f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2

General

Target

f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe
Size

32KB
MD5

d4d096d5cf80ea153949d7cde798d615
SHA1

051cedcc6385b10879a297969d672455a5642904
SHA256

f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2
SHA512

92670b295b75cd86837b0f8a495b455b95276537828b186391cdb5fd5cc3e5601d32ab3965bb00fef5e60bb955ac785bd20895536af06ded2b2e6dbc43b4d357
SSDEEP

768:eLh0pBoGRkmhvYwQMVmSDpuUbzrS/o1MADiBiN87:eLhxi5RV9bzrfLFm7

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

Processes:

f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe
File created	C:\Windows\SysWOW64\drivers\acpiec.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\pcidump.sys	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5112-132-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/5112-145-0x0000000000400000-0x000000000041B000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

rundll32.exef7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe

pid process

700 rundll32.exe
5112 f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe
Drops file in System32 directory 1 IoCs

Processes:

f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe

description ioc process

File created C:\Windows\SysWOW64\killkb.dll f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

3420 sc.exe
3112 sc.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

4128 ipconfig.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

224 taskkill.exe
3476 taskkill.exe
112 taskkill.exe
308 taskkill.exe

pid	process
700	rundll32.exe
5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe

description	ioc	process
File created	C:\Windows\SysWOW64\killkb.dll	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe

pid	process
3420	sc.exe
3112	sc.exe

pid	process
4128	ipconfig.exe

pid	process
224	taskkill.exe
3476	taskkill.exe
112	taskkill.exe
308	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exerundll32.exe

pid	process
5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe
5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe
700	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	112	taskkill.exe
Token: SeDebugPrivilege	308	taskkill.exe
Token: SeDebugPrivilege	224	taskkill.exe
Token: SeDebugPrivilege	3476	taskkill.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 5112 wrote to memory of 3488	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 5112 wrote to memory of 3488	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 5112 wrote to memory of 3488	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 5112 wrote to memory of 1532	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 5112 wrote to memory of 1532	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 5112 wrote to memory of 1532	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 5112 wrote to memory of 3472	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 5112 wrote to memory of 3472	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 5112 wrote to memory of 3472	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 5112 wrote to memory of 1512	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 5112 wrote to memory of 1512	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 5112 wrote to memory of 1512	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 5112 wrote to memory of 1444	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 5112 wrote to memory of 1444	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 5112 wrote to memory of 1444	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 5112 wrote to memory of 3368	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 5112 wrote to memory of 3368	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 5112 wrote to memory of 3368	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 3488 wrote to memory of 2844	3488	cmd.exe	cacls.exe
PID 3488 wrote to memory of 2844	3488	cmd.exe	cacls.exe
PID 3488 wrote to memory of 2844	3488	cmd.exe	cacls.exe
PID 1532 wrote to memory of 4764	1532	cmd.exe	cacls.exe
PID 1532 wrote to memory of 4764	1532	cmd.exe	cacls.exe
PID 1532 wrote to memory of 4764	1532	cmd.exe	cacls.exe
PID 3368 wrote to memory of 112	3368	cmd.exe	taskkill.exe
PID 3368 wrote to memory of 112	3368	cmd.exe	taskkill.exe
PID 3368 wrote to memory of 112	3368	cmd.exe	taskkill.exe
PID 1512 wrote to memory of 224	1512	cmd.exe	taskkill.exe
PID 1512 wrote to memory of 224	1512	cmd.exe	taskkill.exe
PID 1512 wrote to memory of 224	1512	cmd.exe	taskkill.exe
PID 3472 wrote to memory of 3420	3472	cmd.exe	sc.exe
PID 3472 wrote to memory of 3420	3472	cmd.exe	sc.exe
PID 3472 wrote to memory of 3420	3472	cmd.exe	sc.exe
PID 1444 wrote to memory of 308	1444	cmd.exe	taskkill.exe
PID 1444 wrote to memory of 308	1444	cmd.exe	taskkill.exe
PID 1444 wrote to memory of 308	1444	cmd.exe	taskkill.exe
PID 5112 wrote to memory of 700	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	rundll32.exe
PID 5112 wrote to memory of 700	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	rundll32.exe
PID 5112 wrote to memory of 700	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	rundll32.exe
PID 5112 wrote to memory of 3904	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 5112 wrote to memory of 3904	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 5112 wrote to memory of 3904	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 5112 wrote to memory of 2440	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 5112 wrote to memory of 2440	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 5112 wrote to memory of 2440	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	cmd.exe
PID 3904 wrote to memory of 3112	3904	cmd.exe	sc.exe
PID 3904 wrote to memory of 3112	3904	cmd.exe	sc.exe
PID 3904 wrote to memory of 3112	3904	cmd.exe	sc.exe
PID 2440 wrote to memory of 3476	2440	cmd.exe	taskkill.exe
PID 2440 wrote to memory of 3476	2440	cmd.exe	taskkill.exe
PID 2440 wrote to memory of 3476	2440	cmd.exe	taskkill.exe
PID 5112 wrote to memory of 4128	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	ipconfig.exe
PID 5112 wrote to memory of 4128	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	ipconfig.exe
PID 5112 wrote to memory of 4128	5112	f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe	ipconfig.exe

C:\Users\Admin\AppData\Local\Temp\f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe
"C:\Users\Admin\AppData\Local\Temp\f7d956f427ea1d6e993a266f6397b304a9b78ddb1a41e949492f89d565580dd2.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\system32 /e /p everyone:f
2⤵
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32 /e /p everyone:f
3⤵
PID:2844

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im ekrn.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ekrn.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Windows\SysWOW64\cmd.exe
cmd /c sc config ekrn start= disabled
2⤵
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\SysWOW64\sc.exe
sc config ekrn start= disabled
3⤵
- Launches sc.exe
PID:3420

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im egui.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\taskkill.exe
taskkill /im egui.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:308

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
2⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
3⤵
PID:4764

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im ScanFrm.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3368

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ScanFrm.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:112

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\system32\killkb.dll, droqp
2⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:700

C:\Windows\SysWOW64\cmd.exe
cmd /c sc config avp start= disabled
2⤵
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\SysWOW64\sc.exe
sc config avp start= disabled
3⤵
- Launches sc.exe
PID:3112

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im avp.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\SysWOW64\taskkill.exe
taskkill /im avp.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:4128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\killkb.dll
Filesize
23KB

MD5
bd6e5ac0acc075e65e36074574a5dfd8

SHA1
12f7d36dc2402d735cfb2422b3df69c09805955b

SHA256
6d896d84492570ca5bcf476f64d6e6a111134577e55da0779ddda0936e9fc21b

SHA512
717e3c5c44e23d58b3c5707e8c3e9d3b061b9444b479e1fd3f9718c40a1caae963df243fc1fd3e0a3eb2f19efd30e298780b7ff3dad569b78c3f6299faa59532

Download Submit
C:\Windows\SysWOW64\killkb.dll
Filesize
23KB

MD5
bd6e5ac0acc075e65e36074574a5dfd8

SHA1
12f7d36dc2402d735cfb2422b3df69c09805955b

SHA256
6d896d84492570ca5bcf476f64d6e6a111134577e55da0779ddda0936e9fc21b

SHA512
717e3c5c44e23d58b3c5707e8c3e9d3b061b9444b479e1fd3f9718c40a1caae963df243fc1fd3e0a3eb2f19efd30e298780b7ff3dad569b78c3f6299faa59532

Download Submit
C:\Windowsaboy.dll
Filesize
55KB

MD5
c4de710997c8ece56601785e1a012e4c

SHA1
75df0fbf700111838877814d00874ca1104c7180

SHA256
d16d6aa3ce9ae6d2cb88bd008ad52facec8e415d5bb9a3433d8e44371fb0e250

SHA512
295f3a25845ea4704858f2956bb7fbdd59c19201974d29ee0ed547dc8ad66d3f3b49fabb72112e51f295575156f5c85046f89d924797291c016575f50a1844be

Download Submit
memory/112-141-0x0000000000000000-mapping.dmp

Download
memory/224-142-0x0000000000000000-mapping.dmp

Download
memory/308-144-0x0000000000000000-mapping.dmp

Download
memory/700-146-0x0000000000000000-mapping.dmp

Download
memory/1444-137-0x0000000000000000-mapping.dmp

Download
memory/1512-136-0x0000000000000000-mapping.dmp

Download
memory/1532-134-0x0000000000000000-mapping.dmp

Download
memory/2440-150-0x0000000000000000-mapping.dmp

Download
memory/2844-139-0x0000000000000000-mapping.dmp

Download
memory/3112-151-0x0000000000000000-mapping.dmp

Download
memory/3368-138-0x0000000000000000-mapping.dmp

Download
memory/3420-143-0x0000000000000000-mapping.dmp

Download
memory/3472-135-0x0000000000000000-mapping.dmp

Download
memory/3476-152-0x0000000000000000-mapping.dmp

Download
memory/3488-133-0x0000000000000000-mapping.dmp

Download
memory/3904-149-0x0000000000000000-mapping.dmp

Download
memory/4128-154-0x0000000000000000-mapping.dmp

Download
memory/4764-140-0x0000000000000000-mapping.dmp

Download
memory/5112-145-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5112-132-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads