f2de5420e4dcf465c0049205fdd71c1a37556eb64fe1e5d7c8866f8c62b9ae27

Analysis

max time kernel
4s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 08:06

Target

f2de5420e4dcf465c0049205fdd71c1a37556eb64fe1e5d7c8866f8c62b9ae27.exe
Size

1.1MB
MD5

7937d360be3cbe69ce359a8364c8c1ae
SHA1

88cf0235f5cfcc071784c9c3989af84715a85cbe
SHA256

f2de5420e4dcf465c0049205fdd71c1a37556eb64fe1e5d7c8866f8c62b9ae27
SHA512

0b6d00b29bf164951b2dff3ffdbc39560f8163985da08bb88b42abc84b5cb071fa0485391bedd51d710328ef1c74eca10ba3c142c12752dbddf921682cbc6916
SSDEEP

12288:gONu9O6uJOB06GONu9O6uJOB06GONu9O6uJOB06G:NO/O/OW

Score

8^/10

upx

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1604-60-0x0000000000400000-0x0000000000440000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Option.bat	f2de5420e4dcf465c0049205fdd71c1a37556eb64fe1e5d7c8866f8c62b9ae27.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system\KavUpda.exe	f2de5420e4dcf465c0049205fdd71c1a37556eb64fe1e5d7c8866f8c62b9ae27.exe
File opened for modification	C:\Windows\system\KavUpda.exe	f2de5420e4dcf465c0049205fdd71c1a37556eb64fe1e5d7c8866f8c62b9ae27.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1604	f2de5420e4dcf465c0049205fdd71c1a37556eb64fe1e5d7c8866f8c62b9ae27.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 996	1604	f2de5420e4dcf465c0049205fdd71c1a37556eb64fe1e5d7c8866f8c62b9ae27.exe	28
PID 1604 wrote to memory of 996	1604	f2de5420e4dcf465c0049205fdd71c1a37556eb64fe1e5d7c8866f8c62b9ae27.exe	28
PID 1604 wrote to memory of 996	1604	f2de5420e4dcf465c0049205fdd71c1a37556eb64fe1e5d7c8866f8c62b9ae27.exe	28
PID 1604 wrote to memory of 996	1604	f2de5420e4dcf465c0049205fdd71c1a37556eb64fe1e5d7c8866f8c62b9ae27.exe	28
PID 1604 wrote to memory of 1772	1604	f2de5420e4dcf465c0049205fdd71c1a37556eb64fe1e5d7c8866f8c62b9ae27.exe	31
PID 1604 wrote to memory of 1772	1604	f2de5420e4dcf465c0049205fdd71c1a37556eb64fe1e5d7c8866f8c62b9ae27.exe	31
PID 1604 wrote to memory of 1772	1604	f2de5420e4dcf465c0049205fdd71c1a37556eb64fe1e5d7c8866f8c62b9ae27.exe	31
PID 1604 wrote to memory of 1772	1604	f2de5420e4dcf465c0049205fdd71c1a37556eb64fe1e5d7c8866f8c62b9ae27.exe	31

C:\Users\Admin\AppData\Local\Temp\f2de5420e4dcf465c0049205fdd71c1a37556eb64fe1e5d7c8866f8c62b9ae27.exe
"C:\Users\Admin\AppData\Local\Temp\f2de5420e4dcf465c0049205fdd71c1a37556eb64fe1e5d7c8866f8c62b9ae27.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Option.bat
  2⤵
  PID:996
- C:\Windows\SysWOW64\net.exe
  net.exe start schedule /y
  2⤵
  PID:1772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c at 2:08:02 PM C:\Windows\Sysinf.bat
  2⤵
  PID:1980
- - C:\Windows\SysWOW64\at.exe
    at 2:08:02 PM C:\Windows\Sysinf.bat
    3⤵
    PID:472
- C:\Windows\SysWOW64\net.exe
  net.exe stop sharedaccess /y
  2⤵
  PID:304
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sharedaccess /y
    3⤵
    PID:972
- C:\Windows\SysWOW64\net.exe
  net.exe stop srservice /y
  2⤵
  PID:628
- C:\Windows\SysWOW64\net.exe
  net.exe stop 360timeprot /y
  2⤵
  PID:1028
- C:\Windows\SysWOW64\net.exe
  net.exe stop wuauserv /y
  2⤵
  PID:1320
- C:\Windows\SysWOW64\net.exe
  net.exe stop wscsvc /y
  2⤵
  PID:1120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c at 2:11:02 PM C:\Windows\Sysinf.bat
  2⤵
  PID:580
- C:\Windows\SysWOW64\At.exe
  At.exe 2:08:59 PM C:\Windows\Help\HelpCat.exe
  2⤵
  PID:2024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start schedule /y
1⤵
PID:2040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc /y
1⤵
PID:1972

C:\Windows\SysWOW64\Option.bat

Filesize
82B

MD5
3f7fbd2eb34892646e93fd5e6e343512

SHA1
265ac1061b54f62350fb7a5f57e566454d013a66

SHA256
e75e8d9bfc7a2876d908305186c3656e9de2a4af7f6927ccc6d8c812645abbc7

SHA512
53d40eb2f05a23464fbf06193868e7cb30cf0df3da53586a75123fb2c37b29cdddda287ce134809d16a559d87fb20aee0e8add22d396fcb7a55f9a753739b140

Download Submit
memory/1604-60-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2024-63-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download