b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8

Analysis

max time kernel
192s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8.exe
Size

32KB
MD5

59c331cca45c6d13570fcabc29b4536f
SHA1

007f82c0402c6c947b32c75266cc8f60d36bce8d
SHA256

b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8
SHA512

aff6ff37c4204a81af74161979805232d566fc01fbbe80e0e5ab3324c99de6418b89ac9755e8680f8f06c7adba7a652a12664a57ccbd21e982b2534a4a65c171
SSDEEP

768:HV8YHLr3mFzuVF81t7x4zv4FnNKkHx3xtov5AOq4b:1V3mFKzjsFnNjR3xK5AOq4b

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4588	Rund1132.com

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ScheTime.bat	b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8.exe
File created	C:\Windows\SysWOW64\killallQQ.bat	b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8.exe
File opened for modification	C:\Windows\SysWOW64\Rund1132.com	b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8.exe
File opened for modification	C:\Windows\SysWOW64\QQGame.exe	b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8.exe
File created	C:\Windows\SysWOW64\Rund1132.ini	b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4724	sc.exe

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4588	Rund1132.com

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1896	b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8.exe
4588	Rund1132.com
4588	Rund1132.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 1196	1896	b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8.exe	82
PID 1896 wrote to memory of 1196	1896	b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8.exe	82
PID 1896 wrote to memory of 1196	1896	b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8.exe	82
PID 1196 wrote to memory of 4724	1196	cmd.exe	84
PID 1196 wrote to memory of 4724	1196	cmd.exe	84
PID 1196 wrote to memory of 4724	1196	cmd.exe	84
PID 1196 wrote to memory of 3468	1196	cmd.exe	85
PID 1196 wrote to memory of 3468	1196	cmd.exe	85
PID 1196 wrote to memory of 3468	1196	cmd.exe	85
PID 3468 wrote to memory of 680	3468	net.exe	86
PID 3468 wrote to memory of 680	3468	net.exe	86
PID 3468 wrote to memory of 680	3468	net.exe	86
PID 1196 wrote to memory of 3480	1196	cmd.exe	87
PID 1196 wrote to memory of 3480	1196	cmd.exe	87
PID 1196 wrote to memory of 3480	1196	cmd.exe	87
PID 1196 wrote to memory of 4024	1196	cmd.exe	88
PID 1196 wrote to memory of 4024	1196	cmd.exe	88
PID 1196 wrote to memory of 4024	1196	cmd.exe	88
PID 1196 wrote to memory of 4756	1196	cmd.exe	89
PID 1196 wrote to memory of 4756	1196	cmd.exe	89
PID 1196 wrote to memory of 4756	1196	cmd.exe	89
PID 1196 wrote to memory of 1312	1196	cmd.exe	90
PID 1196 wrote to memory of 1312	1196	cmd.exe	90
PID 1196 wrote to memory of 1312	1196	cmd.exe	90
PID 1196 wrote to memory of 4428	1196	cmd.exe	91
PID 1196 wrote to memory of 4428	1196	cmd.exe	91
PID 1196 wrote to memory of 4428	1196	cmd.exe	91
PID 1196 wrote to memory of 1652	1196	cmd.exe	92
PID 1196 wrote to memory of 1652	1196	cmd.exe	92
PID 1196 wrote to memory of 1652	1196	cmd.exe	92
PID 1196 wrote to memory of 1536	1196	cmd.exe	93
PID 1196 wrote to memory of 1536	1196	cmd.exe	93
PID 1196 wrote to memory of 1536	1196	cmd.exe	93
PID 1196 wrote to memory of 4144	1196	cmd.exe	94
PID 1196 wrote to memory of 4144	1196	cmd.exe	94
PID 1196 wrote to memory of 4144	1196	cmd.exe	94
PID 1196 wrote to memory of 4212	1196	cmd.exe	95
PID 1196 wrote to memory of 4212	1196	cmd.exe	95
PID 1196 wrote to memory of 4212	1196	cmd.exe	95
PID 1196 wrote to memory of 1864	1196	cmd.exe	96
PID 1196 wrote to memory of 1864	1196	cmd.exe	96
PID 1196 wrote to memory of 1864	1196	cmd.exe	96
PID 1196 wrote to memory of 396	1196	cmd.exe	97
PID 1196 wrote to memory of 396	1196	cmd.exe	97
PID 1196 wrote to memory of 396	1196	cmd.exe	97
PID 1196 wrote to memory of 3240	1196	cmd.exe	98
PID 1196 wrote to memory of 3240	1196	cmd.exe	98
PID 1196 wrote to memory of 3240	1196	cmd.exe	98
PID 1196 wrote to memory of 4780	1196	cmd.exe	99
PID 1196 wrote to memory of 4780	1196	cmd.exe	99
PID 1196 wrote to memory of 4780	1196	cmd.exe	99
PID 1196 wrote to memory of 2772	1196	cmd.exe	100
PID 1196 wrote to memory of 2772	1196	cmd.exe	100
PID 1196 wrote to memory of 2772	1196	cmd.exe	100
PID 1196 wrote to memory of 4420	1196	cmd.exe	101
PID 1196 wrote to memory of 4420	1196	cmd.exe	101
PID 1196 wrote to memory of 4420	1196	cmd.exe	101
PID 1196 wrote to memory of 2692	1196	cmd.exe	102
PID 1196 wrote to memory of 2692	1196	cmd.exe	102
PID 1196 wrote to memory of 2692	1196	cmd.exe	102
PID 1196 wrote to memory of 4704	1196	cmd.exe	103
PID 1196 wrote to memory of 4704	1196	cmd.exe	103
PID 1196 wrote to memory of 4704	1196	cmd.exe	103
PID 1196 wrote to memory of 2560	1196	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8.exe
"C:\Users\Admin\AppData\Local\Temp\b590ffe6983d135b9004f592eca99f549b8f8909aa2959676256d0d53ca738b8.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\ScheTime.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\SysWOW64\sc.exe
    sc config Schedule start= AUTO
    3⤵
    - Launches sc.exe
    PID:4724
- - C:\Windows\SysWOW64\net.exe
    net start schedule
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3468
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start schedule
      4⤵
      PID:680
- - C:\Windows\SysWOW64\at.exe
    AT 0:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:3480
- - C:\Windows\SysWOW64\at.exe
    AT 1:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:4024
- - C:\Windows\SysWOW64\at.exe
    AT 2:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:4756
- - C:\Windows\SysWOW64\at.exe
    AT 3:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\at.exe
    AT 4:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:4428
- - C:\Windows\SysWOW64\at.exe
    AT 5:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\at.exe
    AT 6:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\at.exe
    AT 7:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\at.exe
    AT 8:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:4212
- - C:\Windows\SysWOW64\at.exe
    AT 9:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\at.exe
    AT 10:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:396
- - C:\Windows\SysWOW64\at.exe
    AT 11:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:3240
- - C:\Windows\SysWOW64\at.exe
    AT 12:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:4780
- - C:\Windows\SysWOW64\at.exe
    AT 13:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\at.exe
    AT 14:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:4420
- - C:\Windows\SysWOW64\at.exe
    AT 15:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\at.exe
    AT 16:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:4704
- - C:\Windows\SysWOW64\at.exe
    AT 17:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\at.exe
    AT 18:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\at.exe
    AT 19:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\at.exe
    AT 20:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\at.exe
    AT 21:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\at.exe
    AT 22:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\at.exe
    AT 23:00 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\at.exe
    AT 0:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\at.exe
    AT 1:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\at.exe
    AT 2:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\at.exe
    AT 3:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\at.exe
    AT 4:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:3252
- - C:\Windows\SysWOW64\at.exe
    AT 5:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\at.exe
    AT 6:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\at.exe
    AT 7:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:3644
- - C:\Windows\SysWOW64\at.exe
    AT 8:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\at.exe
    AT 9:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:3616
- - C:\Windows\SysWOW64\at.exe
    AT 10:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\at.exe
    AT 11:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:3696
- - C:\Windows\SysWOW64\at.exe
    AT 12:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:4572
- - C:\Windows\SysWOW64\at.exe
    AT 13:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\at.exe
    AT 14:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:3156
- - C:\Windows\SysWOW64\at.exe
    AT 15:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:3620
- - C:\Windows\SysWOW64\at.exe
    AT 16:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\at.exe
    AT 17:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:3724
- - C:\Windows\SysWOW64\at.exe
    AT 18:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:388
- - C:\Windows\SysWOW64\at.exe
    AT 19:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:4700
- - C:\Windows\SysWOW64\at.exe
    AT 20:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\at.exe
    AT 21:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\at.exe
    AT 22:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:452
- - C:\Windows\SysWOW64\at.exe
    AT 23:30 /interactive /every:M,T,W,Th,F,S,Su C:\Windows\system32\Rund1132.com
    3⤵
    PID:3516
- C:\Windows\SysWOW64\Rund1132.com
  C:\Windows\system32\Rund1132.com
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\killallQQ.bat
  2⤵
  PID:4580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Rund1132.com

Filesize
16KB

MD5
9471c8f911e758ae387034237116b74a

SHA1
5758884582fbbe48de1d252c86098ebdf83f7d7d

SHA256
03492d5a13be86d096b33f4523c25f1770760f2b4dc2c27c1e9b4e1ebfffd857

SHA512
06fc5579770f6debdc5106e55003406d33b3b54edd56b02236d3a761034ce74f33e49596c79a5e45946c9e4ca1ec049429807ef3a48faa22e47225b01012a9a2

Download Submit
C:\Windows\SysWOW64\Rund1132.com

Filesize
16KB

MD5
9471c8f911e758ae387034237116b74a

SHA1
5758884582fbbe48de1d252c86098ebdf83f7d7d

SHA256
03492d5a13be86d096b33f4523c25f1770760f2b4dc2c27c1e9b4e1ebfffd857

SHA512
06fc5579770f6debdc5106e55003406d33b3b54edd56b02236d3a761034ce74f33e49596c79a5e45946c9e4ca1ec049429807ef3a48faa22e47225b01012a9a2

Download Submit
C:\Windows\SysWOW64\ScheTime.bat

Filesize
3KB

MD5
c4d9d103721db23d7fbebba839c76fd1

SHA1
19609c07d0f6f2fb69310770a30e2dea2b852331

SHA256
82abc37c3e55c8f70dfdbd3fd2b3670dd8c769548145dcff7965ff610a703e50

SHA512
62c7ee6a1a198773feef24382ff15802d9c65007d3bf080dd585f78598bdd3f759421fccbc5eb4f693a93feeb72555ddd9b09fa12fbf400c967be67f073c10be

Download Submit
C:\Windows\SysWOW64\killallQQ.bat

Filesize
348B

MD5
13c245b3e1fa5ac396cea7857e894712

SHA1
197897af4b6b9edbd41070e244ee67787aa75436

SHA256
a6a24ba89acf011687adfe0040bba80191545af981afa162c55b3c5b19c16e3c

SHA512
b4e8cf75488c096b44b93d54f00e1177da99b854f4afb8ab522ce44d472c331e748ce22ab056c6390f40a41f7e17075333677edcdf0517105526a40440d5f47f

Download Submit
memory/1896-197-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1896-132-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4588-191-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4588-198-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download