f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2

General

Target

f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe
Size

32KB
MD5

d4d096d5cf80ea153949d7cde798d615
SHA1

051cedcc6385b10879a297969d672455a5642904
SHA256

f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2
SHA512

92670b295b75cd86837b0f8a495b455b95276537828b186391cdb5fd5cc3e5601d32ab3965bb00fef5e60bb955ac785bd20895536af06ded2b2e6dbc43b4d357
SSDEEP

768:eLh0pBoGRkmhvYwQMVmSDpuUbzrS/o1MADiBiN87:eLhxi5RV9bzrfLFm7

Score

8^/10

discovery upx

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

Processes:

rundll32.exef7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\acpiec.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\pcidump.sys	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1552-66-0x0000000000400000-0x000000000041B000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1688 rundll32.exe
1688 rundll32.exe
1688 rundll32.exe
1688 rundll32.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in System32 directory 1 IoCs

Processes:

f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe

description ioc process

File created C:\Windows\SysWOW64\killkb.dll f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

1412 sc.exe
1428 sc.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1536 ipconfig.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

964 taskkill.exe
1640 taskkill.exe
1544 taskkill.exe
896 taskkill.exe

pid	process
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\killkb.dll	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe

pid	process
1412	sc.exe
1428	sc.exe

pid	process
1536	ipconfig.exe

pid	process
964	taskkill.exe
1640	taskkill.exe
1544	taskkill.exe
896	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exerundll32.exe

pid	process
1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

464
464

pid	process
464
464

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1544	taskkill.exe
Token: SeDebugPrivilege	964	taskkill.exe
Token: SeDebugPrivilege	1640	taskkill.exe
Token: SeDebugPrivilege	896	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1552 wrote to memory of 832	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 832	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 832	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 832	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 2000	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 2000	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 2000	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 2000	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 1464	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 1464	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 1464	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 1464	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 584	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 584	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 584	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 584	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 1460	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 1460	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 1460	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 1460	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 1420	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 1420	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 1420	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 1420	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 2000 wrote to memory of 748	2000	cmd.exe	cacls.exe
PID 2000 wrote to memory of 748	2000	cmd.exe	cacls.exe
PID 2000 wrote to memory of 748	2000	cmd.exe	cacls.exe
PID 2000 wrote to memory of 748	2000	cmd.exe	cacls.exe
PID 832 wrote to memory of 516	832	cmd.exe	cacls.exe
PID 832 wrote to memory of 516	832	cmd.exe	cacls.exe
PID 832 wrote to memory of 516	832	cmd.exe	cacls.exe
PID 832 wrote to memory of 516	832	cmd.exe	cacls.exe
PID 1464 wrote to memory of 1412	1464	cmd.exe	sc.exe
PID 1464 wrote to memory of 1412	1464	cmd.exe	sc.exe
PID 1464 wrote to memory of 1412	1464	cmd.exe	sc.exe
PID 1464 wrote to memory of 1412	1464	cmd.exe	sc.exe
PID 584 wrote to memory of 1544	584	cmd.exe	taskkill.exe
PID 584 wrote to memory of 1544	584	cmd.exe	taskkill.exe
PID 584 wrote to memory of 1544	584	cmd.exe	taskkill.exe
PID 584 wrote to memory of 1544	584	cmd.exe	taskkill.exe
PID 1460 wrote to memory of 1640	1460	cmd.exe	taskkill.exe
PID 1460 wrote to memory of 1640	1460	cmd.exe	taskkill.exe
PID 1460 wrote to memory of 1640	1460	cmd.exe	taskkill.exe
PID 1460 wrote to memory of 1640	1460	cmd.exe	taskkill.exe
PID 1420 wrote to memory of 964	1420	cmd.exe	taskkill.exe
PID 1420 wrote to memory of 964	1420	cmd.exe	taskkill.exe
PID 1420 wrote to memory of 964	1420	cmd.exe	taskkill.exe
PID 1420 wrote to memory of 964	1420	cmd.exe	taskkill.exe
PID 1552 wrote to memory of 1688	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	rundll32.exe
PID 1552 wrote to memory of 1688	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	rundll32.exe
PID 1552 wrote to memory of 1688	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	rundll32.exe
PID 1552 wrote to memory of 1688	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	rundll32.exe
PID 1552 wrote to memory of 1688	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	rundll32.exe
PID 1552 wrote to memory of 1688	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	rundll32.exe
PID 1552 wrote to memory of 1688	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	rundll32.exe
PID 1552 wrote to memory of 1864	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 1864	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 1864	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 1864	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 1956	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 1956	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 1956	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1552 wrote to memory of 1956	1552	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 1864 wrote to memory of 1428	1864	cmd.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe
"C:\Users\Admin\AppData\Local\Temp\f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\system32 /e /p everyone:f
2⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32 /e /p everyone:f
3⤵
PID:516

C:\Windows\SysWOW64\cmd.exe
cmd /c sc config ekrn start= disabled
2⤵
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\SysWOW64\sc.exe
sc config ekrn start= disabled
3⤵
- Launches sc.exe
PID:1412

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
2⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
3⤵
PID:748

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im ekrn.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ekrn.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im egui.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\taskkill.exe
taskkill /im egui.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im ScanFrm.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ScanFrm.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\system32\killkb.dll, droqp
2⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1688

C:\Windows\SysWOW64\cmd.exe
cmd /c sc config avp start= disabled
2⤵
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\sc.exe
sc config avp start= disabled
3⤵
- Launches sc.exe
PID:1428

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im avp.exe /f
2⤵
PID:1956

C:\Windows\SysWOW64\taskkill.exe
taskkill /im avp.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:1536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\killkb.dll
Filesize
23KB

MD5
bd6e5ac0acc075e65e36074574a5dfd8

SHA1
12f7d36dc2402d735cfb2422b3df69c09805955b

SHA256
6d896d84492570ca5bcf476f64d6e6a111134577e55da0779ddda0936e9fc21b

SHA512
717e3c5c44e23d58b3c5707e8c3e9d3b061b9444b479e1fd3f9718c40a1caae963df243fc1fd3e0a3eb2f19efd30e298780b7ff3dad569b78c3f6299faa59532

Download Submit
\Windows\SysWOW64\killkb.dll
Filesize
23KB

MD5
bd6e5ac0acc075e65e36074574a5dfd8

SHA1
12f7d36dc2402d735cfb2422b3df69c09805955b

SHA256
6d896d84492570ca5bcf476f64d6e6a111134577e55da0779ddda0936e9fc21b

SHA512
717e3c5c44e23d58b3c5707e8c3e9d3b061b9444b479e1fd3f9718c40a1caae963df243fc1fd3e0a3eb2f19efd30e298780b7ff3dad569b78c3f6299faa59532

Download Submit
\Windows\SysWOW64\killkb.dll
Filesize
23KB

MD5
bd6e5ac0acc075e65e36074574a5dfd8

SHA1
12f7d36dc2402d735cfb2422b3df69c09805955b

SHA256
6d896d84492570ca5bcf476f64d6e6a111134577e55da0779ddda0936e9fc21b

SHA512
717e3c5c44e23d58b3c5707e8c3e9d3b061b9444b479e1fd3f9718c40a1caae963df243fc1fd3e0a3eb2f19efd30e298780b7ff3dad569b78c3f6299faa59532

Download Submit
\Windows\SysWOW64\killkb.dll
Filesize
23KB

MD5
bd6e5ac0acc075e65e36074574a5dfd8

SHA1
12f7d36dc2402d735cfb2422b3df69c09805955b

SHA256
6d896d84492570ca5bcf476f64d6e6a111134577e55da0779ddda0936e9fc21b

SHA512
717e3c5c44e23d58b3c5707e8c3e9d3b061b9444b479e1fd3f9718c40a1caae963df243fc1fd3e0a3eb2f19efd30e298780b7ff3dad569b78c3f6299faa59532

Download Submit
\Windows\SysWOW64\killkb.dll
Filesize
23KB

MD5
bd6e5ac0acc075e65e36074574a5dfd8

SHA1
12f7d36dc2402d735cfb2422b3df69c09805955b

SHA256
6d896d84492570ca5bcf476f64d6e6a111134577e55da0779ddda0936e9fc21b

SHA512
717e3c5c44e23d58b3c5707e8c3e9d3b061b9444b479e1fd3f9718c40a1caae963df243fc1fd3e0a3eb2f19efd30e298780b7ff3dad569b78c3f6299faa59532

Download Submit
memory/516-61-0x0000000000000000-mapping.dmp

Download
memory/584-57-0x0000000000000000-mapping.dmp

Download
memory/748-60-0x0000000000000000-mapping.dmp

Download
memory/832-54-0x0000000000000000-mapping.dmp

Download
memory/896-77-0x0000000000000000-mapping.dmp

Download
memory/964-65-0x0000000000000000-mapping.dmp

Download
memory/1412-62-0x0000000000000000-mapping.dmp

Download
memory/1420-59-0x0000000000000000-mapping.dmp

Download
memory/1428-76-0x0000000000000000-mapping.dmp

Download
memory/1460-58-0x0000000000000000-mapping.dmp

Download
memory/1464-56-0x0000000000000000-mapping.dmp

Download
memory/1536-78-0x0000000000000000-mapping.dmp

Download
memory/1544-63-0x0000000000000000-mapping.dmp

Download
memory/1552-66-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1640-64-0x0000000000000000-mapping.dmp

Download
memory/1688-68-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1688-67-0x0000000000000000-mapping.dmp

Download
memory/1864-74-0x0000000000000000-mapping.dmp

Download
memory/1956-75-0x0000000000000000-mapping.dmp

Download
memory/2000-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads