52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba

Analysis

max time kernel
39s
max time network
102s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28/03/2023, 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
Size

727KB
MD5

c6e3854ce5fd2cc208e0d69323338bae
SHA1

2a55ad9d47b97c3ffee633d81b98721728e61e1a
SHA256

52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba
SHA512

10117b25f7d23760c37e06f498b8e987fb44b7afbb7e39bbe2dcb74dc1a3a8225964ec5f84031e11e0a26b0bc0004bbc2c286eafb031c4c87becad57264eb630
SSDEEP

12288:pNsvD3T7o5cWTeVs/S6NYfLbowrSN2eEbEQK:TsvrT7oSWTi8NYDbfrSIbDK

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1692	sc.exe
1408	sc.exe
1064	sc.exe
1992	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1344	832	WerFault.exe	27

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1700	timeout.exe

Kills process with taskkill 10 IoCs

evasion

pid	Process
2036	taskkill.exe
1220	taskkill.exe
1716	taskkill.exe
828	taskkill.exe
1160	taskkill.exe
1460	taskkill.exe
1928	taskkill.exe
1648	taskkill.exe
1196	taskkill.exe
824	taskkill.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	certutil.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeDebugPrivilege	1220	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	828	taskkill.exe
Token: SeDebugPrivilege	1460	taskkill.exe
Token: SeDebugPrivilege	1196	taskkill.exe
Token: SeDebugPrivilege	1928	taskkill.exe
Token: SeDebugPrivilege	824	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 1876	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	29
PID 832 wrote to memory of 1876	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	29
PID 832 wrote to memory of 1876	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	29
PID 1876 wrote to memory of 2036	1876	cmd.exe	30
PID 1876 wrote to memory of 2036	1876	cmd.exe	30
PID 1876 wrote to memory of 2036	1876	cmd.exe	30
PID 832 wrote to memory of 2028	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	31
PID 832 wrote to memory of 2028	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	31
PID 832 wrote to memory of 2028	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	31
PID 832 wrote to memory of 520	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	57
PID 832 wrote to memory of 520	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	57
PID 832 wrote to memory of 520	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	57
PID 832 wrote to memory of 1196	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	62
PID 832 wrote to memory of 1196	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	62
PID 832 wrote to memory of 1196	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	62
PID 832 wrote to memory of 556	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	39
PID 832 wrote to memory of 556	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	39
PID 832 wrote to memory of 556	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	39
PID 2028 wrote to memory of 1692	2028	cmd.exe	37
PID 2028 wrote to memory of 1692	2028	cmd.exe	37
PID 2028 wrote to memory of 1692	2028	cmd.exe	37
PID 832 wrote to memory of 1884	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	36
PID 832 wrote to memory of 1884	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	36
PID 832 wrote to memory of 1884	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	36
PID 832 wrote to memory of 292	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	42
PID 832 wrote to memory of 292	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	42
PID 832 wrote to memory of 292	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	42
PID 520 wrote to memory of 1408	520	cmd.exe	44
PID 520 wrote to memory of 1408	520	cmd.exe	44
PID 520 wrote to memory of 1408	520	cmd.exe	44
PID 832 wrote to memory of 1632	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	43
PID 832 wrote to memory of 1632	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	43
PID 832 wrote to memory of 1632	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	43
PID 832 wrote to memory of 1584	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	47
PID 832 wrote to memory of 1584	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	47
PID 832 wrote to memory of 1584	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	47
PID 1884 wrote to memory of 1220	1884	cmd.exe	46
PID 1884 wrote to memory of 1220	1884	cmd.exe	46
PID 1884 wrote to memory of 1220	1884	cmd.exe	46
PID 1196 wrote to memory of 1064	1196	taskkill.exe	50
PID 1196 wrote to memory of 1064	1196	taskkill.exe	50
PID 1196 wrote to memory of 1064	1196	taskkill.exe	50
PID 556 wrote to memory of 1648	556	cmd.exe	51
PID 556 wrote to memory of 1648	556	cmd.exe	51
PID 556 wrote to memory of 1648	556	cmd.exe	51
PID 1632 wrote to memory of 1716	1632	cmd.exe	52
PID 1632 wrote to memory of 1716	1632	cmd.exe	52
PID 1632 wrote to memory of 1716	1632	cmd.exe	52
PID 292 wrote to memory of 828	292	cmd.exe	53
PID 292 wrote to memory of 828	292	cmd.exe	53
PID 292 wrote to memory of 828	292	cmd.exe	53
PID 1584 wrote to memory of 1160	1584	cmd.exe	54
PID 1584 wrote to memory of 1160	1584	cmd.exe	54
PID 1584 wrote to memory of 1160	1584	cmd.exe	54
PID 832 wrote to memory of 520	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	57
PID 832 wrote to memory of 520	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	57
PID 832 wrote to memory of 520	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	57
PID 520 wrote to memory of 1460	520	cmd.exe	58
PID 520 wrote to memory of 1460	520	cmd.exe	58
PID 520 wrote to memory of 1460	520	cmd.exe	58
PID 832 wrote to memory of 1712	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	59
PID 832 wrote to memory of 1712	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	59
PID 832 wrote to memory of 1712	832	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	59
PID 1712 wrote to memory of 1992	1712	cmd.exe	60

C:\Users\Admin\AppData\Local\Temp\52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
"C:\Users\Admin\AppData\Local\Temp\52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:2036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop easyanticheat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\system32\sc.exe
    sc stop easyanticheat
    3⤵
    - Launches sc.exe
    PID:1692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop bedaisy
  2⤵
  PID:520
- - C:\Windows\system32\sc.exe
    sc stop bedaisy
    3⤵
    - Launches sc.exe
    PID:1408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop beservice
  2⤵
  PID:1196
- - C:\Windows\system32\sc.exe
    sc stop beservice
    3⤵
    - Launches sc.exe
    PID:1064
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im EasyAntiCheat.exe
  2⤵
  PID:292
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EasyAntiCheat.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im beservice.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im beservice.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1852
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1660
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1496
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  PID:676
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe" MD5
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:1528
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo Signature checksum failed. The request was either tampered with, or your session ended and you need to run the program again. && timeout /t 5"
  2⤵
  PID:436
- - C:\Windows\system32\cmd.exe
    cmd /C "color b && title Error && echo Signature checksum failed. The request was either tampered with, or your session ended and you need to run the program again. && timeout /t 5"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:292
  - - C:\Windows\system32\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:1700
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 832 -s 1536
  2⤵
  - Program crash
  PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads