.sys
1⤵
PID:2232

C:\Windows\SysWOW64\findstr.exe
findstr /i "kvxp.kxp" c:\listpid.sys
1⤵
PID:2760

C:\Windows\SysWOW64\findstr.exe
findstr /i "kvcenter.kxp" c:\listpid.sys
1⤵
PID:3064

C:\Windows\SysWOW64\findstr.exe
findstr /i "kvol.exe" c:\listpid.sys
1⤵
PID:2388

C:\Windows\SysWOW64\findstr.exe
findstr /i "avp.exe" c:\listpid.sys
1⤵
PID:2236

C:\Windows\SysWOW64\findstr.exe
findstr /i "kvsrvxp.exe" c:\listpid.sys
1⤵
PID:2900

C:\Windows\SysWOW64\findstr.exe
findstr /i "kvmonxp.kxp" c:\listpid.sys
1⤵
PID:3056

C:\Windows\SysWOW64\findstr.exe
findstr /i "scan32.exe" c:\listpid.sys
1⤵
PID:2896

C:\Windows\SysWOW64\findstr.exe
findstr /i "rav.exe" c:\listpid.sys
1⤵
PID:2764

C:\Windows\SysWOW64\findstr.exe
findstr /i "KPfwSvc.EXE" c:\listpid.sys
1⤵
PID:1468

C:\Windows\SysWOW64\findstr.exe
findstr /i "RavmonD.exe" c:\listpid.sys
1⤵
PID:2512

C:\Windows\SysWOW64\findstr.exe
findstr /i "360Safe.exe" c:\listpid.sys
1⤵
PID:2456

\??\c:\KNLPS.EXE
c:\KNLPS.EXE -l
1⤵
- Executes dropped EXE
PID:2492

C:\Windows\SysWOW64\findstr.exe
findstr /i "RavmonD.exe" c:\listpid.sys
1⤵
PID:2672

C:\Windows\SysWOW64\findstr.exe
findstr /i "Ravmon.exe" c:\listpid.sys
1⤵
PID:2600

\??\c:\KNLPS.EXE
c:\KNLPS.EXE -l
1⤵
- Executes dropped EXE
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSSHELL.VBS

Filesize
71B

MD5
1311bbedaa0d934eaed1b7424ad9bec8

SHA1
39f84f577f51c121fed67bb7c108159fadfe5b6c

SHA256
2be12ec85010289d1dd9c5fe74ed7cd340ccb995d937e91ded754b76281ae882

SHA512
9d165f6def00a0f8852159e0b7cc62581ff647577748be7f77c2a60c4e7b16a0d00f929fa92fa4c47645e2f4d6158726af76c11788121e35799018e190aff19a

Download Submit
C:\knlps.sys

Filesize
7KB

MD5
994ebf9f717cbf9e7c066879402b67d9

SHA1
e73ecd01475acd135378e9c40c0cda8a6bf33d67

SHA256
181e3306caf5b77776b5a4a60f351ee017e6184de1394d666230b67249e9ca0d

SHA512
83bb065ffc8fe6ed4b287041d8f3b5798f998959eb7e9b0988d12a551e9e02180e8853c2079d1e444fcfa6eaa2b3ecc2523f4d9a91f9702de72be1818fc8bb40

Download Submit
C:\misec.bat

Filesize
1KB

MD5
4c582825358621118b4e4bf4fbb5bc30

SHA1
3bde3348c1440dd78892bbedbf6850480eb6e5ee

SHA256
e13b237f453582faa778648c41d41a8df7c35880afc49c4ebd7dc1b431481e4d

SHA512
9c420f886a1cf05a8ed776f86f1fb3f750d76e60c31d27e66ee9031158e9a065c0ec6509d867e4e7787192404b25f3e8db1a7df267e2dcb6aa0d838b9630bac8

Download Submit
\??\c:\KNLPS.EXE

Filesize
56KB

MD5
70ab8f4b1bc6b9e00e970b74e7e4c203

SHA1
eaed6dff7188f565f172e469d56ac92ff4d299b4

SHA256
bb3d8b238e20508cd7d728299b9f696146d751fae33ae2eca074e88537cc6d6d

SHA512
24ce7c6c1f64a601aa7f8cf71bb3d0be60fcb4fb05b15effe92dbde13f4e1a70c5fd6e227ff2be3bf39fb888916fd8a9e7cc8770563ed77d155613c3ee011317

Download Submit
\??\c:\listpid.sys

Filesize
262B

MD5
77c905d328d8dfbb460faa12bf08e01e

SHA1
f714453198c25613fa42a7e2a6df6b3c7e620b22

SHA256
a024df62a121cb63b4c733e7250953013bc76bbe547e0fd7543826ea45fc2409

SHA512
a384b18d1ca2ec46e01085a64f07970657b00b192d1789624d74e9f38f08c7e63d808dc00bb4f5cf7692c006eb77934d4442626f8c68a3a03bec7e90d1cf1fc8

Download Submit
\Program Files\Common Files\System\secuers32.exe

Filesize
127KB

MD5
4455857cfdff1e4bdc45b298ab8cd147

SHA1
4a6ad6272c7e2f8be8536352174ad8c3da8cfbc7

SHA256
10610c3fc548a44290ec4ea10b56697b048b13b8623cc8a54c63b8662f57ad22

SHA512
7915486b2db98cafd6c3c1fd3c5b5c4177b4e666a53cb420a43f02593f7bfd6666fcc2f497d1ae8a7a2eb1bbe44b19149684849136806434f0fbed183136cdf3

Download Submit
memory/1252-24-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1696-57-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1696-74-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1788-29-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1868-48-0x0000000002150000-0x00000000021A2000-memory.dmp

Filesize
328KB

Download
memory/1868-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1868-9-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1868-54-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1868-56-0x0000000002150000-0x00000000021A2000-memory.dmp

Filesize
328KB

Download
memory/1900-58-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1900-75-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2336-31-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2492-69-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2492-68-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2648-62-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2648-63-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2716-14-0x0000000000130000-0x000000000013E000-memory.dmp

Filesize
56KB

Download
memory/2752-18-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2776-67-0x00000000001D0000-0x00000000001DE000-memory.dmp

Filesize
56KB

Download
memory/2876-61-0x00000000000C0000-0x00000000000CE000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads