11e7270f427aa3ec487d380d7dd07023f516bd201bfbf342b46b075ef420b11b

Analysis

max time kernel
127s
max time network
127s
platform
windows10_x64
resource
win10v20201028
submitted
13-01-2021 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LITEJY_v1.3.20210105 .exe
Size

7.1MB
MD5

758bbbd2e255c1aa72357ad76d63567a
SHA1

af4d310743bba94383f6279f1ff934708731e1cf
SHA256

00e23f66ad8beb0186dba445a6d846c878ff95c312424fc95a3ceffc0780de6a
SHA512

3a796cab3b9fca224f78b3011cade3c053c967446d6ca8a123e6777ade43e009be3165ddd0cafb74a4558102bfdb30496313a952025c61f696fe7cd3f6cc4e21

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Disabling Security Tools
T1089

Service Stop
T1489
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

LITEJY_v1.3.20210105 .exe

pid process

1148 LITEJY_v1.3.20210105 .exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

LITEJY_v1.3.20210105 .exe

pid process

1148 LITEJY_v1.3.20210105 .exe
1148 LITEJY_v1.3.20210105 .exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

616
616
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

LITEJY_v1.3.20210105 .exe

pid process

1148 LITEJY_v1.3.20210105 .exe
1148 LITEJY_v1.3.20210105 .exe
1148 LITEJY_v1.3.20210105 .exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

LITEJY_v1.3.20210105 .exe

pid process

1148 LITEJY_v1.3.20210105 .exe
1148 LITEJY_v1.3.20210105 .exe
1148 LITEJY_v1.3.20210105 .exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

LITEJY_v1.3.20210105 .exe

pid process

1148 LITEJY_v1.3.20210105 .exe
1148 LITEJY_v1.3.20210105 .exe

pid	process
1148	LITEJY_v1.3.20210105 .exe

pid	process
1148	LITEJY_v1.3.20210105 .exe
1148	LITEJY_v1.3.20210105 .exe

pid	process
616
616

pid	process
1148	LITEJY_v1.3.20210105 .exe
1148	LITEJY_v1.3.20210105 .exe
1148	LITEJY_v1.3.20210105 .exe

pid	process
1148	LITEJY_v1.3.20210105 .exe
1148	LITEJY_v1.3.20210105 .exe
1148	LITEJY_v1.3.20210105 .exe

pid	process
1148	LITEJY_v1.3.20210105 .exe
1148	LITEJY_v1.3.20210105 .exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

LITEJY_v1.3.20210105 .exe

description	pid	process	target process
PID 1148 wrote to memory of 3096	1148	LITEJY_v1.3.20210105 .exe	cacls.exe
PID 1148 wrote to memory of 3096	1148	LITEJY_v1.3.20210105 .exe	cacls.exe
PID 1148 wrote to memory of 3096	1148	LITEJY_v1.3.20210105 .exe	cacls.exe
PID 1148 wrote to memory of 2272	1148	LITEJY_v1.3.20210105 .exe	sc.exe
PID 1148 wrote to memory of 2272	1148	LITEJY_v1.3.20210105 .exe	sc.exe
PID 1148 wrote to memory of 2272	1148	LITEJY_v1.3.20210105 .exe	sc.exe
PID 1148 wrote to memory of 952	1148	LITEJY_v1.3.20210105 .exe	sc.exe
PID 1148 wrote to memory of 952	1148	LITEJY_v1.3.20210105 .exe	sc.exe
PID 1148 wrote to memory of 952	1148	LITEJY_v1.3.20210105 .exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\LITEJY_v1.3.20210105 .exe
"C:\Users\Admin\AppData\Local\Temp\LITEJY_v1.3.20210105 .exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Prefetch /e /t /p everyone:N
2⤵
PID:3096

C:\Windows\SysWOW64\sc.exe
sc delete cheat8lite
2⤵
PID:2272

C:\Windows\SysWOW64\sc.exe
sc delete cheat8lite
2⤵
PID:952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/952-4-0x0000000000000000-mapping.dmp

Download
memory/2272-3-0x0000000000000000-mapping.dmp

Download
memory/3096-2-0x0000000000000000-mapping.dmp

Download