Analysis
- Analysis ID: 231019-m9hf6agh68
- Score: 10
- Resubmissions: 7
- Submitted: 19-10-2023 11:09
- Max time kernel: 435s
- Max time network: 452s
- Platform: windows10-2004_x64
- Resource: win10v2004-20230915-ja
- Resource tags: arch:x64, arch:x86, image:win10v2004-20230915-ja, locale:ja-jp, os:windows10-2004-x64, system:windows
Behavioral tasks (all run on resource win10v2004-20230915-ja)
- behavioral1: AnyDesk v3.6.3 (аналог TV).exe
- behavioral2: DLL Explorer 1.2/DLLExplorer32.exe
- behavioral3: DLL Explorer 1.2/DLLExplorer64.exe
- behavioral4: DLL UnInjector 1.3/NVTDLLUnInjector.exe
- behavioral5: Everything 1.4.1.877/Everything.exe
- behavioral6: Everything-1.4.1.1022.x86-Setup.exe
- behavioral7: LastActivityView 1.2.7/LastActivityView.exe
- behavioral8: LastActivityView 1.2.7/Сохранить отчет LastActivityView.bat
- behavioral9: Lastproverka.bat
- behavioral10: NirCMD 2.8.1/nircmd.exe
- behavioral11: NirCMD 2.8.1/Скриншот hl2.exe.bat
- behavioral12: NirCMD 2.8.1/Скриншот ucp.exe.bat
- behavioral13: OpenedFilesView 1.80/OpenedFilesView_32.exe
- behavioral14: OpenedFilesView 1.80/OpenedFilesView_64.exe
- behavioral15: Process Hacker 2.lnk
- behavioral16: Recuva 1.53.1087 Pro & Portable/Recuva_Portable.exe
- behavioral17: Shellbag_analyzer_cleaner.exe
- behavioral18: USBDeview 2.73/USBDeview.exe
- behavioral19: UserAssistView 1.0.2/UserAssistView.exe
- behavioral20: processhacker-2.39-setup.exe
General (behavioral8)
- Target: LastActivityView 1.2.7/Сохранить отчет LastActivityView.bat
- Size: 100B
- MD5: fee395eb478f2f4e7645d82bf48c3fd8
- SHA1: 69fab669e47201d349128648519ab57067d8bd74
- SHA256: f51c87997520b087f73e80a0809352a9824c65406c903b91ee4abb12216b88bb
- SHA512: 1197b01afeca3aec71f17278f0a4e7d6a4ba7c859a9f8a14b9cec02dcfbe4daf2e055ab2a81c4f080efd2ecc55c7844459d80cb5462b4eb83332b6866c963c06
Malware Config
Signatures
- Nirsoft (1 IoC)
  resource | yara_rule
  behavioral8/memory/1780-2-0x0000000000400000-0x0000000000432000-memory.dmp | Nirsoft
- upx yara rule matches (2 IoCs)
  resource | yara_rule
  behavioral8/memory/1780-0-0x0000000000400000-0x0000000000432000-memory.dmp | upx
  behavioral8/memory/1780-2-0x0000000000400000-0x0000000000432000-memory.dmp | upx
- Suspicious use of AdjustPrivilegeToken (64 IoCs; every entry is from PID 1780 LastActivityView.exe and is one of the two rows below, repeated)
  description | pid | Process
  Token: SeBackupPrivilege | 1780 | LastActivityView.exe
  Token: SeSecurityPrivilege | 1780 | LastActivityView.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  description | pid | Process | procid_target
  PID 1156 wrote to memory of 4952 | 1156 | cmd.exe | 86
  PID 1156 wrote to memory of 4952 | 1156 | cmd.exe | 86
  PID 1156 wrote to memory of 1780 | 1156 | cmd.exe | 87
  PID 1156 wrote to memory of 1780 | 1156 | cmd.exe | 87
  PID 1156 wrote to memory of 1780 | 1156 | cmd.exe | 87
Processes
- C:\Windows\system32\cmd.exe (PID 1156, depth 1)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\LastActivityView 1.2.7\Сохранить отчет LastActivityView.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\chcp.com (PID 4952, depth 2)
    Command line: chcp 1251
  - C:\Users\Admin\AppData\Local\Temp\LastActivityView 1.2.7\LastActivityView.exe (PID 1780, depth 2)
    Command line: LastActivityView.exe /sverhtml "SXUYPNET#Admin Отчет LAV.html"
    Signatures: Suspicious use of AdjustPrivilegeToken