68d6f66f1dbca8a581aece57ea4254a48264eae7299d501188107947ab5d1cd9

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
26-08-2023 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68d6f66f1dbca8a581aece57ea4254a48264eae7299d501188107947ab5d1cd9.exe
Size

4.2MB
MD5

13864c6b8048bc6b99498a0f61d5be58
SHA1

04db785a8b6970dbd89eeeac2663a14fa08dcae9
SHA256

68d6f66f1dbca8a581aece57ea4254a48264eae7299d501188107947ab5d1cd9
SHA512

9f6873f4d84f5cf03444141e669dfe386a05df3e566ac6697a101c47375a581b73ca4047c9e87ab2f76a0241a4bbd352593d03c247773520c62a846370f54faf
SSDEEP

49152:d+jvcz959eYNSKlsNL6CJiHXDOYFQj7jTZaqdwk0c05HGiK+s8KuqGaX0ToIBAUp:odNbJiHi2QjvYqdwkLcHHZJBAUZLL

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2124	sc.exe
2976	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2836	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1660	68d6f66f1dbca8a581aece57ea4254a48264eae7299d501188107947ab5d1cd9.exe
1660	68d6f66f1dbca8a581aece57ea4254a48264eae7299d501188107947ab5d1cd9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1660	68d6f66f1dbca8a581aece57ea4254a48264eae7299d501188107947ab5d1cd9.exe
1660	68d6f66f1dbca8a581aece57ea4254a48264eae7299d501188107947ab5d1cd9.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 1668	1660	68d6f66f1dbca8a581aece57ea4254a48264eae7299d501188107947ab5d1cd9.exe	31
PID 1660 wrote to memory of 1668	1660	68d6f66f1dbca8a581aece57ea4254a48264eae7299d501188107947ab5d1cd9.exe	31
PID 1660 wrote to memory of 1668	1660	68d6f66f1dbca8a581aece57ea4254a48264eae7299d501188107947ab5d1cd9.exe	31
PID 1660 wrote to memory of 1668	1660	68d6f66f1dbca8a581aece57ea4254a48264eae7299d501188107947ab5d1cd9.exe	31
PID 1668 wrote to memory of 2124	1668	cmd.exe	33
PID 1668 wrote to memory of 2124	1668	cmd.exe	33
PID 1668 wrote to memory of 2124	1668	cmd.exe	33
PID 1668 wrote to memory of 2124	1668	cmd.exe	33
PID 1668 wrote to memory of 2976	1668	cmd.exe	34
PID 1668 wrote to memory of 2976	1668	cmd.exe	34
PID 1668 wrote to memory of 2976	1668	cmd.exe	34
PID 1668 wrote to memory of 2976	1668	cmd.exe	34
PID 1668 wrote to memory of 2836	1668	cmd.exe	36
PID 1668 wrote to memory of 2836	1668	cmd.exe	36
PID 1668 wrote to memory of 2836	1668	cmd.exe	36
PID 1668 wrote to memory of 2836	1668	cmd.exe	36
PID 1668 wrote to memory of 2772	1668	cmd.exe	38
PID 1668 wrote to memory of 2772	1668	cmd.exe	38
PID 1668 wrote to memory of 2772	1668	cmd.exe	38
PID 1668 wrote to memory of 2772	1668	cmd.exe	38
PID 1668 wrote to memory of 2820	1668	cmd.exe	39
PID 1668 wrote to memory of 2820	1668	cmd.exe	39
PID 1668 wrote to memory of 2820	1668	cmd.exe	39
PID 1668 wrote to memory of 2820	1668	cmd.exe	39
PID 1668 wrote to memory of 2176	1668	cmd.exe	40
PID 1668 wrote to memory of 2176	1668	cmd.exe	40
PID 1668 wrote to memory of 2176	1668	cmd.exe	40
PID 1668 wrote to memory of 2176	1668	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\68d6f66f1dbca8a581aece57ea4254a48264eae7299d501188107947ab5d1cd9.exe
"C:\Users\Admin\AppData\Local\Temp\68d6f66f1dbca8a581aece57ea4254a48264eae7299d501188107947ab5d1cd9.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\·ÀÉÁÍË.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\SysWOW64\sc.exe
    sc delete ChromeElevationService
    3⤵
    - Launches sc.exe
    PID:2124
- - C:\Windows\SysWOW64\sc.exe
    sc delete 360
    3⤵
    - Launches sc.exe
    PID:2976
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /t /im dllhost.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\360 /f
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\360 /f
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\360 /f
    3⤵
    PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\·ÀÉÁÍË.bat

Filesize
467B

MD5
f3ff51b7aa0e4e3044d31e57cd316f38

SHA1
de03393bddc8e3cc225766e988ec732a86be9674

SHA256
ea04a3da71be52f51404cabfa8eeefd12223d95f92c1f2a376ee25ee7323181b

SHA512
c582a9767528a4dc860ba322529b4d2b77aa8a272bb95053ace7fba671aad0aefc9aa7c7fd5682b8f875da58a4b6142ec708cb4bc40345645cc661c12ab32f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\·ÀÉÁÍË.bat

Filesize
467B

MD5
f3ff51b7aa0e4e3044d31e57cd316f38

SHA1
de03393bddc8e3cc225766e988ec732a86be9674

SHA256
ea04a3da71be52f51404cabfa8eeefd12223d95f92c1f2a376ee25ee7323181b

SHA512
c582a9767528a4dc860ba322529b4d2b77aa8a272bb95053ace7fba671aad0aefc9aa7c7fd5682b8f875da58a4b6142ec708cb4bc40345645cc661c12ab32f21

Download Submit
memory/1660-0-0x0000000000200000-0x000000000020A000-memory.dmp

Filesize
40KB

Download