67df53e50fef54326d9a6a7ad5381e3f18aad855e6fb69fbeaed731320d7c58d

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 13:58

Target

ac8zt2/install.bat
Size

304B
MD5

3a80487df38d375da59fce122961b561
SHA1

d61f2ef16b8cf8ccdceaf5a0078108b8634faa8a
SHA256

243930c9a6eb6369057d681f6fb32374d7dcb46b2bafae4b638e84bfb1a023a8
SHA512

b90329a1cd816a57a28faaae473b1e9d7b03af780575967b715f4b35bc5817f58dcb84968aaa73b375b302e638c2b974f5b1e173a033a43084559e45f760e477

Score

5^/10

upx

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msdrives\iedrives.dll	cmd.exe
File created	C:\Windows\system32\msdrives\msdrv.EXE	cmd.exe
File opened for modification	C:\Windows\system32\msdrives\msdrv.EXE	cmd.exe
File created	C:\Windows\system32\msdrives\msdrvctrl.exe	cmd.exe
File opened for modification	C:\Windows\system32\msdrives\msdrvctrl.exe	cmd.exe
File created	C:\Windows\system32\msdrives\driverpp.sys	cmd.exe
File opened for modification	C:\Windows\system32\msdrives\driverpp.sys	cmd.exe
File created	C:\Windows\system32\msdrives\iedrives.dll	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral7/memory/2068-8-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral7/memory/2068-9-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2068	di.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2068	2388	cmd.exe	32
PID 2388 wrote to memory of 2068	2388	cmd.exe	32
PID 2388 wrote to memory of 2068	2388	cmd.exe	32
PID 2388 wrote to memory of 2068	2388	cmd.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ac8zt2\install.bat"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Local\Temp\ac8zt2\di.exe
  di.exe C:\Windows\system32\msdrives\driverpp.sys
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2068

memory/2068-8-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2068-9-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download