Analysis
-
max time kernel
5s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
25/12/2023, 15:34
General
-
Target
29acd85a3064ac1e7185ba7b3ca840a5.exe
-
Size
1.7MB
-
MD5
29acd85a3064ac1e7185ba7b3ca840a5
-
SHA1
c7217dcc033dc183d2938b04ad4b6e4acae1695a
-
SHA256
835ff10769dffe66a2f73102b694862b435be949d0c19722f52b562c254870f4
-
SHA512
9819b04e4e6a31e117b5502084d2b6abbf778e4d0df106b5c71e524179c57fb4a0ab402af3c5b9463cb516b73163c2ab26a9d71e386c66227de67aa830ad3af7
-
SSDEEP
12288:UZWtI6RkAbu9O1bu9O1bu9O1bu9O1bu9O1buAqaerQZb+md4w1UM:UuhaAjjjjj4aerQZb+md4wmM
Score
10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Blocks application from running via registry modification 17 IoCs
Adds application to list of disallowed applications.
-
Sets file execution options in registry 2 TTPs 20 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 7 IoCs
-
Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Runs net.exe
-
Runs regedit.exe 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 16 IoCs
Processes
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start schedule /y1⤵
-
C:\Windows\SysWOW64\net.exenet.exe start schedule /y1⤵
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\system32\Option.bat1⤵
-
C:\Users\Admin\AppData\Local\Temp\29acd85a3064ac1e7185ba7b3ca840a5.exe"C:\Users\Admin\AppData\Local\Temp\29acd85a3064ac1e7185ba7b3ca840a5.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f2⤵
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f2⤵
-
-
C:\Windows\SysWOW64\regedit.exeregedit.exe /s C:\Windows\regedt32.sys2⤵
- Modifies visibility of file extensions in Explorer
- Blocks application from running via registry modification
- Sets file execution options in registry
- Runs regedit.exe
-
-
C:\Windows\system\KavUpda.exeC:\Windows\system\KavUpda.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f3⤵
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config srservice start= disabled3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config wscsvc start= disabled3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config SharedAccess start= disabled3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config srservice start= disabled3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\net.exenet.exe stop 360timeprot /y3⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop srservice /y3⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop wuauserv /y3⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop sharedaccess /y3⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop wscsvc /y3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c at 10:15:26 AM C:\Windows\Sysinf.bat3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c at 10:12:26 AM C:\Windows\Sysinf.bat3⤵
-
-
C:\Windows\SysWOW64\At.exeAt.exe 10:13:24 AM C:\Windows\Help\HelpCat.exe3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config srservice start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config wscsvc start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config SharedAccess start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config srservice start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\net.exenet.exe stop 360timeprot /y2⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop srservice /y2⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop wuauserv /y2⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop sharedaccess /y2⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop wscsvc /y2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.execmd /c at 10:15:23 AM C:\Windows\Sysinf.bat2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.execmd /c at 10:12:23 AM C:\Windows\Sysinf.bat2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\At.exeAt.exe 10:13:21 AM C:\Windows\Help\HelpCat.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\29acd85a3064ac1e7185ba7b3ca840a5~4.exe29acd85a3064ac1e7185ba7b3ca840a5~4.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wscsvc /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop 360timeprot /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start schedule /y1⤵
-
C:\Windows\SysWOW64\net.exenet.exe start schedule /y1⤵
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\system32\Option.bat1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sharedaccess /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop srservice /y1⤵
-
C:\Windows\SysWOW64\at.exeat 10:15:23 AM C:\Windows\Sysinf.bat1⤵
-
C:\Windows\SysWOW64\at.exeat 10:12:23 AM C:\Windows\Sysinf.bat1⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop srservice /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop 360timeprot /y1⤵
-
C:\Windows\SysWOW64\at.exeat 10:15:26 AM C:\Windows\Sysinf.bat1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sharedaccess /y1⤵
-
C:\Windows\SysWOW64\at.exeat 10:12:26 AM C:\Windows\Sysinf.bat1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wscsvc /y1⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d1⤵
- Suspicious use of WriteProcessMemory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-466087653-298752041-11028229801850006784-936037692422834328-828783202-181361460"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-365154802-2007304840183481052-980161166-1480022818-540963438442395522-660905412"1⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\system32\taskeng.exetaskeng.exe {B50D1A37-6DA3-4719-8481-A4E13EC48601} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
460B
MD57db3d565d6ddbe65a8b0e093910e7dcd
SHA1d4804e6180c6e74ba79d3343f2f2ccb15e502f12
SHA256a2778cb87fd88c7508ffd506a8ff8d58d0ffc02156f846956e5e99c6cb3d2f3f
SHA5120b3d1d0f44feba9dd78903ff77fdeaea834d930990a86641fb2e4ce04da280d33f6bee0ae0b1320e4070cbe20824062e45b52e5cad797c5985d8e31dce1ef82b
-
Filesize
2KB
MD5e7d7ec66bd61fac3843c98650b0c68f6
SHA1a15ae06e1be51038863650746368a71024539bac
SHA2566475d5ecc14fea090774be55723d2d52b7ec7670527a7dbd61edf28c77944cb8
SHA512ac9e9893f5a0af03957731445f63279085f164e9a968d706a99d13012e4459314a7ccc32dc48f62379d69e21a0953c13543c9ded38b5ad5fbc346aa442af1ae6
-
Filesize
1.3MB
MD569102d2f525b9072f1ffff7f24fcf8e8
SHA1a6724e0a4722c269da0d514d324a497c9595bb9b
SHA2562e2621ae98f7a5b2af2cd3e00e546d953323c137f304837b2de8f30d4d0a5580
SHA512ac53ae916c4a6f1a1c12efa80cf4ad965a97b4076a6a455a5c0700253c728afe057af0d3ba960c78eec3f4703b7af608aa8e9726800eedcdd46b4d6ece3adde4
-
Filesize
375KB
MD52b8eff2ac4c67e4be7523d2bca311373
SHA1d4bea48ae14810d81ced575e1eb086f317a47f3b
SHA25678de13d01c281d1d72ce8358e57381b0d66f9530cf47857c141aa43d2311dc9a
SHA512da5c2b6a3aa9f4414dda38720b200a96d91335aab446180e7320991b23e0d31e92a457ad5cdeb9d3a517554dfdc411380dd207535ded1c3b990a247298a3533c
-
Filesize
92KB
MD59253be46af98a0b40c26d6bdd6a13107
SHA1e5c93a9d400921734c8ef43472432f5735d9a429
SHA256af5b86a2ec44ebd362552ba20cf8bdcaceab76c83d962a54b4c36b59dc9eb759
SHA512b6e2b37e962c2e17c38a519203e8817252cb53f812fb0722f52029dafa50ccc3a921db9707d7249d732d30b8359ecfa74c18e998b985792d265eb76c2c7b8589
-
Filesize
216KB