Analysis
max time kernel: 120s
max time network: 112s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-01-2025 09:04
Static task: static1
Behavioral task: behavioral1
Sample: 4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: 4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Resource: win10v2004-20241007-en
General
Target: 4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Size: 172KB
MD5: 95c2b21ac9aedd8823d450270c157414
SHA1: 0763082e03f8006e020796d0bdfc4c451bc6cc0c
SHA256: 4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9
SHA512: 22e813e752174b2ec2a67b5b5b069d2434e9fcba3675a1fc36372e1d54e6ff599bad61ffad7d2b695c391c3faa302a1521e2ec406652803f208b1f6bba6d9506
SSDEEP: 3072:fJpOm5axh63laEo+pXX1pQD2UCohD8mxLCj+5cmeDye42L712xrpdJ8xLeb7UZ:hAm5oh63laEo+pXX1pkF8mxeq5+4m71V
Malware Config
Signatures
Executes dropped EXE (6 IoCs)
pid   Process
4196  ntinit32.exe
3516  ntinit32.exe
3204  ntinit32.exe
464   ntinit32.exe
3676  ntinit32.exe
4496  ntinit32.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
6     icanhazip.com

Maps connected drives based on registry (3 TTPs, 14 IoCs)
Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory (5 IoCs)
description                   ioc                                                                                                   Process
File created                  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\ORJPHEPU.txt    ntinit32.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5        ntinit32.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE                 ntinit32.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies                  ntinit32.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5          ntinit32.exe
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                      Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ntinit32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ntinit32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ntinit32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ntinit32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ntinit32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ntinit32.exe
Modifies data under HKEY_USERS (15 IoCs)
Modifies registry class (62 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
description                         pid   Process
Token: SeIncBasePriorityPrivilege   4840  4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Token: SeIncBasePriorityPrivilege   4840  4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Token: SeIncBasePriorityPrivilege   4196  ntinit32.exe
Token: SeIncBasePriorityPrivilege   3516  ntinit32.exe
Token: SeIncBasePriorityPrivilege   3676  ntinit32.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid   Process
3204  ntinit32.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes
Process: C:\Users\Admin\AppData\Local\Temp\4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe (tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe"
- Enumerates connected drives
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4840

Process: C:\ProgramData\CDRM\ntinit32.exe (tree level 2)
Command line: "C:\ProgramData\CDRM\ntinit32.exe" 1
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4196

Process: C:\Users\Admin\AppData\Roaming\CDRM\ntinit32.exe (tree level 3)
Command line: "C:\Users\Admin\AppData\Roaming\CDRM\ntinit32.exe" 1
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3204

Process: C:\ProgramData\CDRM\ntinit32.exe (tree level 2)
Command line: "C:\ProgramData\CDRM\ntinit32.exe"
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3516

Process: C:\ProgramData\CDRM\ntinit32.exe (tree level 3)
Command line: "C:\ProgramData\CDRM\ntinit32.exe" 1
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 464

Process: C:\ProgramData\CDRM\ntinit32.exe (tree level 1)
Command line: C:\ProgramData\CDRM\ntinit32.exe
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3676

Process: C:\ProgramData\CDRM0\ntinit32.exe (tree level 2)
Command line: "C:\ProgramData\CDRM0\ntinit32.exe"
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID: 4496
Network
MITRE ATT&CK Enterprise v15
Downloads