fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909

General

Target

fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909.exe
Size

1.4MB
MD5

aa1734a9e5238be462b442ce5f16be4d
SHA1

7456bebd4249430eee781d622dc5edba11fb8529
SHA256

fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909
SHA512

b031eab401cec88527d03eb136986d179084f1590df5592f5e64f0e6e7e33dbbf1e53641feea50c7a1a345f8ff53a94b3cfe7f24f73dd03e6b8ed21010b62a01
SSDEEP

24576:A2eZJ8NI8W2eZJ8NI8W2eZJ8NI8W2eZJ8NI8uOM:68Y8Y8Y8c

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2032-55-0x0000000000400000-0x0000000000440000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Option.bat	fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Help\HelpCat.exe	fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909.exe
File opened for modification	C:\Windows\Help\HelpCat.exe	fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909.exe
File created	C:\Windows\Sysinf.bat	fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909.exe
File opened for modification	C:\Windows\system\KavUpda.exe	fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1624	sc.exe
480	sc.exe
468	sc.exe
976	sc.exe

Runs net.exe

Runs regedit.exe 1 IoCs

pid	Process
1256	regedit.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2032	fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1964	2032	fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909.exe	31
PID 2032 wrote to memory of 1964	2032	fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909.exe	31
PID 2032 wrote to memory of 1964	2032	fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909.exe	31
PID 2032 wrote to memory of 1964	2032	fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909.exe	31
PID 2032 wrote to memory of 1924	2032	fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909.exe	28
PID 2032 wrote to memory of 1924	2032	fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909.exe	28
PID 2032 wrote to memory of 1924	2032	fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909.exe	28
PID 2032 wrote to memory of 1924	2032	fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909.exe	28
PID 1924 wrote to memory of 1204	1924	net.exe	29
PID 1924 wrote to memory of 1204	1924	net.exe	29
PID 1924 wrote to memory of 1204	1924	net.exe	29
PID 1924 wrote to memory of 1204	1924	net.exe	29
PID 2032 wrote to memory of 2008	2032	fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909.exe	61
PID 2032 wrote to memory of 2008	2032	fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909.exe	61
PID 2032 wrote to memory of 2008	2032	fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909.exe	61
PID 2032 wrote to memory of 2008	2032	fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909.exe	61
PID 2032 wrote to memory of 1748	2032	fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909.exe	60
PID 2032 wrote to memory of 1748	2032	fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909.exe	60
PID 2032 wrote to memory of 1748	2032	fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909.exe	60
PID 2032 wrote to memory of 1748	2032	fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909.exe	60
PID 2032 wrote to memory of 1972	2032	fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909.exe	59
PID 2032 wrote to memory of 1972	2032	fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909.exe	59
PID 2032 wrote to memory of 1972	2032	fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909.exe	59
PID 2032 wrote to memory of 1972	2032	fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909.exe	59

C:\Users\Admin\AppData\Local\Temp\fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909.exe
"C:\Users\Admin\AppData\Local\Temp\fdfc95607bec47a23b948dfd579d70f9e326bde2b5f728ed5ba20fc19e52b909.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\net.exe
  net.exe start schedule /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start schedule /y
    3⤵
    PID:1204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Option.bat
  2⤵
  PID:1964
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe config srservice start= disabled
  2⤵
  - Launches sc.exe
  PID:1624
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe config srservice start= disabled
  2⤵
  - Launches sc.exe
  PID:480
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe config wscsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:468
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe config SharedAccess start= disabled
  2⤵
  - Launches sc.exe
  PID:976
- C:\Windows\SysWOW64\net.exe
  net.exe stop 360timeprot /y
  2⤵
  PID:608
- C:\Windows\SysWOW64\net.exe
  net.exe stop srservice /y
  2⤵
  PID:1156
- C:\Windows\SysWOW64\net.exe
  net.exe stop wuauserv /y
  2⤵
  PID:1824
- C:\Windows\SysWOW64\net.exe
  net.exe stop sharedaccess /y
  2⤵
  PID:1880
- C:\Windows\SysWOW64\net.exe
  net.exe stop wscsvc /y
  2⤵
  PID:1096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c at 9:51:48 AM C:\Windows\Sysinf.bat
  2⤵
  PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c at 9:48:48 AM C:\Windows\Sysinf.bat
  2⤵
  PID:1748
- C:\Windows\SysWOW64\At.exe
  At.exe 9:49:45 AM C:\Windows\Help\HelpCat.exe
  2⤵
  PID:2008
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\Windows\regedt32.sys
  2⤵
  - Runs regedit.exe
  PID:1256

C:\Windows\SysWOW64\at.exe
at 9:51:48 AM C:\Windows\Sysinf.bat
1⤵
PID:1980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wuauserv /y
1⤵
PID:1380

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop 360timeprot /y
1⤵
PID:1088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop srservice /y
1⤵
PID:564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sharedaccess /y
1⤵
PID:1800

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc /y
1⤵
PID:840

C:\Windows\SysWOW64\at.exe
at 9:48:48 AM C:\Windows\Sysinf.bat
1⤵
PID:1652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Option.bat

Filesize
82B

MD5
3f7fbd2eb34892646e93fd5e6e343512

SHA1
265ac1061b54f62350fb7a5f57e566454d013a66

SHA256
e75e8d9bfc7a2876d908305186c3656e9de2a4af7f6927ccc6d8c812645abbc7

SHA512
53d40eb2f05a23464fbf06193868e7cb30cf0df3da53586a75123fb2c37b29cdddda287ce134809d16a559d87fb20aee0e8add22d396fcb7a55f9a753739b140

Download Submit
memory/2008-62-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download
memory/2032-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing