09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04

General

Target

09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04.exe
Size

72KB
MD5

68af8f5a1b540d467d8380464e3734b7
SHA1

3f0f23b10c6eb315423b67a861ab88cd857aac7a
SHA256

09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04
SHA512

332e21fc0cbd2d8c7f829058bf6cd3b31d567cc24bff8fa6a123b0331d37141dfaf78c405072ed434fd50cda31eb6a308bd72b72cd089d4c0ef76cd0ae7cf40a
SSDEEP

768:igyRh0oKY5mE4vgifS4sJCN8M84aMOjOIyT4k+kIXXF00oMO1:idJF4vgiKJL4a/yhYnoMO1

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1204	sc.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
320	taskkill.exe
1368	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	320	taskkill.exe
Token: SeDebugPrivilege	1368	taskkill.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 656	2032	09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04.exe	27
PID 2032 wrote to memory of 656	2032	09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04.exe	27
PID 2032 wrote to memory of 656	2032	09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04.exe	27
PID 2032 wrote to memory of 656	2032	09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04.exe	27
PID 2032 wrote to memory of 1612	2032	09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04.exe	28
PID 2032 wrote to memory of 1612	2032	09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04.exe	28
PID 2032 wrote to memory of 1612	2032	09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04.exe	28
PID 2032 wrote to memory of 1612	2032	09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04.exe	28
PID 1612 wrote to memory of 1368	1612	cmd.exe	32
PID 1612 wrote to memory of 1368	1612	cmd.exe	32
PID 1612 wrote to memory of 1368	1612	cmd.exe	32
PID 1612 wrote to memory of 1368	1612	cmd.exe	32
PID 656 wrote to memory of 320	656	cmd.exe	31
PID 656 wrote to memory of 320	656	cmd.exe	31
PID 656 wrote to memory of 320	656	cmd.exe	31
PID 656 wrote to memory of 320	656	cmd.exe	31
PID 2032 wrote to memory of 1076	2032	09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04.exe	34
PID 2032 wrote to memory of 1076	2032	09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04.exe	34
PID 2032 wrote to memory of 1076	2032	09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04.exe	34
PID 2032 wrote to memory of 1076	2032	09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04.exe	34
PID 1076 wrote to memory of 1204	1076	cmd.exe	36
PID 1076 wrote to memory of 1204	1076	cmd.exe	36
PID 1076 wrote to memory of 1204	1076	cmd.exe	36
PID 1076 wrote to memory of 1204	1076	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04.exe
"C:\Users\Admin\AppData\Local\Temp\09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Stop_0.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM MsgPoolConsole.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Stop_1.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM SYS_FFFF_FFFF.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Stop_2.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Windows\SysWOW64\sc.exe
    sc stop inefiService
    3⤵
    - Launches sc.exe
    PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Stop_0.bat

Filesize
34B

MD5
6a6e01c3a93a6c62616d3c59f5435514

SHA1
e782ca88d832be296a8346bae9872dcf056b8bd9

SHA256
022e6aea25bec6ea196ab2f4941a96639252636c14928dad804345b096913fcd

SHA512
c0a5ba0e7643c302ce12a15b2d282715b00c302356e2e0ef35a7e88f183bb66e6249053426d29796250a80f741209c9fa003854437fac000b0fddcaa64e4f268

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stop_0.bat

Filesize
34B

MD5
6a6e01c3a93a6c62616d3c59f5435514

SHA1
e782ca88d832be296a8346bae9872dcf056b8bd9

SHA256
022e6aea25bec6ea196ab2f4941a96639252636c14928dad804345b096913fcd

SHA512
c0a5ba0e7643c302ce12a15b2d282715b00c302356e2e0ef35a7e88f183bb66e6249053426d29796250a80f741209c9fa003854437fac000b0fddcaa64e4f268

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stop_1.bat

Filesize
33B

MD5
d6074591e3e711cf75cbd14eac2d0234

SHA1
2653f40bfad75eb894ca5f0ac073cf9402d72998

SHA256
a3d6ef7e6b5a47a9dbff1c76d0b0cc2cd49e926eb094bf4edde47e01c79f5725

SHA512
7592ca6e43a7fbc75ab52733df64562ea11820f5804138cc2b40ccb65acad356e3dbe567d0c38e23ebd09ce38d18dd278e5c4c59733f5038fbbf12388f1f1cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stop_1.bat

Filesize
33B

MD5
d6074591e3e711cf75cbd14eac2d0234

SHA1
2653f40bfad75eb894ca5f0ac073cf9402d72998

SHA256
a3d6ef7e6b5a47a9dbff1c76d0b0cc2cd49e926eb094bf4edde47e01c79f5725

SHA512
7592ca6e43a7fbc75ab52733df64562ea11820f5804138cc2b40ccb65acad356e3dbe567d0c38e23ebd09ce38d18dd278e5c4c59733f5038fbbf12388f1f1cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stop_2.bat

Filesize
20B

MD5
47e5b28b58d93f6f1849aee525f8d711

SHA1
ad89dbafdd9726291426612e1106f8d8db233d55

SHA256
3b10f3f01a350cbbafd99a95e3f121ef226398cea4cb4362aa3f59264e5df68b

SHA512
fe2fedbe7f2966ebde05d6ff838028de48d931f79026981b495d397aff0f76b0c7068b5f9dbe91581ea88a5dd46365ea1870986660e4763705ddee666bb6f55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stop_2.bat

Filesize
20B

MD5
47e5b28b58d93f6f1849aee525f8d711

SHA1
ad89dbafdd9726291426612e1106f8d8db233d55

SHA256
3b10f3f01a350cbbafd99a95e3f121ef226398cea4cb4362aa3f59264e5df68b

SHA512
fe2fedbe7f2966ebde05d6ff838028de48d931f79026981b495d397aff0f76b0c7068b5f9dbe91581ea88a5dd46365ea1870986660e4763705ddee666bb6f55b

Download Submit

Analysis

Sharing