Overview

overview

8

Static

static

3

read_the_guide.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    7s
  • max time network
    12s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230831-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-09-2023 08:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    read_the_guide.exe

  • Size

    3.4MB

  • MD5

    ef1153c007a9c485b1a1682f445aac22

  • SHA1

    2b7495fabc1af5def6a2ea0242769754c976c805

  • SHA256

    78daf836d26ae23c5f96249816da699605e9586d463662487377fb9d61c6533a

  • SHA512

    9ee0d665adf4d1218f4bf781a9724b2994dc5c608d52c06a9e5e83744070551e96ed64bdff18523f3f5b905b2779d2ff5c0b0c44fec25880cd2e2c66f9b93780

  • SSDEEP

    24576:zeV1nbHjQKtIWj3/i3c0WRpexWGExoTQPUd0PvmpYteKnhBPmcin8e8BKSfzzX6l:yTDQKSWjEclpiWnRPgaeKTmTn0HCh

Score
8/10
evasion

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
    evasion
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\read_the_guide.exe
    "C:\Users\Admin\AppData\Local\Temp\read_the_guide.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:324
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop BEService
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3412
      • C:\Windows\system32\sc.exe
        sc stop BEService
        3⤵
        • Launches sc.exe
        PID:1340
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3828
      • C:\Windows\system32\sc.exe
        sc stop EasyAntiCheat
        3⤵
        • Launches sc.exe
        PID:2328
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
        PID:2144
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        2⤵
          PID:3792
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 324 -s 1748
          2⤵
          • Program crash
          PID:4944
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -pss -s 480 -p 324 -ip 324
        1⤵
          PID:4016

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/324-0-0x00007FF772440000-0x00007FF7727B9000-memory.dmp

          Filesize

          3.5MB

          Download

        • memory/324-10-0x00007FFC53370000-0x00007FFC53565000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/324-9-0x00007FFC53370000-0x00007FFC53565000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/324-11-0x00007FFC53370000-0x00007FFC53565000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/324-12-0x00007FFC53370000-0x00007FFC53565000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/324-13-0x00007FF772440000-0x00007FF7727B9000-memory.dmp

          Filesize

          3.5MB

          Download

        • memory/324-14-0x00007FFC53370000-0x00007FFC53565000-memory.dmp

          Filesize

          2.0MB

          Download