bcfefef116c5ccf1ea7e110be257222f01f73aff1e0106f2268313bed413afcb

Analysis

max time kernel
30s
max time network
33s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30/06/2023, 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader.exe
Size

6.1MB
MD5

d07c83d3938c02bc7befdcf11a8f619e
SHA1

6cdcc379877847670c859417a84f3fc265a2b420
SHA256

bcfefef116c5ccf1ea7e110be257222f01f73aff1e0106f2268313bed413afcb
SHA512

1e211b65f23eaf32575f757c69df30b80f9f6ac1d4901371e65ae9d1471f5f873e6d4121189bc6b5bfe93149d4699dceab6b248a4e070ffbb703b0b97ff8581a
SSDEEP

98304:vrX2+qaBQF2Os1nxZyOZS4fBhENbOo1R+TfXw4ld9v4JCn6UE4+twOD4wfOtOdBq:vTZ3Ms1xI94fsNyQ61D4JFPtCtOdBuR

Score

9^/10

evasion ransomware

Malware Config

Signatures

Clears Windows event logs 1 TTPs 1 IoCs

evasion ransomware

Indicator Removal on Host

T1070

pid	Process
668	wevtutil.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1424	sc.exe
1620	sc.exe
1628	sc.exe
1376	sc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1700	loader.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	668	wevtutil.exe
Token: SeBackupPrivilege	668	wevtutil.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 1620	1700	loader.exe	27
PID 1700 wrote to memory of 1620	1700	loader.exe	27
PID 1700 wrote to memory of 1620	1700	loader.exe	27
PID 1700 wrote to memory of 1628	1700	loader.exe	28
PID 1700 wrote to memory of 1628	1700	loader.exe	28
PID 1700 wrote to memory of 1628	1700	loader.exe	28
PID 1700 wrote to memory of 1376	1700	loader.exe	30
PID 1700 wrote to memory of 1376	1700	loader.exe	30
PID 1700 wrote to memory of 1376	1700	loader.exe	30
PID 1700 wrote to memory of 1424	1700	loader.exe	31
PID 1700 wrote to memory of 1424	1700	loader.exe	31
PID 1700 wrote to memory of 1424	1700	loader.exe	31
PID 1700 wrote to memory of 668	1700	loader.exe	33
PID 1700 wrote to memory of 668	1700	loader.exe	33
PID 1700 wrote to memory of 668	1700	loader.exe	33

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\system32\sc.exe
  sc stop faceit > nul
  2⤵
  - Launches sc.exe
  PID:1620
- C:\Windows\system32\sc.exe
  sc stop vgc > nul
  2⤵
  - Launches sc.exe
  PID:1628
- C:\Windows\system32\sc.exe
  sc stop vgk > nul
  2⤵
  - Launches sc.exe
  PID:1376
- C:\Windows\system32\sc.exe
  sc stop ESEADriver2 > nul
  2⤵
  - Launches sc.exe
  PID:1424
- C:\Windows\system32\wevtutil.exe
  wevtutil cl System
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Indicator Removal on Host

T1070

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1700-54-0x0000000077300000-0x0000000077302000-memory.dmp

Filesize
8KB

Download
memory/1700-55-0x0000000077300000-0x0000000077302000-memory.dmp

Filesize
8KB

Download
memory/1700-56-0x0000000077300000-0x0000000077302000-memory.dmp

Filesize
8KB

Download
memory/1700-57-0x000000013FD40000-0x000000014087F000-memory.dmp

Filesize
11.2MB

Download