56258a7cce841ad3b4b8fba3e980a5ed1b13213bca684a81d3295b04803cb8ba

Analysis

max time kernel
16s
max time network
78s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
21-11-2024 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loaderunpac4.exe
Size

1.1MB
MD5

2e2169e859d21c8b8d56ab4f8c732a12
SHA1

e4b06667879a7fa15d3e4f0d63b0014bd6c701fa
SHA256

56258a7cce841ad3b4b8fba3e980a5ed1b13213bca684a81d3295b04803cb8ba
SHA512

5326c36ea2d381d8efe41b0ddac95f8bff9225411c3905489ab4b8081e1c666a99a662f24de842cac800541cbc5a338476c41804600792519a07064cc95df16f
SSDEEP

24576:9u9MQzEf7H539Fc7eApy0Qu0Xiok9VQSnJULVqtIZo3:HQwzB9FRX0919zNtI

Score

8^/10

discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	Loaderunpac4.exe

Executes dropped EXE 52 IoCs

pid	Process
5088	ami.exe
3664	ami.exe
3832	ami.exe
1328	ami.exe
1508	ami.exe
4556	ami.exe
400	ami.exe
3184	ami.exe
1804	ami.exe
2560	ami.exe
2088	ami.exe
4580	ami.exe
3068	ami.exe
4200	ami.exe
2084	ami.exe
648	ami.exe
2260	ami.exe
3756	ami.exe
856	ami.exe
1428	ami.exe
4512	ami.exe
4740	ami.exe
1488	ami.exe
3292	ami.exe
4680	ami.exe
4236	ami.exe
5088	ami.exe
3664	ami.exe
3832	ami.exe
1328	ami.exe
1508	ami.exe
4556	ami.exe
400	ami.exe
3184	ami.exe
1804	ami.exe
2560	ami.exe
2088	ami.exe
4580	ami.exe
3068	ami.exe
4200	ami.exe
2084	ami.exe
648	ami.exe
2260	ami.exe
3756	ami.exe
856	ami.exe
1428	ami.exe
4512	ami.exe
4740	ami.exe
1488	ami.exe
3292	ami.exe
4680	ami.exe
4236	ami.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\windows32\amifldrv64.sys	Loaderunpac4.exe
File created	C:\Windows\windows32\amigendrv64.sys	Loaderunpac4.exe
File created	C:\Windows\windows32\ami.exe	Loaderunpac4.exe
File created	C:\Windows\windows32\a.bat	Loaderunpac4.exe
File created	C:\Windows\windows32\b.bat	Loaderunpac4.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3312	sc.exe
3276	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loaderunpac4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Loaderunpac4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Loaderunpac4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Loaderunpac4.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4736	WMIC.exe
4736	WMIC.exe
4736	WMIC.exe
4736	WMIC.exe
4648	WMIC.exe
4648	WMIC.exe
4648	WMIC.exe
4648	WMIC.exe
2024	WMIC.exe
2024	WMIC.exe
2024	WMIC.exe
2024	WMIC.exe
4736	WMIC.exe
4736	WMIC.exe
4736	WMIC.exe
4736	WMIC.exe
4648	WMIC.exe
4648	WMIC.exe
4648	WMIC.exe
4648	WMIC.exe
2024	WMIC.exe
2024	WMIC.exe
2024	WMIC.exe
2024	WMIC.exe

Suspicious behavior: LoadsDriver 52 IoCs

pid	Process
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	Loaderunpac4.exe
Token: SeIncreaseQuotaPrivilege	4736	WMIC.exe
Token: SeSecurityPrivilege	4736	WMIC.exe
Token: SeTakeOwnershipPrivilege	4736	WMIC.exe
Token: SeLoadDriverPrivilege	4736	WMIC.exe
Token: SeSystemProfilePrivilege	4736	WMIC.exe
Token: SeSystemtimePrivilege	4736	WMIC.exe
Token: SeProfSingleProcessPrivilege	4736	WMIC.exe
Token: SeIncBasePriorityPrivilege	4736	WMIC.exe
Token: SeCreatePagefilePrivilege	4736	WMIC.exe
Token: SeBackupPrivilege	4736	WMIC.exe
Token: SeRestorePrivilege	4736	WMIC.exe
Token: SeShutdownPrivilege	4736	WMIC.exe
Token: SeDebugPrivilege	4736	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4736	WMIC.exe
Token: SeRemoteShutdownPrivilege	4736	WMIC.exe
Token: SeUndockPrivilege	4736	WMIC.exe
Token: SeManageVolumePrivilege	4736	WMIC.exe
Token: 33	4736	WMIC.exe
Token: 34	4736	WMIC.exe
Token: 35	4736	WMIC.exe
Token: 36	4736	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3932	svchost.exe
Token: SeIncreaseQuotaPrivilege	3932	svchost.exe
Token: SeSecurityPrivilege	3932	svchost.exe
Token: SeTakeOwnershipPrivilege	3932	svchost.exe
Token: SeLoadDriverPrivilege	3932	svchost.exe
Token: SeSystemtimePrivilege	3932	svchost.exe
Token: SeBackupPrivilege	3932	svchost.exe
Token: SeRestorePrivilege	3932	svchost.exe
Token: SeShutdownPrivilege	3932	svchost.exe
Token: SeSystemEnvironmentPrivilege	3932	svchost.exe
Token: SeUndockPrivilege	3932	svchost.exe
Token: SeManageVolumePrivilege	3932	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3932	svchost.exe
Token: SeIncreaseQuotaPrivilege	3932	svchost.exe
Token: SeSecurityPrivilege	3932	svchost.exe
Token: SeTakeOwnershipPrivilege	3932	svchost.exe
Token: SeLoadDriverPrivilege	3932	svchost.exe
Token: SeSystemtimePrivilege	3932	svchost.exe
Token: SeBackupPrivilege	3932	svchost.exe
Token: SeRestorePrivilege	3932	svchost.exe
Token: SeShutdownPrivilege	3932	svchost.exe
Token: SeSystemEnvironmentPrivilege	3932	svchost.exe
Token: SeUndockPrivilege	3932	svchost.exe
Token: SeManageVolumePrivilege	3932	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3932	svchost.exe
Token: SeIncreaseQuotaPrivilege	3932	svchost.exe
Token: SeSecurityPrivilege	3932	svchost.exe
Token: SeTakeOwnershipPrivilege	3932	svchost.exe
Token: SeLoadDriverPrivilege	3932	svchost.exe
Token: SeSystemtimePrivilege	3932	svchost.exe
Token: SeBackupPrivilege	3932	svchost.exe
Token: SeRestorePrivilege	3932	svchost.exe
Token: SeShutdownPrivilege	3932	svchost.exe
Token: SeSystemEnvironmentPrivilege	3932	svchost.exe
Token: SeUndockPrivilege	3932	svchost.exe
Token: SeManageVolumePrivilege	3932	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3932	svchost.exe
Token: SeIncreaseQuotaPrivilege	3932	svchost.exe
Token: SeSecurityPrivilege	3932	svchost.exe
Token: SeTakeOwnershipPrivilege	3932	svchost.exe
Token: SeLoadDriverPrivilege	3932	svchost.exe
Token: SeSystemtimePrivilege	3932	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 5088	2400	Loaderunpac4.exe	88
PID 2400 wrote to memory of 5088	2400	Loaderunpac4.exe	88
PID 2400 wrote to memory of 3664	2400	Loaderunpac4.exe	90
PID 2400 wrote to memory of 3664	2400	Loaderunpac4.exe	90
PID 2400 wrote to memory of 3832	2400	Loaderunpac4.exe	92
PID 2400 wrote to memory of 3832	2400	Loaderunpac4.exe	92
PID 2400 wrote to memory of 1328	2400	Loaderunpac4.exe	94
PID 2400 wrote to memory of 1328	2400	Loaderunpac4.exe	94
PID 2400 wrote to memory of 1508	2400	Loaderunpac4.exe	96
PID 2400 wrote to memory of 1508	2400	Loaderunpac4.exe	96
PID 2400 wrote to memory of 4556	2400	Loaderunpac4.exe	98
PID 2400 wrote to memory of 4556	2400	Loaderunpac4.exe	98
PID 2400 wrote to memory of 400	2400	Loaderunpac4.exe	100
PID 2400 wrote to memory of 400	2400	Loaderunpac4.exe	100
PID 2400 wrote to memory of 3184	2400	Loaderunpac4.exe	102
PID 2400 wrote to memory of 3184	2400	Loaderunpac4.exe	102
PID 2400 wrote to memory of 1804	2400	Loaderunpac4.exe	104
PID 2400 wrote to memory of 1804	2400	Loaderunpac4.exe	104
PID 2400 wrote to memory of 2560	2400	Loaderunpac4.exe	107
PID 2400 wrote to memory of 2560	2400	Loaderunpac4.exe	107
PID 2400 wrote to memory of 2088	2400	Loaderunpac4.exe	109
PID 2400 wrote to memory of 2088	2400	Loaderunpac4.exe	109
PID 2400 wrote to memory of 4580	2400	Loaderunpac4.exe	112
PID 2400 wrote to memory of 4580	2400	Loaderunpac4.exe	112
PID 2400 wrote to memory of 3068	2400	Loaderunpac4.exe	114
PID 2400 wrote to memory of 3068	2400	Loaderunpac4.exe	114
PID 2400 wrote to memory of 4200	2400	Loaderunpac4.exe	116
PID 2400 wrote to memory of 4200	2400	Loaderunpac4.exe	116
PID 2400 wrote to memory of 2084	2400	Loaderunpac4.exe	118
PID 2400 wrote to memory of 2084	2400	Loaderunpac4.exe	118
PID 2400 wrote to memory of 648	2400	Loaderunpac4.exe	120
PID 2400 wrote to memory of 648	2400	Loaderunpac4.exe	120
PID 2400 wrote to memory of 2260	2400	Loaderunpac4.exe	122
PID 2400 wrote to memory of 2260	2400	Loaderunpac4.exe	122
PID 2400 wrote to memory of 3756	2400	Loaderunpac4.exe	124
PID 2400 wrote to memory of 3756	2400	Loaderunpac4.exe	124
PID 2400 wrote to memory of 856	2400	Loaderunpac4.exe	126
PID 2400 wrote to memory of 856	2400	Loaderunpac4.exe	126
PID 2400 wrote to memory of 1428	2400	Loaderunpac4.exe	128
PID 2400 wrote to memory of 1428	2400	Loaderunpac4.exe	128
PID 2400 wrote to memory of 4512	2400	Loaderunpac4.exe	130
PID 2400 wrote to memory of 4512	2400	Loaderunpac4.exe	130
PID 2400 wrote to memory of 4740	2400	Loaderunpac4.exe	132
PID 2400 wrote to memory of 4740	2400	Loaderunpac4.exe	132
PID 2400 wrote to memory of 1488	2400	Loaderunpac4.exe	134
PID 2400 wrote to memory of 1488	2400	Loaderunpac4.exe	134
PID 2400 wrote to memory of 3292	2400	Loaderunpac4.exe	136
PID 2400 wrote to memory of 3292	2400	Loaderunpac4.exe	136
PID 2400 wrote to memory of 4680	2400	Loaderunpac4.exe	138
PID 2400 wrote to memory of 4680	2400	Loaderunpac4.exe	138
PID 2400 wrote to memory of 4236	2400	Loaderunpac4.exe	140
PID 2400 wrote to memory of 4236	2400	Loaderunpac4.exe	140
PID 2400 wrote to memory of 1596	2400	Loaderunpac4.exe	142
PID 2400 wrote to memory of 1596	2400	Loaderunpac4.exe	142
PID 2400 wrote to memory of 1596	2400	Loaderunpac4.exe	142
PID 2400 wrote to memory of 1712	2400	Loaderunpac4.exe	143
PID 2400 wrote to memory of 1712	2400	Loaderunpac4.exe	143
PID 2400 wrote to memory of 1712	2400	Loaderunpac4.exe	143
PID 1712 wrote to memory of 3264	1712	cmd.exe	146
PID 1712 wrote to memory of 3264	1712	cmd.exe	146
PID 1712 wrote to memory of 3264	1712	cmd.exe	146
PID 3264 wrote to memory of 4176	3264	net.exe	147
PID 3264 wrote to memory of 4176	3264	net.exe	147
PID 3264 wrote to memory of 4176	3264	net.exe	147

C:\Users\Admin\AppData\Local\Temp\Loaderunpac4.exe
"C:\Users\Admin\AppData\Local\Temp\Loaderunpac4.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\windows32\ami.exe
  "C:\\Windows\\windows32\\ami.exe" /SU auto
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\windows32\ami.exe
  "C:\\Windows\\windows32\\ami.exe" /SS P4WX8PMREZZG
  2⤵
  - Executes dropped EXE
  PID:3664
- C:\Windows\windows32\ami.exe
  "C:\\Windows\\windows32\\ami.exe" /SV "1.0"
  2⤵
  - Executes dropped EXE
  PID:3832
- C:\Windows\windows32\ami.exe
  "C:\\Windows\\windows32\\ami.exe" /CSK P1IZ950TKNSQ
  2⤵
  - Executes dropped EXE
  PID:1328
- C:\Windows\windows32\ami.exe
  "C:\\Windows\\windows32\\ami.exe" /CM ZZM32VZTGMU6
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\windows32\ami.exe
  "C:\\Windows\\windows32\\ami.exe" /SM "Gigabyte Technology Co., Ltd."
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\windows32\ami.exe
  "C:\\Windows\\windows32\\ami.exe" /SK 40820SGV798S
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\windows32\ami.exe
  "C:\\Windows\\windows32\\ami.exe" /SF 8GKGD8JBMF7I
  2⤵
  - Executes dropped EXE
  PID:3184
- C:\Windows\windows32\ami.exe
  "C:\\Windows\\windows32\\ami.exe" /BM CSYS9G9DGM5I
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\windows32\ami.exe
  "C:\\Windows\\windows32\\ami.exe" /BP 6831G6S0145W
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\windows32\ami.exe
  "C:\\Windows\\windows32\\ami.exe" /BV "1.0"
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\windows32\ami.exe
  "C:\\Windows\\windows32\\ami.exe" /BT LTPHCSTY2ZZH
  2⤵
  - Executes dropped EXE
  PID:4580
- C:\Windows\windows32\ami.exe
  "C:\\Windows\\windows32\\ami.exe" /BLC 4YV195LVLBJF
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\windows32\ami.exe
  "C:\\Windows\\windows32\\ami.exe" /PSN "To Be Filled By O.E.M."
  2⤵
  - Executes dropped EXE
  PID:4200
- C:\Windows\windows32\ami.exe
  "C:\\Windows\\windows32\\ami.exe" /PAT FR5PXHRHXCGQ
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\windows32\ami.exe
  "C:\\Windows\\windows32\\ami.exe" /PPN 02AX2HPGIW7S
  2⤵
  - Executes dropped EXE
  PID:648
- C:\Windows\windows32\ami.exe
  "C:\\Windows\\windows32\\ami.exe" /CSK L106SJLKJKCU
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\windows32\ami.exe
  "C:\\Windows\\windows32\\ami.exe" /CS "Default String"
  2⤵
  - Executes dropped EXE
  PID:3756
- C:\Windows\windows32\ami.exe
  "C:\\Windows\\windows32\\ami.exe" /CV "1.0"
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\windows32\ami.exe
  "C:\\Windows\\windows32\\ami.exe" /CM "Micro-Star International Co., Ltd."
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\windows32\ami.exe
  "C:\\Windows\\windows32\\ami.exe" /CA XEAVIST2RFAH
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\windows32\ami.exe
  "C:\\Windows\\windows32\\ami.exe" /CO "0000 0000h"
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\windows32\ami.exe
  "C:\\Windows\\windows32\\ami.exe" /CT "03h"
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\windows32\ami.exe
  "C:\\Windows\\windows32\\ami.exe" /IV "3.80"
  2⤵
  - Executes dropped EXE
  PID:3292
- C:\Windows\windows32\ami.exe
  "C:\\Windows\\windows32\\ami.exe" /IVN "American Megatrends International, LLC."
  2⤵
  - Executes dropped EXE
  PID:4680
- C:\Windows\windows32\ami.exe
  "C:\\Windows\\windows32\\ami.exe" /BS 230868160955318
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\windows32\b.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3196
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic nic where physicaladapter=true get deviceid
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4736
  - - C:\Windows\SysWOW64\findstr.exe
      findstr [0-9]
      4⤵
      System Location Discovery: System Language Discovery
      PID:2164
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4664
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:376
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:896
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d 7A9F990DD25A /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3420
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic nic where physicaladapter=true get deviceid
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4648
  - - C:\Windows\SysWOW64\findstr.exe
      findstr [0-9]
      4⤵
      System Location Discovery: System Language Discovery
      PID:1828
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1844
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1588
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3832
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4200
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2024
- - C:\Windows\SysWOW64\netsh.exe
    netsh interface set interface name="Ethernet" disable
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4572
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C net stop winmgmt /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\net.exe
    net stop winmgmt /y
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3264
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop winmgmt /y
      4⤵
      System Location Discovery: System Language Discovery
      PID:4176
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C net start winmgmt /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2720
- - C:\Windows\SysWOW64\net.exe
    net start winmgmt /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1640
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start winmgmt /y
      4⤵
      System Location Discovery: System Language Discovery
      PID:1072
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C sc stop winmgmt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:224
- - C:\Windows\SysWOW64\sc.exe
    sc stop winmgmt
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3312
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C sc start winmgmt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1592
- - C:\Windows\SysWOW64\sc.exe
    sc start winmgmt
    3⤵
    - Launches sc.exe
    PID:3276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:5048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:4444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\wbem\repository\MAPPING3.MAP

Filesize
207KB

MD5
7a9e145dcabc32e592f9f59b6f0b782b

SHA1
9295620df6ecb50a29173bcd7a79dbc280332218

SHA256
4d70321e903f76961998c9d8568f9c2e8f84ed8c767def3d0a01664a8700a62f

SHA512
55f2a0a86153965fef50aa92cbee9942239ec2fd387c4a6495683e6bc880d4fe1e51d420f57a4eee3e2ca7a24b357cd346ce7e66a5c7708fe6200fd255ea77a3

Download Submit
C:\Windows\windows32\ami.exe

Filesize
377KB

MD5
64ae4aa4904d3b259dda8cc53769064f

SHA1
24be8fb54afd8182652819b9a307b6f66f3fc58d

SHA256
2c67fb6eb81630c917f08295e4ff3b5f777cb41b26f7b09dc36d79f089e61bc4

SHA512
6c16d2bc23c20a7456b4db7136e1bb5fcee9cbf83a73d8de507b7b3ffc618f81f020cde638d2cd1ef5f154541b745a2a0e27b4c654683a21571183f7a1bffd16

Download Submit
C:\Windows\windows32\b.bat

Filesize
2KB

MD5
c0b8d81370dd4defc9317dc6c204d581

SHA1
fa2b6a292c398d2a2febbdddcf39a62ffbb6fb23

SHA256
4d8d40a7e435fc815d088d7309a6bece3a9d798b4fb8170ca3d9c4c7c8c6784f

SHA512
271552179a651414d8b321017a8675a1cd09ac83394cc014453d28f1837b60db657b1d75362af71d075b1f4e33ac5eedf6556a43709589a6159c4d0ef2d00828

Download Submit
memory/2400-43-0x0000000074540000-0x0000000074CF1000-memory.dmp

Filesize
7.7MB

Download
memory/2400-1-0x00000000002F0000-0x000000000040C000-memory.dmp

Filesize
1.1MB

Download
memory/2400-5-0x00000000051E0000-0x0000000005272000-memory.dmp

Filesize
584KB

Download
memory/2400-6-0x0000000005280000-0x0000000005476000-memory.dmp

Filesize
2.0MB

Download
memory/2400-7-0x0000000005490000-0x000000000549A000-memory.dmp

Filesize
40KB

Download
memory/2400-8-0x0000000074540000-0x0000000074CF1000-memory.dmp

Filesize
7.7MB

Download
memory/2400-11-0x000000007454E000-0x000000007454F000-memory.dmp

Filesize
4KB

Download
memory/2400-15-0x0000000074540000-0x0000000074CF1000-memory.dmp

Filesize
7.7MB

Download
memory/2400-3-0x0000000074540000-0x0000000074CF1000-memory.dmp

Filesize
7.7MB

Download
memory/2400-0-0x000000007454E000-0x000000007454F000-memory.dmp

Filesize
4KB

Download
memory/2400-2-0x0000000005070000-0x0000000005142000-memory.dmp

Filesize
840KB

Download
memory/2400-4-0x00000000056F0000-0x0000000005C96000-memory.dmp

Filesize
5.6MB

Download
memory/2400-0-0x000000007454E000-0x000000007454F000-memory.dmp

Filesize
4KB

Download
memory/2400-1-0x00000000002F0000-0x000000000040C000-memory.dmp

Filesize
1.1MB

Download
memory/2400-2-0x0000000005070000-0x0000000005142000-memory.dmp

Filesize
840KB

Download
memory/2400-3-0x0000000074540000-0x0000000074CF1000-memory.dmp

Filesize
7.7MB

Download
memory/2400-4-0x00000000056F0000-0x0000000005C96000-memory.dmp

Filesize
5.6MB

Download
memory/2400-5-0x00000000051E0000-0x0000000005272000-memory.dmp

Filesize
584KB

Download
memory/2400-6-0x0000000005280000-0x0000000005476000-memory.dmp

Filesize
2.0MB

Download
memory/2400-7-0x0000000005490000-0x000000000549A000-memory.dmp

Filesize
40KB

Download
memory/2400-8-0x0000000074540000-0x0000000074CF1000-memory.dmp

Filesize
7.7MB

Download
memory/2400-11-0x000000007454E000-0x000000007454F000-memory.dmp

Filesize
4KB

Download
memory/2400-15-0x0000000074540000-0x0000000074CF1000-memory.dmp

Filesize
7.7MB

Download
memory/2400-43-0x0000000074540000-0x0000000074CF1000-memory.dmp

Filesize
7.7MB

Download