d0024fbc2f166639aab20236e9fad73d58c7579a13921db27ba2902290f81c1d

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9754ed1850613133670ce6744da7bf2c.exe
Size

304KB
MD5

9754ed1850613133670ce6744da7bf2c
SHA1

5f6a5ee9f74fee0a69a96ee68b43ac1f06279bcf
SHA256

d0024fbc2f166639aab20236e9fad73d58c7579a13921db27ba2902290f81c1d
SHA512

fa6a95fb66bb9539aee13e7f5aae044ce966cabc5d0e68f3948337bc123b6f14664999c1d2a08b8f4a0919a57e1d80b00f3dfd1a2f5c585107f78f36381859d9
SSDEEP

6144:ascPtZKAWVNHZ2iSgSVn5+7jIdUDETTq7xPRU3P:rMoVNHZ1vSVI78dfaNPRWP

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	9754ed1850613133670ce6744da7bf2c.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%/system32/winamptürk.exe = "C:\\Windows\\system32\\winamptürk.exe:*:Enabled:winamptürk.exe"	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winamptürk.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%/system32/winamptürk.exe = "C:\\Windows\\system32\\winamptürk.exe:*:Enabled:winamptürk.exe"	winamptürk.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winamptürk.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%/system32/winamptürk.exe = "C:\\Windows\\system32\\winamptürk.exe:*:Enabled:winamptürk.exe"	winamptürk.exe

Nirsoft 2 IoCs

resource	yara_rule
behavioral1/memory/2832-23-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2832-24-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft

Executes dropped EXE 3 IoCs

pid	Process
2832	ntkernelloader.exe
1916	winamptürk.exe
2320	winamptürk.exe

Loads dropped DLL 12 IoCs

pid	Process
2216	9754ed1850613133670ce6744da7bf2c.exe
2216	9754ed1850613133670ce6744da7bf2c.exe
2216	9754ed1850613133670ce6744da7bf2c.exe
2216	9754ed1850613133670ce6744da7bf2c.exe
2216	9754ed1850613133670ce6744da7bf2c.exe
2216	9754ed1850613133670ce6744da7bf2c.exe
2216	9754ed1850613133670ce6744da7bf2c.exe
2216	9754ed1850613133670ce6744da7bf2c.exe
1916	winamptürk.exe
1916	winamptürk.exe
1916	winamptürk.exe
2320	winamptürk.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000015cee-15.dat	upx
behavioral1/memory/2832-23-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/2832-24-0x0000000000400000-0x000000000041B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gcServ = "C:\\Windows\\system32\\winamptürk.exe"	9754ed1850613133670ce6744da7bf2c.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mswinsck.ocx	9754ed1850613133670ce6744da7bf2c.exe
File created	C:\Windows\SysWOW64\micdriverz.dll	ntkernelloader.exe
File opened for modification	C:\Windows\SysWOW64\mswinsck.ocx	winamptürk.exe
File created	C:\Windows\SysWOW64\winamptürk.exe	winamptürk.exe
File created	C:\Windows\SysWOW64\winamptürk.exe	winamptürk.exe
File created	C:\Windows\SysWOW64\winamptürk.exe	9754ed1850613133670ce6744da7bf2c.exe
File opened for modification	C:\Windows\SysWOW64\winamptürk.exe	9754ed1850613133670ce6744da7bf2c.exe
File opened for modification	C:\Windows\SysWOW64\ntkernelloader.exe	9754ed1850613133670ce6744da7bf2c.exe
File created	C:\Windows\SysWOW64\optrves.dll	9754ed1850613133670ce6744da7bf2c.exe
File opened for modification	C:\Windows\SysWOW64\optrves.dll	winamptürk.exe
File opened for modification	C:\Windows\SysWOW64\mswinsck.ocx	winamptürk.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	9754ed1850613133670ce6744da7bf2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0 (SP5)"	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	9754ed1850613133670ce6744da7bf2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MSWINSCK.ocx, 1"	9754ed1850613133670ce6744da7bf2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.ocx"	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	9754ed1850613133670ce6744da7bf2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	9754ed1850613133670ce6744da7bf2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	9754ed1850613133670ce6744da7bf2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	9754ed1850613133670ce6744da7bf2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	9754ed1850613133670ce6744da7bf2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	9754ed1850613133670ce6744da7bf2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0	9754ed1850613133670ce6744da7bf2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	9754ed1850613133670ce6744da7bf2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	9754ed1850613133670ce6744da7bf2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	9754ed1850613133670ce6744da7bf2c.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	9754ed1850613133670ce6744da7bf2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	9754ed1850613133670ce6744da7bf2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	9754ed1850613133670ce6744da7bf2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	9754ed1850613133670ce6744da7bf2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	9754ed1850613133670ce6744da7bf2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	9754ed1850613133670ce6744da7bf2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	9754ed1850613133670ce6744da7bf2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	9754ed1850613133670ce6744da7bf2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	9754ed1850613133670ce6744da7bf2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	9754ed1850613133670ce6744da7bf2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	9754ed1850613133670ce6744da7bf2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	9754ed1850613133670ce6744da7bf2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	9754ed1850613133670ce6744da7bf2c.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	9754ed1850613133670ce6744da7bf2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	9754ed1850613133670ce6744da7bf2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	9754ed1850613133670ce6744da7bf2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	9754ed1850613133670ce6744da7bf2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	9754ed1850613133670ce6744da7bf2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	9754ed1850613133670ce6744da7bf2c.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2216	9754ed1850613133670ce6744da7bf2c.exe
1916	winamptürk.exe
2320	winamptürk.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2216	9754ed1850613133670ce6744da7bf2c.exe
1916	winamptürk.exe
2320	winamptürk.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2832	2216	9754ed1850613133670ce6744da7bf2c.exe	30
PID 2216 wrote to memory of 2832	2216	9754ed1850613133670ce6744da7bf2c.exe	30
PID 2216 wrote to memory of 2832	2216	9754ed1850613133670ce6744da7bf2c.exe	30
PID 2216 wrote to memory of 2832	2216	9754ed1850613133670ce6744da7bf2c.exe	30
PID 2216 wrote to memory of 1916	2216	9754ed1850613133670ce6744da7bf2c.exe	33
PID 2216 wrote to memory of 1916	2216	9754ed1850613133670ce6744da7bf2c.exe	33
PID 2216 wrote to memory of 1916	2216	9754ed1850613133670ce6744da7bf2c.exe	33
PID 2216 wrote to memory of 1916	2216	9754ed1850613133670ce6744da7bf2c.exe	33
PID 1916 wrote to memory of 2320	1916	winamptürk.exe	34
PID 1916 wrote to memory of 2320	1916	winamptürk.exe	34
PID 1916 wrote to memory of 2320	1916	winamptürk.exe	34
PID 1916 wrote to memory of 2320	1916	winamptürk.exe	34

C:\Users\Admin\AppData\Local\Temp\9754ed1850613133670ce6744da7bf2c.exe
"C:\Users\Admin\AppData\Local\Temp\9754ed1850613133670ce6744da7bf2c.exe"
1⤵
- Modifies firewall policy service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\ntkernelloader.exe
  C:\Windows\system32\ntkernelloader.exe /stext C:\Windows\system32\micdriverz.dll
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2832
- C:\Windows\SysWOW64\winamptürk.exe
  C:\Windows\system32\winamptürk.exe
  2⤵
  - Modifies firewall policy service
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\winamptürk.exe
    C:\Windows\system32\winamptürk.exe
    3⤵
    - Modifies firewall policy service
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\optrves.dll

Filesize
817B

MD5
b0e872e65b6a664b0b7e3c6bf4d87fd5

SHA1
d75d49aff1351d190d74ef79c0b07a1013443ccd

SHA256
b29c6b65afab0a73391c00da6dd493f5b00f038358564384e399aaa2a14a2fe5

SHA512
3a8cc159477f5259f1bf5fc0f34e85d6ca275a8cccdf42646fd1d2ab430d375512682d4ee73eea5824af57416eab57f98675734e6ecc75a330b0a92bbeaba12f

Download Submit
C:\Windows\SysWOW64\optrves.dll

Filesize
1KB

MD5
cab6d4b23d59ddcedf4113462386fb93

SHA1
97c42bda1852ca0ac228dc8cd1233e48565e31b1

SHA256
4093e7689e66d53346ef1cf219928ae05949f099c3aa592b87aea6c0627c3905

SHA512
ed89795d01dc3dad52f4cebb5e047b07cab600f8cb9eeeb213a74eb967ca3b3dc32ee51d25dc6b2036f0051711eaac475f0404e9fd73511a5fc7eb19420bfa14

Download Submit
\Windows\SysWOW64\mswinsck.ocx

Filesize
106KB

MD5
3d8fd62d17a44221e07d5c535950449b

SHA1
6c9d2ecdd7c2d1b9660d342e2b95a82229486d27

SHA256
eba048e3a9cb11671d0e3c5a0b243b304d421762361fe24fd5ea08cb66704b09

SHA512
501e22a0f99e18f6405356184506bc5849adc2c1df3bdee71f2b4514ab0e3e36673b4aecbd615d24ebb4be5a28570b2a6f80bd52331edb658f7a5f5a9d686d10

Download Submit
\Windows\SysWOW64\ntkernelloader.exe

Filesize
43KB

MD5
588ab9262f42d01d153257ce3b71ebfe

SHA1
09e06a95a39ed524b8c85cb26bc9e8ce6ad57bfa

SHA256
4fce527ab68ba2d951f35ece37bff7ca3eb4b83e37ff903c49c0d6f4882610b8

SHA512
a08492b26aa2b0c4f2c6ebba51a160e8905392b528f3b38bd757553c9187de7891d8aeee75c7f9296d869d38590ecc71facb9512e8dee42f8f9729cc31de1b6d

Download Submit
\Windows\SysWOW64\winamptürk.exe

Filesize
304KB

MD5
9754ed1850613133670ce6744da7bf2c

SHA1
5f6a5ee9f74fee0a69a96ee68b43ac1f06279bcf

SHA256
d0024fbc2f166639aab20236e9fad73d58c7579a13921db27ba2902290f81c1d

SHA512
fa6a95fb66bb9539aee13e7f5aae044ce966cabc5d0e68f3948337bc123b6f14664999c1d2a08b8f4a0919a57e1d80b00f3dfd1a2f5c585107f78f36381859d9

Download Submit
memory/2216-22-0x0000000002500000-0x000000000251B000-memory.dmp

Filesize
108KB

Download
memory/2216-26-0x0000000002500000-0x000000000251B000-memory.dmp

Filesize
108KB

Download
memory/2832-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2832-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads