da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
08/10/2023, 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe
Size

3.6MB
MD5

888e459b6d4472a0c407066ee6445747
SHA1

c0f15d0dcff203736aa438d7118474d04a2f83ae
SHA256

da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7
SHA512

3bebf54a5cdcdfad4404fce5c22f9a404b1c21ee498236e30162bc854ef7701f31e40f125e790dc9693441c43d8ac5606b6a2181c03fa3b10ba96a1b28dc49a7
SSDEEP

24576:jWehjcjhb/foo9yAWt+Z3HJ8SESRXDlQw66KDx6DNH+jV2JE6dki+0HSrApDsKh3:j/jgooYAWFSYG+jbbi+KUAWKajEXulsT

Score

1^/10

Malware Config

Signatures

Kills process with taskkill 7 IoCs

evasion

pid	Process
1280	taskkill.exe
2720	taskkill.exe
2588	taskkill.exe
2656	taskkill.exe
2632	taskkill.exe
2488	taskkill.exe
2484	taskkill.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1280	taskkill.exe
Token: SeDebugPrivilege	2720	taskkill.exe
Token: SeDebugPrivilege	2588	taskkill.exe
Token: SeDebugPrivilege	2656	taskkill.exe
Token: SeDebugPrivilege	2632	taskkill.exe
Token: SeDebugPrivilege	2488	taskkill.exe
Token: SeDebugPrivilege	2484	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe
1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe
1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe
1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1280	1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe	28
PID 1376 wrote to memory of 1280	1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe	28
PID 1376 wrote to memory of 1280	1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe	28
PID 1376 wrote to memory of 1280	1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe	28
PID 1376 wrote to memory of 2720	1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe	31
PID 1376 wrote to memory of 2720	1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe	31
PID 1376 wrote to memory of 2720	1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe	31
PID 1376 wrote to memory of 2720	1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe	31
PID 1376 wrote to memory of 2588	1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe	33
PID 1376 wrote to memory of 2588	1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe	33
PID 1376 wrote to memory of 2588	1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe	33
PID 1376 wrote to memory of 2588	1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe	33
PID 1376 wrote to memory of 2656	1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe	35
PID 1376 wrote to memory of 2656	1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe	35
PID 1376 wrote to memory of 2656	1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe	35
PID 1376 wrote to memory of 2656	1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe	35
PID 1376 wrote to memory of 2632	1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe	37
PID 1376 wrote to memory of 2632	1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe	37
PID 1376 wrote to memory of 2632	1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe	37
PID 1376 wrote to memory of 2632	1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe	37
PID 1376 wrote to memory of 2488	1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe	39
PID 1376 wrote to memory of 2488	1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe	39
PID 1376 wrote to memory of 2488	1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe	39
PID 1376 wrote to memory of 2488	1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe	39
PID 1376 wrote to memory of 2484	1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe	41
PID 1376 wrote to memory of 2484	1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe	41
PID 1376 wrote to memory of 2484	1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe	41
PID 1376 wrote to memory of 2484	1376	da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe	41

C:\Users\Admin\AppData\Local\Temp\da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe
"C:\Users\Admin\AppData\Local\Temp\da6bc7e476f6bb885bf275fd22a1043e01657043f2f7f56d415e08f4ad3039e7.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im SGuard64.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1280
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im SGuardSvc64.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im SGuardUpdate64.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im crossfire.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im GameLoader.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im ACE-Helper.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im WebViewProcess_x64.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2484

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads