10610c3fc548a44290ec4ea10b56697b048b13b8623cc8a54c63b8662f57ad22

Analysis

max time kernel
150s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2024, 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4455857cfdff1e4bdc45b298ab8cd147.exe
Size

127KB
MD5

4455857cfdff1e4bdc45b298ab8cd147
SHA1

4a6ad6272c7e2f8be8536352174ad8c3da8cfbc7
SHA256

10610c3fc548a44290ec4ea10b56697b048b13b8623cc8a54c63b8662f57ad22
SHA512

7915486b2db98cafd6c3c1fd3c5b5c4177b4e666a53cb420a43f02593f7bfd6666fcc2f497d1ae8a7a2eb1bbe44b19149684849136806434f0fbed183136cdf3
SSDEEP

3072:1Eya3SGkz1E0KbTM6+9cP4eNTQh7M+uk+:1RaZcW69um79uk

Score

10^/10

persistence upx vmprotect

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\Userinit.exe,C:\\Program Files\\Common Files\\System\\secuers32.exe"	4455857cfdff1e4bdc45b298ab8cd147.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	4455857cfdff1e4bdc45b298ab8cd147.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	server32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	secuers32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
4620	KNLPS.EXE
2540	KNLPS.EXE
3724	KNLPS.EXE
4124	secuers32.exe
3032	server32.exe
948	KNLPS.EXE

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3516-0-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/3516-9-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/files/0x000800000002322c-42.dat	upx
behavioral2/memory/3516-47-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/3032-49-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/4124-48-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/4124-57-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/3032-58-0x0000000000400000-0x0000000000452000-memory.dmp	upx

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x00090000000231f6-17.dat	vmprotect

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\secuers32.exe	4455857cfdff1e4bdc45b298ab8cd147.exe
File opened for modification	C:\Program Files\Common Files\System\secuers32.exe	4455857cfdff1e4bdc45b298ab8cd147.exe
File created	C:\Program Files\Common Files\System\server32.exe	4455857cfdff1e4bdc45b298ab8cd147.exe
File opened for modification	C:\Program Files\Common Files\System\server32.exe	4455857cfdff1e4bdc45b298ab8cd147.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	4455857cfdff1e4bdc45b298ab8cd147.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	secuers32.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	server32.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	3516	4455857cfdff1e4bdc45b298ab8cd147.exe
Token: SeSystemtimePrivilege	4124	secuers32.exe
Token: SeSystemtimePrivilege	3032	server32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3516	4455857cfdff1e4bdc45b298ab8cd147.exe
4124	secuers32.exe
3032	server32.exe
4124	secuers32.exe
3032	server32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 5100	3516	4455857cfdff1e4bdc45b298ab8cd147.exe	98
PID 3516 wrote to memory of 5100	3516	4455857cfdff1e4bdc45b298ab8cd147.exe	98
PID 3516 wrote to memory of 5100	3516	4455857cfdff1e4bdc45b298ab8cd147.exe	98
PID 5100 wrote to memory of 2928	5100	WScript.exe	127
PID 5100 wrote to memory of 2928	5100	WScript.exe	127
PID 5100 wrote to memory of 2928	5100	WScript.exe	127
PID 2928 wrote to memory of 4620	2928	cmd.exe	125
PID 2928 wrote to memory of 4620	2928	cmd.exe	125
PID 2928 wrote to memory of 4620	2928	cmd.exe	125
PID 2928 wrote to memory of 3628	2928	cmd.exe	124
PID 2928 wrote to memory of 3628	2928	cmd.exe	124
PID 2928 wrote to memory of 3628	2928	cmd.exe	124
PID 2928 wrote to memory of 628	2928	cmd.exe	100
PID 2928 wrote to memory of 628	2928	cmd.exe	100
PID 2928 wrote to memory of 628	2928	cmd.exe	100
PID 2928 wrote to memory of 4836	2928	cmd.exe	99
PID 2928 wrote to memory of 4836	2928	cmd.exe	99
PID 2928 wrote to memory of 4836	2928	cmd.exe	99
PID 2928 wrote to memory of 4768	2928	cmd.exe	123
PID 2928 wrote to memory of 4768	2928	cmd.exe	123
PID 2928 wrote to memory of 4768	2928	cmd.exe	123
PID 2928 wrote to memory of 5008	2928	cmd.exe	122
PID 2928 wrote to memory of 5008	2928	cmd.exe	122
PID 2928 wrote to memory of 5008	2928	cmd.exe	122
PID 2928 wrote to memory of 3376	2928	cmd.exe	121
PID 2928 wrote to memory of 3376	2928	cmd.exe	121
PID 2928 wrote to memory of 3376	2928	cmd.exe	121
PID 2928 wrote to memory of 2328	2928	cmd.exe	120
PID 2928 wrote to memory of 2328	2928	cmd.exe	120
PID 2928 wrote to memory of 2328	2928	cmd.exe	120
PID 2928 wrote to memory of 2800	2928	cmd.exe	101
PID 2928 wrote to memory of 2800	2928	cmd.exe	101
PID 2928 wrote to memory of 2800	2928	cmd.exe	101
PID 2928 wrote to memory of 4148	2928	cmd.exe	119
PID 2928 wrote to memory of 4148	2928	cmd.exe	119
PID 2928 wrote to memory of 4148	2928	cmd.exe	119
PID 2928 wrote to memory of 2924	2928	cmd.exe	118
PID 2928 wrote to memory of 2924	2928	cmd.exe	118
PID 2928 wrote to memory of 2924	2928	cmd.exe	118
PID 2928 wrote to memory of 1108	2928	cmd.exe	117
PID 2928 wrote to memory of 1108	2928	cmd.exe	117
PID 2928 wrote to memory of 1108	2928	cmd.exe	117
PID 2928 wrote to memory of 980	2928	cmd.exe	103
PID 2928 wrote to memory of 980	2928	cmd.exe	103
PID 2928 wrote to memory of 980	2928	cmd.exe	103
PID 2928 wrote to memory of 4968	2928	cmd.exe	102
PID 2928 wrote to memory of 4968	2928	cmd.exe	102
PID 2928 wrote to memory of 4968	2928	cmd.exe	102
PID 2928 wrote to memory of 516	2928	cmd.exe	116
PID 2928 wrote to memory of 516	2928	cmd.exe	116
PID 2928 wrote to memory of 516	2928	cmd.exe	116
PID 2928 wrote to memory of 4852	2928	cmd.exe	115
PID 2928 wrote to memory of 4852	2928	cmd.exe	115
PID 2928 wrote to memory of 4852	2928	cmd.exe	115
PID 2928 wrote to memory of 3024	2928	cmd.exe	114
PID 2928 wrote to memory of 3024	2928	cmd.exe	114
PID 2928 wrote to memory of 3024	2928	cmd.exe	114
PID 2928 wrote to memory of 1680	2928	cmd.exe	113
PID 2928 wrote to memory of 1680	2928	cmd.exe	113
PID 2928 wrote to memory of 1680	2928	cmd.exe	113
PID 2928 wrote to memory of 2208	2928	cmd.exe	112
PID 2928 wrote to memory of 2208	2928	cmd.exe	112
PID 2928 wrote to memory of 2208	2928	cmd.exe	112
PID 2928 wrote to memory of 4428	2928	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\4455857cfdff1e4bdc45b298ab8cd147.exe
"C:\Users\Admin\AppData\Local\Temp\4455857cfdff1e4bdc45b298ab8cd147.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\MSSHELL.VBS"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\misec.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2928
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\MSSHELL.VBS"
  2⤵
  - Checks computer location settings
  PID:4108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\misec.bat" "
    3⤵
    PID:432
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "CCenter.exe" c:\listpid.sys
      4⤵
      PID:2916
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "360Safe.exe" c:\listpid.sys
      4⤵
      PID:2704
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "360Tray.exe" c:\listpid.sys
      4⤵
      PID:1220
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "avp.exe" c:\listpid.sys
      4⤵
      PID:4256
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "rfwmain.exe" c:\listpid.sys
      4⤵
      PID:2800
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kavstart.exe" c:\listpid.sys
      4⤵
      PID:4148
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kwatch.exe" c:\listpid.sys
      4⤵
      PID:528
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kasmain.exe" c:\listpid.sys
      4⤵
      PID:4844
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kissvc.exe" c:\listpid.sys
      4⤵
      PID:2552
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "rfwsrv.exe" c:\listpid.sys
      4⤵
      PID:4992
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "KPfwSvc.EXE" c:\listpid.sys
      4⤵
      PID:4040
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "KPfw32.EXE" c:\listpid.sys
      4⤵
      PID:736
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "ravtask.EXE" c:\listpid.sys
      4⤵
      PID:2248
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "ravstub.EXE" c:\listpid.sys
      4⤵
      PID:1892
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "KPfwSvc.EXE" c:\listpid.sys
      4⤵
      PID:4444
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvsrvxp.EXE" c:\listpid.sys
      4⤵
      PID:2160
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvxp.kxp" c:\listpid.sys
      4⤵
      PID:764
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "rav.exe" c:\listpid.sys
      4⤵
      PID:1580
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "scan32.exe" c:\listpid.sys
      4⤵
      PID:1324
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvmonxp.kxp" c:\listpid.sys
      4⤵
      PID:2808
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvsrvxp.exe" c:\listpid.sys
      4⤵
      PID:676
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvcenter.kxp" c:\listpid.sys
      4⤵
      PID:3764
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "avp.exe" c:\listpid.sys
      4⤵
      PID:5088
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvol.exe" c:\listpid.sys
      4⤵
      PID:4600
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\MSSHELL.VBS"
  2⤵
  - Checks computer location settings
  PID:3196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\misec.bat" "
    3⤵
    PID:3684
  - - \??\c:\KNLPS.EXE
      c:\KNLPS.EXE -l
      4⤵
      Executes dropped EXE
      PID:3724
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "Ravmon.exe" c:\listpid.sys
      4⤵
      PID:912
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "RavmonD.exe" c:\listpid.sys
      4⤵
      PID:3136
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "CCenter.exe" c:\listpid.sys
      4⤵
      PID:1692
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "360Safe.exe" c:\listpid.sys
      4⤵
      PID:5100
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "360Tray.exe" c:\listpid.sys
      4⤵
      PID:4932
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "avp.exe" c:\listpid.sys
      4⤵
      PID:4168
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "rfwmain.exe" c:\listpid.sys
      4⤵
      PID:4832
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kavstart.exe" c:\listpid.sys
      4⤵
      PID:4768
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kwatch.exe" c:\listpid.sys
      4⤵
      PID:3788
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kasmain.exe" c:\listpid.sys
      4⤵
      PID:2064
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kissvc.exe" c:\listpid.sys
      4⤵
      PID:3140
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "rfwsrv.exe" c:\listpid.sys
      4⤵
      PID:4568
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "KPfw32.EXE" c:\listpid.sys
      4⤵
      PID:2804
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "KPfwSvc.EXE" c:\listpid.sys
      4⤵
      PID:4608
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "ravtask.EXE" c:\listpid.sys
      4⤵
      PID:2924
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "ravstub.EXE" c:\listpid.sys
      4⤵
      PID:1108
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "KPfwSvc.EXE" c:\listpid.sys
      4⤵
      PID:4116
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvsrvxp.EXE" c:\listpid.sys
      4⤵
      PID:664
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvxp.kxp" c:\listpid.sys
      4⤵
      PID:980
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "rav.exe" c:\listpid.sys
      4⤵
      PID:636
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "scan32.exe" c:\listpid.sys
      4⤵
      PID:2436
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvmonxp.kxp" c:\listpid.sys
      4⤵
      PID:3024
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvsrvxp.exe" c:\listpid.sys
      4⤵
      PID:4676
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvcenter.kxp" c:\listpid.sys
      4⤵
      PID:1416
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "avp.exe" c:\listpid.sys
      4⤵
      PID:4416
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "kvol.exe" c:\listpid.sys
      4⤵
      PID:1460
- C:\Program Files\Common Files\System\secuers32.exe
  "C:\Program Files\Common Files\System\secuers32.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4124
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\MSSHELL.VBS"
    3⤵
    - Checks computer location settings
    PID:3196
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\misec.bat" "
      4⤵
      PID:1964
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "Ravmon.exe" c:\listpid.sys
        5⤵
        
        PID:3952
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "kasmain.exe" c:\listpid.sys
        5⤵
        
        PID:3964
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "kissvc.exe" c:\listpid.sys
        5⤵
        
        PID:4468
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "rfwsrv.exe" c:\listpid.sys
        5⤵
        
        PID:3788
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "KPfwSvc.EXE" c:\listpid.sys
        5⤵
        
        PID:2064
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "KPfw32.EXE" c:\listpid.sys
        5⤵
        
        PID:3140
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "ravtask.EXE" c:\listpid.sys
        5⤵
        
        PID:2800
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "ravstub.EXE" c:\listpid.sys
        5⤵
        
        PID:4568
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "KPfwSvc.EXE" c:\listpid.sys
        5⤵
        
        PID:2804
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "kvsrvxp.EXE" c:\listpid.sys
        5⤵
        
        PID:2924
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "kvxp.kxp" c:\listpid.sys
        5⤵
        
        PID:1108
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "rav.exe" c:\listpid.sys
        5⤵
        
        PID:4116
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "scan32.exe" c:\listpid.sys
        5⤵
        
        PID:664
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "kvmonxp.kxp" c:\listpid.sys
        5⤵
        
        PID:980
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "kvsrvxp.exe" c:\listpid.sys
        5⤵
        
        PID:636
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "kvcenter.kxp" c:\listpid.sys
        5⤵
        
        PID:2436
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "avp.exe" c:\listpid.sys
        5⤵
        
        PID:3024
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "kvol.exe" c:\listpid.sys
        5⤵
        
        PID:4676
- C:\Program Files\Common Files\System\server32.exe
  "C:\Program Files\Common Files\System\server32.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3032
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\MSSHELL.VBS"
    3⤵
    - Checks computer location settings
    PID:5072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\misec.bat" "
      4⤵
      PID:3600
    - - \??\c:\KNLPS.EXE
        
        c:\KNLPS.EXE -l
        5⤵
        Executes dropped EXE
        
        PID:948
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "kwatch.exe" c:\listpid.sys
        5⤵
        
        PID:2516

C:\Windows\SysWOW64\findstr.exe
findstr /i "CCenter.exe" c:\listpid.sys
1⤵
PID:4836

C:\Windows\SysWOW64\findstr.exe
findstr /i "RavmonD.exe" c:\listpid.sys
1⤵
PID:628

C:\Windows\SysWOW64\findstr.exe
findstr /i "kavstart.exe" c:\listpid.sys
1⤵
PID:2800

C:\Windows\SysWOW64\findstr.exe
findstr /i "KPfwSvc.EXE" c:\listpid.sys
1⤵
PID:4968

C:\Windows\SysWOW64\findstr.exe
findstr /i "rfwsrv.exe" c:\listpid.sys
1⤵
PID:980

C:\Windows\SysWOW64\findstr.exe
findstr /i "kvol.exe" c:\listpid.sys
1⤵
PID:4688

C:\Windows\SysWOW64\findstr.exe
findstr /i "avp.exe" c:\listpid.sys
1⤵
PID:2648

C:\Windows\SysWOW64\findstr.exe
findstr /i "kvcenter.kxp" c:\listpid.sys
1⤵
PID:3928

C:\Windows\SysWOW64\findstr.exe
findstr /i "kvsrvxp.exe" c:\listpid.sys
1⤵
PID:1132

C:\Windows\SysWOW64\findstr.exe
findstr /i "kvmonxp.kxp" c:\listpid.sys
1⤵
PID:1996

C:\Windows\SysWOW64\findstr.exe
findstr /i "scan32.exe" c:\listpid.sys
1⤵
PID:1640

C:\Windows\SysWOW64\findstr.exe
findstr /i "rav.exe" c:\listpid.sys
1⤵
PID:1632

C:\Windows\SysWOW64\findstr.exe
findstr /i "kvxp.kxp" c:\listpid.sys
1⤵
PID:4428

C:\Windows\SysWOW64\findstr.exe
findstr /i "kvsrvxp.EXE" c:\listpid.sys
1⤵
PID:2208

C:\Windows\SysWOW64\findstr.exe
findstr /i "KPfwSvc.EXE" c:\listpid.sys
1⤵
PID:1680

C:\Windows\SysWOW64\findstr.exe
findstr /i "ravstub.EXE" c:\listpid.sys
1⤵
PID:3024

C:\Windows\SysWOW64\findstr.exe
findstr /i "ravtask.EXE" c:\listpid.sys
1⤵
PID:4852

C:\Windows\SysWOW64\findstr.exe
findstr /i "KPfw32.EXE" c:\listpid.sys
1⤵
PID:516

C:\Windows\SysWOW64\findstr.exe
findstr /i "kissvc.exe" c:\listpid.sys
1⤵
PID:1108

C:\Windows\SysWOW64\findstr.exe
findstr /i "kasmain.exe" c:\listpid.sys
1⤵
PID:2924

C:\Windows\SysWOW64\findstr.exe
findstr /i "kwatch.exe" c:\listpid.sys
1⤵
PID:4148

C:\Windows\SysWOW64\findstr.exe
findstr /i "rfwmain.exe" c:\listpid.sys
1⤵
PID:2328

C:\Windows\SysWOW64\findstr.exe
findstr /i "avp.exe" c:\listpid.sys
1⤵
PID:3376

C:\Windows\SysWOW64\findstr.exe
findstr /i "360Tray.exe" c:\listpid.sys
1⤵
PID:5008

C:\Windows\SysWOW64\findstr.exe
findstr /i "360Safe.exe" c:\listpid.sys
1⤵
PID:4768

C:\Windows\SysWOW64\findstr.exe
findstr /i "Ravmon.exe" c:\listpid.sys
1⤵
PID:3628

\??\c:\KNLPS.EXE
c:\KNLPS.EXE -l
1⤵
- Executes dropped EXE
PID:4620

C:\Windows\SysWOW64\findstr.exe
findstr /i "RavmonD.exe" c:\listpid.sys
1⤵
PID:4768

C:\Windows\SysWOW64\findstr.exe
findstr /i "Ravmon.exe" c:\listpid.sys
1⤵
PID:4832

\??\c:\KNLPS.EXE
c:\KNLPS.EXE -l
1⤵
- Executes dropped EXE
PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSSHELL.VBS

Filesize
71B

MD5
1311bbedaa0d934eaed1b7424ad9bec8

SHA1
39f84f577f51c121fed67bb7c108159fadfe5b6c

SHA256
2be12ec85010289d1dd9c5fe74ed7cd340ccb995d937e91ded754b76281ae882

SHA512
9d165f6def00a0f8852159e0b7cc62581ff647577748be7f77c2a60c4e7b16a0d00f929fa92fa4c47645e2f4d6158726af76c11788121e35799018e190aff19a

Download Submit
C:\Program Files\Common Files\System\secuers32.exe

Filesize
127KB

MD5
4455857cfdff1e4bdc45b298ab8cd147

SHA1
4a6ad6272c7e2f8be8536352174ad8c3da8cfbc7

SHA256
10610c3fc548a44290ec4ea10b56697b048b13b8623cc8a54c63b8662f57ad22

SHA512
7915486b2db98cafd6c3c1fd3c5b5c4177b4e666a53cb420a43f02593f7bfd6666fcc2f497d1ae8a7a2eb1bbe44b19149684849136806434f0fbed183136cdf3

Download Submit
C:\knlps.sys

Filesize
7KB

MD5
994ebf9f717cbf9e7c066879402b67d9

SHA1
e73ecd01475acd135378e9c40c0cda8a6bf33d67

SHA256
181e3306caf5b77776b5a4a60f351ee017e6184de1394d666230b67249e9ca0d

SHA512
83bb065ffc8fe6ed4b287041d8f3b5798f998959eb7e9b0988d12a551e9e02180e8853c2079d1e444fcfa6eaa2b3ecc2523f4d9a91f9702de72be1818fc8bb40

Download Submit
C:\misec.bat

Filesize
1KB

MD5
4c582825358621118b4e4bf4fbb5bc30

SHA1
3bde3348c1440dd78892bbedbf6850480eb6e5ee

SHA256
e13b237f453582faa778648c41d41a8df7c35880afc49c4ebd7dc1b431481e4d

SHA512
9c420f886a1cf05a8ed776f86f1fb3f750d76e60c31d27e66ee9031158e9a065c0ec6509d867e4e7787192404b25f3e8db1a7df267e2dcb6aa0d838b9630bac8

Download Submit
\??\c:\KNLPS.EXE

Filesize
56KB

MD5
70ab8f4b1bc6b9e00e970b74e7e4c203

SHA1
eaed6dff7188f565f172e469d56ac92ff4d299b4

SHA256
bb3d8b238e20508cd7d728299b9f696146d751fae33ae2eca074e88537cc6d6d

SHA512
24ce7c6c1f64a601aa7f8cf71bb3d0be60fcb4fb05b15effe92dbde13f4e1a70c5fd6e227ff2be3bf39fb888916fd8a9e7cc8770563ed77d155613c3ee011317

Download Submit
\??\c:\listpid.sys

Filesize
262B

MD5
77c905d328d8dfbb460faa12bf08e01e

SHA1
f714453198c25613fa42a7e2a6df6b3c7e620b22

SHA256
a024df62a121cb63b4c733e7250953013bc76bbe547e0fd7543826ea45fc2409

SHA512
a384b18d1ca2ec46e01085a64f07970657b00b192d1789624d74e9f38f08c7e63d808dc00bb4f5cf7692c006eb77934d4442626f8c68a3a03bec7e90d1cf1fc8

Download Submit
memory/948-52-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2540-24-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3032-49-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3032-58-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3516-47-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3516-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3516-9-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3724-31-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3724-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4124-48-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4124-57-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4620-18-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4620-19-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads