d26fa7e729bcb29ca402aab21d59c17c9c3c1123c3261e93dc71a65579af4986

Analysis

max time kernel
28s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20/05/2023, 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Learix_2.0_Fps.bat
Size

56KB
MD5

00c34bd8bd72d2efdd70fe6737687246
SHA1

165c93db4ef01a071281c7b334a8bd940d53d45f
SHA256

d26fa7e729bcb29ca402aab21d59c17c9c3c1123c3261e93dc71a65579af4986
SHA512

3ce8e8f0d948c18472a64c6160565dd94cf3202f2f750a2b15c9800462f57004fd39c266513cd4d5ababf7818fe9b4f87b060b7f802cf72abaea5f3a7a2467ce
SSDEEP

1536:qW5X449tht1MF+VZKQ9u+7XGq2D3Kutht1MF+Vqz:qkI49tht1MF+VZBYMXNu3Kutht1MF+V0

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\System32\ 1	cmd.exe
File created	C:\Windows\System32\ Fps Tweaks	cmd.exe
File created	C:\Windows\System32\ 4	cmd.exe
File created	C:\Windows\System32\ Version 2.0	cmd.exe
File created	C:\Windows\System32\ _________________________________________________________________________________	cmd.exe
File created	C:\Windows\System32\ Updates	cmd.exe
File created	C:\Windows\System32\ Options	cmd.exe
File created	C:\Windows\System32\ [	cmd.exe
File created	C:\Windows\System32\ [	cmd.exe
File created	C:\Windows\System32\ 2	cmd.exe
File created	C:\Windows\System32\ Remove Tweaks	cmd.exe
File created	C:\Windows\System32\ 3	cmd.exe
File created	C:\Windows\System32\ ]	cmd.exe
File created	C:\Windows\System32\ [	cmd.exe
File created	C:\Windows\System32\ [ X to Exit ]	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1240	2024	cmd.exe	28
PID 2024 wrote to memory of 1240	2024	cmd.exe	28
PID 2024 wrote to memory of 1240	2024	cmd.exe	28
PID 2024 wrote to memory of 888	2024	cmd.exe	29
PID 2024 wrote to memory of 888	2024	cmd.exe	29
PID 2024 wrote to memory of 888	2024	cmd.exe	29
PID 2024 wrote to memory of 1712	2024	cmd.exe	30
PID 2024 wrote to memory of 1712	2024	cmd.exe	30
PID 2024 wrote to memory of 1712	2024	cmd.exe	30
PID 2024 wrote to memory of 1132	2024	cmd.exe	31
PID 2024 wrote to memory of 1132	2024	cmd.exe	31
PID 2024 wrote to memory of 1132	2024	cmd.exe	31
PID 2024 wrote to memory of 1696	2024	cmd.exe	32
PID 2024 wrote to memory of 1696	2024	cmd.exe	32
PID 2024 wrote to memory of 1696	2024	cmd.exe	32
PID 2024 wrote to memory of 776	2024	cmd.exe	33
PID 2024 wrote to memory of 776	2024	cmd.exe	33
PID 2024 wrote to memory of 776	2024	cmd.exe	33
PID 2024 wrote to memory of 1432	2024	cmd.exe	34
PID 2024 wrote to memory of 1432	2024	cmd.exe	34
PID 2024 wrote to memory of 1432	2024	cmd.exe	34
PID 2024 wrote to memory of 368	2024	cmd.exe	35
PID 2024 wrote to memory of 368	2024	cmd.exe	35
PID 2024 wrote to memory of 368	2024	cmd.exe	35
PID 2024 wrote to memory of 320	2024	cmd.exe	36
PID 2024 wrote to memory of 320	2024	cmd.exe	36
PID 2024 wrote to memory of 320	2024	cmd.exe	36
PID 2024 wrote to memory of 960	2024	cmd.exe	37
PID 2024 wrote to memory of 960	2024	cmd.exe	37
PID 2024 wrote to memory of 960	2024	cmd.exe	37
PID 2024 wrote to memory of 1708	2024	cmd.exe	38
PID 2024 wrote to memory of 1708	2024	cmd.exe	38
PID 2024 wrote to memory of 1708	2024	cmd.exe	38
PID 2024 wrote to memory of 1760	2024	cmd.exe	39
PID 2024 wrote to memory of 1760	2024	cmd.exe	39
PID 2024 wrote to memory of 1760	2024	cmd.exe	39
PID 2024 wrote to memory of 1280	2024	cmd.exe	40
PID 2024 wrote to memory of 1280	2024	cmd.exe	40
PID 2024 wrote to memory of 1280	2024	cmd.exe	40
PID 2024 wrote to memory of 1208	2024	cmd.exe	41
PID 2024 wrote to memory of 1208	2024	cmd.exe	41
PID 2024 wrote to memory of 1208	2024	cmd.exe	41
PID 2024 wrote to memory of 1424	2024	cmd.exe	42
PID 2024 wrote to memory of 1424	2024	cmd.exe	42
PID 2024 wrote to memory of 1424	2024	cmd.exe	42
PID 2024 wrote to memory of 1068	2024	cmd.exe	43
PID 2024 wrote to memory of 1068	2024	cmd.exe	43
PID 2024 wrote to memory of 1068	2024	cmd.exe	43
PID 2024 wrote to memory of 900	2024	cmd.exe	44
PID 2024 wrote to memory of 900	2024	cmd.exe	44
PID 2024 wrote to memory of 900	2024	cmd.exe	44
PID 2024 wrote to memory of 1348	2024	cmd.exe	45
PID 2024 wrote to memory of 1348	2024	cmd.exe	45
PID 2024 wrote to memory of 1348	2024	cmd.exe	45
PID 2024 wrote to memory of 800	2024	cmd.exe	46
PID 2024 wrote to memory of 800	2024	cmd.exe	46
PID 2024 wrote to memory of 800	2024	cmd.exe	46
PID 2024 wrote to memory of 1484	2024	cmd.exe	47
PID 2024 wrote to memory of 1484	2024	cmd.exe	47
PID 2024 wrote to memory of 1484	2024	cmd.exe	47
PID 2024 wrote to memory of 272	2024	cmd.exe	48
PID 2024 wrote to memory of 272	2024	cmd.exe	48
PID 2024 wrote to memory of 272	2024	cmd.exe	48
PID 2024 wrote to memory of 1248	2024	cmd.exe	49

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Learix_2.0_Fps.bat"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\system32\mode.com
  mode 128,33
  2⤵
  PID:1240
- C:\Windows\System32\reg.exe
  Reg.exe query "HKU\S-1-5-19\Environment"
  2⤵
  PID:888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
  2⤵
  PID:1712
- C:\Windows\System32\findstr.exe
  findstr /v /a:08 /R "^$" " Version 2.0 " nul
  2⤵
  PID:1132
- C:\Windows\System32\findstr.exe
  findstr /v /a:08 /R "^$" " _________________________________________________________________________________" nul
  2⤵
  PID:1696
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " [ " nul
  2⤵
  PID:776
- C:\Windows\System32\findstr.exe
  findstr /v /a:B /R "^$" " 1 " nul
  2⤵
  PID:1432
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " ] " nul
  2⤵
  PID:368
- C:\Windows\System32\findstr.exe
  findstr /v /a:F /R "^$" " Fps Tweaks " nul
  2⤵
  PID:320
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " [ " nul
  2⤵
  PID:960
- C:\Windows\System32\findstr.exe
  findstr /v /a:B /R "^$" " 2 " nul
  2⤵
  PID:1708
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " ] " nul
  2⤵
  PID:1760
- C:\Windows\System32\findstr.exe
  findstr /v /a:F /R "^$" " Remove Tweaks " nul
  2⤵
  PID:1280
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " [ " nul
  2⤵
  PID:1208
- C:\Windows\System32\findstr.exe
  findstr /v /a:B /R "^$" " 3 " nul
  2⤵
  PID:1424
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " ] " nul
  2⤵
  PID:1068
- C:\Windows\System32\findstr.exe
  findstr /v /a:F /R "^$" " Updates " nul
  2⤵
  PID:900
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " [ " nul
  2⤵
  PID:1348
- C:\Windows\System32\findstr.exe
  findstr /v /a:B /R "^$" " 4 " nul
  2⤵
  PID:800
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " ] " nul
  2⤵
  PID:1484
- C:\Windows\System32\findstr.exe
  findstr /v /a:F /R "^$" " Options " nul
  2⤵
  PID:272
- C:\Windows\System32\findstr.exe
  findstr /v /a:8 /R "^$" " [ X to Exit ]" nul
  2⤵
  PID:1248

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\ Version 2.0

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Windows\System32\ [ X to Exit ]

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Windows\System32\ [

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Windows\System32\ [

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Windows\System32\ [

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Windows\System32\ _________________________________________________________________________________

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Windows\System32\ 1

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Windows\System32\ 2

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Windows\System32\ 3

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Windows\System32\ 4

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Windows\System32\ Fps Tweaks

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Windows\System32\ Options

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Windows\System32\ Remove Tweaks

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Windows\System32\ Updates

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Windows\System32\ ]

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Windows\System32\ ]

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Windows\System32\ ]

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads