Analysis
max time kernel: 127s
max time network: 127s
platform: windows10_x64
resource: win10v20201028
submitted: 13-01-2021 10:39
Static task: static1
Behavioral task: behavioral1
  Sample: LITEJY_v1.3.20210105 .exe
  Resource: win7v20201028
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: LITEJY_v1.3.20210105 .exe
  Resource: win10v20201028
  0 signatures, 0 seconds
General
Target: LITEJY_v1.3.20210105 .exe
Size: 7.1MB
MD5: 758bbbd2e255c1aa72357ad76d63567a
SHA1: af4d310743bba94383f6279f1ff934708731e1cf
SHA256: 00e23f66ad8beb0186dba445a6d846c878ff95c312424fc95a3ceffc0780de6a
SHA512: 3a796cab3b9fca224f78b3011cade3c053c967446d6ca8a123e6777ade43e009be3165ddd0cafb74a4558102bfdb30496313a952025c61f696fe7cd3f6cc4e21
Score: 8/10
Malware Config
Signatures
Stops running service(s) (3 TTPs)
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid   process
  1148  LITEJY_v1.3.20210105 .exe
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  1148  LITEJY_v1.3.20210105 .exe
  1148  LITEJY_v1.3.20210105 .exe
Suspicious behavior: LoadsDriver (2 IoCs)
  pid   process
  616
  616
Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   process
  1148  LITEJY_v1.3.20210105 .exe
  1148  LITEJY_v1.3.20210105 .exe
  1148  LITEJY_v1.3.20210105 .exe
Suspicious use of SendNotifyMessage (3 IoCs)
  pid   process
  1148  LITEJY_v1.3.20210105 .exe
  1148  LITEJY_v1.3.20210105 .exe
  1148  LITEJY_v1.3.20210105 .exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   process
  1148  LITEJY_v1.3.20210105 .exe
  1148  LITEJY_v1.3.20210105 .exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   process                    target process
  PID 1148 wrote to memory of 3096  1148  LITEJY_v1.3.20210105 .exe  cacls.exe
  PID 1148 wrote to memory of 3096  1148  LITEJY_v1.3.20210105 .exe  cacls.exe
  PID 1148 wrote to memory of 3096  1148  LITEJY_v1.3.20210105 .exe  cacls.exe
  PID 1148 wrote to memory of 2272  1148  LITEJY_v1.3.20210105 .exe  sc.exe
  PID 1148 wrote to memory of 2272  1148  LITEJY_v1.3.20210105 .exe  sc.exe
  PID 1148 wrote to memory of 2272  1148  LITEJY_v1.3.20210105 .exe  sc.exe
  PID 1148 wrote to memory of 952   1148  LITEJY_v1.3.20210105 .exe  sc.exe
  PID 1148 wrote to memory of 952   1148  LITEJY_v1.3.20210105 .exe  sc.exe
  PID 1148 wrote to memory of 952   1148  LITEJY_v1.3.20210105 .exe  sc.exe
Processes
C:\Users\Admin\AppData\Local\Temp\LITEJY_v1.3.20210105 .exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\LITEJY_v1.3.20210105 .exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cacls.exe (depth 2)
    Command line: cacls C:\Windows\Prefetch /e /t /p everyone:N
  C:\Windows\SysWOW64\sc.exe (depth 2)
    Command line: sc delete cheat8lite
  C:\Windows\SysWOW64\sc.exe (depth 2)
    Command line: sc delete cheat8lite