80e8e0434bc69407e0d7280eae5b6e3b0445bfc127a1eb6b2ae003b41d9f2680

Analysis

max time kernel
175s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 12:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

80e8e0434bc69407e0d7280eae5b6e3b0445bfc127a1eb6b2ae003b41d9f2680.exe
Size

35KB
MD5

922c6419f56eb42a5fb639eb19e460ec
SHA1

23f155cff8940d23e453c3034470e5f9b3445047
SHA256

80e8e0434bc69407e0d7280eae5b6e3b0445bfc127a1eb6b2ae003b41d9f2680
SHA512

50acd840617f7ad392fd5c9033434065ededb1de5899067594bcc08d8dfa1db956bc998c7bce5b13d687ac49ac3f256074d8260e2838ee1305779b7d91db4f64
SSDEEP

768:7xO2yj6lDGHXqbDTAsrs66uKQL+6yjwPemBZB6Kv:7xO2qnHXetJdyjSXBZBX

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\func.dll	80e8e0434bc69407e0d7280eae5b6e3b0445bfc127a1eb6b2ae003b41d9f2680.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\phpi.dll	80e8e0434bc69407e0d7280eae5b6e3b0445bfc127a1eb6b2ae003b41d9f2680.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3924	sc.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
1588	taskkill.exe
4944	taskkill.exe
880	taskkill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	880	taskkill.exe
Token: SeDebugPrivilege	4944	taskkill.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 1028	3744	80e8e0434bc69407e0d7280eae5b6e3b0445bfc127a1eb6b2ae003b41d9f2680.exe	85
PID 3744 wrote to memory of 1028	3744	80e8e0434bc69407e0d7280eae5b6e3b0445bfc127a1eb6b2ae003b41d9f2680.exe	85
PID 3744 wrote to memory of 1028	3744	80e8e0434bc69407e0d7280eae5b6e3b0445bfc127a1eb6b2ae003b41d9f2680.exe	85
PID 3744 wrote to memory of 3236	3744	80e8e0434bc69407e0d7280eae5b6e3b0445bfc127a1eb6b2ae003b41d9f2680.exe	86
PID 3744 wrote to memory of 3236	3744	80e8e0434bc69407e0d7280eae5b6e3b0445bfc127a1eb6b2ae003b41d9f2680.exe	86
PID 3744 wrote to memory of 3236	3744	80e8e0434bc69407e0d7280eae5b6e3b0445bfc127a1eb6b2ae003b41d9f2680.exe	86
PID 3744 wrote to memory of 3272	3744	80e8e0434bc69407e0d7280eae5b6e3b0445bfc127a1eb6b2ae003b41d9f2680.exe	89
PID 3744 wrote to memory of 3272	3744	80e8e0434bc69407e0d7280eae5b6e3b0445bfc127a1eb6b2ae003b41d9f2680.exe	89
PID 3744 wrote to memory of 3272	3744	80e8e0434bc69407e0d7280eae5b6e3b0445bfc127a1eb6b2ae003b41d9f2680.exe	89
PID 3744 wrote to memory of 3680	3744	80e8e0434bc69407e0d7280eae5b6e3b0445bfc127a1eb6b2ae003b41d9f2680.exe	91
PID 3744 wrote to memory of 3680	3744	80e8e0434bc69407e0d7280eae5b6e3b0445bfc127a1eb6b2ae003b41d9f2680.exe	91
PID 3744 wrote to memory of 3680	3744	80e8e0434bc69407e0d7280eae5b6e3b0445bfc127a1eb6b2ae003b41d9f2680.exe	91
PID 3744 wrote to memory of 4984	3744	80e8e0434bc69407e0d7280eae5b6e3b0445bfc127a1eb6b2ae003b41d9f2680.exe	92
PID 3744 wrote to memory of 4984	3744	80e8e0434bc69407e0d7280eae5b6e3b0445bfc127a1eb6b2ae003b41d9f2680.exe	92
PID 3744 wrote to memory of 4984	3744	80e8e0434bc69407e0d7280eae5b6e3b0445bfc127a1eb6b2ae003b41d9f2680.exe	92
PID 3744 wrote to memory of 1424	3744	80e8e0434bc69407e0d7280eae5b6e3b0445bfc127a1eb6b2ae003b41d9f2680.exe	93
PID 3744 wrote to memory of 1424	3744	80e8e0434bc69407e0d7280eae5b6e3b0445bfc127a1eb6b2ae003b41d9f2680.exe	93
PID 3744 wrote to memory of 1424	3744	80e8e0434bc69407e0d7280eae5b6e3b0445bfc127a1eb6b2ae003b41d9f2680.exe	93
PID 1424 wrote to memory of 4944	1424	cmd.exe	97
PID 3680 wrote to memory of 880	3680	cmd.exe	98
PID 1424 wrote to memory of 4944	1424	cmd.exe	97
PID 1424 wrote to memory of 4944	1424	cmd.exe	97
PID 3680 wrote to memory of 880	3680	cmd.exe	98
PID 3680 wrote to memory of 880	3680	cmd.exe	98
PID 4984 wrote to memory of 1588	4984	cmd.exe	99
PID 4984 wrote to memory of 1588	4984	cmd.exe	99
PID 4984 wrote to memory of 1588	4984	cmd.exe	99
PID 3744 wrote to memory of 2848	3744	80e8e0434bc69407e0d7280eae5b6e3b0445bfc127a1eb6b2ae003b41d9f2680.exe	100
PID 3744 wrote to memory of 2848	3744	80e8e0434bc69407e0d7280eae5b6e3b0445bfc127a1eb6b2ae003b41d9f2680.exe	100
PID 3744 wrote to memory of 2848	3744	80e8e0434bc69407e0d7280eae5b6e3b0445bfc127a1eb6b2ae003b41d9f2680.exe	100
PID 3272 wrote to memory of 3924	3272	cmd.exe	103
PID 3272 wrote to memory of 3924	3272	cmd.exe	103
PID 3272 wrote to memory of 3924	3272	cmd.exe	103
PID 3236 wrote to memory of 1356	3236	cmd.exe	102
PID 3236 wrote to memory of 1356	3236	cmd.exe	102
PID 3236 wrote to memory of 1356	3236	cmd.exe	102
PID 1028 wrote to memory of 2540	1028	cmd.exe	101
PID 1028 wrote to memory of 2540	1028	cmd.exe	101
PID 1028 wrote to memory of 2540	1028	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\80e8e0434bc69407e0d7280eae5b6e3b0445bfc127a1eb6b2ae003b41d9f2680.exe
"C:\Users\Admin\AppData\Local\Temp\80e8e0434bc69407e0d7280eae5b6e3b0445bfc127a1eb6b2ae003b41d9f2680.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows /e /p everyone:f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows /e /p everyone:f
    3⤵
    PID:2540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
    3⤵
    PID:1356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config ekrn start= disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3272
- - C:\Windows\SysWOW64\sc.exe
    sc config ekrn start= disabled
    3⤵
    - Launches sc.exe
    PID:3924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im ekrn.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ekrn.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im egui.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im egui.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im ScanFrm.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ScanFrm.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4944
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe func.dll, droqp
  2⤵
  PID:2848

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3744-132-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3744-133-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download