4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720

Analysis

max time kernel
87s
max time network
89s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 22:33

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe
Size

720KB
MD5

03431f0754a08d5d258e0ee953d0d760
SHA1

22df5899239d697d64dbdd81ee344ccdb8637da6
SHA256

4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720
SHA512

667e95b49a2c32045ae6d8491413392db98ba6b077ad546507f979ae988b9ac93a9884b3c6fd8f07eec8311e5ad1b4ae45c4d0cd05ee0d8e7a67650f86f99a58
SSDEEP

12288:xhSidauH42shOZrxLmWnI5Oi77u7I02O5lu7I02O5OKXDFc4:xINo49hOZrxLvnIFi7I02b7I02dKXDFp

Score

8^/10

evasion

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe

Disables Task Manager via registry modification
evasion

Kills process with taskkill 7 IoCs

evasion

pid	Process
1468	taskkill.exe
1964	taskkill.exe
1876	taskkill.exe
1580	taskkill.exe
1532	taskkill.exe
1472	taskkill.exe
1020	taskkill.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "jpegfile"	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.inf\ = "jpegfile"	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "jpegfile"	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "jpegfile"	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe
Token: SeShutdownPrivilege	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe
Token: SeDebugPrivilege	1472	taskkill.exe
Token: SeDebugPrivilege	1580	taskkill.exe
Token: SeDebugPrivilege	1468	taskkill.exe
Token: SeDebugPrivilege	1020	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe
1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 1100	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	27
PID 1200 wrote to memory of 1100	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	27
PID 1200 wrote to memory of 1100	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	27
PID 1200 wrote to memory of 1100	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	27
PID 1200 wrote to memory of 832	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	28
PID 1200 wrote to memory of 832	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	28
PID 1200 wrote to memory of 832	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	28
PID 1200 wrote to memory of 832	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	28
PID 1200 wrote to memory of 2024	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	30
PID 1200 wrote to memory of 2024	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	30
PID 1200 wrote to memory of 2024	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	30
PID 1200 wrote to memory of 2024	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	30
PID 1200 wrote to memory of 1472	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	33
PID 1200 wrote to memory of 1472	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	33
PID 1200 wrote to memory of 1472	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	33
PID 1200 wrote to memory of 1472	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	33
PID 1200 wrote to memory of 1020	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	34
PID 1200 wrote to memory of 1020	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	34
PID 1200 wrote to memory of 1020	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	34
PID 1200 wrote to memory of 1020	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	34
PID 1100 wrote to memory of 1152	1100	net.exe	38
PID 1100 wrote to memory of 1152	1100	net.exe	38
PID 1100 wrote to memory of 1152	1100	net.exe	38
PID 1100 wrote to memory of 1152	1100	net.exe	38
PID 1200 wrote to memory of 1468	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	37
PID 1200 wrote to memory of 1468	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	37
PID 1200 wrote to memory of 1468	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	37
PID 1200 wrote to memory of 1468	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	37
PID 832 wrote to memory of 1624	832	net.exe	36
PID 832 wrote to memory of 1624	832	net.exe	36
PID 832 wrote to memory of 1624	832	net.exe	36
PID 832 wrote to memory of 1624	832	net.exe	36
PID 2024 wrote to memory of 1636	2024	net.exe	39
PID 2024 wrote to memory of 1636	2024	net.exe	39
PID 2024 wrote to memory of 1636	2024	net.exe	39
PID 2024 wrote to memory of 1636	2024	net.exe	39
PID 1200 wrote to memory of 1964	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	41
PID 1200 wrote to memory of 1964	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	41
PID 1200 wrote to memory of 1964	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	41
PID 1200 wrote to memory of 1964	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	41
PID 1200 wrote to memory of 1876	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	43
PID 1200 wrote to memory of 1876	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	43
PID 1200 wrote to memory of 1876	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	43
PID 1200 wrote to memory of 1876	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	43
PID 1200 wrote to memory of 1580	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	44
PID 1200 wrote to memory of 1580	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	44
PID 1200 wrote to memory of 1580	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	44
PID 1200 wrote to memory of 1580	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	44
PID 1200 wrote to memory of 1532	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	46
PID 1200 wrote to memory of 1532	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	46
PID 1200 wrote to memory of 1532	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	46
PID 1200 wrote to memory of 1532	1200	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	46

C:\Users\Admin\AppData\Local\Temp\4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe
"C:\Users\Admin\AppData\Local\Temp\4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe"
1⤵
- Disables RegEdit via registry modification
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\SysWOW64\net.exe
  net user Administrator beipandexiachang
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user Administrator beipandexiachang
    3⤵
    PID:1152
- C:\Windows\SysWOW64\net.exe
  net user 123456 beipandexiachang /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user 123456 beipandexiachang /add
    3⤵
    PID:1624
- C:\Windows\SysWOW64\net.exe
  net user administrators 123456 /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user administrators 123456 /add
    3⤵
    PID:1636
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im kavsvc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1472
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im KVXP.kxp
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1020
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Rav.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Ravmon.exe
  2⤵
  - Kills process with taskkill
  PID:1964
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Mcshield.exe
  2⤵
  - Kills process with taskkill
  PID:1876
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im VsTskMgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1580
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im 360tray.exe
  2⤵
  - Kills process with taskkill
  PID:1532

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:4528

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:9940

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:10056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1200-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/4528-68-0x000007FEFC001000-0x000007FEFC003000-memory.dmp

Filesize
8KB

Download
memory/9940-69-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads