c7d64c6ccc644e422b3081e654634e2ae52715a6bbdad3c12ce996fa4e6a0b71

Analysis

max time kernel
156s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 06:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c7d64c6ccc644e422b3081e654634e2ae52715a6bbdad3c12ce996fa4e6a0b71.exe
Size

672KB
MD5

72bed7071806e539e62a48eb70bf7d30
SHA1

1855aba784a7c6a3f77adff895b500fd0841f45c
SHA256

c7d64c6ccc644e422b3081e654634e2ae52715a6bbdad3c12ce996fa4e6a0b71
SHA512

81284e0ebfdd0ceae75cc7579f9f3b71d59be535bcb9defe35e1284b2e9de5d0e71e3376151b2475f9e28ac170627064c98e0da08533b6c7d726a7ed87db4596
SSDEEP

6144:kLmyjDlZ77FHGACsu5loSmRRITX3w2Ijd2HeNB0ll5+NR:cj7FFCsu5loSmRTNC

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4712	sc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1096	c7d64c6ccc644e422b3081e654634e2ae52715a6bbdad3c12ce996fa4e6a0b71.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 3108	1096	c7d64c6ccc644e422b3081e654634e2ae52715a6bbdad3c12ce996fa4e6a0b71.exe	84
PID 1096 wrote to memory of 3108	1096	c7d64c6ccc644e422b3081e654634e2ae52715a6bbdad3c12ce996fa4e6a0b71.exe	84
PID 1096 wrote to memory of 3108	1096	c7d64c6ccc644e422b3081e654634e2ae52715a6bbdad3c12ce996fa4e6a0b71.exe	84
PID 1096 wrote to memory of 840	1096	c7d64c6ccc644e422b3081e654634e2ae52715a6bbdad3c12ce996fa4e6a0b71.exe	86
PID 1096 wrote to memory of 840	1096	c7d64c6ccc644e422b3081e654634e2ae52715a6bbdad3c12ce996fa4e6a0b71.exe	86
PID 1096 wrote to memory of 840	1096	c7d64c6ccc644e422b3081e654634e2ae52715a6bbdad3c12ce996fa4e6a0b71.exe	86
PID 840 wrote to memory of 4712	840	cmd.exe	88
PID 840 wrote to memory of 4712	840	cmd.exe	88
PID 840 wrote to memory of 4712	840	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\c7d64c6ccc644e422b3081e654634e2ae52715a6bbdad3c12ce996fa4e6a0b71.exe
"C:\Users\Admin\AppData\Local\Temp\c7d64c6ccc644e422b3081e654634e2ae52715a6bbdad3c12ce996fa4e6a0b71.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo 【2022-10-02 07:49:10】 APP was clicked >> Winlock.log
  2⤵
  PID:3108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c SC stop wscsvc && SC config wscsvc start= disabled && REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer /V ShellState /D 2400000038280100000000000000000000000000010000000d0000000000000000000000 /T REG_BINARY /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\SysWOW64\sc.exe
    SC stop wscsvc
    3⤵
    - Launches sc.exe
    PID:4712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads