52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba

Analysis

max time kernel
93s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2023, 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
Size

727KB
MD5

c6e3854ce5fd2cc208e0d69323338bae
SHA1

2a55ad9d47b97c3ffee633d81b98721728e61e1a
SHA256

52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba
SHA512

10117b25f7d23760c37e06f498b8e987fb44b7afbb7e39bbe2dcb74dc1a3a8225964ec5f84031e11e0a26b0bc0004bbc2c286eafb031c4c87becad57264eb630
SSDEEP

12288:pNsvD3T7o5cWTeVs/S6NYfLbowrSN2eEbEQK:TsvrT7oSWTi8NYDbfrSIbDK

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3580	sc.exe
1628	sc.exe
1416	sc.exe
624	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4368	3016	WerFault.exe	79

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1864	timeout.exe

Kills process with taskkill 10 IoCs

evasion

pid	Process
4528	taskkill.exe
4260	taskkill.exe
1460	taskkill.exe
3392	taskkill.exe
4312	taskkill.exe
3228	taskkill.exe
4188	taskkill.exe
844	taskkill.exe
696	taskkill.exe
3760	taskkill.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4528	taskkill.exe
Token: SeDebugPrivilege	4188	taskkill.exe
Token: SeDebugPrivilege	844	taskkill.exe
Token: SeDebugPrivilege	4260	taskkill.exe
Token: SeDebugPrivilege	1460	taskkill.exe
Token: SeDebugPrivilege	3392	taskkill.exe
Token: SeDebugPrivilege	696	taskkill.exe
Token: SeDebugPrivilege	4312	taskkill.exe
Token: SeDebugPrivilege	3228	taskkill.exe
Token: SeDebugPrivilege	3760	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 4144	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	81
PID 3016 wrote to memory of 4144	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	81
PID 4144 wrote to memory of 4528	4144	cmd.exe	82
PID 4144 wrote to memory of 4528	4144	cmd.exe	82
PID 3016 wrote to memory of 4828	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	84
PID 3016 wrote to memory of 4828	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	84
PID 3016 wrote to memory of 5032	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	86
PID 3016 wrote to memory of 5032	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	86
PID 3016 wrote to memory of 3052	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	87
PID 3016 wrote to memory of 3052	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	87
PID 3016 wrote to memory of 4432	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	90
PID 3016 wrote to memory of 4432	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	90
PID 3016 wrote to memory of 460	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	92
PID 3016 wrote to memory of 460	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	92
PID 3016 wrote to memory of 836	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	94
PID 3016 wrote to memory of 836	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	94
PID 3016 wrote to memory of 4276	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	96
PID 3016 wrote to memory of 4276	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	96
PID 3016 wrote to memory of 4168	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	98
PID 3016 wrote to memory of 4168	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	98
PID 4276 wrote to memory of 4188	4276	cmd.exe	97
PID 4276 wrote to memory of 4188	4276	cmd.exe	97
PID 4828 wrote to memory of 624	4828	cmd.exe	100
PID 4828 wrote to memory of 624	4828	cmd.exe	100
PID 4432 wrote to memory of 844	4432	cmd.exe	101
PID 4432 wrote to memory of 844	4432	cmd.exe	101
PID 5032 wrote to memory of 3580	5032	cmd.exe	102
PID 5032 wrote to memory of 3580	5032	cmd.exe	102
PID 3016 wrote to memory of 2224	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	103
PID 3016 wrote to memory of 2224	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	103
PID 3052 wrote to memory of 1628	3052	cmd.exe	104
PID 3052 wrote to memory of 1628	3052	cmd.exe	104
PID 460 wrote to memory of 4260	460	cmd.exe	106
PID 460 wrote to memory of 4260	460	cmd.exe	106
PID 3016 wrote to memory of 1512	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	107
PID 3016 wrote to memory of 1512	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	107
PID 1512 wrote to memory of 1416	1512	cmd.exe	108
PID 1512 wrote to memory of 1416	1512	cmd.exe	108
PID 836 wrote to memory of 1460	836	cmd.exe	109
PID 836 wrote to memory of 1460	836	cmd.exe	109
PID 4168 wrote to memory of 3392	4168	cmd.exe	110
PID 4168 wrote to memory of 3392	4168	cmd.exe	110
PID 3016 wrote to memory of 1364	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	111
PID 3016 wrote to memory of 1364	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	111
PID 2224 wrote to memory of 696	2224	cmd.exe	112
PID 2224 wrote to memory of 696	2224	cmd.exe	112
PID 1364 wrote to memory of 4312	1364	cmd.exe	113
PID 1364 wrote to memory of 4312	1364	cmd.exe	113
PID 3016 wrote to memory of 3960	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	114
PID 3016 wrote to memory of 3960	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	114
PID 3960 wrote to memory of 3228	3960	cmd.exe	115
PID 3960 wrote to memory of 3228	3960	cmd.exe	115
PID 3016 wrote to memory of 3840	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	116
PID 3016 wrote to memory of 3840	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	116
PID 3840 wrote to memory of 3760	3840	cmd.exe	117
PID 3840 wrote to memory of 3760	3840	cmd.exe	117
PID 3016 wrote to memory of 4184	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	118
PID 3016 wrote to memory of 4184	3016	52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe	118
PID 4184 wrote to memory of 2748	4184	cmd.exe	119
PID 4184 wrote to memory of 2748	4184	cmd.exe	119
PID 4184 wrote to memory of 4412	4184	cmd.exe	120
PID 4184 wrote to memory of 4412	4184	cmd.exe	120
PID 4184 wrote to memory of 4932	4184	cmd.exe	121
PID 4184 wrote to memory of 4932	4184	cmd.exe	121

C:\Users\Admin\AppData\Local\Temp\52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
"C:\Users\Admin\AppData\Local\Temp\52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4528
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop easyanticheat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\system32\sc.exe
    sc stop easyanticheat
    3⤵
    - Launches sc.exe
    PID:624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop bedaisy
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\system32\sc.exe
    sc stop bedaisy
    3⤵
    - Launches sc.exe
    PID:3580
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop beservice
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\system32\sc.exe
    sc stop beservice
    3⤵
    - Launches sc.exe
    PID:1628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:844
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:460
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4260
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im EasyAntiCheat.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EasyAntiCheat.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im beservice.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im beservice.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3392
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3840
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe" MD5
    3⤵
    PID:2748
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:4412
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:4932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo Signature checksum failed. The request was either tampered with, or your session ended and you need to run the program again. && timeout /t 5"
  2⤵
  PID:3856
- - C:\Windows\system32\cmd.exe
    cmd /C "color b && title Error && echo Signature checksum failed. The request was either tampered with, or your session ended and you need to run the program again. && timeout /t 5"
    3⤵
    PID:1328
  - - C:\Windows\system32\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:1864
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3016 -s 2100
  2⤵
  - Program crash
  PID:4368

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 3016 -ip 3016
1⤵
PID:2112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads