b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c

Analysis

max time kernel
184s
max time network
192s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 08:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Size

44KB
MD5

d8faeceb29fce25bb9d202ec8a4f2683
SHA1

39d1a1eb4add29dd755bd84996578ea3b4a437ba
SHA256

b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c
SHA512

82c33e0620ef07399a5cf2bd7c6512ad1b2c42a81eecec404c982e78c64aa5601576c0a200198fa7ac3014b5322f39bdc6219ff4833f5fb741738620c9520dfe
SSDEEP

768:Xrd9EC5rkFBeR3lscNAhI/MK+Bg54d/yBKO7LdBONzOuaBBQARQkJZWSLtE7:OeR3lseAhI/MK+S54d/ot7/ONzIBBQAY

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1988	sc.exe
332	sc.exe
784	sc.exe
676	sc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: 33	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
Token: SeIncBasePriorityPrivilege	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 1988	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe	28
PID 1212 wrote to memory of 1988	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe	28
PID 1212 wrote to memory of 1988	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe	28
PID 1212 wrote to memory of 1988	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe	28
PID 1212 wrote to memory of 332	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe	30
PID 1212 wrote to memory of 332	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe	30
PID 1212 wrote to memory of 332	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe	30
PID 1212 wrote to memory of 332	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe	30
PID 1212 wrote to memory of 784	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe	31
PID 1212 wrote to memory of 784	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe	31
PID 1212 wrote to memory of 784	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe	31
PID 1212 wrote to memory of 784	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe	31
PID 1212 wrote to memory of 676	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe	34
PID 1212 wrote to memory of 676	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe	34
PID 1212 wrote to memory of 676	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe	34
PID 1212 wrote to memory of 676	1212	b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe	34

C:\Users\Admin\AppData\Local\Temp\b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe
"C:\Users\Admin\AppData\Local\Temp\b1796761d30fdf3752006fd3d7a9d8084db5c95a8c2f0aa5f072be8a1d31c29c.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\SysWOW64\sc.exe
  sc stop qqTouch
  2⤵
  - Launches sc.exe
  PID:1988
- C:\Windows\SysWOW64\sc.exe
  sc delete qqTouch
  2⤵
  - Launches sc.exe
  PID:332
- C:\Windows\SysWOW64\sc.exe
  sc create qqTouch type= kernel binpath= C:\Users\Admin\AppData\Local\Temp\qqTouch.sys
  2⤵
  - Launches sc.exe
  PID:784
- C:\Windows\SysWOW64\sc.exe
  sc start qqTouch
  2⤵
  - Launches sc.exe
  PID:676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Privilege Escalation

New Service

T1050

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads