Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
29/12/2023, 23:52
General
-
Target
079a6b7ec6a7311dd8845286678c76f5.exe
-
Size
877KB
-
MD5
079a6b7ec6a7311dd8845286678c76f5
-
SHA1
dd67cb9b94fbef1d57b3eacd3d3487183b9ccf72
-
SHA256
37486e6a37ceeafc4acbb6300b4fc97ec4961f58fa479982b4bfa389bd643df5
-
SHA512
b8be27e226392b1b7877a0c2a3f9788b78d27b49aed0996ebc890a13a4a030ad9fb42c204b2b80fcc6f82bd684b99e55878e801e7e76abefa6be174b2aac24fa
-
SSDEEP
12288:UZWtI6RkE+erQZb+md4w1UWOB0JupOB0H:UuhaE+erQZb+md4wmWO9OM
Score
10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Blocks application from running via registry modification 17 IoCs
Adds application to list of disallowed applications.
-
Sets file execution options in registry 2 TTPs 20 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 3 IoCs
-
Drops file in Program Files directory 30 IoCs
-
Drops file in Windows directory 10 IoCs
-
Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Runs net.exe
-
Runs regedit.exe 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 17 IoCs
Processes
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start schedule /y1⤵
-
C:\Windows\SysWOW64\net.exenet.exe start schedule /y1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\system32\Option.bat1⤵
-
C:\Users\Admin\AppData\Local\Temp\079a6b7ec6a7311dd8845286678c76f5.exe"C:\Users\Admin\AppData\Local\Temp\079a6b7ec6a7311dd8845286678c76f5.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f2⤵
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f2⤵
-
-
C:\Windows\system\KavUpda.exeC:\Windows\system\KavUpda.exe2⤵
- Executes dropped EXE
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config srservice start= disabled3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f3⤵
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config wscsvc start= disabled3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config SharedAccess start= disabled3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config srservice start= disabled3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\net.exenet.exe stop 360timeprot /y3⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop srservice /y3⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop wuauserv /y3⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop sharedaccess /y3⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop wscsvc /y3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c at 6:13:22 PM C:\Windows\Sysinf.bat3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c at 6:10:22 PM C:\Windows\Sysinf.bat3⤵
-
-
C:\Windows\SysWOW64\At.exeAt.exe 6:11:20 PM C:\Windows\Help\HelpCat.exe3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
-
C:\Windows\SysWOW64\regedit.exeregedit.exe /s C:\Windows\regedt32.sys2⤵
- Modifies visibility of file extensions in Explorer
- Blocks application from running via registry modification
- Sets file execution options in registry
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config srservice start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config wscsvc start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config SharedAccess start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config srservice start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\net.exenet.exe stop 360timeprot /y2⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop srservice /y2⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop wuauserv /y2⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop sharedaccess /y2⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop wscsvc /y2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.execmd /c at 6:13:19 PM C:\Windows\Sysinf.bat2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c at 6:10:19 PM C:\Windows\Sysinf.bat2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\At.exeAt.exe 6:11:17 PM C:\Windows\Help\HelpCat.exe2⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop wuauserv /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exenet.exe stop 360timeprot /y2⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop srservice /y2⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop sharedaccess /y2⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop wscsvc /y2⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop 360timeprot /y1⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d2⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start schedule /y1⤵
-
C:\Windows\SysWOW64\net.exenet.exe start schedule /y1⤵
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\system32\Option.bat1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop srservice /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sharedaccess /y1⤵
-
C:\Windows\SysWOW64\at.exeat 6:10:19 PM C:\Windows\Sysinf.bat1⤵
-
C:\Windows\SysWOW64\at.exeat 6:13:19 PM C:\Windows\Sysinf.bat1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wscsvc /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop 360timeprot /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop srservice /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop 360timeprot /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop srservice /y1⤵
-
C:\Windows\SysWOW64\at.exeat 6:13:22 PM C:\Windows\Sysinf.bat1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sharedaccess /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wscsvc /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sharedaccess /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wscsvc /y1⤵
-
C:\Windows\SysWOW64\at.exeat 6:10:22 PM C:\Windows\Sysinf.bat1⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "17695447111502178908-1259429313-1698858420-2085273634-292246685-2088285882-627824169"1⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "108396565218021610191808352243-1134534971-1074442137-1992508115-463150578335610059"1⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-65707153210391766781216760277-1270066965755150277-144887851-7848646832015349594"1⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1259673901625255047140501374-980004851-1538045540-11803655616193683161391517499"1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD52bbfd1a841d7e11aacd0cdff9db1f849
SHA1be1bb90667786d5d67e486b17a04d8ecc1df3da4
SHA256a9f0460dfa74b50ec28af0512424c7e003242dfbfd713dc6dcee29afe4ae72d9
SHA5129b04bda20d3dfdb3cbaec0b28bbfb277375503633d1e47836c7df4b67e56a355d22737f808b60cac6fd94a1536704f86a8f90630e3d1d7c48561676101b51cea
-
Filesize
216KB