Analysis
max time kernel: 134s
max time network: 138s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 20:54
Static task: static1
Behavioral task: behavioral1
Sample: anticheats.exe
Resource: win7v20201028
General
Target: anticheats.exe
Size: 417KB
MD5: fb2d06f3a2c9d4b9ec1064af3bf9f357
SHA1: aef3c1737f45eb8c1438b759d12d4eae9ce514ba
SHA256: 95ab142281af83bca92a9919b0691e3966218a96273452c15b701485af44ad0b
SHA512: a7a083bbc238a061346f0fc884ab3eda39a23de4301e07112a758882d11b6a98d7c536649d3a6e01161c0ceadf4efb806f713be95a6185b5c10d0dfb06e5a063
Malware Config
Signatures
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 6: api.ipify.org
  flow 5: api.ipify.org
Delays execution with timeout.exe (1 IoC)
Processes:
  pid 436: timeout.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  pid 1804, anticheats.exe: Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 1804 wrote to memory of 340 (pid 1804, anticheats.exe -> target process cmd.exe)
  PID 1804 wrote to memory of 340 (pid 1804, anticheats.exe -> target process cmd.exe)
  PID 1804 wrote to memory of 340 (pid 1804, anticheats.exe -> target process cmd.exe)
  PID 340 wrote to memory of 436 (pid 340, cmd.exe -> target process timeout.exe)
  PID 340 wrote to memory of 436 (pid 340, cmd.exe -> target process timeout.exe)
  PID 340 wrote to memory of 436 (pid 340, cmd.exe -> target process timeout.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\anticheats.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\anticheats.exe"
  PID: 1804
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp492D.tmp.cmd""
    PID: 340
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\timeout.exe
      Command line: timeout 1
      PID: 436
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix
Downloads
MD5: 04867b3b20337c4b1893442a2f44d68f
SHA1: 0e24bc3957286e95d1d7ef08e590b49f0186737d
SHA256: abcb09bafb7caec6f025c8e742cc16280093b3412a74ccc518b9230a97410393
SHA512: 9ae9b68d84b4ca3f0a48e8f9b25f62b1480843110a415df653b578314b12359baaecaa7587d5f7569ddba9407e799c6289e90beaa1c1175a7ca7a5732bdb2e6a