73b398cd11d22cbdee1b5ccab59849f5ab3114d26c0020548cf278465a88b963

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2024, 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Size

484KB
MD5

de48fbfd909d2c24ccacc2e65a4f9a8e
SHA1

741d46975981f5785d0c930113c21c996fc54f18
SHA256

73b398cd11d22cbdee1b5ccab59849f5ab3114d26c0020548cf278465a88b963
SHA512

869ead029cb4b001a750acaa728b28e9a23d6db2169b22dfe579f62c4086d852f2f956b52dc6fe895377dc7a911de6f35c7cd43e98bd10f316cb8c52bf3f03b4
SSDEEP

12288:5ezW4GCJSzsY14+fmw1uF1GSKiZq0iDRtFUBSZtON0aRz6mHG:5kqW0wzdH

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Runtime Process = "C:\\Windows\\CSRSS.EXE"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mswinsck.ocx	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
File opened for modification	C:\Windows\SysWOW64\okl445.dat	de48fbfd909d2c24ccacc2e65a4f9a8e.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Kazaa\My Shared Folder\	de48fbfd909d2c24ccacc2e65a4f9a8e.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\CSRSS.EXE	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
File created	C:\Windows\CSRSS.EXE	de48fbfd909d2c24ccacc2e65a4f9a8e.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX, 1"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.0CX	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.0CX\ = "exefile"	de48fbfd909d2c24ccacc2e65a4f9a8e.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 1604	2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe	94
PID 2236 wrote to memory of 1604	2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe	94
PID 2236 wrote to memory of 1604	2236	de48fbfd909d2c24ccacc2e65a4f9a8e.exe	94
PID 1604 wrote to memory of 2136	1604	cmd.exe	96
PID 1604 wrote to memory of 2136	1604	cmd.exe	96
PID 1604 wrote to memory of 2136	1604	cmd.exe	96
PID 2136 wrote to memory of 4352	2136	net.exe	97
PID 2136 wrote to memory of 4352	2136	net.exe	97
PID 2136 wrote to memory of 4352	2136	net.exe	97
PID 1604 wrote to memory of 3064	1604	cmd.exe	98
PID 1604 wrote to memory of 3064	1604	cmd.exe	98
PID 1604 wrote to memory of 3064	1604	cmd.exe	98
PID 3064 wrote to memory of 4620	3064	net.exe	99
PID 3064 wrote to memory of 4620	3064	net.exe	99
PID 3064 wrote to memory of 4620	3064	net.exe	99
PID 1604 wrote to memory of 3048	1604	cmd.exe	100
PID 1604 wrote to memory of 3048	1604	cmd.exe	100
PID 1604 wrote to memory of 3048	1604	cmd.exe	100
PID 3048 wrote to memory of 2456	3048	net.exe	101
PID 3048 wrote to memory of 2456	3048	net.exe	101
PID 3048 wrote to memory of 2456	3048	net.exe	101
PID 1604 wrote to memory of 3912	1604	cmd.exe	102
PID 1604 wrote to memory of 3912	1604	cmd.exe	102
PID 1604 wrote to memory of 3912	1604	cmd.exe	102
PID 3912 wrote to memory of 2620	3912	net.exe	103
PID 3912 wrote to memory of 2620	3912	net.exe	103
PID 3912 wrote to memory of 2620	3912	net.exe	103
PID 1604 wrote to memory of 1828	1604	cmd.exe	104
PID 1604 wrote to memory of 1828	1604	cmd.exe	104
PID 1604 wrote to memory of 1828	1604	cmd.exe	104
PID 1828 wrote to memory of 2932	1828	net.exe	105
PID 1828 wrote to memory of 2932	1828	net.exe	105
PID 1828 wrote to memory of 2932	1828	net.exe	105
PID 1604 wrote to memory of 4408	1604	cmd.exe	106
PID 1604 wrote to memory of 4408	1604	cmd.exe	106
PID 1604 wrote to memory of 4408	1604	cmd.exe	106
PID 4408 wrote to memory of 2356	4408	net.exe	107
PID 4408 wrote to memory of 2356	4408	net.exe	107
PID 4408 wrote to memory of 2356	4408	net.exe	107
PID 1604 wrote to memory of 3212	1604	cmd.exe	109
PID 1604 wrote to memory of 3212	1604	cmd.exe	109
PID 1604 wrote to memory of 3212	1604	cmd.exe	109
PID 3212 wrote to memory of 860	3212	net.exe	110
PID 3212 wrote to memory of 860	3212	net.exe	110
PID 3212 wrote to memory of 860	3212	net.exe	110
PID 1604 wrote to memory of 1420	1604	cmd.exe	111
PID 1604 wrote to memory of 1420	1604	cmd.exe	111
PID 1604 wrote to memory of 1420	1604	cmd.exe	111
PID 1420 wrote to memory of 4500	1420	net.exe	112
PID 1420 wrote to memory of 4500	1420	net.exe	112
PID 1420 wrote to memory of 4500	1420	net.exe	112
PID 1604 wrote to memory of 4048	1604	cmd.exe	113
PID 1604 wrote to memory of 4048	1604	cmd.exe	113
PID 1604 wrote to memory of 4048	1604	cmd.exe	113
PID 4048 wrote to memory of 5032	4048	net.exe	114
PID 4048 wrote to memory of 5032	4048	net.exe	114
PID 4048 wrote to memory of 5032	4048	net.exe	114
PID 1604 wrote to memory of 3884	1604	cmd.exe	115
PID 1604 wrote to memory of 3884	1604	cmd.exe	115
PID 1604 wrote to memory of 3884	1604	cmd.exe	115
PID 3884 wrote to memory of 2044	3884	net.exe	117
PID 3884 wrote to memory of 2044	3884	net.exe	117
PID 3884 wrote to memory of 2044	3884	net.exe	117
PID 1604 wrote to memory of 3436	1604	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\de48fbfd909d2c24ccacc2e65a4f9a8e.exe
"C:\Users\Admin\AppData\Local\Temp\de48fbfd909d2c24ccacc2e65a4f9a8e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c \stop.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\SysWOW64\net.exe
    net stop sharedaccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sharedaccess
      4⤵
      PID:4352
- - C:\Windows\SysWOW64\net.exe
    net stop alerter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop alerter
      4⤵
      PID:4620
- - C:\Windows\SysWOW64\net.exe
    net stop vsmon
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vsmon
      4⤵
      PID:2456
- - C:\Windows\SysWOW64\net.exe
    net stop minilog
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3912
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop minilog
      4⤵
      PID:2620
- - C:\Windows\SysWOW64\net.exe
    net stop BlackICE
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BlackICE
      4⤵
      PID:2932
- - C:\Windows\SysWOW64\net.exe
    net stop SVW3
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4408
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SVW3
      4⤵
      PID:2356
- - C:\Windows\SysWOW64\net.exe
    net stop NISUM
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3212
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop NISUM
      4⤵
      PID:860
- - C:\Windows\SysWOW64\net.exe
    net stop NISSERV
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop NISSERV
      4⤵
      PID:4500
- - C:\Windows\SysWOW64\net.exe
    net stop NVSVC32
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop NVSVC32
      4⤵
      PID:5032
- - C:\Windows\SysWOW64\net.exe
    net stop NAVAP
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3884
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop NAVAP
      4⤵
      PID:2044
- - C:\Windows\SysWOW64\net.exe
    net stop NAVENG
    3⤵
    PID:3436
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop NAVENG
      4⤵
      PID:2544
- - C:\Windows\SysWOW64\net.exe
    net stop NAVEX15
    3⤵
    PID:1908
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop NAVEX15
      4⤵
      PID:636
- - C:\Windows\SysWOW64\net.exe
    net stop NAV
    3⤵
    PID:1712
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop NAV
      4⤵
      PID:3348
- - C:\Windows\SysWOW64\net.exe
    net stop Auto-Protect
    3⤵
    PID:4732
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Auto-Protect
      4⤵
      PID:5064
- - C:\Windows\SysWOW64\net.exe
    net stop AvgServ
    3⤵
    PID:3776
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop AvgServ
      4⤵
      PID:4376
- - C:\Windows\SysWOW64\net.exe
    net stop SweepNet
    3⤵
    PID:4972
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SweepNet
      4⤵
      PID:3624
- - C:\Windows\SysWOW64\net.exe
    net stop AvSynMgr
    3⤵
    PID:4344
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop AvSynMgr
      4⤵
      PID:3604
- - C:\Windows\SysWOW64\net.exe
    net stop McShield
    3⤵
    PID:4188
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop McShield
      4⤵
      PID:2056
- - C:\Windows\SysWOW64\net.exe
    net stop SweepNet
    3⤵
    PID:744
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SweepNet
      4⤵
      PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3936 --field-trial-handle=2256,i,18272763564106695635,11201593968620719822,262144 --variations-seed-version /prefetch:8
1⤵
PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mswinsck.ocx

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
C:\stop.bat

Filesize
358B

MD5
80eca32f297879e7233214ccfa8fd802

SHA1
77bf3d64f0d670a034471263ced793a1d6d012d2

SHA256
1fb649fc22cebde183d02b48a609ee7e3daa2db047f87a2c7f9d6c9250cf6646

SHA512
3b42a3836c538e94bfef4f0ac5c1d1f9cc4e4b776b296d9299ed7bedd78df832c4d4c78a83c02d0815913c53ee4b0bfe3d2cc75b6762fdf3e1afff1a261135f9

Download Submit