73b398cd11d22cbdee1b5ccab59849f5ab3114d26c0020548cf278465a88b963

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-03-2024 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Size

484KB
MD5

de48fbfd909d2c24ccacc2e65a4f9a8e
SHA1

741d46975981f5785d0c930113c21c996fc54f18
SHA256

73b398cd11d22cbdee1b5ccab59849f5ab3114d26c0020548cf278465a88b963
SHA512

869ead029cb4b001a750acaa728b28e9a23d6db2169b22dfe579f62c4086d852f2f956b52dc6fe895377dc7a911de6f35c7cd43e98bd10f316cb8c52bf3f03b4
SSDEEP

12288:5ezW4GCJSzsY14+fmw1uF1GSKiZq0iDRtFUBSZtON0aRz6mHG:5kqW0wzdH

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Runtime Process = "C:\\Windows\\CSRSS.EXE"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mswinsck.ocx	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
File opened for modification	C:\Windows\SysWOW64\okl445.dat	de48fbfd909d2c24ccacc2e65a4f9a8e.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Kazaa\My Shared Folder\	de48fbfd909d2c24ccacc2e65a4f9a8e.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CSRSS.EXE	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
File opened for modification	C:\Windows\CSRSS.EXE	de48fbfd909d2c24ccacc2e65a4f9a8e.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX, 1"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2600	2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe	28
PID 2032 wrote to memory of 2600	2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe	28
PID 2032 wrote to memory of 2600	2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe	28
PID 2032 wrote to memory of 2600	2032	de48fbfd909d2c24ccacc2e65a4f9a8e.exe	28
PID 2600 wrote to memory of 2692	2600	cmd.exe	30
PID 2600 wrote to memory of 2692	2600	cmd.exe	30
PID 2600 wrote to memory of 2692	2600	cmd.exe	30
PID 2600 wrote to memory of 2692	2600	cmd.exe	30
PID 2692 wrote to memory of 2720	2692	net.exe	31
PID 2692 wrote to memory of 2720	2692	net.exe	31
PID 2692 wrote to memory of 2720	2692	net.exe	31
PID 2692 wrote to memory of 2720	2692	net.exe	31
PID 2600 wrote to memory of 2716	2600	cmd.exe	32
PID 2600 wrote to memory of 2716	2600	cmd.exe	32
PID 2600 wrote to memory of 2716	2600	cmd.exe	32
PID 2600 wrote to memory of 2716	2600	cmd.exe	32
PID 2716 wrote to memory of 2672	2716	net.exe	33
PID 2716 wrote to memory of 2672	2716	net.exe	33
PID 2716 wrote to memory of 2672	2716	net.exe	33
PID 2716 wrote to memory of 2672	2716	net.exe	33
PID 2600 wrote to memory of 2616	2600	cmd.exe	34
PID 2600 wrote to memory of 2616	2600	cmd.exe	34
PID 2600 wrote to memory of 2616	2600	cmd.exe	34
PID 2600 wrote to memory of 2616	2600	cmd.exe	34
PID 2616 wrote to memory of 2584	2616	net.exe	35
PID 2616 wrote to memory of 2584	2616	net.exe	35
PID 2616 wrote to memory of 2584	2616	net.exe	35
PID 2616 wrote to memory of 2584	2616	net.exe	35
PID 2600 wrote to memory of 2468	2600	cmd.exe	36
PID 2600 wrote to memory of 2468	2600	cmd.exe	36
PID 2600 wrote to memory of 2468	2600	cmd.exe	36
PID 2600 wrote to memory of 2468	2600	cmd.exe	36
PID 2468 wrote to memory of 2084	2468	net.exe	37
PID 2468 wrote to memory of 2084	2468	net.exe	37
PID 2468 wrote to memory of 2084	2468	net.exe	37
PID 2468 wrote to memory of 2084	2468	net.exe	37
PID 2600 wrote to memory of 2576	2600	cmd.exe	38
PID 2600 wrote to memory of 2576	2600	cmd.exe	38
PID 2600 wrote to memory of 2576	2600	cmd.exe	38
PID 2600 wrote to memory of 2576	2600	cmd.exe	38
PID 2576 wrote to memory of 2880	2576	net.exe	39
PID 2576 wrote to memory of 2880	2576	net.exe	39
PID 2576 wrote to memory of 2880	2576	net.exe	39
PID 2576 wrote to memory of 2880	2576	net.exe	39
PID 2600 wrote to memory of 2756	2600	cmd.exe	40
PID 2600 wrote to memory of 2756	2600	cmd.exe	40
PID 2600 wrote to memory of 2756	2600	cmd.exe	40
PID 2600 wrote to memory of 2756	2600	cmd.exe	40
PID 2756 wrote to memory of 2736	2756	net.exe	41
PID 2756 wrote to memory of 2736	2756	net.exe	41
PID 2756 wrote to memory of 2736	2756	net.exe	41
PID 2756 wrote to memory of 2736	2756	net.exe	41
PID 2600 wrote to memory of 2740	2600	cmd.exe	42
PID 2600 wrote to memory of 2740	2600	cmd.exe	42
PID 2600 wrote to memory of 2740	2600	cmd.exe	42
PID 2600 wrote to memory of 2740	2600	cmd.exe	42
PID 2740 wrote to memory of 2652	2740	net.exe	43
PID 2740 wrote to memory of 2652	2740	net.exe	43
PID 2740 wrote to memory of 2652	2740	net.exe	43
PID 2740 wrote to memory of 2652	2740	net.exe	43
PID 2600 wrote to memory of 2844	2600	cmd.exe	44
PID 2600 wrote to memory of 2844	2600	cmd.exe	44
PID 2600 wrote to memory of 2844	2600	cmd.exe	44
PID 2600 wrote to memory of 2844	2600	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\de48fbfd909d2c24ccacc2e65a4f9a8e.exe
"C:\Users\Admin\AppData\Local\Temp\de48fbfd909d2c24ccacc2e65a4f9a8e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c \stop.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\net.exe
    net stop sharedaccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sharedaccess
      4⤵
      PID:2720
- - C:\Windows\SysWOW64\net.exe
    net stop alerter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop alerter
      4⤵
      PID:2672
- - C:\Windows\SysWOW64\net.exe
    net stop vsmon
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vsmon
      4⤵
      PID:2584
- - C:\Windows\SysWOW64\net.exe
    net stop minilog
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop minilog
      4⤵
      PID:2084
- - C:\Windows\SysWOW64\net.exe
    net stop BlackICE
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BlackICE
      4⤵
      PID:2880
- - C:\Windows\SysWOW64\net.exe
    net stop SVW3
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SVW3
      4⤵
      PID:2736
- - C:\Windows\SysWOW64\net.exe
    net stop NISUM
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop NISUM
      4⤵
      PID:2652
- - C:\Windows\SysWOW64\net.exe
    net stop NISSERV
    3⤵
    PID:2844
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop NISSERV
      4⤵
      PID:2424
- - C:\Windows\SysWOW64\net.exe
    net stop NVSVC32
    3⤵
    PID:2596
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop NVSVC32
      4⤵
      PID:2624
- - C:\Windows\SysWOW64\net.exe
    net stop NAVAP
    3⤵
    PID:2632
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop NAVAP
      4⤵
      PID:2572
- - C:\Windows\SysWOW64\net.exe
    net stop NAVENG
    3⤵
    PID:2516
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop NAVENG
      4⤵
      PID:2732
- - C:\Windows\SysWOW64\net.exe
    net stop NAVEX15
    3⤵
    PID:2464
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop NAVEX15
      4⤵
      PID:2472
- - C:\Windows\SysWOW64\net.exe
    net stop NAV
    3⤵
    PID:2560
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop NAV
      4⤵
      PID:2808
- - C:\Windows\SysWOW64\net.exe
    net stop Auto-Protect
    3⤵
    PID:2824
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Auto-Protect
      4⤵
      PID:2840
- - C:\Windows\SysWOW64\net.exe
    net stop AvgServ
    3⤵
    PID:2856
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop AvgServ
      4⤵
      PID:2864
- - C:\Windows\SysWOW64\net.exe
    net stop SweepNet
    3⤵
    PID:2960
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SweepNet
      4⤵
      PID:2976
- - C:\Windows\SysWOW64\net.exe
    net stop AvSynMgr
    3⤵
    PID:2956
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop AvSynMgr
      4⤵
      PID:2972
- - C:\Windows\SysWOW64\net.exe
    net stop McShield
    3⤵
    PID:2996
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop McShield
      4⤵
      PID:2104
- - C:\Windows\SysWOW64\net.exe
    net stop SweepNet
    3⤵
    PID:2700
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SweepNet
      4⤵
      PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\stop.bat

Filesize
358B

MD5
80eca32f297879e7233214ccfa8fd802

SHA1
77bf3d64f0d670a034471263ced793a1d6d012d2

SHA256
1fb649fc22cebde183d02b48a609ee7e3daa2db047f87a2c7f9d6c9250cf6646

SHA512
3b42a3836c538e94bfef4f0ac5c1d1f9cc4e4b776b296d9299ed7bedd78df832c4d4c78a83c02d0815913c53ee4b0bfe3d2cc75b6762fdf3e1afff1a261135f9

Download Submit
\Windows\SysWOW64\Mswinsck.ocx

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit