c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe
Size

2.4MB
MD5

c87448263c359baea3f3ed2e28715ff7
SHA1

8b47fbf4fae750166b1e26278592048db75c49b0
SHA256

c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750
SHA512

0d8a42f9cd41abf51ca5dadf158a98983e18504c70241c562fa1567e8c19764626200aac5cfb1a767e1533899f5cfd5e8e288a8ea667aeaedad2afca8591cdc5
SSDEEP

49152:ci39+084E6W4W8Vm/h549aXZmMApkw7n8MbiSY6tR/e/MdX0w/7lkHi:r+HVb4W8Qr49un4kw7XbNrGUX0wjv

Score

7^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2160	sg.tmp
5004	devcon.exe
4868	devcon.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x00080000000233f2-39.dat	vmprotect

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\{50cfaa2b-4cdf-274d-9518-d9c2c556b936}\SET34DD.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{50cfaa2b-4cdf-274d-9518-d9c2c556b936}\8686.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{50cfaa2b-4cdf-274d-9518-d9c2c556b936}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{50cfaa2b-4cdf-274d-9518-d9c2c556b936}\SET34CB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{50cfaa2b-4cdf-274d-9518-d9c2c556b936}\8686.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{50cfaa2b-4cdf-274d-9518-d9c2c556b936}\SET34CC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{50cfaa2b-4cdf-274d-9518-d9c2c556b936}\8686.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{50cfaa2b-4cdf-274d-9518-d9c2c556b936}\SET34CB.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{50cfaa2b-4cdf-274d-9518-d9c2c556b936}\SET34CC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{50cfaa2b-4cdf-274d-9518-d9c2c556b936}\SET34DD.tmp	DrvInst.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 32 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4420	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe
4420	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeBackupPrivilege	4420	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe
Token: SeRestorePrivilege	4420	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe
Token: 33	4420	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe
Token: SeIncBasePriorityPrivilege	4420	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe
Token: 33	4420	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe
Token: SeIncBasePriorityPrivilege	4420	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe
Token: 33	4420	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe
Token: SeIncBasePriorityPrivilege	4420	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe
Token: SeRestorePrivilege	2160	sg.tmp
Token: 35	2160	sg.tmp
Token: SeSecurityPrivilege	2160	sg.tmp
Token: SeSecurityPrivilege	2160	sg.tmp
Token: 33	4420	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe
Token: SeIncBasePriorityPrivilege	4420	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe
Token: SeAuditPrivilege	5072	svchost.exe
Token: SeSecurityPrivilege	5072	svchost.exe
Token: SeLoadDriverPrivilege	4868	devcon.exe
Token: SeLoadDriverPrivilege	1912	DrvInst.exe
Token: SeLoadDriverPrivilege	1912	DrvInst.exe
Token: SeLoadDriverPrivilege	1912	DrvInst.exe
Token: SeDebugPrivilege	4420	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe
Token: 33	4420	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe
Token: SeIncBasePriorityPrivilege	4420	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe
Token: SeBackupPrivilege	2648	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe
Token: SeRestorePrivilege	2648	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe
Token: 33	2648	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe
Token: SeIncBasePriorityPrivilege	2648	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 2088	4420	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe	82
PID 4420 wrote to memory of 2088	4420	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe	82
PID 4420 wrote to memory of 2160	4420	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe	85
PID 4420 wrote to memory of 2160	4420	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe	85
PID 4420 wrote to memory of 2160	4420	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe	85
PID 4420 wrote to memory of 3584	4420	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe	89
PID 4420 wrote to memory of 3584	4420	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe	89
PID 3584 wrote to memory of 5004	3584	cmd.exe	91
PID 3584 wrote to memory of 5004	3584	cmd.exe	91
PID 3584 wrote to memory of 4868	3584	cmd.exe	92
PID 3584 wrote to memory of 4868	3584	cmd.exe	92
PID 5072 wrote to memory of 4160	5072	svchost.exe	94
PID 5072 wrote to memory of 4160	5072	svchost.exe	94
PID 5072 wrote to memory of 1912	5072	svchost.exe	95
PID 5072 wrote to memory of 1912	5072	svchost.exe	95
PID 4420 wrote to memory of 2648	4420	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe	96
PID 4420 wrote to memory of 2648	4420	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe	96
PID 4420 wrote to memory of 2648	4420	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe	96
PID 2648 wrote to memory of 60	2648	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe	97
PID 2648 wrote to memory of 60	2648	c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe	97

C:\Users\Admin\AppData\Local\Temp\c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe
"C:\Users\Admin\AppData\Local\Temp\c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:2088
- C:\Users\Admin\AppData\Local\Temp\~4931716377771185275~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~2834711785748136225"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\~2834711785748136225\install.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Users\Admin\AppData\Local\Temp\~2834711785748136225\devcon.exe
    devcon remove root\8686
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:5004
- - C:\Users\Admin\AppData\Local\Temp\~2834711785748136225\devcon.exe
    devcon install 8686.inf root\8686
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    PID:4868
- C:\Users\Admin\AppData\Local\Temp\c09e4c9f876923566d81a87d8d2886b1dda4eeb00ad2723f84c6e85e6b97d750.exe
  PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~478999775075739328.cmd"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\~478999775075739328.cmd"
    3⤵
    PID:60

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{dff7165a-f77b-a048-b696-ec8ee8bf9f26}\8686.inf" "9" "406a81efb" "0000000000000154" "WinSta0\Default" "0000000000000164" "208" "c:\users\admin\appdata\local\temp\~2834711785748136225"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:4160
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "3" "1" "ROOT\SYSTEM\0001" "" "" "406a81efb" "0000000000000154"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{dff7165a-f77b-a048-b696-ec8ee8bf9f26}\8686.sys

Filesize
789KB

MD5
b74a395e25cf0b674a50d51531fcb9f4

SHA1
c78773406eefaead7e57a42ff765d2f8b23c4009

SHA256
8597e4253174a7b9242e17f2a519c5dc4fe7647710c40b9f749bef0679d9ec4f

SHA512
48fd762b1753c24df17d30158e126947c2d27c9b26b73fee398dcbc45559069c3871bb9b6ef4e6d9548ef5e4cb50b3f60a6ffe20c6949fd677d733c6df56931b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~2834711785748136225\11.ico

Filesize
200KB

MD5
8b609308f7adcada13671b49fb0018f6

SHA1
d083dfdb0841c546b589025032e7c3ef881fff2c

SHA256
2fb750f603cd1b1a7c69c664bbdb9c23a1f54089523ee9258a3cdc3e83a90eba

SHA512
469887f00143d4e15ed651bf8483ab5ce8458211a8f2c91ec37b392290be94c6576e9040463f676ae609510c133ead4575760ee95e028ac00d86d27a0468d22c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~2834711785748136225\8686.inf

Filesize
1KB

MD5
24e883da9115f35760a672d1c6379aaf

SHA1
92a30f1cc2b3cd23c056f187b66898cf5166be77

SHA256
2f977f29ee3a9ae52b77dad1e7c2f6f73159bf46ae46530590836d7c3e2c8025

SHA512
0795518b47d8249e96ed1e6d97ef678d52ff37f1ee12d29d7a4a31af5ca6aa12aca675e2f4759342d153736366d77e091f8e2f3f6181359427e1bdb77953b414

Download Submit
C:\Users\Admin\AppData\Local\Temp\~2834711785748136225\devcon.exe

Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\~2834711785748136225\install.cmd

Filesize
114B

MD5
34cfbe8616526ac08cc76113afc63c01

SHA1
0e371eeb7aeedacffedefc0d94b299b53106cd92

SHA256
b7d7855c84fa32df3497ace0c98ae7217fa88f054a7035119e790b6e4dcf1a09

SHA512
7fe12945fefd20bd943f551cfbe85823aa143e9da0b00ecdbd5f3f21dfa83ea7a19bca760ef98c67bad8a90c7fb345129372e2798ca220d15a67c2b12761abcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\~478999775075739328.cmd

Filesize
373B

MD5
f06d56f8018a579f2f197968bfc5a279

SHA1
44dbcd87d4352dc36873bbcd26013e816043d358

SHA256
59fce5412f010d4aaed97f5c51f5851e9ed9943ec49d350b47bf5dfbda214cb9

SHA512
e85a8662e7cf60678608e5ce850d807cf2e5a2a66e8fcbfd123817de46033e6cae9cd8f4f6e94ec60b6fb459bb030c9b1dae2c0c9056495e949c729905e3b83b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~4931716377771185275~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
\??\c:\users\admin\appdata\local\temp\~2834711785748136225\8686.cat

Filesize
11KB

MD5
15d8be7af42afe3fa46bc11898cdf4aa

SHA1
0f6d74d791c009207bc4cf1f2baf5253353a724b

SHA256
dd2c790c7a52ec41640cd65d18df93997743e69b285606fc1b25d06b79f70f51

SHA512
0a5b6ff13a9d694c1bb0961f3b294d0cda58cbfb0c988ed8db3be032cc8509c23d35f52defae1db7ea71d1eb015dbaff4cc565c46421f1c94cf613d784c00222

Download Submit