b378a82ba3c9e89d3360d83f398a8fadb74a7562c905d6265687bbd6c3d5b21d

Analysis

max time kernel
1678s
max time network
1515s
platform
windows11-21h2_x64
resource
win11-20231222-en
resource tags

arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
submitted
18/01/2024, 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a.exe
Size

53KB
MD5

dd0fbb72969908e8adbe62b580f7a73c
SHA1

d368a1ae651eaec07ff44c87cdd59a2d2f57e68e
SHA256

b378a82ba3c9e89d3360d83f398a8fadb74a7562c905d6265687bbd6c3d5b21d
SHA512

1225217101913102a7c33fd4a27ef8815d4f20cc89333f97adba206484ce9393cf9725a15dad79edda96a3da6630f1d9cf8ef19f9dc1bae5e151a3f53ead8ed5
SSDEEP

1536:J4dJooh0Wa0aer344Jw/ytUqVS5EkIijQ1fTNB3Ct:J4dzVTaer344JzthRZijQ1JB3i

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\hwpolicy.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\SMCCx.dll	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\iorate.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\luafv.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\hvcrash.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\pcw.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\PktMon.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ramdisk.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ufx01000.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\MbbCx.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\tbs.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\xboxgip.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\IndirectKmd.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rasl2tp.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\en-US\WUDFUsbccidDriver.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\urscx01000.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\winusb.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\ntfs.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\hvsocket.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mrxsmb.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\sdport.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\kbdclass.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\cng.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\rdbss.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\hidusb.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\storahci.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\Wdf01000.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\hidi2c.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\tcpipreg.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\en-US\SensorsHid.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\usbprint.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\afunix.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\dumpfve.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\vdrvroot.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\sbp2port.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\volmgr.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\afd.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\wimmount.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\wcifs.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\disk.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mskssrv.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\pcmcia.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\SgrmAgent.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\vmbus.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\tsusbhub.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fdc.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\WifiCx.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\filecrypt.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mouhid.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\spaceparser.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\BthA2dp.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\USBHUB3.SYS	cmd.exe
File opened for modification	C:\Windows\System32\drivers\refsv1.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\UcmCx.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\WdmCompanionFilter.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\acpipagr.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\beep.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\Microsoft.Bluetooth.AvrcpTransport.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\nvdimm.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\NDKPerf.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\CEA.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\lltdio.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\msgpioclx.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\processr.sys	cmd.exe

Manipulates Digital Signatures 4 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\System32\wintrust.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\wintrust.dll	cmd.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll	cmd.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4344-0-0x0000000140000000-0x0000000140027000-memory.dmp	upx
behavioral1/memory/4344-3-0x0000000140000000-0x0000000140027000-memory.dmp	upx
behavioral1/memory/4344-10-0x0000000140000000-0x0000000140027000-memory.dmp	upx

Drops desktop.ini file(s) 40 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\AMCE4F~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM4FF1~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMDDA5~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM6E67~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMD412~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMA81C~1.348\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM5C15~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM3A48~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\servicing\LCU\PACKAG~1.3\AMA81C~1.348\f\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMC91F~1.348\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMF8C5~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM5E30~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMAF9C~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMA43B~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMC91F~1.348\r\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMCB8F~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMA81C~1.348\r\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\servicing\LCU\PACKAG~1.3\AMC91F~1.348\f\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM2C78~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMB160~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMC513~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMFB2A~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM3BE9~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM22CA~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMC91F~1.348\f\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMDA56~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMDE84~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM038E~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM5B14~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM73DC~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM92CB~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMA81C~1.348\f\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM6DAE~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM7B4A~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM51A4~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM2F26~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM5E13~1.1_N\Desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM93FA~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMF508~1.1_N\desktop.ini	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM52F5~1.1_N\desktop.ini	cmd.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\BITLOC~1\autorun.inf	cmd.exe
File opened for modification	C:\Windows\WinSxS\X81547~1.1_N\autorun.inf	cmd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\iaspolcy.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\iepeers.dll	cmd.exe
File opened for modification	C:\Windows\System32\C_037.NLS	cmd.exe
File opened for modification	C:\Windows\System32\deviceassociation.dll	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\ts_wpdmtp.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netnvma.inf_amd64_7080f6b8ea1744fb\nvm60x64.sys	cmd.exe
File opened for modification	C:\Windows\System32\migwiz\replacementmanifests\hwvid-migration-replacement-2.man	cmd.exe
File opened for modification	C:\Windows\SysWOW64\en-US\wecutil.exe.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\logagent.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSwitchTeam\MSFT_NetSwitchTeamMember.format.ps1xml	cmd.exe
File opened for modification	C:\Windows\System32\Kswdmcap.ax	cmd.exe
File opened for modification	C:\Windows\SysWOW64\tar.exe	cmd.exe
File opened for modification	C:\Windows\System32\diskpart.exe	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\PR7A54~1.INF\prnms008.inf	cmd.exe
File opened for modification	C:\Windows\System32\en-US\credprovslegacy.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\en-US\kstvtune.ax.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\SyncRes.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\migration\WMIMigrationPlugin.dll	cmd.exe
File opened for modification	C:\Windows\System32\CastLaunch.dll	cmd.exe
File opened for modification	C:\Windows\System32\chgport.exe	cmd.exe
File opened for modification	C:\Windows\System32\migwiz\replacementmanifests\PeerDist-Server-Migration-Replacement.man	cmd.exe
File opened for modification	C:\Windows\System32\wbem\FunDisc.mof	cmd.exe
File opened for modification	C:\Windows\SysWOW64\kbdnecnt.DLL	cmd.exe
File opened for modification	C:\Windows\System32\dmenterprisediagnostics.dll	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmags64.inf_amd64_767b2d723d0fe83b\mdmags64.inf	cmd.exe
File opened for modification	C:\Windows\System32\ieframe.dll	cmd.exe
File opened for modification	C:\Windows\System32\wbem\en-US\Win32_DeviceGuard.mfl	cmd.exe
File opened for modification	C:\Windows\SysWOW64\wbem\en-US\nlmcim_uninstall.mfl	cmd.exe
File opened for modification	C:\Windows\SysWOW64\MiracastReceiver.dll	cmd.exe
File opened for modification	C:\Windows\System32\Microsoft.Uev.SyncController.exe	cmd.exe
File opened for modification	C:\Windows\System32\PerceptionSimulation\SimulationControl.xbf	cmd.exe
File opened for modification	C:\Windows\System32\POSyncServices.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\dnsapi.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\en-US\fwpuclnt.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\en-US\ifmon.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\NETRTW~1.INF\rtwlane.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\tasklist.exe	cmd.exe
File opened for modification	C:\Windows\System32\en-US\bdeunlock.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\p2pnetsh.dll	cmd.exe
File opened for modification	C:\Windows\System32\ShiftJIS.uce	cmd.exe
File opened for modification	C:\Windows\SysWOW64\gamemode.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\mtxoci.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\spp\tokens\legacy\client-issuance-spc.xrm-ms	cmd.exe
File opened for modification	C:\Windows\System32\edpauditapi.dll	cmd.exe
File opened for modification	C:\Windows\System32\en-US\AppxPackaging.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\Speech\SpeechUX\SpeechUX.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\winmsipc.dll	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\NETATH~2.INF\eeprom_ar6320_3p0_NFA324i_5_RV_0520.bin	cmd.exe
File opened for modification	C:\Windows\System32\fsavailux.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Windows.Internal.ShellCommon.PrintExperience.dll	cmd.exe
File opened for modification	C:\Windows\System32\forfiles.exe	cmd.exe
File opened for modification	C:\Windows\System32\wups.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\KBDCA.DLL	cmd.exe
File opened for modification	C:\Windows\System32\en-US\clfs.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\id-ID\SyncRes.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\migwiz\en-US\migres.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\winlogon.exe	cmd.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PnpDevice\PnpDevice.Resource.psd1	cmd.exe
File opened for modification	C:\Windows\SysWOW64\NetworkList\Icons\StockIcons\bench_16.bin	cmd.exe
File opened for modification	C:\Windows\System32\apisampling.dll	cmd.exe
File opened for modification	C:\Windows\System32\en-US\srchadmin.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\KBDINUK2.DLL	cmd.exe
File opened for modification	C:\Windows\System32\migration\AppManMigrationPlugin.dll	cmd.exe
File opened for modification	C:\Windows\System32\msvcirt.dll	cmd.exe

Modifies termsrv.dll 1 TTPs 1 IoCs

Commonly used to allow simultaneous RDP sessions.

Remote Desktop Protocol

T1021.001

description	ioc	Process
File opened for modification	C:\Windows\System32\termsrv.dll	cmd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\servicing\Packages\Microsoft-OneCore-Multimedia-CastingReceiver-Media-WOW64-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\AM3A02~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\X8622A~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMB1AC~1.493\Cortana.UI\Assets\ICONTA~2.PNG	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMB1AC~1.493\Cortana.UI\Assets\SP97CB~1.PNG	cmd.exe
File opened for modification	C:\Windows\servicing\LCU\PACKAG~1.3\HYPERV~4.CAT	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM69E9~1.120\IOTENT~3.XRM	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMFFF3~1.318\Cortana.UI\Assets\Icons\MediumTile.scale-150.png	cmd.exe
File opened for modification	C:\Windows\WinSxS\WO01BA~1.1_N\WINDOW~1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMF49F~1.1_N\ROUTE.EXE	cmd.exe
File opened for modification	C:\Windows\WinSxS\Backup\AM51E7~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\AM370F~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\AMB75D~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\WO891B~1.1_N\find.exe	cmd.exe
File opened for modification	C:\Windows\servicing\LCU\PACKAG~1.3\AMDB7A~1.120\f\REAGEN~1.ADM	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMFFD6~1.120\SHELLC~1.PRI	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMF955~1.51_\f\CORESH~1.DLL	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Drawing.Primitives.dll	cmd.exe
File opened for modification	C:\Windows\WinSxS\WO237C~1.71_\r\lpk.dll	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-OneCore-Multimedia-MFPMP-Package~31bf3856ad364e35~amd64~~10.0.22000.120.cat	cmd.exe
File opened for modification	C:\Windows\WinSxS\FileMaps\PRD060~1.CDF	cmd.exe
File opened for modification	C:\Windows\WinSxS\WOCD4C~1.1_N\wsp_health_uninstall.mof	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\AMB7E2~1.MAN	cmd.exe
File opened for modification	C:\Windows\servicing\LCU\PACKAG~1.3\HY9E01~1.CAT	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMB1AC~1.493\f\webapps\GUIDED~1\network\AREA-C~1\lv-LV\AREA-C~1.JSO	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM3655~1.1_N\PSWORK~1.PS1	cmd.exe
File opened for modification	C:\Windows\servicing\LCU\PACKAG~1.3\AME498~1.376\f\bcd.dll	cmd.exe
File opened for modification	C:\Windows\servicing\LCU\PACKAG~1.3\AMC9C4~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM4572~1.1_N\IEHost.dll	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\AM3F79~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\WOF3C7~1.1_N\appobj.dll	cmd.exe
File opened for modification	C:\Windows\servicing\LCU\PACKAG~1.3\AMEB4C~1.493\f\license.rtf	cmd.exe
File opened for modification	C:\Windows\servicing\LCU\PACKAG~1.3\AMA886~1.120\f\RS_RES~2.PSD	cmd.exe
File opened for modification	C:\Windows\servicing\LCU\PACKAG~1.3\AM4E9B~1.348\f\PR648E~1.XRM	cmd.exe
File opened for modification	C:\Windows\WinSxS\WO627D~1.282\r\WINDOW~1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\X8EE90~1.1_N\ASPDOT~1.JPG	cmd.exe
File opened for modification	C:\Windows\servicing\LCU\PACKAG~1.3\MI2298~2.MUM	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMFFF3~1.318\Cortana.UI\Assets\HCWhite_Search_TraySearchBox_Glyph_100.png	cmd.exe
File opened for modification	C:\Windows\servicing\LCU\PACKAG~1.3\AME258~1.132\f\EXPLOR~1.ADM	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM0636~1.1_N\SETUPP~1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\WO1E42~1.MAN	cmd.exe
File opened for modification	C:\Windows\servicing\LCU\PACKAG~1.3\MIAF23~1.CAT	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM7DC4~1.0_N\MICROS~1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\Backup\AMAB98~1.FON	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM858B~1.120\r\WINDOW~1.DLL	cmd.exe
File opened for modification	C:\Windows\WinSxS\WO2078~1.348\f\LICENS~1.DLL	cmd.exe
File opened for modification	C:\Windows\servicing\LCU\PACKAG~1.3\MI136E~1.CAT	cmd.exe
File opened for modification	C:\Windows\servicing\LCU\PACKAG~1.3\MI356E~1.CAT	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMAF56~1.1_N\dimsroam.mof	cmd.exe
File opened for modification	C:\Windows\servicing\LCU\PACKAG~1.3\AME760~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\AM9BBB~1.MAN	cmd.exe
File opened for modification	C:\Windows\Help\mui\0409\cliconf.chm	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMFFF3~1.318\f\webapps\GUIDED~1\network\AREA-C~1\kok-IN\area-content.local.json	cmd.exe
File opened for modification	C:\Windows\WinSxS\AM2357~1.184\f\FIREWA~1.MUI	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Ratings\RatingStars47.scale-200.png	cmd.exe
File opened for modification	C:\Windows\WinSxS\Backup\AME65D~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\AMB408~1.1_N\AERO_E~2.CUR	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\AME27B~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\X870EB~1.MAN	cmd.exe
File opened for modification	C:\Windows\servicing\LCU\PACKAG~1.3\AM1F68~2.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\AMA7ED~1.MAN	cmd.exe
File opened for modification	C:\Windows\servicing\LCU\PACKAG~1.3\AM3B48~1.MAN	cmd.exe
File opened for modification	C:\Windows\WinSxS\MANIFE~1\AM2F71~1.MAN	cmd.exe
File opened for modification	C:\Windows\servicing\LCU\PACKAG~1.3\MI3CA2~1.MUM	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 4448	4344	a.exe	80
PID 4344 wrote to memory of 4448	4344	a.exe	80

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6755.tmp\6756.tmp\6757.bat C:\Users\Admin\AppData\Local\Temp\a.exe"
  2⤵
  - Drops file in Drivers directory
  - Manipulates Digital Signatures
  - Drops desktop.ini file(s)
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Modifies termsrv.dll
  - Drops file in Windows directory
  PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6755.tmp\6756.tmp\6757.bat

Filesize
32B

MD5
8a52e77785cb9dd817df6cb54468f554

SHA1
c2d347a8e0cad4de8c99e30ce31bac2859f62380

SHA256
d6bd1386aa93fb7b819be777987cdb96231277f00379516ba30d49af883ec63b

SHA512
4fd3f22fca7d4dc9d31a45f15205c6e1000f931f0c5dd9d1af98dee934f95922da0b6b935e0d5121564461a534352181e80d386ba74b8221b681b57911084a6c

Download Submit
memory/4344-0-0x0000000140000000-0x0000000140027000-memory.dmp

Filesize
156KB

Download
memory/4344-3-0x0000000140000000-0x0000000140027000-memory.dmp

Filesize
156KB

Download
memory/4344-10-0x0000000140000000-0x0000000140027000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads