Analysis
-
max time kernel
154s -
max time network
166s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
11-10-2021 14:17
General
-
Target
warface cheat.exe
-
Size
49KB
-
MD5
ae0a9ba0686ad4be301eaacb06512b4e
-
SHA1
fce8b4a67fb5fe1cdfb1064f83666d18e719fae2
-
SHA256
3b019244b4ae2dbd3661304708254f8e24a3e8062019fe8a6252298ff9dbc9ab
-
SHA512
78578e75fd62476df29b43389a93f049ebe94ecafee52d3550ee6d4db598b063268c418360c573315af873fbbb6d4d553ce7ff4f3e8a6652cc6222ffdb1dd181
Score
8/10
Malware Config
Signatures
-
Modifies Windows Firewall 1 TTPs
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Kills process with taskkill 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\warface cheat.exe"C:\Users\Admin\AppData\Local\Temp\warface cheat.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\warface cheat.exe" "warface cheat.exe" ENABLE2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM Exsample.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3436-121-0x000001C819630000-0x000001C819632000-memory.dmpFilesize
8KB
-
memory/3436-140-0x000001C833ED0000-0x000001C833ED1000-memory.dmpFilesize
4KB
-
memory/3436-115-0x000001C819630000-0x000001C819632000-memory.dmpFilesize
8KB
-
memory/3436-117-0x000001C819630000-0x000001C819632000-memory.dmpFilesize
8KB
-
memory/3436-118-0x000001C819630000-0x000001C819632000-memory.dmpFilesize
8KB
-
memory/3436-119-0x000001C833A30000-0x000001C833A31000-memory.dmpFilesize
4KB
-
memory/3436-120-0x000001C831A50000-0x000001C831A52000-memory.dmpFilesize
8KB
-
memory/3436-122-0x000001C831A53000-0x000001C831A55000-memory.dmpFilesize
8KB
-
memory/3436-116-0x000001C819630000-0x000001C819632000-memory.dmpFilesize
8KB
-
memory/3436-123-0x000001C819630000-0x000001C819632000-memory.dmpFilesize
8KB
-
memory/3436-124-0x000001C819630000-0x000001C819632000-memory.dmpFilesize
8KB
-
memory/3436-125-0x000001C819630000-0x000001C819632000-memory.dmpFilesize
8KB
-
memory/3436-126-0x000001C819630000-0x000001C819632000-memory.dmpFilesize
8KB
-
memory/3436-114-0x000001C819630000-0x000001C819632000-memory.dmpFilesize
8KB
-
memory/3436-151-0x000001C8340F0000-0x000001C8340F1000-memory.dmpFilesize
4KB
-
memory/3436-156-0x000001C819630000-0x000001C819632000-memory.dmpFilesize
8KB
-
memory/3472-158-0x0000000000000000-mapping.dmp
-
memory/4372-159-0x0000000000000000-mapping.dmp
-
memory/4916-157-0x0000000002610000-0x0000000002611000-memory.dmpFilesize
4KB