Analysis
-
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-06-2024 15:15
Static task: static1
Behavioral task: behavioral1
Sample: 5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6.exe
Resource: win7-20240611-en
Behavioral task: behavioral2
Sample: 5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6.exe
Resource: win10v2004-20240508-en
General
-
Target: 5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6.exe
Size: 10.5MB
MD5: 5bea316bb103be1a4a09fcb057fd975e
SHA1: dd9f0b813957d79d75db79f21038e111353b8f8d
SHA256: 5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6
SHA512: 73e2cfb88e0afd939a383b801779d1a78c09173e5046d0401086cfd37def08efc223a732898a0b624d3b6e732c9d11ce297b9f35a64dfcfe98f006c52da4d9c5
SSDEEP: 196608:Sw0ZF1Duj95x4pxeseI/f3DpakQ4O1j7sQarVQnzFU/7qRjbWBJ:1UbuJ5x4feYoRRNaqS/7qRjbWX
Malware Config
Signatures
-
Executes dropped EXE 5 IoCs
Processes:
pid | process
3452 | AKernel3.exe
944 | systecv3.exe
2696 | winrdgv3.exe
1984 | winrdlv3.exe
4472 | winrdlv3.exe
-
Loads dropped DLL 4 IoCs
Processes:
pid | process
1984 | winrdlv3.exe
1984 | winrdlv3.exe
1984 | winrdlv3.exe
4472 | winrdlv3.exe
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\H: | winrdlv3.exe
File opened (read-only) | \??\L: | winrdlv3.exe
File opened (read-only) | \??\M: | winrdlv3.exe
File opened (read-only) | \??\Y: | winrdlv3.exe
File opened (read-only) | \??\A: | winrdlv3.exe
File opened (read-only) | \??\B: | winrdlv3.exe
File opened (read-only) | \??\E: | winrdlv3.exe
File opened (read-only) | \??\J: | winrdlv3.exe
File opened (read-only) | \??\P: | winrdlv3.exe
File opened (read-only) | \??\V: | winrdlv3.exe
File opened (read-only) | \??\G: | winrdlv3.exe
File opened (read-only) | \??\O: | winrdlv3.exe
File opened (read-only) | \??\X: | winrdlv3.exe
File opened (read-only) | \??\D: | winrdlv3.exe
File opened (read-only) | \??\F: | winrdlv3.exe
File opened (read-only) | \??\N: | winrdlv3.exe
File opened (read-only) | \??\Q: | winrdlv3.exe
File opened (read-only) | \??\W: | winrdlv3.exe
File opened (read-only) | \??\K: | winrdlv3.exe
File opened (read-only) | \??\R: | winrdlv3.exe
File opened (read-only) | \??\T: | winrdlv3.exe
File opened (read-only) | \??\Z: | winrdlv3.exe
File opened (read-only) | \??\I: | winrdlv3.exe
File opened (read-only) | \??\S: | winrdlv3.exe
File opened (read-only) | \??\U: | winrdlv3.exe
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | winrdlv3.exe
-
Drops file in System32 directory 43 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Ocular\OBtEmulator | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\SCDT | winrdlv3.exe
File created | C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata2_2024_6_16_15_16_6_240607718_1_3_41 | winrdlv3.exe
File created | C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata2_2024_6_16_15_16_6_240607718_3_3_6334 | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\OAgentTray | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\TKS\TKSTemp\Agent\4472 | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\sdcenter.dll | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\FtTemp | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\TKS | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\BroHistory | winrdlv3.exe
File created | C:\Windows\SysWOW64\Ocular\msoapphash5.dat | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\Deploy | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\Rtft | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\ExData | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\Download | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\TKS\TKSTemp\Agent | winrdlv3.exe
File created | C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata2_2024_6_16_15_16_6_240607718_2_3_18467 | winrdlv3.exe
File created | C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata2_2024_6_16_15_16_6_240607750_4_3_26500 | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\WinPatch | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\Dump | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular3Path\SCDT\SetupAppTemp | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular3Path | systecv3.exe
File created | C:\Windows\SysWOW64\bakstec3.sys | systecv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\OAgent.ini | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\Files | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\Temp | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\PrintData | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\Screen | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\Data | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular | systecv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\TKS\TKSTemp | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\msodhash3.dat | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\Mails | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\Asset | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\TSafeDoc | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\Policy | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\TKS\TKSMatch | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular3Path\SCDT | winrdlv3.exe
File created | C:\Windows\SysWOW64\bakrdgv3.sys | systecv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\msoapphash5.dat | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\AgentTask | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\SCDT\DocLog | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\Ocular\SurvData | winrdlv3.exe
-
Drops file in Program Files directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | systecv3.exe
-
Drops file in Windows directory 15 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\bakCertList.dat | winrdlv3.exe
File opened for modification | C:\Windows\bakCameraPack.dat | systecv3.exe
File opened for modification | C:\Windows\bakDWM.dat | systecv3.exe
File opened for modification | C:\Windows\bakThirdPartyLib.dat | systecv3.exe
File opened for modification | C:\Windows\bakTKSPack.dat | winrdlv3.exe
File opened for modification | C:\Windows\bakSCClient.dat | systecv3.exe
File opened for modification | C:\Windows\bakDWM.dat | winrdlv3.exe
File opened for modification | C:\Windows\bakThirdPartyLib.dat | winrdlv3.exe
File opened for modification | C:\Windows\bakTKSPack.dat | systecv3.exe
File opened for modification | C:\Windows\bakSCClient.dat | winrdlv3.exe
File opened for modification | C:\Windows\bakTStartMenu.dat | winrdlv3.exe
File opened for modification | C:\Windows\bakCameraPack.dat | winrdlv3.exe
File opened for modification | C:\Windows\bakTStartMenu.dat | systecv3.exe
File opened for modification | C:\Windows\bakCertList.dat | systecv3.exe
File opened for modification | C:\Windows\win.ini | winrdlv3.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 32 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | winrdlv3.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | winrdlv3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRomQEMU____QEMU_DVD-ROM____2.5+ | winrdlv3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | winrdlv3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | winrdlv3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DiskDADY____________HARDDISK2.5+ | winrdlv3.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | winrdlv3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | winrdlv3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | winrdlv3.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | winrdlv3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | winrdlv3.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver | winrdlv3.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK | winrdlv3.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver | winrdlv3.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | winrdlv3.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | winrdlv3.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | winrdlv3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM | winrdlv3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK | winrdlv3.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK | winrdlv3.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | winrdlv3.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | winrdlv3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | winrdlv3.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | winrdlv3.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM | winrdlv3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | winrdlv3.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Driver | winrdlv3.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM | winrdlv3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | winrdlv3.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | winrdlv3.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver | winrdlv3.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | winrdlv3.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | winrdlv3.exe
-
Modifies registry class 20 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE3 = "1" | winrdlv3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AID = "0" | winrdlv3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\GID = "0" | winrdlv3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SNameSID = "4294967295" | winrdlv3.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SSASN = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | winrdlv3.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo2 = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | winrdlv3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B} | winrdlv3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE4 = "1" | winrdlv3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | winrdlv3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSEEX | winrdlv3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE2 = "1" | winrdlv3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SIPD = "4294967295" | winrdlv3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID | winrdlv3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | winrdlv3.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SName = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | winrdlv3.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo2 = [value elided] | winrdlv3.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\ASN = 0000000000000000214e000000000000000000000000000001000000100000000000000046004600460046004600460046004600460046004600460030003300300030000000 | winrdlv3.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo = 010000004400410044005900200048004100520044004400490053004b0044004400300030003000310033000000 | winrdlv3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SIP = "2589671583" | winrdlv3.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\InstallTime = 24f61d5b7432e640 | winrdlv3.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process (consecutive identical rows collapsed; 64 rows in total)
4472 | winrdlv3.exe (x29)
1984 | winrdlv3.exe (x2)
4472 | winrdlv3.exe (x9)
1984 | winrdlv3.exe (x2)
4472 | winrdlv3.exe (x3)
1984 | winrdlv3.exe (x2)
4472 | winrdlv3.exe (x6)
1984 | winrdlv3.exe (x2)
4472 | winrdlv3.exe (x3)
1984 | winrdlv3.exe (x2)
4472 | winrdlv3.exe (x4)
-
Suspicious behavior: LoadsDriver 4 IoCs
Processes:
pid | process
668 |
668 |
668 |
668 |
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 944 | systecv3.exe
Token: SeTcbPrivilege | 4472 | winrdlv3.exe
Token: SeDebugPrivilege | 4472 | winrdlv3.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
3340 | 5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6.exe
3452 | AKernel3.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
description | pid | process | target process
PID 3340 wrote to memory of 3452 | 3340 | 5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6.exe | AKernel3.exe
PID 3340 wrote to memory of 3452 | 3340 | 5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6.exe | AKernel3.exe
PID 3340 wrote to memory of 3452 | 3340 | 5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6.exe | AKernel3.exe
PID 3452 wrote to memory of 944 | 3452 | AKernel3.exe | systecv3.exe
PID 3452 wrote to memory of 944 | 3452 | AKernel3.exe | systecv3.exe
PID 3452 wrote to memory of 944 | 3452 | AKernel3.exe | systecv3.exe
PID 2696 wrote to memory of 1984 | 2696 | winrdgv3.exe | winrdlv3.exe
PID 2696 wrote to memory of 1984 | 2696 | winrdgv3.exe | winrdlv3.exe
PID 2696 wrote to memory of 1984 | 2696 | winrdgv3.exe | winrdlv3.exe
PID 1984 wrote to memory of 4472 | 1984 | winrdlv3.exe | winrdlv3.exe
PID 1984 wrote to memory of 4472 | 1984 | winrdlv3.exe | winrdlv3.exe
PID 1984 wrote to memory of 4472 | 1984 | winrdlv3.exe | winrdlv3.exe
PID 4472 wrote to memory of 4992 | 4472 | winrdlv3.exe | regsvr32.exe
PID 4472 wrote to memory of 4992 | 4472 | winrdlv3.exe | regsvr32.exe
-
System policy modification 1 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | winrdlv3.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3340
  -
  C:\ProgramData\IPGASKERNEL20240616151600\AKernel3.exe (depth 2)
    Command line: -Unpack-logDir"C:\Users\Admin\AppData\Local\Temp\AgentInstall"-v"4.0.0.13"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3452
    -
    C:\Program Files (x86)\Common Files\system\systecv3.exe (depth 3)
      Command line: "C:\Program Files (x86)\Common Files\system\systecv3.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      PID: 944
-
C:\Program Files (x86)\Common Files\System\winrdgv3.exe (depth 1)
  Command line: "C:\Program Files (x86)\Common Files\System\winrdgv3.exe"
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID: 2696
  -
  C:\Windows\SysWOW64\winrdlv3.exe (depth 2)
    Command line: C:\Windows\SysWow64\winrdlv3.exe winwdgv3.dll,RunMonitor32
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1984
    -
    C:\Windows\SysWOW64\winrdlv3.exe (depth 3)
      Command line: C:\Windows\SysWow64\winrdlv3.exe winoav3.dll,RunAgent32
      - Executes dropped EXE
      - Loads dropped DLL
      - Enumerates connected drives
      - Writes to the Master Boot Record (MBR)
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Checks SCSI registry key(s)
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 4472
      -
      C:\Windows\system32\regsvr32.exe (depth 4)
        Command line: C:\Windows\system32\regsvr32.exe /s trmenushl64.dll
        PID: 4992
-
C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
  PID: 3184
-
C:\Windows\System32\svchost.exe (depth 1)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -s TermService
  PID: 2356
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1.7MB
MD5: a5200101cac307b258171be1029c846b
SHA1: d0eabc33191065b17589b6290c6e3a103cfb880b
SHA256: 5f93e8c94746a7729e3e7a93b8436a7d3a6f15123f80ac5ec8b2848b28c42071
SHA512: 245c893b579769b6456a9684e8dcf41b96832548949d112ea8261b93c9e8f7d1d74b366aa34ca86a5c0fd58e89a43d7ad894565d217cb34c9d73f8fa26bb084f
-
Filesize: 8.2MB
MD5: 674e3c701589408cf61a992619e31a6b
SHA1: 9586bac628f9aecc09ea07cb64d6bfe6274d4f70
SHA256: 0d712cf727b443ff2d83f92940d7500f5fd133257f167fae4ae03c40b5a14656
SHA512: af623d5e5ab13c315586084301013e1bbeb3ba0a45378de849cf5523eb468c95f88704e00081c65d06b638c162c91ce6bb15ab9084d90cf0d90abd34fab86039
-
Filesize: 2.3MB
MD5: b9e0a7cbd7fdb4d179172dbdd453495a
SHA1: 7f1b18a2bee7defa6db4900982fd3311aabed50d
SHA256: cb72b724c5f57e83cc5bc215dd522c566e0ea695b9e3d167eed9be3f18d273ce
SHA512: 720985495b67e87f6ecf62268d7dc8fecdb7c06cf9606ce1a12ce4ea741dd3d46a759420e02ec54bc6e96e49d37a2e19ac307093b1228c01914c8e632a8d373c
-
Filesize: 1.7MB
MD5: 97ac3ef2e098c4cb7dd6ec1d14dc28f1
SHA1: 3e78e87eefe45f8403e46d94713b6667aee6d9c9
SHA256: a3d817490804a951bac1c7b1ea6f48aed75baec7e3b4e31be4fbd1fe82860bb1
SHA512: 693e90da2581306a1f9bb117142429301c7dc28a8caf623c4dfc21f735c53c4502e2b58a5ebdbd8c568dfd3393d1687428f1934f4c28b4fc715eb8f856ac02cd
-
Filesize: 2.1MB
MD5: 0aed8f70a00060f8005efa8d1c668b98
SHA1: c75fe3d1a2476da55f526d366f73bedbfd56f32a
SHA256: 326abf1af467670de571252bfd8118b9ea0b8a3babc10df092fffc2da3e11671
SHA512: 738f9cbd6f693647d8b091d7192db8963e2c4ecb179ce1b5c7a81f56045674694faed7fdf88af5d7e144149d86df167d9adf6460e3905024faf526c08f7dc787
-
Filesize: 13.7MB
MD5: 3ae42cb8a028c5be3f57575342bbb56d
SHA1: 2939396b9069d4b46febc047b13ce2c30de7e886
SHA256: 0e0efb65f52f8ae90f1227aafddb1bd23803229497fc82c5c458c8d6eb83a609
SHA512: f4e5c0ff991fc907049171f8bc0ac763462e081b411547a3b24f7d57b51a73fb2c3d0a8daf5cccb0ddd8970ed5c81baf3a2c8e5b22eb3ccdc672a1e1aa01ae24
-
Filesize: 57KB
MD5: 0cbeb75d3090054817ea4df0773afe35
SHA1: 58c543a84dc18e21d86ad2c011d8ac726867fb78
SHA256: 453e2290939078c070e46896b2d991f31d295bbc1c63059b10f3c24cad7c4822
SHA512: f3ab9f393da18df2cfc22020627e72ae9e7c7b47db088aaf0fa773028c96d0e7e3d4127082b59296eecfc9c60d389a43c78ba0a4348b0f6ceb76cc8978ba649c
-
Filesize: 1.3MB
MD5: 889482a07ba13fc6e194a63d275a850a
SHA1: 16a164fded3352abb63722a5c74750cdc438f99a
SHA256: 799d176813c3d0f5a01fd482576aeab6a63e5024f3392e7974f5e437c3d7e3a0
SHA512: e5cb9cf49120ed20b07faceefccef24da4335f28f49d9ae7bfafccbc9a239c4039e9ce5f5d13b49d0be475b3913311d08b7d70a1a2df0c974d4c5a5f7bec507a
-
Filesize: 413KB
MD5: fb741fceeb80a76f7f0005a1ac60604a
SHA1: a6a8d97365634b266f0b5a001038a5a86b9ed2d6
SHA256: c8bd29c490368ebfc56dc5c951e24af613f7e5b68a8493240f5ec1afd9d4a9b1
SHA512: 8e43d1a8448828e9ea5fcac792b95dcb63640ea200cb2d2dff4902c4ceb6e79a405e0739d293c7cc14bb6ee025089fb9e954ba38e6707b92ac9fe251918bd780
-
Filesize: 694B
MD5: 5b4a2b067819b70c6c5381d8cd3e7f41
SHA1: c42a3feca754c8ba0705dcbb6cbc3009c5dd7328
SHA256: c5707a87c6f2158e8bc66b76ec97a8b534ece21c64f9ca1d4de5a52e7066083d
SHA512: 692304c356ce773c1792bcfcf1de62fdbe1761453e4254a95c3cc2ad0ea871def56181ed84c49bb4076b42628e77444d5d76006b66f7109424be311c20668a3f
-
Filesize: 120B
MD5: 9c9a766237d29b84b125ee11ab6baa2e
SHA1: aafa9a1d9a4c1964c7b770ee6da761c1badf30cd
SHA256: 9ebd2b284c09586d99c400eeb81df92e947dd4590cc9db9098340ab54996c8a4
SHA512: 74e37ef76477c41de1819effa832915aeaff8a6caeaf846314e365010e74accedda551cd718c0f63b6ddd8eec787484667e27cd56bec7133c2ef5e3413c3656b
-
Filesize: 2KB
MD5: 3b259f8aea1a1d81a371905633458f5d
SHA1: f7740eae1882fd2e0f0fefc034905ef915a89f50
SHA256: 5d327ac638a9b8809e44e592d3a9d3ba043a36de6bbec54aac6bab96adee5db7
SHA512: 6cee54681c92a92eb84929de07ef966b1bcbb3a2773571866574b21912c5dc42ae6959b49ae0eb575a5803a65e6c6db3046651329e2c7ffcc4d68904dca56bdf
-
Filesize: 4KB
MD5: cc326bdfd62060ccae3add4e69541c43
SHA1: b9eb0779249c984de1fc86e03af4d7170c6b0de0
SHA256: e8bae60d1b46c5c23290a731d53deae396466d11ff1bab76cf19dd730cf7be61
SHA512: 28ca5c44dba97f1ff375b2bb740b04a9afacc4707f0ed09268908b4504193d215e8ce3e7c4b483f6c6fbc16568a1a12dfbab3b9159f8446368f6a5aa7530777c
-
Filesize: 4KB
MD5: 04b38fb45deeedbc5d18c6fd8017222d
SHA1: dbc494f1928751dd6f963905f224b169780dd152
SHA256: 9fed9422465176d4e43e4d3078678b444d138b2c42659091064e63c6a5785e1a
SHA512: 4a1228518f79bec3bd3f65a46ee3c09883fc884044b682117aa5f100d9cccbea988744d80c7a3b437ba10c028efaf8a0b506ba54ee3e53951c3b5711038e88da
-
Filesize: 5KB
MD5: 6cc51ce855dd35f5f7a5a79d86353796
SHA1: 380a640c311a849e24bfb035238955538ba9b592
SHA256: 474f3e3223ee28534689cedf030ba2ef32d2767108b0bba5876953558859e70d
SHA512: 039172b3d22571d30a2a8a2664ada521f144f1401af49d6b12b0edf6e77591ae95c4cee1b5c013fc892297cf047485f6447e4204e949df6f2339dbe886066a53
-
Filesize: 1KB
MD5: 81db57351dbcfece486f2bdd857f3cb6
SHA1: 6d4840701bc79390773561a47591e6873a6ebedd
SHA256: 12d9a5b63786677d7d80dba79d9d18996ddb9d8fd7caf0c1f50e64f7faba214b
SHA512: 1b82e288eed796a82bb9e48eea5cefac22f8e4fa207b514d41deccd1ce3cc119b767cbc704bdcc230e37dd9f1cf128874d14dda438c423e1b59432bb8e00070f
-
Filesize: 1KB
MD5: 1826e8e3820150b8678a720f470d17f2
SHA1: 5916534f7e4f9db556acf81ba7d81f22b45f1ff8
SHA256: 688030afeddef00a0dd4aae8be4cac0f9d1e55a58d3457a2b28ccd0d46e4f1ba
SHA512: e6bbcebdc5f8bca3331da3664f3bf7222276354ab2e7e7b4c6906b5fae7f81180a0e64ad9dfef8d1f18304b537fadbb705bb87f8029455d8a2218289e23cf5a6
-
Filesize: 1KB
MD5: fc770c1940a1b98fc92a08902c729d74
SHA1: a739a734e7d4866033d4d8ead2bdbea55a3a2d6e
SHA256: 1fd03a6f7033e76e89213346d3abd8af6d68b2f2d80ddc1f077112be78b4987f
SHA512: d5893751ad98ae8b492d7e7f7db201f2cd0e422a47cf7816f96fa5c7cb93e1ffab16989f17eb51bcde10810b550a251069f15c3d9574cbbf15ab2780069e5493