0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8

Analysis

max time kernel
199s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe
Size

1.3MB
MD5

efd442c36491cd4332446f15524bb51c
SHA1

da86e700b9b0f4217b70f9513c05fcfb6d15ef69
SHA256

0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8
SHA512

3dc5e41c6a931f46273388fa92383a7e1754755e9896a47c1f5dae7a681a2fbfb7a47b844411a51a137a4181c73c77d94bcc31140e1c8511d17267a2a1c5b6a6
SSDEEP

12288:gOwOB0JupOB0fOwOB0JupOB0TOwOB0JupOB0fOwOB0JupOB0/:aO9OmO9OIO9OmO9Og

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1224-54-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/1224-57-0x0000000000400000-0x0000000000440000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Option.bat	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\KavUpda.exe	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe
File created	C:\Windows\Help\HelpCat.exe	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe
File opened for modification	C:\Windows\Help\HelpCat.exe	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe
File created	C:\Windows\Sysinf.bat	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 300	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	28
PID 1224 wrote to memory of 300	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	28
PID 1224 wrote to memory of 300	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	28
PID 1224 wrote to memory of 300	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	28
PID 1224 wrote to memory of 580	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	30
PID 1224 wrote to memory of 580	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	30
PID 1224 wrote to memory of 580	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	30
PID 1224 wrote to memory of 580	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	30
PID 580 wrote to memory of 1440	580	net.exe	32
PID 580 wrote to memory of 1440	580	net.exe	32
PID 580 wrote to memory of 1440	580	net.exe	32
PID 580 wrote to memory of 1440	580	net.exe	32
PID 1224 wrote to memory of 1660	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	33
PID 1224 wrote to memory of 1660	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	33
PID 1224 wrote to memory of 1660	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	33
PID 1224 wrote to memory of 1660	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	33
PID 1224 wrote to memory of 1352	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	35
PID 1224 wrote to memory of 1352	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	35
PID 1224 wrote to memory of 1352	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	35
PID 1224 wrote to memory of 1352	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	35
PID 1224 wrote to memory of 1640	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	36
PID 1224 wrote to memory of 1640	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	36
PID 1224 wrote to memory of 1640	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	36
PID 1224 wrote to memory of 1640	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	36
PID 1224 wrote to memory of 1780	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	41
PID 1224 wrote to memory of 1780	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	41
PID 1224 wrote to memory of 1780	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	41
PID 1224 wrote to memory of 1780	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	41
PID 1224 wrote to memory of 1268	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	38
PID 1224 wrote to memory of 1268	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	38
PID 1224 wrote to memory of 1268	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	38
PID 1224 wrote to memory of 1268	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	38
PID 1640 wrote to memory of 1996	1640	cmd.exe	44
PID 1640 wrote to memory of 1996	1640	cmd.exe	44
PID 1640 wrote to memory of 1996	1640	cmd.exe	44
PID 1640 wrote to memory of 1996	1640	cmd.exe	44
PID 1224 wrote to memory of 1484	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	42
PID 1224 wrote to memory of 1484	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	42
PID 1224 wrote to memory of 1484	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	42
PID 1224 wrote to memory of 1484	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	42
PID 1352 wrote to memory of 1228	1352	cmd.exe	50
PID 1352 wrote to memory of 1228	1352	cmd.exe	50
PID 1352 wrote to memory of 1228	1352	cmd.exe	50
PID 1352 wrote to memory of 1228	1352	cmd.exe	50
PID 1780 wrote to memory of 1552	1780	net.exe	45
PID 1780 wrote to memory of 1552	1780	net.exe	45
PID 1780 wrote to memory of 1552	1780	net.exe	45
PID 1780 wrote to memory of 1552	1780	net.exe	45
PID 1224 wrote to memory of 1672	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	51
PID 1224 wrote to memory of 1672	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	51
PID 1224 wrote to memory of 1672	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	51
PID 1224 wrote to memory of 1672	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	51
PID 1224 wrote to memory of 936	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	48
PID 1224 wrote to memory of 936	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	48
PID 1224 wrote to memory of 936	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	48
PID 1224 wrote to memory of 936	1224	0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe	48
PID 1268 wrote to memory of 860	1268	net.exe	49
PID 1268 wrote to memory of 860	1268	net.exe	49
PID 1268 wrote to memory of 860	1268	net.exe	49
PID 1268 wrote to memory of 860	1268	net.exe	49
PID 1484 wrote to memory of 628	1484	net.exe	52
PID 1484 wrote to memory of 628	1484	net.exe	52
PID 1484 wrote to memory of 628	1484	net.exe	52
PID 1484 wrote to memory of 628	1484	net.exe	52

C:\Users\Admin\AppData\Local\Temp\0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe
"C:\Users\Admin\AppData\Local\Temp\0fb90a7540e9a65ab73de74f6100f3a37c2fb38b5feb9a781ece08f97bab7ff8.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Option.bat
  2⤵
  PID:300
- C:\Windows\SysWOW64\net.exe
  net.exe start schedule /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start schedule /y
    3⤵
    PID:1440
- C:\Windows\SysWOW64\At.exe
  At.exe 8:18:03 PM C:\Windows\Help\HelpCat.exe
  2⤵
  PID:1660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c at 8:17:06 PM C:\Windows\Sysinf.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\SysWOW64\at.exe
    at 8:17:06 PM C:\Windows\Sysinf.bat
    3⤵
    PID:1228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c at 8:20:06 PM C:\Windows\Sysinf.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\SysWOW64\at.exe
    at 8:20:06 PM C:\Windows\Sysinf.bat
    3⤵
    PID:1996
- C:\Windows\SysWOW64\net.exe
  net.exe stop sharedaccess /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sharedaccess /y
    3⤵
    PID:860
- C:\Windows\SysWOW64\net.exe
  net.exe stop wscsvc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop wscsvc /y
    3⤵
    PID:1552
- C:\Windows\SysWOW64\net.exe
  net.exe stop wuauserv /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop wuauserv /y
    3⤵
    PID:628
- C:\Windows\SysWOW64\net.exe
  net.exe stop 360timeprot /y
  2⤵
  PID:936
- C:\Windows\SysWOW64\net.exe
  net.exe stop srservice /y
  2⤵
  PID:1672
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop srservice /y
    3⤵
    PID:1048

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Option.bat

Filesize
82B

MD5
3f7fbd2eb34892646e93fd5e6e343512

SHA1
265ac1061b54f62350fb7a5f57e566454d013a66

SHA256
e75e8d9bfc7a2876d908305186c3656e9de2a4af7f6927ccc6d8c812645abbc7

SHA512
53d40eb2f05a23464fbf06193868e7cb30cf0df3da53586a75123fb2c37b29cdddda287ce134809d16a559d87fb20aee0e8add22d396fcb7a55f9a753739b140

Download Submit
memory/1224-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1224-54-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1660-65-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download