d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9

General

Target

d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9.exe
Size

327KB
MD5

a1e797c848d29445be1df614f396a155
SHA1

74c449f5d19cbf1baeba01695fc312e8af17c597
SHA256

d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9
SHA512

7ae634d8a43a01eba03d4067c5227317fe17411949bb9b895b2cf4be529ac3b55a975e5adf72dc9ec5a5cddcf12c398deb80d603f7a275d60f6e3cd69253037d
SSDEEP

6144:5uHOFnmy+g4VrG1VVE+Ih/UOPSe570Szp3bE2EBE2E4:gOFKupOB0vM4

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/892-60-0x0000000000400000-0x0000000000440000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Option.bat	d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system\KavUpda.exe	d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9.exe
File opened for modification	C:\Windows\system\KavUpda.exe	d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1172	sc.exe
1036	sc.exe
1560	sc.exe
1388	sc.exe

Runs net.exe

Runs regedit.exe 1 IoCs

pid	Process
1868	regedit.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
892	d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 952	892	d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9.exe	25
PID 892 wrote to memory of 952	892	d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9.exe	25
PID 892 wrote to memory of 952	892	d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9.exe	25
PID 892 wrote to memory of 952	892	d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9.exe	25
PID 892 wrote to memory of 1564	892	d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9.exe	22
PID 892 wrote to memory of 1564	892	d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9.exe	22
PID 892 wrote to memory of 1564	892	d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9.exe	22
PID 892 wrote to memory of 1564	892	d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9.exe	22

C:\Users\Admin\AppData\Local\Temp\d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9.exe
"C:\Users\Admin\AppData\Local\Temp\d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:892
- C:\Windows\SysWOW64\net.exe
  net.exe start schedule /y
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start schedule /y
    3⤵
    PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Option.bat
  2⤵
  PID:952
- C:\Windows\SysWOW64\At.exe
  At.exe 10:46:09 AM C:\Windows\Help\HelpCat.exe
  2⤵
  PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c at 10:45:12 AM C:\Windows\Sysinf.bat
  2⤵
  PID:1268
- - C:\Windows\SysWOW64\at.exe
    at 10:45:12 AM C:\Windows\Sysinf.bat
    3⤵
    PID:1548
- C:\Windows\SysWOW64\net.exe
  net.exe stop wuauserv /y
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop wuauserv /y
    3⤵
    PID:268
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\Windows\regedt32.sys
  2⤵
  - Runs regedit.exe
  PID:1868
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe config srservice start= disabled
  2⤵
  - Launches sc.exe
  PID:1172
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe config wscsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:1036
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe config SharedAccess start= disabled
  2⤵
  - Launches sc.exe
  PID:1560
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe config srservice start= disabled
  2⤵
  - Launches sc.exe
  PID:1388
- C:\Windows\SysWOW64\net.exe
  net.exe stop 360timeprot /y
  2⤵
  PID:672
- C:\Windows\SysWOW64\net.exe
  net.exe stop srservice /y
  2⤵
  PID:636
- C:\Windows\SysWOW64\net.exe
  net.exe stop sharedaccess /y
  2⤵
  PID:664
- C:\Windows\SysWOW64\net.exe
  net.exe stop wscsvc /y
  2⤵
  PID:560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c at 10:48:12 AM C:\Windows\Sysinf.bat
  2⤵
  PID:1356

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop 360timeprot /y
1⤵
PID:296

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop srservice /y
1⤵
PID:880

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sharedaccess /y
1⤵
PID:1092

C:\Windows\SysWOW64\at.exe
at 10:48:12 AM C:\Windows\Sysinf.bat
1⤵
PID:1132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc /y
1⤵
PID:1760

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Option.bat

Filesize
82B

MD5
3f7fbd2eb34892646e93fd5e6e343512

SHA1
265ac1061b54f62350fb7a5f57e566454d013a66

SHA256
e75e8d9bfc7a2876d908305186c3656e9de2a4af7f6927ccc6d8c812645abbc7

SHA512
53d40eb2f05a23464fbf06193868e7cb30cf0df3da53586a75123fb2c37b29cdddda287ce134809d16a559d87fb20aee0e8add22d396fcb7a55f9a753739b140

Download Submit
memory/892-60-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1692-75-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing