d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9

Analysis

max time kernel
59s
max time network
70s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9.exe
Size

327KB
MD5

a1e797c848d29445be1df614f396a155
SHA1

74c449f5d19cbf1baeba01695fc312e8af17c597
SHA256

d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9
SHA512

7ae634d8a43a01eba03d4067c5227317fe17411949bb9b895b2cf4be529ac3b55a975e5adf72dc9ec5a5cddcf12c398deb80d603f7a275d60f6e3cd69253037d
SSDEEP

6144:5uHOFnmy+g4VrG1VVE+Ih/UOPSe570Szp3bE2EBE2E4:gOFKupOB0vM4

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4904-133-0x0000000000400000-0x0000000000440000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Option.bat	d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system\KavUpda.exe	d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9.exe
File opened for modification	C:\Windows\system\KavUpda.exe	d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4904	d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 5008	4904	d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9.exe	82
PID 4904 wrote to memory of 5008	4904	d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9.exe	82
PID 4904 wrote to memory of 5008	4904	d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9.exe	82
PID 4904 wrote to memory of 4504	4904	d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9.exe	84
PID 4904 wrote to memory of 4504	4904	d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9.exe	84
PID 4904 wrote to memory of 4504	4904	d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9.exe	84

C:\Users\Admin\AppData\Local\Temp\d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9.exe
"C:\Users\Admin\AppData\Local\Temp\d78ee91f13e95d9c4e04db43f19c9960f7ee3164f3b6789c06a7a9cfe18ce8c9.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat
  2⤵
  PID:5008
- C:\Windows\SysWOW64\net.exe
  net.exe start schedule /y
  2⤵
  PID:4504
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start schedule /y
    3⤵
    PID:2616
- C:\Windows\SysWOW64\net.exe
  net.exe stop sharedaccess /y
  2⤵
  PID:3372
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sharedaccess /y
    3⤵
    PID:4384
- C:\Windows\SysWOW64\net.exe
  net.exe stop wuauserv /y
  2⤵
  PID:2980
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop wuauserv /y
    3⤵
    PID:4020
- C:\Windows\SysWOW64\net.exe
  net.exe stop srservice /y
  2⤵
  PID:560
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop srservice /y
    3⤵
    PID:520
- C:\Windows\SysWOW64\net.exe
  net.exe stop 360timeprot /y
  2⤵
  PID:212
- C:\Windows\SysWOW64\net.exe
  net.exe stop wscsvc /y
  2⤵
  PID:2192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c at 10:48:13 AM C:\Windows\Sysinf.bat
  2⤵
  PID:2160
- C:\Windows\SysWOW64\cmd.exe
  cmd /c at 10:45:13 AM C:\Windows\Sysinf.bat
  2⤵
  PID:2112
- C:\Windows\SysWOW64\At.exe
  At.exe 10:46:10 AM C:\Windows\Help\HelpCat.exe
  2⤵
  PID:1828

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop 360timeprot /y
1⤵
PID:5088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc /y
1⤵
PID:3904

C:\Windows\SysWOW64\at.exe
at 10:48:13 AM C:\Windows\Sysinf.bat
1⤵
PID:2388

C:\Windows\SysWOW64\at.exe
at 10:45:13 AM C:\Windows\Sysinf.bat
1⤵
PID:1672

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Option.bat

Filesize
82B

MD5
3f7fbd2eb34892646e93fd5e6e343512

SHA1
265ac1061b54f62350fb7a5f57e566454d013a66

SHA256
e75e8d9bfc7a2876d908305186c3656e9de2a4af7f6927ccc6d8c812645abbc7

SHA512
53d40eb2f05a23464fbf06193868e7cb30cf0df3da53586a75123fb2c37b29cdddda287ce134809d16a559d87fb20aee0e8add22d396fcb7a55f9a753739b140

Download Submit
memory/4904-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download