d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8

Analysis

max time kernel
53s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 18:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8.exe
Size

59KB
MD5

ef22816b41d10606160448ec5c44c83d
SHA1

ecf833769e4e276508f53a8bd81803faa6524639
SHA256

d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8
SHA512

4ae23366aec0b3cbe70ca334f065c7dc03ef5a69c7ce359c8538df054683fa43aed8c15732f92cd4e5d5d11c47ed58b311b969510fa0de4f93faaaf896b77b51
SSDEEP

1536:1oMQNgY0a7f/n+Y+W+S+M+F+q+M+q+/+f+l+Y+u+m+L+m+A+I+R+r+j+kn1+O4fa:1oZr/nhpf7Sv/BQQ8xBpYXPjyaG5JnCE

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\kvsys.sys	d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8.exe
File created	C:\Windows\system32\drivers\etc\hosts	d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8.exe
File created	C:\Windows\SysWOW64\drivers\tesafe.sys	d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8.exe

Executes dropped EXE 2 IoCs

pid	Process
1920	fsrtdfyyvuu.exe
1144	System32.exe

Deletes itself 1 IoCs

pid	Process
1128	cmd.exe

Loads dropped DLL 5 IoCs

pid	Process
1396	d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8.exe
1396	d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8.exe
764	cmd.exe
764	cmd.exe
1144	System32.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\Fonts\System32.exe	fsrtdfyyvuu.exe
File created	C:\WINDOWS\Fonts\System32.exe	fsrtdfyyvuu.exe
File opened for modification	C:\WINDOWS\Fonts\System32.dll	System32.exe
File created	C:\WINDOWS\Fonts\System32.dll	System32.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1396	d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8.exe
1396	d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8.exe
1396	d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8.exe
1396	d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8.exe
1396	d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8.exe
1396	d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8.exe
1396	d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8.exe
1396	d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8.exe
1396	d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8.exe
1396	d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8.exe
1920	fsrtdfyyvuu.exe
1144	System32.exe
1144	System32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
464	Process not Found
464	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1396	d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8.exe
Token: 446676598888	1144	System32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1144	System32.exe
1144	System32.exe
1144	System32.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 1920	1396	d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8.exe	27
PID 1396 wrote to memory of 1920	1396	d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8.exe	27
PID 1396 wrote to memory of 1920	1396	d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8.exe	27
PID 1396 wrote to memory of 1920	1396	d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8.exe	27
PID 1920 wrote to memory of 764	1920	fsrtdfyyvuu.exe	28
PID 1920 wrote to memory of 764	1920	fsrtdfyyvuu.exe	28
PID 1920 wrote to memory of 764	1920	fsrtdfyyvuu.exe	28
PID 1920 wrote to memory of 764	1920	fsrtdfyyvuu.exe	28
PID 764 wrote to memory of 1144	764	cmd.exe	30
PID 764 wrote to memory of 1144	764	cmd.exe	30
PID 764 wrote to memory of 1144	764	cmd.exe	30
PID 764 wrote to memory of 1144	764	cmd.exe	30
PID 1920 wrote to memory of 1704	1920	fsrtdfyyvuu.exe	31
PID 1920 wrote to memory of 1704	1920	fsrtdfyyvuu.exe	31
PID 1920 wrote to memory of 1704	1920	fsrtdfyyvuu.exe	31
PID 1920 wrote to memory of 1704	1920	fsrtdfyyvuu.exe	31
PID 1396 wrote to memory of 1128	1396	d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8.exe	33
PID 1396 wrote to memory of 1128	1396	d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8.exe	33
PID 1396 wrote to memory of 1128	1396	d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8.exe	33
PID 1396 wrote to memory of 1128	1396	d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8.exe	33

C:\Users\Admin\AppData\Local\Temp\d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8.exe
"C:\Users\Admin\AppData\Local\Temp\d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Users\Admin\AppData\Local\Temp\fsrtdfyyvuu.exe
  C:\Users\Admin\AppData\Local\Temp\\fsrtdfyyvuu.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\tmp7917.bat
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:764
  - - C:\WINDOWS\Fonts\System32.exe
      "C:\WINDOWS\Fonts\System32.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\fsrtdfyyvuu.exe"
    3⤵
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\d1cbaf01313ff70f06ee15bda76a75fc96b71b6548e81d37c9e6441884050ad8.exe"
  2⤵
  - Deletes itself
  PID:1128

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fsrtdfyyvuu.exe

Filesize
13KB

MD5
0c16b6d3a7803577ea3a335c6eb1e1b6

SHA1
ec76d2ebee72a562531c5f3bfbbb7f3486479dc6

SHA256
6501afbdad789223ce947207b8992efc8bb31fc677287dc527bd3e3bf462d4fe

SHA512
8dfa4a51cd84e6ce6e793e98727eadbae10b723fb6dc442473e56d4186c40cf145a00dfc42f313d7c423750702b06b123efece1628cd231918ce2dbe4ba98756

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsrtdfyyvuu.exe

Filesize
13KB

MD5
0c16b6d3a7803577ea3a335c6eb1e1b6

SHA1
ec76d2ebee72a562531c5f3bfbbb7f3486479dc6

SHA256
6501afbdad789223ce947207b8992efc8bb31fc677287dc527bd3e3bf462d4fe

SHA512
8dfa4a51cd84e6ce6e793e98727eadbae10b723fb6dc442473e56d4186c40cf145a00dfc42f313d7c423750702b06b123efece1628cd231918ce2dbe4ba98756

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7917.bat

Filesize
31B

MD5
6f0fd99b5671f3699a0a55f811a1e935

SHA1
d1050817863e9248974486cb3f039b9d4e79db53

SHA256
3cf808864f27269dc82173ff699c4d132315a99828c7d951275398fb3ba80a83

SHA512
5debdc1c6c6c56e220bd6e8aede9fa3b8d1c7b04ea854697489e6ed03f765aa39502126d5288f6027aa50be7f9fb976f4469dd08d05b8e0844829ab40d678d4e

Download Submit
C:\WINDOWS\Fonts\System32.exe

Filesize
13KB

MD5
0c16b6d3a7803577ea3a335c6eb1e1b6

SHA1
ec76d2ebee72a562531c5f3bfbbb7f3486479dc6

SHA256
6501afbdad789223ce947207b8992efc8bb31fc677287dc527bd3e3bf462d4fe

SHA512
8dfa4a51cd84e6ce6e793e98727eadbae10b723fb6dc442473e56d4186c40cf145a00dfc42f313d7c423750702b06b123efece1628cd231918ce2dbe4ba98756

Download Submit
C:\Windows\Fonts\System32.exe

Filesize
13KB

MD5
0c16b6d3a7803577ea3a335c6eb1e1b6

SHA1
ec76d2ebee72a562531c5f3bfbbb7f3486479dc6

SHA256
6501afbdad789223ce947207b8992efc8bb31fc677287dc527bd3e3bf462d4fe

SHA512
8dfa4a51cd84e6ce6e793e98727eadbae10b723fb6dc442473e56d4186c40cf145a00dfc42f313d7c423750702b06b123efece1628cd231918ce2dbe4ba98756

Download Submit
\Users\Admin\AppData\Local\Temp\fsrtdfyyvuu.exe

Filesize
13KB

MD5
0c16b6d3a7803577ea3a335c6eb1e1b6

SHA1
ec76d2ebee72a562531c5f3bfbbb7f3486479dc6

SHA256
6501afbdad789223ce947207b8992efc8bb31fc677287dc527bd3e3bf462d4fe

SHA512
8dfa4a51cd84e6ce6e793e98727eadbae10b723fb6dc442473e56d4186c40cf145a00dfc42f313d7c423750702b06b123efece1628cd231918ce2dbe4ba98756

Download Submit
\Users\Admin\AppData\Local\Temp\fsrtdfyyvuu.exe

Filesize
13KB

MD5
0c16b6d3a7803577ea3a335c6eb1e1b6

SHA1
ec76d2ebee72a562531c5f3bfbbb7f3486479dc6

SHA256
6501afbdad789223ce947207b8992efc8bb31fc677287dc527bd3e3bf462d4fe

SHA512
8dfa4a51cd84e6ce6e793e98727eadbae10b723fb6dc442473e56d4186c40cf145a00dfc42f313d7c423750702b06b123efece1628cd231918ce2dbe4ba98756

Download Submit
\Windows\Fonts\System32.dll

Filesize
6KB

MD5
4d55953ebf5919514224a71039da29ec

SHA1
0bb102bec4f1cbf2a31bb9f1c8f098faad7a33d4

SHA256
992f79d8ff2026e201159fbd474bd7623b2a712d75d4fe1b46a69a40a1ab5eeb

SHA512
b08c1545add85445a2fd3203989ec37a6901808a6a4836b30016f1edeec9236c8c9de16f7b29bb6748cc0bd70cb9127a9c9d21fa2d3dd09fb55f66d893be6bd9

Download Submit
\Windows\Fonts\System32.exe

Filesize
13KB

MD5
0c16b6d3a7803577ea3a335c6eb1e1b6

SHA1
ec76d2ebee72a562531c5f3bfbbb7f3486479dc6

SHA256
6501afbdad789223ce947207b8992efc8bb31fc677287dc527bd3e3bf462d4fe

SHA512
8dfa4a51cd84e6ce6e793e98727eadbae10b723fb6dc442473e56d4186c40cf145a00dfc42f313d7c423750702b06b123efece1628cd231918ce2dbe4ba98756

Download Submit
\Windows\Fonts\System32.exe

Filesize
13KB

MD5
0c16b6d3a7803577ea3a335c6eb1e1b6

SHA1
ec76d2ebee72a562531c5f3bfbbb7f3486479dc6

SHA256
6501afbdad789223ce947207b8992efc8bb31fc677287dc527bd3e3bf462d4fe

SHA512
8dfa4a51cd84e6ce6e793e98727eadbae10b723fb6dc442473e56d4186c40cf145a00dfc42f313d7c423750702b06b123efece1628cd231918ce2dbe4ba98756

Download Submit
memory/1144-68-0x0000000025000000-0x0000000025012000-memory.dmp

Filesize
72KB

Download
memory/1144-70-0x0000000025000000-0x0000000025012000-memory.dmp

Filesize
72KB

Download
memory/1144-73-0x0000000025000000-0x0000000025012000-memory.dmp

Filesize
72KB

Download
memory/1396-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1396-72-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download