a24d959ae807b4b4d2d9c012916d75ff9906071e188efc6fb70e79603e8dd4b8

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 18:15

Target

ViRuS/1.exe
Size

102KB
MD5

c4b5655aaf8632b0e844f20dd16cd9d2
SHA1

e148f206b7e45655ec2eb833afed0223c06dd8c1
SHA256

07e9ef8b3345f401ce7417307a99b94a0c712b869336f21d062acba7b564996d
SHA512

622a9b941d43e3e6d2dc42f45256bada25e51c95ebabd4ee77fbeca2eadc91ce2cf59406fc4c6d38793c130cd5565471e5ebdaf9ae3e214cc88d338646a8b42d
SSDEEP

3072:ERYtsPf3eNa9HMBXGg9PkWO6xn6dDxNUQ:ERYt8MBXG6pO6daDkQ

Score

7^/10

upx

Deletes itself 1 IoCs

pid	Process
2848	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2080	1.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2080-33-0x0000000000400000-0x0000000000437000-memory.dmp	upx
behavioral1/memory/2080-14-0x0000000000400000-0x0000000000437000-memory.dmp	upx

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\0ROK.dll	1.exe
File opened for modification	C:\Windows\SysWOW64\dlsp.dll	1.exe
File created	C:\Windows\SysWOW64\keepdaili.exe	1.exe
File created	C:\Windows\SysWOW64\qqsockdaili.exe	1.exe
File opened for modification	C:\Windows\SysWOW64\qqsockdaili.exe	1.exe
File opened for modification	C:\Windows\SysWOW64\rasapi32.dll.bak1	1.exe
File opened for modification	\??\c:\windows\SysWOW64\dllinject.tmp	1.exe
File opened for modification	C:\Windows\SysWOW64\DNFGame.exe	1.exe
File opened for modification	C:\Windows\SysWOW64\keepdaili.exe	1.exe
File created	C:\Windows\SysWOW64\DNFGame.exe	1.exe
File created	C:\Windows\SysWOW64\dlsp.dll	1.exe
File created	C:\Windows\SysWOW64\dllcache\rasapi32.dll	1.exe
File created	C:\Windows\SysWOW64\dss.txt	1.exe
File opened for modification	C:\Windows\SysWOW64\dss.txt	1.exe
File created	C:\Windows\SysWOW64\0ROK.dll	1.exe
File created	C:\Windows\SysWOW64\rasapi32.dll.bak1	1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2080	1.exe
2080	1.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
2080	1.exe
476	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2080	1.exe
Token: SeDebugPrivilege	2080	1.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2848	2080	1.exe	29
PID 2080 wrote to memory of 2848	2080	1.exe	29
PID 2080 wrote to memory of 2848	2080	1.exe	29
PID 2080 wrote to memory of 2848	2080	1.exe	29

C:\Users\Admin\AppData\Local\Temp\ViRuS\1.exe
"C:\Users\Admin\AppData\Local\Temp\ViRuS\1.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c updataself.bat
  2⤵
  - Deletes itself
  PID:2848

C:\Users\Admin\AppData\Local\Temp\ViRuS\updataself.bat

Filesize
76B

MD5
847631069fc292f40d68606d5bc401bd

SHA1
32c08657af075c3efd852e6715e6e58b1da70c2c

SHA256
09f0f27e15c01f3b4ffa387da5a7bc9e43761b0dac6eb9061b53405d3f3576ce

SHA512
78af42282ae1b6d9d3a26094f502e6bb384d78b7a4725e252edd706c5af0e28b47e2c55471dfd48e7999951430231b127eedc00906f2485afb86912c0720b6c5

Download Submit
C:\Windows\SysWOW64\qqsockdaili.exe

Filesize
48KB

MD5
44d17a3f80a96c4e25d49412e61037e5

SHA1
52db224312f0dc76c952a65b3763fca096342353

SHA256
510b6d4be6008348b4a748a5402223d4003a69e000ff10b08043e3961df71f34

SHA512
68c3d9e0672865d9bf13120ddc610048d1aa5499881b3f11ad1d8f6dc597635e3051e01218c97e20bc63d97aeee836f72537ea61268a12ab474157f3ed3f05e3

Download Submit
\Windows\SysWOW64\dlsp.dll

Filesize
20KB

MD5
6c24d8228dfd156b1f94e419cf28d005

SHA1
7d9b0b66ffb3f5b07d64c4aa901ac6891da6932c

SHA256
6a21dcc6e4471bfc811501c64205d543520fac4d6a0c502a3de36d09f0ee1aa9

SHA512
20f2928a75580c6ab34c3d19baa3ed46595b834457fe5bd853d9f2d77e5747b6be2b3a1af233fea1f8800bf79111faef3fd05d928aa25b63a7e107b4ae6c6467

Download Submit
memory/2080-33-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2080-14-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download