7ddd7c32f45a7fddf7b998c7830501bb48f860b491f247be3b01bb886c359562

Analysis

max time kernel
30s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f30dd29524a28e0f1349f18b05af8aa.exe
Size

179KB
MD5

8f30dd29524a28e0f1349f18b05af8aa
SHA1

292e4bb67ace01f31705e8e97f50999c35ef7162
SHA256

7ddd7c32f45a7fddf7b998c7830501bb48f860b491f247be3b01bb886c359562
SHA512

a9fa95f59d7081fb3d000b3c0e1962ec18b762179fdcaf75d281666067282522146a4909655295d638323ae466e1b06e3a67e51b848360a2c184fc930da6d3de
SSDEEP

3072:zrWfM/ioEsek7k+wo5+ZoVf/4E5/64nSv0uHDoSN3GGUQcrbIEN:zRaHseUkNYQ+/RnSvbDT1sjIi

Score

8^/10

discovery upx

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\acpiec.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\pcidump.sys	ope784B.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	ope784B.exe

Executes dropped EXE 2 IoCs

pid	Process
2232	ope784B.exe
2784	ope7994.exe

Loads dropped DLL 10 IoCs

pid	Process
2620	8f30dd29524a28e0f1349f18b05af8aa.exe
2620	8f30dd29524a28e0f1349f18b05af8aa.exe
2620	8f30dd29524a28e0f1349f18b05af8aa.exe
2784	ope7994.exe
2784	ope7994.exe
2784	ope7994.exe
1964	rundll32.exe
1964	rundll32.exe
1964	rundll32.exe
1964	rundll32.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001552e-21.dat	upx
behavioral1/memory/2784-22-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2620-17-0x00000000023F0000-0x0000000002445000-memory.dmp	upx
behavioral1/memory/2784-38-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2784-39-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2784-45-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2784-47-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2784-48-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2784-50-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2784-53-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2784-55-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2784-56-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\killkb.dll	ope784B.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\aboy.dll	ope784B.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1652	sc.exe
2584	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2836	ipconfig.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
2184	taskkill.exe
2296	taskkill.exe
1976	taskkill.exe
2616	taskkill.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1964	rundll32.exe
1964	rundll32.exe
1964	rundll32.exe
1964	rundll32.exe
1964	rundll32.exe
1964	rundll32.exe
1964	rundll32.exe
1964	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
472	Process not Found
472	Process not Found

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	taskkill.exe
Token: SeDebugPrivilege	2296	taskkill.exe
Token: SeDebugPrivilege	2616	taskkill.exe
Token: SeDebugPrivilege	1964	rundll32.exe
Token: SeDebugPrivilege	1964	rundll32.exe
Token: SeDebugPrivilege	1964	rundll32.exe
Token: SeDebugPrivilege	1976	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2784	ope7994.exe
2784	ope7994.exe
2784	ope7994.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2784	ope7994.exe
2784	ope7994.exe
2784	ope7994.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 2232	2620	8f30dd29524a28e0f1349f18b05af8aa.exe	28
PID 2620 wrote to memory of 2232	2620	8f30dd29524a28e0f1349f18b05af8aa.exe	28
PID 2620 wrote to memory of 2232	2620	8f30dd29524a28e0f1349f18b05af8aa.exe	28
PID 2620 wrote to memory of 2232	2620	8f30dd29524a28e0f1349f18b05af8aa.exe	28
PID 2232 wrote to memory of 2752	2232	ope784B.exe	29
PID 2232 wrote to memory of 2752	2232	ope784B.exe	29
PID 2232 wrote to memory of 2752	2232	ope784B.exe	29
PID 2232 wrote to memory of 2752	2232	ope784B.exe	29
PID 2232 wrote to memory of 2764	2232	ope784B.exe	30
PID 2232 wrote to memory of 2764	2232	ope784B.exe	30
PID 2232 wrote to memory of 2764	2232	ope784B.exe	30
PID 2232 wrote to memory of 2764	2232	ope784B.exe	30
PID 2232 wrote to memory of 2800	2232	ope784B.exe	41
PID 2232 wrote to memory of 2800	2232	ope784B.exe	41
PID 2232 wrote to memory of 2800	2232	ope784B.exe	41
PID 2232 wrote to memory of 2800	2232	ope784B.exe	41
PID 2232 wrote to memory of 1876	2232	ope784B.exe	38
PID 2232 wrote to memory of 1876	2232	ope784B.exe	38
PID 2232 wrote to memory of 1876	2232	ope784B.exe	38
PID 2232 wrote to memory of 1876	2232	ope784B.exe	38
PID 2620 wrote to memory of 2784	2620	8f30dd29524a28e0f1349f18b05af8aa.exe	40
PID 2620 wrote to memory of 2784	2620	8f30dd29524a28e0f1349f18b05af8aa.exe	40
PID 2620 wrote to memory of 2784	2620	8f30dd29524a28e0f1349f18b05af8aa.exe	40
PID 2620 wrote to memory of 2784	2620	8f30dd29524a28e0f1349f18b05af8aa.exe	40
PID 2620 wrote to memory of 2784	2620	8f30dd29524a28e0f1349f18b05af8aa.exe	40
PID 2620 wrote to memory of 2784	2620	8f30dd29524a28e0f1349f18b05af8aa.exe	40
PID 2620 wrote to memory of 2784	2620	8f30dd29524a28e0f1349f18b05af8aa.exe	40
PID 2232 wrote to memory of 2920	2232	ope784B.exe	37
PID 2232 wrote to memory of 2920	2232	ope784B.exe	37
PID 2232 wrote to memory of 2920	2232	ope784B.exe	37
PID 2232 wrote to memory of 2920	2232	ope784B.exe	37
PID 2232 wrote to memory of 2576	2232	ope784B.exe	36
PID 2232 wrote to memory of 2576	2232	ope784B.exe	36
PID 2232 wrote to memory of 2576	2232	ope784B.exe	36
PID 2232 wrote to memory of 2576	2232	ope784B.exe	36
PID 2800 wrote to memory of 2584	2800	cmd.exe	42
PID 2800 wrote to memory of 2584	2800	cmd.exe	42
PID 2800 wrote to memory of 2584	2800	cmd.exe	42
PID 2800 wrote to memory of 2584	2800	cmd.exe	42
PID 2920 wrote to memory of 2616	2920	cmd.exe	43
PID 2920 wrote to memory of 2616	2920	cmd.exe	43
PID 2920 wrote to memory of 2616	2920	cmd.exe	43
PID 2920 wrote to memory of 2616	2920	cmd.exe	43
PID 1876 wrote to memory of 2184	1876	cmd.exe	44
PID 1876 wrote to memory of 2184	1876	cmd.exe	44
PID 1876 wrote to memory of 2184	1876	cmd.exe	44
PID 1876 wrote to memory of 2184	1876	cmd.exe	44
PID 2752 wrote to memory of 2736	2752	cmd.exe	47
PID 2752 wrote to memory of 2736	2752	cmd.exe	47
PID 2752 wrote to memory of 2736	2752	cmd.exe	47
PID 2752 wrote to memory of 2736	2752	cmd.exe	47
PID 2576 wrote to memory of 2296	2576	cmd.exe	46
PID 2576 wrote to memory of 2296	2576	cmd.exe	46
PID 2576 wrote to memory of 2296	2576	cmd.exe	46
PID 2576 wrote to memory of 2296	2576	cmd.exe	46
PID 2764 wrote to memory of 2176	2764	cmd.exe	45
PID 2764 wrote to memory of 2176	2764	cmd.exe	45
PID 2764 wrote to memory of 2176	2764	cmd.exe	45
PID 2764 wrote to memory of 2176	2764	cmd.exe	45
PID 2232 wrote to memory of 1964	2232	ope784B.exe	49
PID 2232 wrote to memory of 1964	2232	ope784B.exe	49
PID 2232 wrote to memory of 1964	2232	ope784B.exe	49
PID 2232 wrote to memory of 1964	2232	ope784B.exe	49
PID 2232 wrote to memory of 1964	2232	ope784B.exe	49

C:\Users\Admin\AppData\Local\Temp\8f30dd29524a28e0f1349f18b05af8aa.exe
"C:\Users\Admin\AppData\Local\Temp\8f30dd29524a28e0f1349f18b05af8aa.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Local\Temp\ope784B.exe
  "C:\Users\Admin\AppData\Local\Temp\ope784B.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cacls C:\Windows\system32 /e /p everyone:f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\system32 /e /p everyone:f
      4⤵
      PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
      4⤵
      PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c taskkill /im ScanFrm.exe /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im ScanFrm.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c taskkill /im egui.exe /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im egui.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c taskkill /im ekrn.exe /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im ekrn.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2184
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc config ekrn start= disabled
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\sc.exe
      sc config ekrn start= disabled
      4⤵
      Launches sc.exe
      PID:2584
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Windows\system32\killkb.dll, droqp
    3⤵
    - Drops file in Drivers directory
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc config avp start= disabled
    3⤵
    PID:1660
  - - C:\Windows\SysWOW64\sc.exe
      sc config avp start= disabled
      4⤵
      Launches sc.exe
      PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c taskkill /im avp.exe /f
    3⤵
    PID:1892
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im avp.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1976
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:2836
- C:\Users\Admin\AppData\Local\Temp\ope7994.exe
  "C:\Users\Admin\AppData\Local\Temp\ope7994.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ope7994.exe

Filesize
142KB

MD5
4c084810b3cba56d4aaaedb4ef185c92

SHA1
bd6202b72ea494935344384480d7c8008a4ceeae

SHA256
6f38a00649bac7e0bf192c97ae9e19f57f326f1d1db4cb8dfe0e05e9283f3597

SHA512
c65fcf16e1122b3a83feb62a616e6e5bb9b96891e3cc8b263e3b06a62d13cc85702e682b32c09636719ca8713ecbeadad89a0134ccbf3e25977958f56494bde1

Download Submit
C:\Windows\SysWOW64\killkb.dll

Filesize
31KB

MD5
2ac8d11c35581d70a014508d904155ee

SHA1
615a143b8ccb2863edd18de26032cf14ec19eb17

SHA256
df4bd0fd3f4c6130fe186a69d8e480e5438b4f967aa3e82bbbb81175449959a7

SHA512
c3cbf43723e30a654b83f3a1311b5c7656a415f9c1d1089b4ded48fee27b6a82ae7d9839bf7d67c1b8b5cff8f111554738d487370e34f858e087226b1bb8ebf6

Download Submit
\Users\Admin\AppData\Local\Temp\ope784B.exe

Filesize
41KB

MD5
c2d0fcfd15835f86c47c7442fa3f75df

SHA1
bd7bb1bb76c4b1609d630d1570bc99045a09abbc

SHA256
53b93aa2c490cee2821d4d7f1ccbea277a097bdb4e178307dd31b2ddefb98a27

SHA512
26254e252f9cd016ce471c772090e25b4f9d626a8a69a17ec73a81354e6217d5d79193631c2e60a9b1ed073cc2e3ae9327102f33de1bcefcf1b280b96e057645

Download Submit
memory/2232-16-0x0000000000400000-0x0000000000428F0A-memory.dmp

Filesize
163KB

Download
memory/2620-1-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2620-9-0x0000000000840000-0x0000000000869000-memory.dmp

Filesize
164KB

Download
memory/2620-19-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2620-17-0x00000000023F0000-0x0000000002445000-memory.dmp

Filesize
340KB

Download
memory/2620-13-0x0000000000840000-0x0000000000869000-memory.dmp

Filesize
164KB

Download
memory/2784-29-0x0000000002FA0000-0x00000000031A4000-memory.dmp

Filesize
2.0MB

Download
memory/2784-39-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2784-25-0x0000000000240000-0x0000000000295000-memory.dmp

Filesize
340KB

Download
memory/2784-27-0x0000000000240000-0x0000000000295000-memory.dmp

Filesize
340KB

Download
memory/2784-30-0x0000000002FA0000-0x00000000031A4000-memory.dmp

Filesize
2.0MB

Download
memory/2784-22-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2784-38-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2784-28-0x0000000000240000-0x0000000000295000-memory.dmp

Filesize
340KB

Download
memory/2784-40-0x0000000000240000-0x0000000000295000-memory.dmp

Filesize
340KB

Download
memory/2784-45-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2784-47-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2784-48-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2784-50-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2784-53-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2784-55-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2784-56-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download