a22f393576c3c8fa3ade88102fa98dfc93097d15b4c453ef676f6daaefffa592

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoSettings/Check.bat
Size

111KB
MD5

8de1beb7c5e0ff6e71b001dbe92385d2
SHA1

a100fe979553a0993d916c76ba5e0e87717af3c1
SHA256

798e841f8cc6a5fd3f27670bc31d3f89c62e5e3a2d0515c9719cf503a24b8862
SHA512

8fbb45e81f037218a9a3bbe6fe97021fdae232d9e845b77800c17664de5d9e4b8ee5f922c46919c358c77e10e0958ed8b7ff307cc1c5de20a4fa52d65923b3e0
SSDEEP

1536:hDE9SdURwRfzXYJEOauvUHyxC69amzkHV:hDE9SdmwRfzXDOauvUHyxCuazHV

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1440-76-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1440-77-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1632-78-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1632-79-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1352-80-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/784-81-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/3032-82-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/3032-83-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2380-84-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2304-85-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1652-87-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2436-88-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2436-89-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Suspicious behavior: CmdExeWriteProcessMemorySpam 9 IoCs

pid	Process
1440	cecho.exe
1632	cecho.exe
1352	cecho.exe
784	cecho.exe
3032	cecho.exe
2380	cecho.exe
2304	cecho.exe
1652	cecho.exe
2436	cecho.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	592	WMIC.exe
Token: SeSecurityPrivilege	592	WMIC.exe
Token: SeTakeOwnershipPrivilege	592	WMIC.exe
Token: SeLoadDriverPrivilege	592	WMIC.exe
Token: SeSystemProfilePrivilege	592	WMIC.exe
Token: SeSystemtimePrivilege	592	WMIC.exe
Token: SeProfSingleProcessPrivilege	592	WMIC.exe
Token: SeIncBasePriorityPrivilege	592	WMIC.exe
Token: SeCreatePagefilePrivilege	592	WMIC.exe
Token: SeBackupPrivilege	592	WMIC.exe
Token: SeRestorePrivilege	592	WMIC.exe
Token: SeShutdownPrivilege	592	WMIC.exe
Token: SeDebugPrivilege	592	WMIC.exe
Token: SeSystemEnvironmentPrivilege	592	WMIC.exe
Token: SeRemoteShutdownPrivilege	592	WMIC.exe
Token: SeUndockPrivilege	592	WMIC.exe
Token: SeManageVolumePrivilege	592	WMIC.exe
Token: 33	592	WMIC.exe
Token: 34	592	WMIC.exe
Token: 35	592	WMIC.exe
Token: SeIncreaseQuotaPrivilege	592	WMIC.exe
Token: SeSecurityPrivilege	592	WMIC.exe
Token: SeTakeOwnershipPrivilege	592	WMIC.exe
Token: SeLoadDriverPrivilege	592	WMIC.exe
Token: SeSystemProfilePrivilege	592	WMIC.exe
Token: SeSystemtimePrivilege	592	WMIC.exe
Token: SeProfSingleProcessPrivilege	592	WMIC.exe
Token: SeIncBasePriorityPrivilege	592	WMIC.exe
Token: SeCreatePagefilePrivilege	592	WMIC.exe
Token: SeBackupPrivilege	592	WMIC.exe
Token: SeRestorePrivilege	592	WMIC.exe
Token: SeShutdownPrivilege	592	WMIC.exe
Token: SeDebugPrivilege	592	WMIC.exe
Token: SeSystemEnvironmentPrivilege	592	WMIC.exe
Token: SeRemoteShutdownPrivilege	592	WMIC.exe
Token: SeUndockPrivilege	592	WMIC.exe
Token: SeManageVolumePrivilege	592	WMIC.exe
Token: 33	592	WMIC.exe
Token: 34	592	WMIC.exe
Token: 35	592	WMIC.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 2296	1156	cmd.exe	29
PID 1156 wrote to memory of 2296	1156	cmd.exe	29
PID 1156 wrote to memory of 2296	1156	cmd.exe	29
PID 1156 wrote to memory of 2468	1156	cmd.exe	30
PID 1156 wrote to memory of 2468	1156	cmd.exe	30
PID 1156 wrote to memory of 2468	1156	cmd.exe	30
PID 1156 wrote to memory of 1988	1156	cmd.exe	31
PID 1156 wrote to memory of 1988	1156	cmd.exe	31
PID 1156 wrote to memory of 1988	1156	cmd.exe	31
PID 1988 wrote to memory of 2388	1988	cmd.exe	32
PID 1988 wrote to memory of 2388	1988	cmd.exe	32
PID 1988 wrote to memory of 2388	1988	cmd.exe	32
PID 1156 wrote to memory of 3056	1156	cmd.exe	33
PID 1156 wrote to memory of 3056	1156	cmd.exe	33
PID 1156 wrote to memory of 3056	1156	cmd.exe	33
PID 1156 wrote to memory of 1604	1156	cmd.exe	34
PID 1156 wrote to memory of 1604	1156	cmd.exe	34
PID 1156 wrote to memory of 1604	1156	cmd.exe	34
PID 1604 wrote to memory of 524	1604	cmd.exe	35
PID 1604 wrote to memory of 524	1604	cmd.exe	35
PID 1604 wrote to memory of 524	1604	cmd.exe	35
PID 1156 wrote to memory of 564	1156	cmd.exe	36
PID 1156 wrote to memory of 564	1156	cmd.exe	36
PID 1156 wrote to memory of 564	1156	cmd.exe	36
PID 564 wrote to memory of 592	564	cmd.exe	37
PID 564 wrote to memory of 592	564	cmd.exe	37
PID 564 wrote to memory of 592	564	cmd.exe	37
PID 1156 wrote to memory of 1440	1156	cmd.exe	39
PID 1156 wrote to memory of 1440	1156	cmd.exe	39
PID 1156 wrote to memory of 1440	1156	cmd.exe	39
PID 1156 wrote to memory of 1440	1156	cmd.exe	39
PID 1156 wrote to memory of 1632	1156	cmd.exe	40
PID 1156 wrote to memory of 1632	1156	cmd.exe	40
PID 1156 wrote to memory of 1632	1156	cmd.exe	40
PID 1156 wrote to memory of 1632	1156	cmd.exe	40
PID 1156 wrote to memory of 1352	1156	cmd.exe	41
PID 1156 wrote to memory of 1352	1156	cmd.exe	41
PID 1156 wrote to memory of 1352	1156	cmd.exe	41
PID 1156 wrote to memory of 1352	1156	cmd.exe	41
PID 1156 wrote to memory of 784	1156	cmd.exe	42
PID 1156 wrote to memory of 784	1156	cmd.exe	42
PID 1156 wrote to memory of 784	1156	cmd.exe	42
PID 1156 wrote to memory of 784	1156	cmd.exe	42
PID 1156 wrote to memory of 3032	1156	cmd.exe	43
PID 1156 wrote to memory of 3032	1156	cmd.exe	43
PID 1156 wrote to memory of 3032	1156	cmd.exe	43
PID 1156 wrote to memory of 3032	1156	cmd.exe	43
PID 1156 wrote to memory of 2380	1156	cmd.exe	44
PID 1156 wrote to memory of 2380	1156	cmd.exe	44
PID 1156 wrote to memory of 2380	1156	cmd.exe	44
PID 1156 wrote to memory of 2380	1156	cmd.exe	44
PID 1156 wrote to memory of 2304	1156	cmd.exe	45
PID 1156 wrote to memory of 2304	1156	cmd.exe	45
PID 1156 wrote to memory of 2304	1156	cmd.exe	45
PID 1156 wrote to memory of 2304	1156	cmd.exe	45
PID 1156 wrote to memory of 1652	1156	cmd.exe	46
PID 1156 wrote to memory of 1652	1156	cmd.exe	46
PID 1156 wrote to memory of 1652	1156	cmd.exe	46
PID 1156 wrote to memory of 1652	1156	cmd.exe	46
PID 1156 wrote to memory of 2436	1156	cmd.exe	47
PID 1156 wrote to memory of 2436	1156	cmd.exe	47
PID 1156 wrote to memory of 2436	1156	cmd.exe	47
PID 1156 wrote to memory of 2436	1156	cmd.exe	47

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\AutoSettings\Check.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2296
- C:\Windows\system32\reg.exe
  reg query "HKU\S-1-5-19\Environment"
  2⤵
  PID:2468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c 2>nul reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "UBR"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "UBR"
    3⤵
    PID:2388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:3056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c 2>nul reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
    3⤵
    PID:524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get MUILanguages /Value 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:564
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic os get MUILanguages /Value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:592
- C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe
  "C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe" {08} ╔═════════════════════════════════════════════════════════════════════╗ {\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1440
- C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe
  "C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe" {08} ║ {07}Проверка {08}редакции {0f}Windows 10 Enterprise {0a}LTSB RS1 10.0.14393 {08}║ {\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1632
- C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe
  "C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe" {08} ╚═════════════════════════════════════════════════════════════════════╝ {\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1352
- C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe
  "C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe" Ваша Windows:{0a} x64 {#}|{0a} en-US, de-DE, es-ES, fr-FR {#}| {0e}6.1.7601 {4f} Версия не поддерживается {#} {00}.{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:784
- C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe
  "C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe" {0b} [1] = {0e}Spy{#} (Только проверка значений по слежению, сбору и AppStore) {\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:3032
- C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe
  "C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe" {0b} [2] = {0e}Settings{#} (Только проверка значений дополнительных настроек Windows) {\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2380
- C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe
  "C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe" {0b} [3] = {0e}Сделать все{#} (Проверить значения слежения, AppStore и настроек) {\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2304
- C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe
  "C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe" {0b} [Без ввода]{#} = {0e}Выйти {\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1652
- C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe
  "C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe" {08} | Версия 3.16{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2436

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AutoSettings\_Fix.bat

Filesize
4KB

MD5
6f478bb851479b47c68cc595e44e682f

SHA1
889ff300f374c23578ec876388fe89ad554c20c6

SHA256
30518495160eb5418a6bdb1981579728abce0ace48c9dbfd9777784611d00a87

SHA512
d6878cf9c358cd2fe203fabea580f88ce94f12e075ca435ea1f2f1151a6678318d26f81002c29d82f31908efa33f242fde296386bdd66594988491f670918b33

Download Submit
memory/784-81-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1352-80-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1440-76-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1440-77-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1632-78-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1632-79-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1652-87-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2304-85-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2380-84-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2436-88-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2436-89-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3032-82-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3032-83-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download