09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04

Analysis

max time kernel
132s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2023, 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04.exe
Size

72KB
MD5

68af8f5a1b540d467d8380464e3734b7
SHA1

3f0f23b10c6eb315423b67a861ab88cd857aac7a
SHA256

09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04
SHA512

332e21fc0cbd2d8c7f829058bf6cd3b31d567cc24bff8fa6a123b0331d37141dfaf78c405072ed434fd50cda31eb6a308bd72b72cd089d4c0ef76cd0ae7cf40a
SSDEEP

768:igyRh0oKY5mE4vgifS4sJCN8M84aMOjOIyT4k+kIXXF00oMO1:idJF4vgiKJL4a/yhYnoMO1

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4408	sc.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4344	taskkill.exe
2144	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4344	taskkill.exe
Token: SeDebugPrivilege	2144	taskkill.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 1176	1340	09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04.exe	83
PID 1340 wrote to memory of 1176	1340	09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04.exe	83
PID 1340 wrote to memory of 1176	1340	09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04.exe	83
PID 1340 wrote to memory of 4360	1340	09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04.exe	84
PID 1340 wrote to memory of 4360	1340	09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04.exe	84
PID 1340 wrote to memory of 4360	1340	09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04.exe	84
PID 4360 wrote to memory of 4344	4360	cmd.exe	87
PID 4360 wrote to memory of 4344	4360	cmd.exe	87
PID 4360 wrote to memory of 4344	4360	cmd.exe	87
PID 1176 wrote to memory of 2144	1176	cmd.exe	88
PID 1176 wrote to memory of 2144	1176	cmd.exe	88
PID 1176 wrote to memory of 2144	1176	cmd.exe	88
PID 1340 wrote to memory of 1324	1340	09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04.exe	92
PID 1340 wrote to memory of 1324	1340	09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04.exe	92
PID 1340 wrote to memory of 1324	1340	09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04.exe	92
PID 1324 wrote to memory of 4408	1324	cmd.exe	94
PID 1324 wrote to memory of 4408	1324	cmd.exe	94
PID 1324 wrote to memory of 4408	1324	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04.exe
"C:\Users\Admin\AppData\Local\Temp\09dcbee5eeae4cbed0bc341cb32e89ae03d2caef210feb7236211fff935a6f04.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Stop_0.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM MsgPoolConsole.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Stop_1.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4360
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM SYS_FFFF_FFFF.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Stop_2.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\SysWOW64\sc.exe
    sc stop inefiService
    3⤵
    - Launches sc.exe
    PID:4408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Stop_0.bat

Filesize
34B

MD5
6a6e01c3a93a6c62616d3c59f5435514

SHA1
e782ca88d832be296a8346bae9872dcf056b8bd9

SHA256
022e6aea25bec6ea196ab2f4941a96639252636c14928dad804345b096913fcd

SHA512
c0a5ba0e7643c302ce12a15b2d282715b00c302356e2e0ef35a7e88f183bb66e6249053426d29796250a80f741209c9fa003854437fac000b0fddcaa64e4f268

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stop_1.bat

Filesize
33B

MD5
d6074591e3e711cf75cbd14eac2d0234

SHA1
2653f40bfad75eb894ca5f0ac073cf9402d72998

SHA256
a3d6ef7e6b5a47a9dbff1c76d0b0cc2cd49e926eb094bf4edde47e01c79f5725

SHA512
7592ca6e43a7fbc75ab52733df64562ea11820f5804138cc2b40ccb65acad356e3dbe567d0c38e23ebd09ce38d18dd278e5c4c59733f5038fbbf12388f1f1cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stop_2.bat

Filesize
20B

MD5
47e5b28b58d93f6f1849aee525f8d711

SHA1
ad89dbafdd9726291426612e1106f8d8db233d55

SHA256
3b10f3f01a350cbbafd99a95e3f121ef226398cea4cb4362aa3f59264e5df68b

SHA512
fe2fedbe7f2966ebde05d6ff838028de48d931f79026981b495d397aff0f76b0c7068b5f9dbe91581ea88a5dd46365ea1870986660e4763705ddee666bb6f55b

Download Submit