Analysis

  • max time kernel
    138s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-11-2023 18:57

General

  • Target

    WareHub_Cw4ck_By_discord.gg_Recte/Execute Me In Lobby.exe

  • Size

    90KB

  • MD5

    c5cbe94c0a909f2521b5365989ae3a1a

  • SHA1

    598e081ad680bc6510719d3cc0e291a84d4402e6

  • SHA256

    f68369688730d28b9033c372be78fa07d909633a3ef0587d7badc8eb3e750f1d

  • SHA512

    bba0dc5c318bdc219ac35f9ac9f1a1d40506778b52436afaeb872c46e0e39c28294c661e897d30be7a737242c58329bd3f9715670b480baaf4bc717b2ff33fbf

  • SSDEEP

    1536:H7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfEwcO+:b7DhdC6kzWypvaQ0FxyNTBfEP

Score
1/10

Malware Config

Signatures

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WareHub_Cw4ck_By_discord.gg_Recte\Execute Me In Lobby.exe
    "C:\Users\Admin\AppData\Local\Temp\WareHub_Cw4ck_By_discord.gg_Recte\Execute Me In Lobby.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\ED3E.tmp\ED3F.tmp\ED40.bat "C:\Users\Admin\AppData\Local\Temp\WareHub_Cw4ck_By_discord.gg_Recte\Execute Me In Lobby.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3628
      • C:\Windows\system32\net.exe
        NET FILE
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4940
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 FILE
          4⤵
          PID:2988
      • C:\Windows\system32\net.exe
        NET FILE
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1412
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 FILE
          4⤵
          PID:3472
      • C:\Users\Admin\AppData\Local\Temp\WareHub_Cw4ck_By_discord.gg_Recte\IGNORE-THIS-FOLDER\a.exe
        .\IGNORE-THIS-FOLDER\a.exe inject -p 1v1_LOL -a .\IGNORE-THIS-FOLDER\a.png -n LOLXUESOS -c IKSAD -m sdfmn
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4076
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" pause 1>nul"
        3⤵
        PID:4384
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo Press any key to exit.."
        3⤵
        PID:232

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ED3E.tmp\ED3F.tmp\ED40.bat

    Filesize

    1KB

    MD5

    35c6da25f9807fc18452f8127f2dd228

    SHA1

    63f1b757fb8344b64964339ceb0bfaf4bfcbd519

    SHA256

    f8afd8b32a57f63338c69685c8d97af4c3215c067bad715197a693f30617c853

    SHA512

    32528629c3222afe24a347c3d3d7b2cc4659c7bf2a772a6e61ec35c72452cca8f252db5c97e939acfb6291d4796822016329a6c2b93493f0733cf575ff44fed4

  • memory/4076-6-0x0000000000780000-0x000000000078A000-memory.dmp

    Filesize

    40KB

  • memory/4076-7-0x0000000001050000-0x000000000105C000-memory.dmp

    Filesize

    48KB

  • memory/4076-8-0x00007FFBC00A0000-0x00007FFBC0B61000-memory.dmp

    Filesize

    10.8MB

  • memory/4076-10-0x00007FFBC00A0000-0x00007FFBC0B61000-memory.dmp

    Filesize

    10.8MB