Analysis
- max time kernel: 106s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/11/2022, 16:44

Static task: static1

Behavioral task: behavioral1
- Sample: BadwareFreeValo.exe
- Resource: win7-20220812-en
- 7 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: BadwareFreeValo.exe
- Resource: win10v2004-20220901-en
- 9 signatures
- 150 seconds
General
- Target: BadwareFreeValo.exe
- Size: 6.6MB
- MD5: ada216b77ddd4e5348a3b141e0134693
- SHA1: 10425d5f97105124ab33a4997371b141cb09b9ef
- SHA256: 116a80b9656d3f0e17d63cd0b0c8c846ae11eed78ba84b4fddba95ea5d6f13e4
- SHA512: 4529e0d8f684020edbce9f056b8349207abf4b49cf94475ab21b73bfb4ae16c7046b36e3be289a08e825fb33145d7ab5612c492ad1e279d550c0a133a62b1a1b
- SSDEEP: 98304:3dOKCra5ySTQQpENgTHIhXJKqm0UAiAO2g0XoBY7iVZ1KUsEhXFvaqup0JKbplGF:30KCu5IQpHUnRO2BaYM1KfqVSquz4k
- Score: 8/10
Malware Config
Signatures
- Sets service image path in registry (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\yUCAWgbbbTuUxTaPvdxBXkdbIju\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\yUCAWgbbbTuUxTaPvdxBXkdbIju" (process: BadwareFreeValo.exe)
- Stops running service(s) (3 TTPs)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  - PID 2348 BadwareFreeValo.exe; PID 2348 BadwareFreeValo.exe
- Launches sc.exe (3 IoCs)
  - sc.exe is a Windows utility to control services on the system.
  - PID 3216 sc.exe; PID 2412 sc.exe; PID 4296 sc.exe
- Kills process with taskkill (12 IoCs)
  - taskkill.exe PIDs: 4468, 1356, 4692, 1876, 4820, 3656, 4776, 5100, 4632, 4292, 4860, 4388
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 2348 BadwareFreeValo.exe; PID 2348 BadwareFreeValo.exe
- Suspicious behavior: LoadsDriver (1 IoC)
  - PID 2348 BadwareFreeValo.exe
- Suspicious use of AdjustPrivilegeToken (13 IoCs)
  - Token SeDebugPrivilege: taskkill.exe PIDs 1356, 4468, 4776, 5100, 4632, 4860, 4292, 4692, 3656, 4820, 1876, 4388
  - Token SeLoadDriverPrivilege: PID 2348 BadwareFreeValo.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\BadwareFreeValo.exe (PID 2348)
  Command: "C:\Users\Admin\AppData\Local\Temp\BadwareFreeValo.exe"
  Signatures: Sets service image path in registry; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: LoadsDriver; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe (PID 3392)
    Command: cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe (PID 4468)
      Command: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\cmd.exe (PID 4712)
    Command: cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe (PID 4776)
      Command: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\cmd.exe (PID 3240)
    Command: cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe (PID 1356)
      Command: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\cmd.exe (PID 2312)
    Command: cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\sc.exe (PID 3216)
      Command: sc stop HTTPDebuggerPro
      Signatures: Launches sc.exe
  - C:\Windows\SYSTEM32\cmd.exe (PID 3988)
    Command: cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe (PID 5100)
      Command: taskkill /IM HTTPDebuggerSvc.exe /F
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\cmd.exe (PID 1384)
    Command: cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  - C:\Windows\system32\cmd.exe (PID 232)
    Command: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\BadwareFreeValo.exe" MD5
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\certutil.exe (PID 5096)
      Command: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\BadwareFreeValo.exe" MD5
  - C:\Windows\SYSTEM32\cmd.exe (PID 2124)
    Command: cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe (PID 4632)
      Command: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\cmd.exe (PID 3160)
    Command: cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe (PID 4860)
      Command: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\cmd.exe (PID 2268)
    Command: cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe (PID 4692)
      Command: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\cmd.exe (PID 4104)
    Command: cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\sc.exe (PID 2412)
      Command: sc stop HTTPDebuggerPro
      Signatures: Launches sc.exe
  - C:\Windows\SYSTEM32\cmd.exe (PID 1120)
    Command: cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe (PID 4292)
      Command: taskkill /IM HTTPDebuggerSvc.exe /F
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\cmd.exe (PID 3960)
    Command: cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  - C:\Windows\SYSTEM32\cmd.exe (PID 1884)
    Command: cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe (PID 4820)
      Command: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\cmd.exe (PID 3380)
    Command: cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe (PID 1876)
      Command: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\cmd.exe (PID 2216)
    Command: cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    - C:\Windows\system32\taskkill.exe (PID 4388)
      Command: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\cmd.exe (PID 1428)
    Command: cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    - C:\Windows\system32\sc.exe (PID 4296)
      Command: sc stop HTTPDebuggerPro
      Signatures: Launches sc.exe
  - C:\Windows\SYSTEM32\cmd.exe (PID 1972)
    Command: cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    - C:\Windows\system32\taskkill.exe (PID 3656)
      Command: taskkill /IM HTTPDebuggerSvc.exe /F
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\cmd.exe (PID 1020)
    Command: cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  - C:\Windows\system32\cmd.exe (PID 5084)
    Command: C:\Windows\system32\cmd.exe /c cls