2670e495afec5ecfde3f614f64b6a18de2cf726ff593c553d83f6a37f577afab

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d1dc53c355398e1cdff020fe8a8e993.exe
Size

939KB
MD5

8d1dc53c355398e1cdff020fe8a8e993
SHA1

e1e73b78d47cb48cf3412c2aa3e7324e64f97eb8
SHA256

2670e495afec5ecfde3f614f64b6a18de2cf726ff593c553d83f6a37f577afab
SHA512

c8b256ab40f04d75d280a98983053eb7a92eda5287eb39c1ada6c1683e8c6006f284f5c229e5c89f1727796eaebc3053fc4e82ec0a83d44aadde58e7faaf703e
SSDEEP

12288:D8W6g06X0hbb7yt9WC9AVing1PCHKTsut/CAlPKGZ9fJyOq:Dfxkbb7ySIiTsut6lqfAOq

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	exec2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\kernal132 = "C:\\Windows\\system32\\kernal132.exe"	exec2.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	8d1dc53c355398e1cdff020fe8a8e993.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	ljth.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	exec2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	kernal132.exe

Executes dropped EXE 4 IoCs

pid	Process
5088	ljth.exe
3496	exec2.exe
4108	exec1.exe
6980	kernal132.exe

Molebox Virtualization software 1 IoCs

Detects file using Molebox Virtualization software.

resource	yara_rule
behavioral2/files/0x0007000000023131-24.dat	molebox

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\melt.bat	exec2.exe
File created	C:\Windows\SysWOW64\kernal132.exe	exec2.exe
File opened for modification	C:\Windows\SysWOW64\kernal132.exe	exec2.exe
File opened for modification	C:\Windows\SysWOW64\cjpg.dll	exec2.exe
File opened for modification	C:\Windows\SysWOW64\srvlog.txt	kernal132.exe
File created	C:\Windows\SysWOW64\ljth.exe	8d1dc53c355398e1cdff020fe8a8e993.exe
File created	C:\Windows\SysWOW64\exec1.exe	ljth.exe
File opened for modification	C:\Windows\SysWOW64\kernal132.Exe	kernal132.exe
File opened for modification	C:\Windows\SysWOW64\melt.bat	kernal132.exe
File created	C:\Windows\SysWOW64\exec2.exe	ljth.exe
File opened for modification	C:\Windows\SysWOW64\exec2.Exe	exec2.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4552	sc.exe
4444	sc.exe
3600	sc.exe
2484	sc.exe
4220	sc.exe
4244	sc.exe
1432	sc.exe
3076	sc.exe
3024	sc.exe
2316	sc.exe
4452	sc.exe
1436	sc.exe
3796	sc.exe
1076	sc.exe
3632	sc.exe
4696	sc.exe
1896	sc.exe
1280	sc.exe
1564	sc.exe
4796	sc.exe
4672	sc.exe
2500	sc.exe
1400	sc.exe
3432	sc.exe
4508	sc.exe
3688	sc.exe
3864	sc.exe
5104	sc.exe
3436	sc.exe
2200	sc.exe
2524	sc.exe
5100	sc.exe
1968	sc.exe
1956	sc.exe
408	sc.exe
4732	sc.exe
2344	sc.exe
1164	sc.exe
4888	sc.exe
4104	sc.exe
1960	sc.exe
2268	sc.exe
572	sc.exe
4492	sc.exe
4608	sc.exe
4464	sc.exe
2064	sc.exe
5004	sc.exe
2396	sc.exe
2636	sc.exe
4472	sc.exe
1268	sc.exe
1512	sc.exe
2996	sc.exe
4584	sc.exe
3096	sc.exe
4088	sc.exe
4044	sc.exe
3480	sc.exe
2992	sc.exe
2464	sc.exe
4408	sc.exe
3652	sc.exe
452	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	exec2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3496	exec2.exe
3496	exec2.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe
6980	kernal132.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6980	kernal132.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	6980	kernal132.exe
Token: SeDebugPrivilege	6980	kernal132.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3496	exec2.exe
3496	exec2.exe
6980	kernal132.exe
6980	kernal132.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 5088	3644	8d1dc53c355398e1cdff020fe8a8e993.exe	84
PID 3644 wrote to memory of 5088	3644	8d1dc53c355398e1cdff020fe8a8e993.exe	84
PID 3644 wrote to memory of 5088	3644	8d1dc53c355398e1cdff020fe8a8e993.exe	84
PID 5088 wrote to memory of 3496	5088	ljth.exe	85
PID 5088 wrote to memory of 3496	5088	ljth.exe	85
PID 5088 wrote to memory of 3496	5088	ljth.exe	85
PID 5088 wrote to memory of 4108	5088	ljth.exe	86
PID 5088 wrote to memory of 4108	5088	ljth.exe	86
PID 5088 wrote to memory of 4108	5088	ljth.exe	86
PID 3496 wrote to memory of 4476	3496	exec2.exe	88
PID 3496 wrote to memory of 4476	3496	exec2.exe	88
PID 3496 wrote to memory of 4476	3496	exec2.exe	88
PID 3496 wrote to memory of 1164	3496	exec2.exe	90
PID 3496 wrote to memory of 1164	3496	exec2.exe	90
PID 3496 wrote to memory of 1164	3496	exec2.exe	90
PID 3496 wrote to memory of 4508	3496	exec2.exe	91
PID 3496 wrote to memory of 4508	3496	exec2.exe	91
PID 3496 wrote to memory of 4508	3496	exec2.exe	91
PID 3496 wrote to memory of 4760	3496	exec2.exe	257
PID 3496 wrote to memory of 4760	3496	exec2.exe	257
PID 3496 wrote to memory of 4760	3496	exec2.exe	257
PID 3496 wrote to memory of 1612	3496	exec2.exe	256
PID 3496 wrote to memory of 1612	3496	exec2.exe	256
PID 3496 wrote to memory of 1612	3496	exec2.exe	256
PID 3496 wrote to memory of 1512	3496	exec2.exe	255
PID 3496 wrote to memory of 1512	3496	exec2.exe	255
PID 3496 wrote to memory of 1512	3496	exec2.exe	255
PID 3496 wrote to memory of 2344	3496	exec2.exe	254
PID 3496 wrote to memory of 2344	3496	exec2.exe	254
PID 3496 wrote to memory of 2344	3496	exec2.exe	254
PID 3496 wrote to memory of 4220	3496	exec2.exe	253
PID 3496 wrote to memory of 4220	3496	exec2.exe	253
PID 3496 wrote to memory of 4220	3496	exec2.exe	253
PID 3496 wrote to memory of 3076	3496	exec2.exe	252
PID 3496 wrote to memory of 3076	3496	exec2.exe	252
PID 3496 wrote to memory of 3076	3496	exec2.exe	252
PID 3496 wrote to memory of 2064	3496	exec2.exe	251
PID 3496 wrote to memory of 2064	3496	exec2.exe	251
PID 3496 wrote to memory of 2064	3496	exec2.exe	251
PID 3496 wrote to memory of 4104	3496	exec2.exe	250
PID 3496 wrote to memory of 4104	3496	exec2.exe	250
PID 3496 wrote to memory of 4104	3496	exec2.exe	250
PID 3496 wrote to memory of 1280	3496	exec2.exe	249
PID 3496 wrote to memory of 1280	3496	exec2.exe	249
PID 3496 wrote to memory of 1280	3496	exec2.exe	249
PID 3496 wrote to memory of 8	3496	exec2.exe	248
PID 3496 wrote to memory of 8	3496	exec2.exe	248
PID 3496 wrote to memory of 8	3496	exec2.exe	248
PID 3496 wrote to memory of 4088	3496	exec2.exe	247
PID 3496 wrote to memory of 4088	3496	exec2.exe	247
PID 3496 wrote to memory of 4088	3496	exec2.exe	247
PID 3496 wrote to memory of 1980	3496	exec2.exe	246
PID 3496 wrote to memory of 1980	3496	exec2.exe	246
PID 3496 wrote to memory of 1980	3496	exec2.exe	246
PID 3496 wrote to memory of 1564	3496	exec2.exe	245
PID 3496 wrote to memory of 1564	3496	exec2.exe	245
PID 3496 wrote to memory of 1564	3496	exec2.exe	245
PID 3496 wrote to memory of 5100	3496	exec2.exe	244
PID 3496 wrote to memory of 5100	3496	exec2.exe	244
PID 3496 wrote to memory of 5100	3496	exec2.exe	244
PID 3496 wrote to memory of 648	3496	exec2.exe	243
PID 3496 wrote to memory of 648	3496	exec2.exe	243
PID 3496 wrote to memory of 648	3496	exec2.exe	243
PID 3496 wrote to memory of 2524	3496	exec2.exe	242

C:\Users\Admin\AppData\Local\Temp\8d1dc53c355398e1cdff020fe8a8e993.exe
"C:\Users\Admin\AppData\Local\Temp\8d1dc53c355398e1cdff020fe8a8e993.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Windows\SysWOW64\ljth.exe
  "C:\Windows\system32\ljth.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Windows\SysWOW64\exec2.exe
    "C:\Windows\System32\exec2.exe"
    3⤵
    - Adds policy Run key to start application
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\melt.bat" "
      4⤵
      PID:4476
  - - C:\Windows\SysWOW64\sc.exe
      sc config "alerter" Start= disabled
      4⤵
      Launches sc.exe
      PID:1164
  - - C:\Windows\SysWOW64\sc.exe
      sc config "AlertManger" Start= disabled
      4⤵
      Launches sc.exe
      PID:4508
  - - C:\Windows\SysWOW64\sc.exe
      sc config "kavsvc" Start= disabled
      4⤵
      Launches sc.exe
      PID:4796
  - - C:\Windows\SysWOW64\sc.exe
      sc config "KAVMonitorService" Start= disabled
      4⤵
      Launches sc.exe
      PID:1960
  - - C:\Windows\SysWOW64\sc.exe
      sc config "fsdfwd" Start= disabled
      4⤵
      PID:3324
  - - C:\Windows\SysWOW64\sc.exe
      sc config "FSDFWD" Start= disabled
      4⤵
      PID:4260
  - - C:\Windows\SysWOW64\sc.exe
      sc config "KLBLMain" Start= disabled
      4⤵
      Launches sc.exe
      PID:1956
  - - C:\Windows\SysWOW64\sc.exe
      sc config "fsbwsys" Start= disabled
      4⤵
      PID:3476
  - - C:\Windows\SysWOW64\sc.exe
      sc config "dvpinit" Start= disabled
      4⤵
      Launches sc.exe
      PID:2996
  - - C:\Windows\SysWOW64\sc.exe
      sc config "dvpapi" Start= disabled
      4⤵
      PID:2264
  - - C:\Windows\SysWOW64\sc.exe
      sc config "XCOMM" Start= disabled
      4⤵
      Launches sc.exe
      PID:4672
  - - C:\Windows\SysWOW64\sc.exe
      sc config "wuauserv" Start= disabled
      4⤵
      Launches sc.exe
      PID:452
  - - C:\Windows\SysWOW64\sc.exe
      sc config "vsmon" Start= disabled
      4⤵
      Launches sc.exe
      PID:1896
  - - C:\Windows\SysWOW64\sc.exe
      sc config "VexiraAntivirus" Start= disabled
      4⤵
      Launches sc.exe
      PID:4044
  - - C:\Windows\SysWOW64\sc.exe
      sc config "V3MonSvc" Start= disabled
      4⤵
      Launches sc.exe
      PID:2396
  - - C:\Windows\SysWOW64\sc.exe
      sc config "V3MonNT" Start= disabled
      4⤵
      Launches sc.exe
      PID:3480
  - - C:\Windows\SysWOW64\sc.exe
      sc config "Tmntsrv" Start= disabled
      4⤵
      Launches sc.exe
      PID:4584
  - - C:\Windows\SysWOW64\sc.exe
      sc config "Symantec AntiVirus Client" Start= disabled
      4⤵
      Launches sc.exe
      PID:1968
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SWEEPSRV.SYS" Start= disabled
      4⤵
      Launches sc.exe
      PID:3688
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SweepNet" Start= disabled
      4⤵
      Launches sc.exe
      PID:2316
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SPBBCSvc" Start= disabled
      4⤵
      Launches sc.exe
      PID:2636
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SNDSrvc" Start= disabled
      4⤵
      Launches sc.exe
      PID:2484
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SmcService" Start= disabled
      4⤵
      Launches sc.exe
      PID:4244
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SharedAccess" Start= disabled
      4⤵
      Launches sc.exe
      PID:4452
  - - C:\Windows\SysWOW64\sc.exe
      sc config "sharedaccess" Start= disabled
      4⤵
      Launches sc.exe
      PID:3024
  - - C:\Windows\SysWOW64\sc.exe
      sc config "schscnt" Start= disabled
      4⤵
      Launches sc.exe
      PID:5004
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SBService" Start= disabled
      4⤵
      Launches sc.exe
      PID:1432
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SAVScan" Start= disabled
      4⤵
      Launches sc.exe
      PID:2500
  - - C:\Windows\SysWOW64\sc.exe
      sc config "SAVFMSE" Start= disabled
      4⤵
      Launches sc.exe
      PID:3096
  - - C:\Windows\SysWOW64\sc.exe
      sc config "ravmon8" Start= disabled
      4⤵
      Launches sc.exe
      PID:4552
  - - C:\Windows\SysWOW64\sc.exe
      sc config "PSIMSVC" Start= disabled
      4⤵
      Launches sc.exe
      PID:4472
  - - C:\Windows\SysWOW64\sc.exe
      sc config "PREVSRV" Start= disabled
      4⤵
      PID:4860
  - - C:\Windows\SysWOW64\sc.exe
      sc config "PersFW" Start= disabled
      4⤵
      Launches sc.exe
      PID:1436
  - - C:\Windows\SysWOW64\sc.exe
      sc config "PCCPFW" Start= disabled
      4⤵
      Launches sc.exe
      PID:408
  - - C:\Windows\SysWOW64\sc.exe
      sc config "PAVSRV" Start= disabled
      4⤵
      Launches sc.exe
      PID:2268
  - - C:\Windows\SysWOW64\sc.exe
      sc config "PavPrSrv" Start= disabled
      4⤵
      Launches sc.exe
      PID:4444
  - - C:\Windows\SysWOW64\sc.exe
      sc config "PavProt" Start= disabled
      4⤵
      Launches sc.exe
      PID:3796
  - - C:\Windows\SysWOW64\sc.exe
      sc config "Pavkre" Start= disabled
      4⤵
      PID:3116
  - - C:\Windows\SysWOW64\sc.exe
      sc config "PAVFNSVR" Start= disabled
      4⤵
      PID:3148
  - - C:\Windows\SysWOW64\sc.exe
      sc config "PASSRV" Start= disabled
      4⤵
      Launches sc.exe
      PID:3864
  - - C:\Windows\SysWOW64\sc.exe
      sc config "OutpostFirewall" Start= disabled
      4⤵
      Launches sc.exe
      PID:572
  - - C:\Windows\SysWOW64\sc.exe
      sc config "NWService" Start= disabled
      4⤵
      Launches sc.exe
      PID:4888
  - - C:\Windows\SysWOW64\sc.exe
      sc config "nwclnth" Start= disabled
      4⤵
      PID:500
  - - C:\Windows\SysWOW64\sc.exe
      sc config "nwclntg" Start= disabled
      4⤵
      Launches sc.exe
      PID:4732
  - - C:\Windows\SysWOW64\sc.exe
      sc config "nwclntf" Start= disabled
      4⤵
      Launches sc.exe
      PID:1400
  - - C:\Windows\SysWOW64\sc.exe
      sc config "nwclnte" Start= disabled
      4⤵
      PID:3080
  - - C:\Windows\SysWOW64\sc.exe
      sc config "nwclntd" Start= disabled
      4⤵
      Launches sc.exe
      PID:2992
  - - C:\Windows\SysWOW64\sc.exe
      sc config "nwclntc" Start= disabled
      4⤵
      PID:4820
  - - C:\Windows\SysWOW64\sc.exe
      sc config "NVCScheduler" Start= disabled
      4⤵
      Launches sc.exe
      PID:4492
  - - C:\Windows\SysWOW64\sc.exe
      sc config "nvcoas" Start= disabled
      4⤵
      PID:2412
  - - C:\Windows\SysWOW64\sc.exe
      sc config "NSCTOP" Start= disabled
      4⤵
      Launches sc.exe
      PID:2464
  - - C:\Windows\SysWOW64\sc.exe
      sc config "NProtectService" Start= disabled
      4⤵
      Launches sc.exe
      PID:5104
  - - C:\Windows\SysWOW64\sc.exe
      sc config "NPFMntor" Start= disabled
      4⤵
      Launches sc.exe
      PID:1076
  - - C:\Windows\SysWOW64\sc.exe
      sc config "Norton Antivirus Server" Start= disabled
      4⤵
      Launches sc.exe
      PID:4608
  - - C:\Windows\SysWOW64\sc.exe
      sc config "Norman ZANDA" Start= disabled
      4⤵
      Launches sc.exe
      PID:3632
  - - C:\Windows\SysWOW64\sc.exe
      sc config "Norman NJeeves" Start= disabled
      4⤵
      PID:4764
  - - C:\Windows\SysWOW64\sc.exe
      sc config "NOD32Service" Start= disabled
      4⤵
      PID:3972
  - - C:\Windows\SysWOW64\sc.exe
      sc config "NOD32ControlCenter" Start= disabled
      4⤵
      Launches sc.exe
      PID:4408
  - - C:\Windows\SysWOW64\sc.exe
      sc config "NISUM" Start= disabled
      4⤵
      PID:2656
  - - C:\Windows\SysWOW64\sc.exe
      sc config "NISSERV" Start= disabled
      4⤵
      Launches sc.exe
      PID:1268
  - - C:\Windows\SysWOW64\sc.exe
      sc config "Network Associates Log Service" Start= disabled
      4⤵
      Launches sc.exe
      PID:3436
  - - C:\Windows\SysWOW64\sc.exe
      sc config "navapsvc" Start= disabled
      4⤵
      PID:3288
  - - C:\Windows\SysWOW64\sc.exe
      sc config "MonSvcNT" Start= disabled
      4⤵
      Launches sc.exe
      PID:2200
  - - C:\Windows\SysWOW64\sc.exe
      sc config "MCVSRte" Start= disabled
      4⤵
      Launches sc.exe
      PID:4464
  - - C:\Windows\SysWOW64\sc.exe
      sc config "McTaskManager" Start= disabled
      4⤵
      Launches sc.exe
      PID:4696
  - - C:\Windows\SysWOW64\sc.exe
      sc config "McShield" Start= disabled
      4⤵
      Launches sc.exe
      PID:3652
  - - C:\Windows\SysWOW64\sc.exe
      sc config "McAfeeFramework" Start= disabled
      4⤵
      Launches sc.exe
      PID:3432
  - - C:\Windows\SysWOW64\sc.exe
      sc config "DefWatch" Start= disabled
      4⤵
      Launches sc.exe
      PID:3600
  - - C:\Windows\SysWOW64\sc.exe
      sc config "ccSetMgr" Start= disabled
      4⤵
      Launches sc.exe
      PID:2524
  - - C:\Windows\SysWOW64\sc.exe
      sc config "ccPwdSvc" Start= disabled
      4⤵
      PID:648
  - - C:\Windows\SysWOW64\sc.exe
      sc config "ccEvtMgr" Start= disabled
      4⤵
      Launches sc.exe
      PID:5100
  - - C:\Windows\SysWOW64\sc.exe
      sc config "CAISafe" Start= disabled
      4⤵
      Launches sc.exe
      PID:1564
  - - C:\Windows\SysWOW64\sc.exe
      sc config "BlackICE" Start= disabled
      4⤵
      PID:1980
  - - C:\Windows\SysWOW64\sc.exe
      sc config "awhost32" Start= disabled
      4⤵
      Launches sc.exe
      PID:4088
  - - C:\Windows\SysWOW64\sc.exe
      sc config "AvxIni" Start= disabled
      4⤵
      PID:8
  - - C:\Windows\SysWOW64\sc.exe
      sc config "AVUPDService" Start= disabled
      4⤵
      Launches sc.exe
      PID:1280
  - - C:\Windows\SysWOW64\sc.exe
      sc config "AVPCC" Start= disabled
      4⤵
      Launches sc.exe
      PID:4104
  - - C:\Windows\SysWOW64\sc.exe
      sc config "avpcc" Start= disabled
      4⤵
      Launches sc.exe
      PID:2064
  - - C:\Windows\SysWOW64\sc.exe
      sc config "AvgServ" Start= disabled
      4⤵
      Launches sc.exe
      PID:3076
  - - C:\Windows\SysWOW64\sc.exe
      sc config "AvgFsh" Start= disabled
      4⤵
      Launches sc.exe
      PID:4220
  - - C:\Windows\SysWOW64\sc.exe
      sc config "AvgCore" Start= disabled
      4⤵
      Launches sc.exe
      PID:2344
  - - C:\Windows\SysWOW64\sc.exe
      sc config "avg7updsvc" Start= disabled
      4⤵
      Launches sc.exe
      PID:1512
  - - C:\Windows\SysWOW64\sc.exe
      sc config "avg7alrt" Start= disabled
      4⤵
      PID:1612
  - - C:\Windows\SysWOW64\sc.exe
      sc config "AVExch32Service" Start= disabled
      4⤵
      PID:4760
  - - C:\Windows\SysWOW64\kernal132.exe
      "C:\Windows\system32\kernal132.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:6980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\melt.bat" "
        5⤵
        
        PID:7072
- - C:\Windows\SysWOW64\exec1.exe
    "C:\Windows\System32\exec1.exe"
    3⤵
    - Executes dropped EXE
    PID:4108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\exec1.exe

Filesize
701KB

MD5
152f4e8e92a62bf2c24462ca42ff83c0

SHA1
0b3aed2dcadbae0775736f3f2914ef7024794bd8

SHA256
88994dd7b62f3f522cda83909cf204b9857acf1bfe3d70219f2b83bfec97d42c

SHA512
e0183b05dd1ddc211cacc225121d73bff38969fcb10406dc019a362bef549d09d1a9151074b3cd8e41e75fc62d16814337ffcdfd3995f0f2f2bbb0f2210a9bd9

Download Submit
C:\Windows\SysWOW64\exec2.exe

Filesize
200KB

MD5
b92d5da02a211dae92ff1fb2f6567646

SHA1
6c7e8adaed92d9a7db096958a854863f8aa6bb95

SHA256
2f51cbf7671780598639ab7ccc6fbcd2171f22648188baa1f6c740e3fb368fe3

SHA512
f6fbad8afaf2b1baba36199b05f9a1fdd98910970c8c6a24d93ec1aae45336d441e087c0a94e6c38882e279cba84768d809ddb5c7c3547a26a2cde2a94cb4023

Download Submit
C:\Windows\SysWOW64\ljth.exe

Filesize
932KB

MD5
2ed22c5b39e666a7b7d20fdc5dd124e3

SHA1
55deb1b62ea2bd18ec70489d17f1b065c487da13

SHA256
5d72746ed9ffdf3cf7a33c83647b8c6e82202735398c25e6e3773231b4375e71

SHA512
0bb15ccdb330129683a16e421bac0502ea15b296d5a513624486fed9ffed036351d692b14bb5e3a21fb4f9bc3a6ac5f416750e7b7f74a69e793fdccc8878f432

Download Submit
C:\Windows\SysWOW64\melt.bat

Filesize
107B

MD5
1de2c1c914398bcd9d3100acfc9eec86

SHA1
8512b95140182caeead8313dfa01f5c53b77a23a

SHA256
868bad56f7a031dba5598498bdab5ce566f2be447f8de222957bcc92f426a501

SHA512
f4d8b94d1fe154a3f0d001fc0a6bb6b7899cfe6e265a6d269cca6e8ea9b6e244f46b576358484245d323858586e4785452cf4943d94767b6008b0f356c8001ec

Download Submit
C:\Windows\SysWOW64\melt.bat

Filesize
115B

MD5
5935d6fcc843eedac962db65a6cce1aa

SHA1
4f602df4e86d7df29c18137a40e68c2dfd2f04d6

SHA256
71a4f42b052d8e07453a8b55be0b1ae5f80b04a9574a941231d95f321c1a7142

SHA512
02cb6bff8beae902e97dc04140cbd6b402f4195519a1df8651a084c6fc9abdd39766711372023f49837f18450667903384a786a0846e208edeb8c92f2c3e18d7

Download Submit
C:\Windows\SysWOW64\srvlog.txt

Filesize
45B

MD5
b2168c7f15107bd4aba420bc728704d4

SHA1
7bd04ecebf5fda062895338ffc59e2d4810ac17d

SHA256
22b3fcb11518b460ca818161739180433332ffb6f4940cf78cec141db51fe0be

SHA512
5a6edc50388a9081f0b1a5493ca714a4be76a61eb3a1131e950c57a5a5f8d23f4bc151f344f34da85d937240e8929bf0e2a0b3df485c0dc6592b6c95ce6f612a

Download Submit
C:\Windows\SysWOW64\srvlog.txt

Filesize
45B

MD5
10a4f65021a566d3123478d4101e3e5a

SHA1
64acbbfc2be521d12f078aecccaed059747862e3

SHA256
c6cdad22510c4c04daaf1acde113f8cb176bb00be9d31d90bccee4296045b073

SHA512
6b11848981451d9b519e49e1e6a05ce1e9815bf9675466fff7fe6d61b8620cdaea3fdbd28cc888941873ee7c7b91486bac1867075147de853975c1cfadcb0699

Download Submit
memory/3644-8-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4108-38-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/5088-27-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download