b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8

Analysis

max time kernel
101s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8.exe
Size

32KB
MD5

59c331cca45c6d13570fcabc29b4536f
SHA1

007f82c0402c6c947b32c75266cc8f60d36bce8d
SHA256

b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8
SHA512

aff6ff37c4204a81af74161979805232d566fc01fbbe80e0e5ab3324c99de6418b89ac9755e8680f8f06c7adba7a652a12664a57ccbd21e982b2534a4a65c171
SSDEEP

768:HV8YHLr3mFzuVF81t7x4zv4FnNKkHx3xtov5AOq4b:1V3mFKzjsFnNjR3xK5AOq4b

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1516	Rund1132.com

Deletes itself 1 IoCs

pid	Process
1152	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2032	b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8.exe
2032	b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\killallQQ.bat	b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8.exe
File opened for modification	C:\Windows\SysWOW64\Rund1132.com	b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8.exe
File opened for modification	C:\Windows\SysWOW64\QQGame.exe	b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8.exe
File created	C:\Windows\SysWOW64\Rund1132.ini	b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8.exe
File created	C:\Windows\SysWOW64\ScheTime.bat	b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1552	sc.exe

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1516	Rund1132.com

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2032	b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8.exe
1516	Rund1132.com
1516	Rund1132.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 940	2032	b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8.exe	27
PID 2032 wrote to memory of 940	2032	b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8.exe	27
PID 2032 wrote to memory of 940	2032	b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8.exe	27
PID 2032 wrote to memory of 940	2032	b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8.exe	27
PID 940 wrote to memory of 1552	940	cmd.exe	29
PID 940 wrote to memory of 1552	940	cmd.exe	29
PID 940 wrote to memory of 1552	940	cmd.exe	29
PID 940 wrote to memory of 1552	940	cmd.exe	29
PID 940 wrote to memory of 584	940	cmd.exe	30
PID 940 wrote to memory of 584	940	cmd.exe	30
PID 940 wrote to memory of 584	940	cmd.exe	30
PID 940 wrote to memory of 584	940	cmd.exe	30
PID 584 wrote to memory of 676	584	net.exe	31
PID 584 wrote to memory of 676	584	net.exe	31
PID 584 wrote to memory of 676	584	net.exe	31
PID 584 wrote to memory of 676	584	net.exe	31
PID 940 wrote to memory of 1224	940	cmd.exe	32
PID 940 wrote to memory of 1224	940	cmd.exe	32
PID 940 wrote to memory of 1224	940	cmd.exe	32
PID 940 wrote to memory of 1224	940	cmd.exe	32
PID 940 wrote to memory of 1356	940	cmd.exe	33
PID 940 wrote to memory of 1356	940	cmd.exe	33
PID 940 wrote to memory of 1356	940	cmd.exe	33
PID 940 wrote to memory of 1356	940	cmd.exe	33
PID 940 wrote to memory of 112	940	cmd.exe	34
PID 940 wrote to memory of 112	940	cmd.exe	34
PID 940 wrote to memory of 112	940	cmd.exe	34
PID 940 wrote to memory of 112	940	cmd.exe	34
PID 940 wrote to memory of 336	940	cmd.exe	35
PID 940 wrote to memory of 336	940	cmd.exe	35
PID 940 wrote to memory of 336	940	cmd.exe	35
PID 940 wrote to memory of 336	940	cmd.exe	35
PID 940 wrote to memory of 1324	940	cmd.exe	36
PID 940 wrote to memory of 1324	940	cmd.exe	36
PID 940 wrote to memory of 1324	940	cmd.exe	36
PID 940 wrote to memory of 1324	940	cmd.exe	36
PID 940 wrote to memory of 1528	940	cmd.exe	37
PID 940 wrote to memory of 1528	940	cmd.exe	37
PID 940 wrote to memory of 1528	940	cmd.exe	37
PID 940 wrote to memory of 1528	940	cmd.exe	37
PID 940 wrote to memory of 1612	940	cmd.exe	38
PID 940 wrote to memory of 1612	940	cmd.exe	38
PID 940 wrote to memory of 1612	940	cmd.exe	38
PID 940 wrote to memory of 1612	940	cmd.exe	38
PID 940 wrote to memory of 1260	940	cmd.exe	39
PID 940 wrote to memory of 1260	940	cmd.exe	39
PID 940 wrote to memory of 1260	940	cmd.exe	39
PID 940 wrote to memory of 1260	940	cmd.exe	39
PID 940 wrote to memory of 1556	940	cmd.exe	40
PID 940 wrote to memory of 1556	940	cmd.exe	40
PID 940 wrote to memory of 1556	940	cmd.exe	40
PID 940 wrote to memory of 1556	940	cmd.exe	40
PID 940 wrote to memory of 2000	940	cmd.exe	41
PID 940 wrote to memory of 2000	940	cmd.exe	41
PID 940 wrote to memory of 2000	940	cmd.exe	41
PID 940 wrote to memory of 2000	940	cmd.exe	41
PID 940 wrote to memory of 1912	940	cmd.exe	42
PID 940 wrote to memory of 1912	940	cmd.exe	42
PID 940 wrote to memory of 1912	940	cmd.exe	42
PID 940 wrote to memory of 1912	940	cmd.exe	42
PID 940 wrote to memory of 1604	940	cmd.exe	43
PID 940 wrote to memory of 1604	940	cmd.exe	43
PID 940 wrote to memory of 1604	940	cmd.exe	43
PID 940 wrote to memory of 1604	940	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8.exe
"C:\Users\Admin\AppData\Local\Temp\b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\ScheTime.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\SysWOW64\sc.exe
    sc config Schedule start= AUTO
    3⤵
    - Launches sc.exe
    PID:1552
- - C:\Windows\SysWOW64\net.exe
    net start schedule
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:584
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start schedule
      4⤵
      PID:676
- - C:\Windows\SysWOW64\at.exe
    AT 0:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\at.exe
    AT 1:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1356
- - C:\Windows\SysWOW64\at.exe
    AT 2:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:112
- - C:\Windows\SysWOW64\at.exe
    AT 3:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:336
- - C:\Windows\SysWOW64\at.exe
    AT 4:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\at.exe
    AT 5:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\at.exe
    AT 6:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\at.exe
    AT 7:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1260
- - C:\Windows\SysWOW64\at.exe
    AT 8:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\at.exe
    AT 9:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\at.exe
    AT 10:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\at.exe
    AT 11:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\at.exe
    AT 12:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:816
- - C:\Windows\SysWOW64\at.exe
    AT 13:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\at.exe
    AT 14:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\at.exe
    AT 15:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\at.exe
    AT 16:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\at.exe
    AT 17:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1200
- - C:\Windows\SysWOW64\at.exe
    AT 18:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:944
- - C:\Windows\SysWOW64\at.exe
    AT 19:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\at.exe
    AT 20:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\at.exe
    AT 21:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1352
- - C:\Windows\SysWOW64\at.exe
    AT 22:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\at.exe
    AT 23:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\at.exe
    AT 0:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\at.exe
    AT 1:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:624
- - C:\Windows\SysWOW64\at.exe
    AT 2:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\at.exe
    AT 3:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\at.exe
    AT 4:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\at.exe
    AT 5:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:304
- - C:\Windows\SysWOW64\at.exe
    AT 6:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1380
- - C:\Windows\SysWOW64\at.exe
    AT 7:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\at.exe
    AT 8:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\at.exe
    AT 9:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\at.exe
    AT 10:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:860
- - C:\Windows\SysWOW64\at.exe
    AT 11:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\at.exe
    AT 12:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:740
- - C:\Windows\SysWOW64\at.exe
    AT 13:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\at.exe
    AT 14:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\at.exe
    AT 15:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:840
- - C:\Windows\SysWOW64\at.exe
    AT 16:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\at.exe
    AT 17:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\at.exe
    AT 18:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1204
- - C:\Windows\SysWOW64\at.exe
    AT 19:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\at.exe
    AT 20:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:764
- - C:\Windows\SysWOW64\at.exe
    AT 21:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\at.exe
    AT 22:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\at.exe
    AT 23:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:364
- C:\Windows\SysWOW64\Rund1132.com
  C:\Windows\system32\Rund1132.com
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\killallQQ.bat
  2⤵
  - Deletes itself
  PID:1152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Rund1132.com

Filesize
16KB

MD5
9471c8f911e758ae387034237116b74a

SHA1
5758884582fbbe48de1d252c86098ebdf83f7d7d

SHA256
03492d5a13be86d096b33f4523c25f1770760f2b4dc2c27c1e9b4e1ebfffd857

SHA512
06fc5579770f6debdc5106e55003406d33b3b54edd56b02236d3a761034ce74f33e49596c79a5e45946c9e4ca1ec049429807ef3a48faa22e47225b01012a9a2

Download Submit
C:\Windows\SysWOW64\ScheTime.bat

Filesize
3KB

MD5
c4d9d103721db23d7fbebba839c76fd1

SHA1
19609c07d0f6f2fb69310770a30e2dea2b852331

SHA256
82abc37c3e55c8f70dfdbd3fd2b3670dd8c769548145dcff7965ff610a703e50

SHA512
62c7ee6a1a198773feef24382ff15802d9c65007d3bf080dd585f78598bdd3f759421fccbc5eb4f693a93feeb72555ddd9b09fa12fbf400c967be67f073c10be

Download Submit
C:\Windows\SysWOW64\killallQQ.bat

Filesize
348B

MD5
13c245b3e1fa5ac396cea7857e894712

SHA1
197897af4b6b9edbd41070e244ee67787aa75436

SHA256
a6a24ba89acf011687adfe0040bba80191545af981afa162c55b3c5b19c16e3c

SHA512
b4e8cf75488c096b44b93d54f00e1177da99b854f4afb8ab522ce44d472c331e748ce22ab056c6390f40a41f7e17075333677edcdf0517105526a40440d5f47f

Download Submit
\Windows\SysWOW64\Rund1132.com

Filesize
16KB

MD5
9471c8f911e758ae387034237116b74a

SHA1
5758884582fbbe48de1d252c86098ebdf83f7d7d

SHA256
03492d5a13be86d096b33f4523c25f1770760f2b4dc2c27c1e9b4e1ebfffd857

SHA512
06fc5579770f6debdc5106e55003406d33b3b54edd56b02236d3a761034ce74f33e49596c79a5e45946c9e4ca1ec049429807ef3a48faa22e47225b01012a9a2

Download Submit
\Windows\SysWOW64\Rund1132.com

Filesize
16KB

MD5
9471c8f911e758ae387034237116b74a

SHA1
5758884582fbbe48de1d252c86098ebdf83f7d7d

SHA256
03492d5a13be86d096b33f4523c25f1770760f2b4dc2c27c1e9b4e1ebfffd857

SHA512
06fc5579770f6debdc5106e55003406d33b3b54edd56b02236d3a761034ce74f33e49596c79a5e45946c9e4ca1ec049429807ef3a48faa22e47225b01012a9a2

Download Submit
memory/1224-63-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1516-169-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2032-167-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/2032-168-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/2032-56-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2032-172-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download