a7395353081ee0eec72fde17588572abbe480a87fe1a0957162c646d97b7d19c

Analysis

max time kernel
22s
max time network
23s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 10:39

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Re-Loader Activator 3.0 2/SetupComplete.cmd
Size

331B
MD5

21a93c0f93ee99f60adf82478fc19c65
SHA1

1c7771aa4e2873ec92db5b78af1cc5c3f544c3cc
SHA256

353413c1c76ef3fb63ee05414474a1b90537b34e0d1584bd79d159a0b0602aea
SHA512

19254d21228497ea2adc596cc597e54448d1dd6ded4990ebd153b519af196bf9c84321272c4d94c535d18bb1a655e80a856f4cedb4b3ab6e49858b744dcb0eb9

Score

8^/10

defense_evasion discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppSvc.exe	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppSvc.exe\Debugger = "[email protected]"	[email protected]
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OSppSvc.exe	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OSppSvc.exe\Debugger = "[email protected]"	[email protected]

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1140	netsh.exe
860	netsh.exe
1052	netsh.exe
3036	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
2676	cmd.exe

Executes dropped EXE 5 IoCs

pid	Process
1928	brset.exe
1948	bootsect.exe
696	[email protected]
1736	[email protected]
1684	[email protected]

Indicator Removal: Clear Persistence 1 TTPs 2 IoCs

remove IFEO.

defense_evasion

Clear Persistence

T1070.009

description	ioc	Process
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppSvc.exe	[email protected]
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OsppSvc.exe	[email protected]

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat	sppsvc.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\[email protected]	[email protected]
File opened for modification	C:\Windows\[email protected]	[email protected]
File opened for modification	C:\Windows\[email protected]	[email protected]

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
996	sc.exe
492	sc.exe
620	sc.exe
1820	sc.exe
2568	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brset.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bootsect.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2256	taskkill.exe
588	taskkill.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID	[email protected]
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\slui.exe	[email protected]

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2764	schtasks.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeBackupPrivilege	2784	vssvc.exe
Token: SeRestorePrivilege	2784	vssvc.exe
Token: SeAuditPrivilege	2784	vssvc.exe
Token: SeRestorePrivilege	2304	DrvInst.exe
Token: SeRestorePrivilege	2304	DrvInst.exe
Token: SeRestorePrivilege	2304	DrvInst.exe
Token: SeRestorePrivilege	2304	DrvInst.exe
Token: SeRestorePrivilege	2304	DrvInst.exe
Token: SeRestorePrivilege	2304	DrvInst.exe
Token: SeRestorePrivilege	2304	DrvInst.exe
Token: SeLoadDriverPrivilege	2304	DrvInst.exe
Token: SeLoadDriverPrivilege	2304	DrvInst.exe
Token: SeLoadDriverPrivilege	2304	DrvInst.exe
Token: SeDebugPrivilege	2256	taskkill.exe
Token: SeDebugPrivilege	588	taskkill.exe
Token: SeShutdownPrivilege	676	shutdown.exe
Token: SeRemoteShutdownPrivilege	676	shutdown.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 3024	2676	cmd.exe	31
PID 2676 wrote to memory of 3024	2676	cmd.exe	31
PID 2676 wrote to memory of 3024	2676	cmd.exe	31
PID 3024 wrote to memory of 1928	3024	[email protected]	38
PID 3024 wrote to memory of 1928	3024	[email protected]	38
PID 3024 wrote to memory of 1928	3024	[email protected]	38
PID 3024 wrote to memory of 1928	3024	[email protected]	38
PID 3024 wrote to memory of 1948	3024	[email protected]	40
PID 3024 wrote to memory of 1948	3024	[email protected]	40
PID 3024 wrote to memory of 1948	3024	[email protected]	40
PID 3024 wrote to memory of 1948	3024	[email protected]	40
PID 3024 wrote to memory of 2256	3024	[email protected]	43
PID 3024 wrote to memory of 2256	3024	[email protected]	43
PID 3024 wrote to memory of 2256	3024	[email protected]	43
PID 3024 wrote to memory of 588	3024	[email protected]	45
PID 3024 wrote to memory of 588	3024	[email protected]	45
PID 3024 wrote to memory of 588	3024	[email protected]	45
PID 3024 wrote to memory of 2568	3024	[email protected]	47
PID 3024 wrote to memory of 2568	3024	[email protected]	47
PID 3024 wrote to memory of 2568	3024	[email protected]	47
PID 3024 wrote to memory of 1140	3024	[email protected]	49
PID 3024 wrote to memory of 1140	3024	[email protected]	49
PID 3024 wrote to memory of 1140	3024	[email protected]	49
PID 3024 wrote to memory of 996	3024	[email protected]	51
PID 3024 wrote to memory of 996	3024	[email protected]	51
PID 3024 wrote to memory of 996	3024	[email protected]	51
PID 3024 wrote to memory of 492	3024	[email protected]	53
PID 3024 wrote to memory of 492	3024	[email protected]	53
PID 3024 wrote to memory of 492	3024	[email protected]	53
PID 3024 wrote to memory of 620	3024	[email protected]	55
PID 3024 wrote to memory of 620	3024	[email protected]	55
PID 3024 wrote to memory of 620	3024	[email protected]	55
PID 3024 wrote to memory of 1820	3024	[email protected]	57
PID 3024 wrote to memory of 1820	3024	[email protected]	57
PID 3024 wrote to memory of 1820	3024	[email protected]	57
PID 3024 wrote to memory of 860	3024	[email protected]	59
PID 3024 wrote to memory of 860	3024	[email protected]	59
PID 3024 wrote to memory of 860	3024	[email protected]	59
PID 3024 wrote to memory of 1052	3024	[email protected]	61
PID 3024 wrote to memory of 1052	3024	[email protected]	61
PID 3024 wrote to memory of 1052	3024	[email protected]	61
PID 3024 wrote to memory of 3036	3024	[email protected]	63
PID 3024 wrote to memory of 3036	3024	[email protected]	63
PID 3024 wrote to memory of 3036	3024	[email protected]	63
PID 1736 wrote to memory of 276	1736	[email protected]	67
PID 1736 wrote to memory of 276	1736	[email protected]	67
PID 1736 wrote to memory of 276	1736	[email protected]	67
PID 1736 wrote to memory of 276	1736	[email protected]	67
PID 1684 wrote to memory of 2536	1684	[email protected]	69
PID 1684 wrote to memory of 2536	1684	[email protected]	69
PID 1684 wrote to memory of 2536	1684	[email protected]	69
PID 1684 wrote to memory of 2536	1684	[email protected]	69
PID 1684 wrote to memory of 2536	1684	[email protected]	69
PID 1684 wrote to memory of 2536	1684	[email protected]	69
PID 3024 wrote to memory of 2764	3024	[email protected]	70
PID 3024 wrote to memory of 2764	3024	[email protected]	70
PID 3024 wrote to memory of 2764	3024	[email protected]	70
PID 3024 wrote to memory of 676	3024	[email protected]	72
PID 3024 wrote to memory of 676	3024	[email protected]	72
PID 3024 wrote to memory of 676	3024	[email protected]	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Re-Loader Activator 3.0 2\SetupComplete.cmd"
1⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\Re-Loader Activator 3.0 2\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\Re-Loader Activator 3.0 2\[email protected]" /ActAuto /RestorePoint /Logo=AutoDetect
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  - Indicator Removal: Clear Persistence
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Users\Admin\AppData\Local\Temp\Re-Loader\OEM\brset.exe
    "C:\Users\Admin\AppData\Local\Temp\Re-Loader\OEM\brset.exe" /nt60 SYS /force
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1928
- - C:\Users\Admin\AppData\Local\Temp\Re-Loader\OEM\bootsect.exe
    "C:\Users\Admin\AppData\Local\Temp\Re-Loader\OEM\bootsect.exe" /nt52 SYS /force
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1948
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im SppSvc
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im OsppSvc
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:588
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" delete KMS-R@1n
    3⤵
    - Launches sc.exe
    PID:2568
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name="KMS-R@1n"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1140
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" stop hkmsvc
    3⤵
    - Launches sc.exe
    PID:996
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" delete hkmsvc
    3⤵
    - Launches sc.exe
    PID:492
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" create "KMS-R@1n" DisplayName= KMS-R@1n binPath= "C:\Windows\[email protected]" obj= "NT Authority\NetworkService" type= "own" error= "normal" start= "auto" depend= "RpcSs/tcpip"
    3⤵
    - Launches sc.exe
    PID:620
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" description "KMS-R@1n" "v3.0 Beta 2"
    3⤵
    - Launches sc.exe
    PID:1820
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name="KMS-R@1n"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:860
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="KMS-R@1n" dir=in program="C:\Windows\[email protected]" localport=1688 protocol=TCP action=allow remoteip=any
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1052
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="KMS-R@1n" dir=out program="C:\Windows\[email protected]" localport=1688 protocol=TCP action=allow remoteip=any
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3036
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "\R@1n-KMS\Office14ProPlus" /SC minute /MO 1 /TR "wmic path OfficeSoftwareProtectionProduct where (ID='6f327760-8c5c-417c-9b61-836a98287e0c') call Activate" /ru "SYSTEM"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2764
- - C:\Windows\System32\shutdown.exe
    "C:\Windows\System32\shutdown.exe" /r /t 1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:676

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003E4" "0000000000000598"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\[email protected]
C:\Windows\[email protected]
1⤵
- Executes dropped EXE
PID:696

C:\Windows\[email protected]
[email protected] "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:276

C:\Windows\[email protected]
[email protected] C:\Windows\system32\sppsvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  - Drops file in Windows directory
  PID:2536

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:756

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Persistence

T1070.009

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Re-Loader\OEM\bootsect.exe

Filesize
95KB

MD5
d7701bacc5d02e9c75d22aa3ecd5db93

SHA1
53d7c5a012877d1e8ce3026cdfd4c6d8eba18d61

SHA256
2d4e0a0003a8c4c236d1ec69ce764c2d503f5f03836c7a08bad38b573440cb5b

SHA512
2539691014987d89589a06928ecb9a4f1f634d76de7d4d3f477cca99be1a924b0dad6a5516f6cdd5e02342da26a32dc60f9aec8ee68101a1e48330e5ab90786a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Re-Loader\OEM\brset.exe

Filesize
95KB

MD5
9594bc046765df20f4ac8ded4d1dd5d8

SHA1
95de0064b529d0ee2a0bc786d3511a9376352847

SHA256
4c457232dd4b8e3589f2f38f705089baf568b1e9ec1554a0a3022b39f4286e76

SHA512
5c1110603239d314ad8216e3503ecb78f40d2c286810e4af7944ab4fdb0591e96a64268d545cd950696651e2a4e85529f1220a188cf7013db827d8fa23a5a6b1

Download Submit
C:\Windows\[email protected]

Filesize
25KB

MD5
0f9fd9565e6eb157fa9be11ed9c1dc9f

SHA1
ffd767312eb98685aec289b97e3768559767ee86

SHA256
7565255f0a28d065f8f30f876e7df3e46ef2e6fedf420eca7d454cf49887b2de

SHA512
d76b375a790271a8d88004e02b827f98afc2cbaaa76d20dc7e3aa9ce7dc1582f125e120950fe84722fc113fc6835cd850cdc513be2d3c488e9f357f14f90835c

Download Submit
C:\Windows\[email protected]

Filesize
4KB

MD5
a2f93b21413115c31260975c35ec4e4c

SHA1
21809876fc990326f4d5de834bf16fe844893493

SHA256
5197323ddee0141ca9c433d3860e5e7b0193c0821d9e5278d8e5f6ea0523c322

SHA512
9ae1caac963a3048c87de01ff260061686aabd5d33da14992beb5562cf2c439b6ed6a3d8907f270a603cfe91322812d5d2ae345fe4806eae88364855aab31fce

Download Submit
C:\Windows\[email protected]

Filesize
5KB

MD5
dc30cfd21bbb742c10e3621d5b506780

SHA1
ffc5574a43121acdb27b9ed001cd9edf27cfc769

SHA256
484c74d529eb1551fc2ddfe3c821a7a87113ce927cf22d79241030c2b4a4aa74

SHA512
6acc15363fe596d71d2328ac2021e253cbb7be6983dfbd9d91f2fc7a45c26dbe5ec9be3a1d79ccd1e4976f686cf0582eae59a28335dc3ae5ab8fc3b380bb65c2

Download Submit
\Device\HarddiskVolume1\FMJES

Filesize
322KB

MD5
49864d91eda705bb680af048d74ad0a5

SHA1
8c08aea642da143b9f75dfa15c5f38519f4c5149

SHA256
730df9b3ffb7d69476d81ef8a20d4f845797b0344233f9c49eb962a378f7518c

SHA512
1d83450a489a129e657f7b719c6fd9c87130479a489d93459d650d970ddefc78573d587388493233a5c108e55654195acab0887f73382132ac462bd8df4a5e71

Download Submit
memory/276-37-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/276-45-0x000007FEF7690000-0x000007FEF7695000-memory.dmp

Filesize
20KB

Download
memory/3024-5-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

Filesize
9.9MB

Download
memory/3024-4-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

Filesize
9.9MB

Download
memory/3024-0-0x000007FEF56C3000-0x000007FEF56C4000-memory.dmp

Filesize
4KB

Download
memory/3024-28-0x000007FEF56C3000-0x000007FEF56C4000-memory.dmp

Filesize
4KB

Download
memory/3024-30-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

Filesize
9.9MB

Download
memory/3024-31-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

Filesize
9.9MB

Download
memory/3024-3-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

Filesize
9.9MB

Download
memory/3024-2-0x000000001ADE0000-0x000000001B5A0000-memory.dmp

Filesize
7.8MB

Download
memory/3024-1-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/3024-42-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads