a22f393576c3c8fa3ade88102fa98dfc93097d15b4c453ef676f6daaefffa592

Analysis

max time kernel
139s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoSettings/Enable_Sensors.bat
Size

5KB
MD5

e7af5b1aa32ba337b911509a294ce959
SHA1

6a84fd55c440fe35f2cc71fdca5a7818c80d9127
SHA256

e16d47f43aa3334de3bcf1c3a6234fef05135ca1102f00eda7b714dc651470f1
SHA512

91e712a1f3bdd1c7d58e6b7532877848159c5fb128b1ea24da470ee58489d9a941fa835a8dd863741856046fefa1f401c60e42bba09f6a2ce882bc24b957e172
SSDEEP

96:fgexK+/VNhXhHsG2Wk0kdKarsUBiTkit5JHiRYkXoNRm/V:IkVNfXhHsG2Wk0mKarsUApJCRANRm/V

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral8/memory/3580-0-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral8/memory/764-2-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral8/memory/2296-13-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral8/memory/468-14-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral8/memory/3300-27-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral8/memory/2444-26-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral8/memory/5096-12-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral8/memory/5096-11-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral8/memory/3600-10-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral8/memory/1676-9-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral8/memory/2240-7-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral8/memory/2240-6-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral8/memory/2952-4-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral8/memory/3580-1-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	LGPO.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	LGPO.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	LGPO.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	LGPO.exe
File created	C:\Windows\System32\GroupPolicy\User\Registry.pol	LGPO.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4824	sc.exe
4036	sc.exe
4588	sc.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 2180	976	cmd.exe	15
PID 976 wrote to memory of 2180	976	cmd.exe	15
PID 976 wrote to memory of 224	976	cmd.exe	36
PID 976 wrote to memory of 224	976	cmd.exe	36
PID 976 wrote to memory of 3580	976	cmd.exe	35
PID 976 wrote to memory of 3580	976	cmd.exe	35
PID 976 wrote to memory of 3580	976	cmd.exe	35
PID 976 wrote to memory of 764	976	cmd.exe	119
PID 976 wrote to memory of 764	976	cmd.exe	119
PID 976 wrote to memory of 764	976	cmd.exe	119
PID 976 wrote to memory of 2952	976	cmd.exe	33
PID 976 wrote to memory of 2952	976	cmd.exe	33
PID 976 wrote to memory of 2952	976	cmd.exe	33
PID 976 wrote to memory of 2240	976	cmd.exe	16
PID 976 wrote to memory of 2240	976	cmd.exe	16
PID 976 wrote to memory of 2240	976	cmd.exe	16
PID 976 wrote to memory of 1676	976	cmd.exe	31
PID 976 wrote to memory of 1676	976	cmd.exe	31
PID 976 wrote to memory of 1676	976	cmd.exe	31
PID 976 wrote to memory of 3600	976	cmd.exe	30
PID 976 wrote to memory of 3600	976	cmd.exe	30
PID 976 wrote to memory of 3600	976	cmd.exe	30
PID 976 wrote to memory of 4824	976	cmd.exe	120
PID 976 wrote to memory of 4824	976	cmd.exe	120
PID 976 wrote to memory of 5096	976	cmd.exe	29
PID 976 wrote to memory of 5096	976	cmd.exe	29
PID 976 wrote to memory of 5096	976	cmd.exe	29
PID 976 wrote to memory of 4588	976	cmd.exe	27
PID 976 wrote to memory of 4588	976	cmd.exe	27
PID 976 wrote to memory of 2296	976	cmd.exe	26
PID 976 wrote to memory of 2296	976	cmd.exe	26
PID 976 wrote to memory of 2296	976	cmd.exe	26
PID 976 wrote to memory of 4036	976	cmd.exe	25
PID 976 wrote to memory of 4036	976	cmd.exe	25
PID 976 wrote to memory of 468	976	cmd.exe	24
PID 976 wrote to memory of 468	976	cmd.exe	24
PID 976 wrote to memory of 468	976	cmd.exe	24
PID 976 wrote to memory of 4616	976	cmd.exe	18
PID 976 wrote to memory of 4616	976	cmd.exe	18
PID 976 wrote to memory of 4616	976	cmd.exe	18
PID 976 wrote to memory of 2444	976	cmd.exe	23
PID 976 wrote to memory of 2444	976	cmd.exe	23
PID 976 wrote to memory of 2444	976	cmd.exe	23
PID 976 wrote to memory of 3300	976	cmd.exe	22
PID 976 wrote to memory of 3300	976	cmd.exe	22
PID 976 wrote to memory of 3300	976	cmd.exe	22

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2180

C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe
"C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe" {0a}Добавлен параметр в LGPO файл {08}(для настройки ГП){#}:{\n #}
1⤵
PID:2240

C:\Windows\system32\sc.exe
sc config SensrSvc start= demand
1⤵
- Launches sc.exe
PID:4824

C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\LGPO.exe
"C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\LGPO.exe" /t "C:\Users\Admin\AppData\Local\Temp\LGPO-file.txt" /q
1⤵
- Drops file in System32 directory
PID:4616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4132

C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe
"C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe" {0a}Перезагрузите компьютер!!! {\n #}
1⤵
PID:3300

C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe
"C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe" {0a}Исправление выполнено {\n #}
1⤵
PID:2444

C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe
"C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe" {0b}Применение параметров из LGPO файла {08}(настройка ГП) {\n #}
1⤵
PID:468

C:\Windows\system32\sc.exe
sc config SensorDataService start= demand
1⤵
- Launches sc.exe
PID:4036

C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe
"C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe" {0f}Служба "Служба данных датчиков"{\n #}
1⤵
PID:2296

C:\Windows\system32\sc.exe
sc config SensorService start= demand
1⤵
- Launches sc.exe
PID:4588

C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe
"C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe" {0f}"Служба датчиков" (датчики поворота дисплея, местоположения и т.д.){\n #}
1⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe
"C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe" {0f}Служба наблюдения за датчиками "SensrSvc" (кооректировка яркости дисплея, поворота экрана и т.д.){\n #}
1⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe
"C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe" {0a}Добавлен параметр в LGPO файл {08}(для настройки ГП){#}:{\n #}
1⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe
"C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe" {0a}Добавлен параметр в LGPO файл {08}(для настройки ГП){#}:{\n #}
1⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe
"C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe" {0f}"Включение определения вашего расположения для AppStore и Других программ (Геозона)" {0b}Настроить ГП!{\n #}
1⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe
"C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe" {0b}Добавление настройки Групповой Политики в файл LGPO:{\n #}
1⤵
PID:3580

C:\Windows\system32\reg.exe
reg query "HKU\S-1-5-19\Environment"
1⤵
PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\AutoSettings\Enable_Sensors.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 6wbZgdiOdk2GfW9k4e5X0A.0.2
1⤵
PID:764

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4824

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/468-14-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/764-2-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1676-9-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2240-7-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2240-6-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2296-13-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2444-26-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2952-4-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3300-27-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3580-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3580-1-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3600-10-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5096-12-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5096-11-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download