cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8

Analysis

max time kernel
6s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe
Size

368KB
MD5

9981c88c6b37cc10e7c2058566145b05
SHA1

f27d4242b9e69e9a132e7b31f9e930dd3487143b
SHA256

cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8
SHA512

700bbcb3c95263dbe54e1bf64eb33acff86b520cac9dc377e960a473d786b79a99ebc44846bdb91fa9411009f9fc02ab247041e00e0b101de11df853571d69f4
SSDEEP

6144:5uHOirG1VVE+IwrG1VVE+IwrG1VVE+IRuHOyrG1VVE+IwrG1VVE+IwrG1VVE+Ig:gOmununu9OWununut

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/864-56-0x0000000000400000-0x0000000000440000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Option.bat	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Help\HelpCat.exe	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe
File created	C:\Windows\Sysinf.bat	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe
File created	C:\Windows\system\KavUpda.exe	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe
File opened for modification	C:\Windows\system\KavUpda.exe	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe
File created	C:\Windows\Help\HelpCat.exe	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
864	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 960	864	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe	31
PID 864 wrote to memory of 960	864	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe	31
PID 864 wrote to memory of 960	864	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe	31
PID 864 wrote to memory of 960	864	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe	31
PID 864 wrote to memory of 1436	864	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe	30
PID 864 wrote to memory of 1436	864	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe	30
PID 864 wrote to memory of 1436	864	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe	30
PID 864 wrote to memory of 1436	864	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe	30
PID 1436 wrote to memory of 1380	1436	net.exe	29
PID 1436 wrote to memory of 1380	1436	net.exe	29
PID 1436 wrote to memory of 1380	1436	net.exe	29
PID 1436 wrote to memory of 1380	1436	net.exe	29
PID 864 wrote to memory of 816	864	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe	52
PID 864 wrote to memory of 816	864	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe	52
PID 864 wrote to memory of 816	864	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe	52
PID 864 wrote to memory of 816	864	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe	52
PID 864 wrote to memory of 1768	864	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe	32
PID 864 wrote to memory of 1768	864	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe	32
PID 864 wrote to memory of 1768	864	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe	32
PID 864 wrote to memory of 1768	864	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe	32
PID 864 wrote to memory of 1232	864	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe	51
PID 864 wrote to memory of 1232	864	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe	51
PID 864 wrote to memory of 1232	864	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe	51
PID 864 wrote to memory of 1232	864	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe	51
PID 864 wrote to memory of 1984	864	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe	34
PID 864 wrote to memory of 1984	864	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe	34
PID 864 wrote to memory of 1984	864	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe	34
PID 864 wrote to memory of 1984	864	cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe	34

C:\Users\Admin\AppData\Local\Temp\cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe
"C:\Users\Admin\AppData\Local\Temp\cbe59f50dd4d0afc3491f81539b775658e9058ddd0e454a52c19584d4ead07e8.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\SysWOW64\net.exe
  net.exe start schedule /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Option.bat
  2⤵
  PID:960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c at 9:06:26 AM C:\Windows\Sysinf.bat
  2⤵
  PID:1768
- - C:\Windows\SysWOW64\at.exe
    at 9:06:26 AM C:\Windows\Sysinf.bat
    3⤵
    PID:736
- C:\Windows\SysWOW64\net.exe
  net.exe stop wscsvc /y
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop wscsvc /y
    3⤵
    PID:964
- C:\Windows\SysWOW64\net.exe
  net.exe stop wuauserv /y
  2⤵
  PID:1620
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop wuauserv /y
    3⤵
    PID:2000
- C:\Windows\SysWOW64\net.exe
  net.exe stop srservice /y
  2⤵
  PID:1700
- C:\Windows\SysWOW64\net.exe
  net.exe stop 360timeprot /y
  2⤵
  PID:1960
- C:\Windows\SysWOW64\net.exe
  net.exe stop sharedaccess /y
  2⤵
  PID:648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c at 9:09:26 AM C:\Windows\Sysinf.bat
  2⤵
  PID:1232
- C:\Windows\SysWOW64\At.exe
  At.exe 9:07:23 AM C:\Windows\Help\HelpCat.exe
  2⤵
  PID:816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start schedule /y
1⤵
PID:1380

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sharedaccess /y
1⤵
PID:1068

C:\Windows\SysWOW64\at.exe
at 9:09:26 AM C:\Windows\Sysinf.bat
1⤵
PID:272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Option.bat

Filesize
82B

MD5
3f7fbd2eb34892646e93fd5e6e343512

SHA1
265ac1061b54f62350fb7a5f57e566454d013a66

SHA256
e75e8d9bfc7a2876d908305186c3656e9de2a4af7f6927ccc6d8c812645abbc7

SHA512
53d40eb2f05a23464fbf06193868e7cb30cf0df3da53586a75123fb2c37b29cdddda287ce134809d16a559d87fb20aee0e8add22d396fcb7a55f9a753739b140

Download Submit
memory/816-65-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/864-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download