a22f393576c3c8fa3ade88102fa98dfc93097d15b4c453ef676f6daaefffa592

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoSettings/Disable_NumLock.bat
Size

1KB
MD5

a89fe1724241c3e26f242c4f60a1cef6
SHA1

a350cc504eec2b7351d436c59ae7405a3b8e9785
SHA256

903408ca653d38c982459e46d80bc2ac0f9774c2ec6e6066218960854d1a7e37
SHA512

1757db7507600e04ee93f24155470c3cffedc5c0b08af196c3b38a8292865cd6435774ed71684f07fa0aa16e2b803a5ded9a271e5f028a50fb3a2e24f2602a96

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/2740-2-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral3/memory/2644-1-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral3/memory/2424-0-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "2147483648"	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Control Panel\Keyboard	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Control Panel\Keyboard\InitialKeyboardIndicators = "2147483648"	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Control Panel\Keyboard	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Control Panel\Keyboard\InitialKeyboardIndicators = "2147483648"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "2147483648"	reg.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs

pid	Process
2424	cecho.exe
2644	cecho.exe
2740	cecho.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2380	1724	cmd.exe	25
PID 1724 wrote to memory of 2380	1724	cmd.exe	25
PID 1724 wrote to memory of 2380	1724	cmd.exe	25
PID 1724 wrote to memory of 1536	1724	cmd.exe	24
PID 1724 wrote to memory of 1536	1724	cmd.exe	24
PID 1724 wrote to memory of 1536	1724	cmd.exe	24
PID 1724 wrote to memory of 2424	1724	cmd.exe	23
PID 1724 wrote to memory of 2424	1724	cmd.exe	23
PID 1724 wrote to memory of 2424	1724	cmd.exe	23
PID 1724 wrote to memory of 2424	1724	cmd.exe	23
PID 1724 wrote to memory of 1996	1724	cmd.exe	22
PID 1724 wrote to memory of 1996	1724	cmd.exe	22
PID 1724 wrote to memory of 1996	1724	cmd.exe	22
PID 1724 wrote to memory of 2208	1724	cmd.exe	21
PID 1724 wrote to memory of 2208	1724	cmd.exe	21
PID 1724 wrote to memory of 2208	1724	cmd.exe	21
PID 1724 wrote to memory of 2212	1724	cmd.exe	20
PID 1724 wrote to memory of 2212	1724	cmd.exe	20
PID 1724 wrote to memory of 2212	1724	cmd.exe	20
PID 1724 wrote to memory of 1260	1724	cmd.exe	19
PID 1724 wrote to memory of 1260	1724	cmd.exe	19
PID 1724 wrote to memory of 1260	1724	cmd.exe	19
PID 1724 wrote to memory of 2224	1724	cmd.exe	18
PID 1724 wrote to memory of 2224	1724	cmd.exe	18
PID 1724 wrote to memory of 2224	1724	cmd.exe	18
PID 1724 wrote to memory of 2644	1724	cmd.exe	17
PID 1724 wrote to memory of 2644	1724	cmd.exe	17
PID 1724 wrote to memory of 2644	1724	cmd.exe	17
PID 1724 wrote to memory of 2644	1724	cmd.exe	17
PID 1724 wrote to memory of 2740	1724	cmd.exe	16
PID 1724 wrote to memory of 2740	1724	cmd.exe	16
PID 1724 wrote to memory of 2740	1724	cmd.exe	16
PID 1724 wrote to memory of 2740	1724	cmd.exe	16

C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe
"C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe" {0a}Перезагрузите компьютер!!! {\n #}
1⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2740

C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe
"C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe" {0a}Исправление выполнено {\n #}
1⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2644

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Keyboard" /v "InitialKeyboardIndicators" /t REG_SZ /d 2147483648 /f
1⤵
PID:2224

C:\Windows\system32\reg.exe
reg add "HKEY_USERS\S-1-5-20\Control Panel\Keyboard" /v "InitialKeyboardIndicators" /t REG_SZ /d 2147483648 /f
1⤵
- Modifies data under HKEY_USERS
PID:1260

C:\Windows\system32\reg.exe
reg add "HKEY_USERS\S-1-5-19\Control Panel\Keyboard" /v "InitialKeyboardIndicators" /t REG_SZ /d 2147483648 /f
1⤵
- Modifies data under HKEY_USERS
PID:2212

C:\Windows\system32\reg.exe
reg add "HKEY_USERS\S-1-5-18\Control Panel\Keyboard" /v "InitialKeyboardIndicators" /t REG_SZ /d 2147483648 /f
1⤵
- Modifies data under HKEY_USERS
PID:2208

C:\Windows\system32\reg.exe
reg add "HKEY_USERS\.DEFAULT\Control Panel\Keyboard" /v "InitialKeyboardIndicators" /t REG_SZ /d 2147483648 /f
1⤵
- Modifies data under HKEY_USERS
PID:1996

C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe
"C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe" {0b} --- Выключаем "NumLock" у всех, в том числе на Логин-Скрине (по умолчанию) --- {\n #}
1⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2424

C:\Windows\system32\reg.exe
reg query "HKU\S-1-5-19\Environment"
1⤵
PID:1536

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2380

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\AutoSettings\Disable_NumLock.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2424-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2644-1-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2740-2-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download