Analysis Overview
SHA256
95ab142281af83bca92a9919b0691e3966218a96273452c15b701485af44ad0b
Threat Level: Known bad
The file anticheats.exe was found to be: Known bad.
Malicious Activity Summary
Echelon
Echelon log file
Reads user/profile data of web browsers
Checks installed software on the system
Looks up external IP address via web service
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-11-09 20:54
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-11-09 20:54
Reported
2020-11-11 03:05
Platform
win7v20201028
Max time kernel
134s
Max time network
138s
Command Line
Signatures
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\anticheats.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1804 wrote to memory of 340 | N/A | C:\Users\Admin\AppData\Local\Temp\anticheats.exe | C:\Windows\system32\cmd.exe |
| PID 1804 wrote to memory of 340 | N/A | C:\Users\Admin\AppData\Local\Temp\anticheats.exe | C:\Windows\system32\cmd.exe |
| PID 1804 wrote to memory of 340 | N/A | C:\Users\Admin\AppData\Local\Temp\anticheats.exe | C:\Windows\system32\cmd.exe |
| PID 340 wrote to memory of 436 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe |
| PID 340 wrote to memory of 436 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe |
| PID 340 wrote to memory of 436 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\anticheats.exe
"C:\Users\Admin\AppData\Local\Temp\anticheats.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp492D.tmp.cmd""
C:\Windows\system32\timeout.exe
timeout 1
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 174.129.214.20:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | www.download.windowsupdate.com | udp |
Files
memory/1804-0-0x000007FEF5760000-0x000007FEF614C000-memory.dmp
memory/1804-1-0x0000000000EA0000-0x0000000000EA1000-memory.dmp
memory/1804-3-0x000000001B490000-0x000000001B526000-memory.dmp
memory/340-4-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp492D.tmp.cmd
| MD5 | 04867b3b20337c4b1893442a2f44d68f |
| SHA1 | 0e24bc3957286e95d1d7ef08e590b49f0186737d |
| SHA256 | abcb09bafb7caec6f025c8e742cc16280093b3412a74ccc518b9230a97410393 |
| SHA512 | 9ae9b68d84b4ca3f0a48e8f9b25f62b1480843110a415df653b578314b12359baaecaa7587d5f7569ddba9407e799c6289e90beaa1c1175a7ca7a5732bdb2e6a |
memory/436-6-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-11-09 20:54
Reported
2020-11-11 03:05
Platform
win10v20201028
Max time kernel
103s
Max time network
110s
Command Line
Signatures
Echelon
Echelon log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\anticheats.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\anticheats.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\anticheats.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 728 wrote to memory of 3524 | N/A | C:\Users\Admin\AppData\Local\Temp\anticheats.exe | C:\Windows\system32\cmd.exe |
| PID 728 wrote to memory of 3524 | N/A | C:\Users\Admin\AppData\Local\Temp\anticheats.exe | C:\Windows\system32\cmd.exe |
| PID 3524 wrote to memory of 2588 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe |
| PID 3524 wrote to memory of 2588 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\anticheats.exe
"C:\Users\Admin\AppData\Local\Temp\anticheats.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA4B2.tmp.cmd""
C:\Windows\system32\timeout.exe
timeout 1
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.204.14.42:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | 179s.ru | udp |
| N/A | 45.147.197.110:80 | 179s.ru | tcp |
Files
memory/728-0-0x00007FFD72180000-0x00007FFD72B6C000-memory.dmp
memory/728-1-0x0000000000770000-0x0000000000771000-memory.dmp
memory/728-3-0x000000001B200000-0x000000001B296000-memory.dmp
memory/728-4-0x000000001C2A0000-0x000000001C310000-memory.dmp
memory/3524-5-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpA4B2.tmp.cmd
| MD5 | fd29162478d33edcdff3b14547f3e40b |
| SHA1 | 106f17bac053a8a6b9835660b6de9f300cda9098 |
| SHA256 | b7d82488482a4ebf8af528fb8f107bbe85f770d89042c2dfebf65063ce6d0680 |
| SHA512 | 358bcbe53afa1b8f1f9fa2150c3fd03c79ac95205701698b7a912911a547383edef072ab08b1d2a8308545cafc89b5c6db8e05d84dae756f22cea8e835425224 |
memory/2588-7-0x0000000000000000-mapping.dmp