Analysis
- max time kernel: 139s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/12/2023, 23:24
General
- Target: cOOla_unban.exe
- Size: 5.6MB
- MD5: 6857f16046fd533188f28606ae7586ab
- SHA1: 230bb3ad33960731a4ec637469197fe07d8c3234
- SHA256: b3cbb74a4236bd44bb4bdc9d3ce5515a52abb470804de9949818d5d4989cacc5
- SHA512: a5d8142c80d10cc9d5b4607ae6f6dffb5f96383e07194a226a575cf4c11b81730a57ea4c8423753c4cf7dc02cb2598fc2aafc0c4b0b695bd4c947921809ca3a6
- SSDEEP: 98304:JYsLCpbM7aFsTiyrkrGKsSdYNTQqv5uCtL2FdIjt4+gpitlCqg67g7xLxRWY:esL8bMRjrPKsSez5uIjVgpIlCq7g7XR5
Malware Config

Signatures

Stops running service(s) (3 TTPs)

Yara rule vmprotect matched three memory dumps of PID 3752 (resource / yara_rule):
- behavioral1/memory/3752-0-0x00007FF668E20000-0x00007FF6697C9000-memory.dmp: vmprotect
- behavioral1/memory/3752-4-0x00007FF668E20000-0x00007FF6697C9000-memory.dmp: vmprotect
- behavioral1/memory/3752-8-0x00007FF668E20000-0x00007FF6697C9000-memory.dmp: vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
- pid / Process: 3752 cOOla_unban.exe
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
- pid / Process: 2744 sc.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (taskmgr.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (taskmgr.exe)
Kills process with taskkill (5 IoCs)
- pid / Process: 3936 taskkill.exe, 2448 taskkill.exe, 1504 taskkill.exe, 4668 taskkill.exe, 4044 taskkill.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid / Process: 3752 cOOla_unban.exe (all 64 entries)

Suspicious use of AdjustPrivilegeToken (10 IoCs)
- Token: SeDebugPrivilege, 3936 taskkill.exe
- Token: SeDebugPrivilege, 2448 taskkill.exe
- Token: SeDebugPrivilege, 1504 taskkill.exe
- Token: SeDebugPrivilege, 4668 taskkill.exe
- Token: SeDebugPrivilege, 4044 taskkill.exe
- Token: SeDebugPrivilege, 2688 taskmgr.exe
- Token: SeSystemProfilePrivilege, 2688 taskmgr.exe
- Token: SeCreateGlobalPrivilege, 2688 taskmgr.exe
- Token: 33, 2688 taskmgr.exe
- Token: SeIncBasePriorityPrivilege, 2688 taskmgr.exe

Suspicious use of FindShellTrayWindow (44 IoCs)
- pid / Process: 2688 taskmgr.exe (all 44 entries)

Suspicious use of SendNotifyMessage (43 IoCs)
- pid / Process: 2688 taskmgr.exe (all 43 entries)

Suspicious use of WriteProcessMemory (34 IoCs; each of the 17 entries below is recorded twice in the report)
- PID 3752 (cOOla_unban.exe) wrote to memory of 2440, procid_target 93
- PID 3752 (cOOla_unban.exe) wrote to memory of 4460, procid_target 94
- PID 2440 (cmd.exe) wrote to memory of 3936, procid_target 95
- PID 4460 (cmd.exe) wrote to memory of 1932, procid_target 96
- PID 4460 (cmd.exe) wrote to memory of 1096, procid_target 97
- PID 4460 (cmd.exe) wrote to memory of 3332, procid_target 98
- PID 3752 (cOOla_unban.exe) wrote to memory of 4440, procid_target 99
- PID 4440 (cmd.exe) wrote to memory of 2448, procid_target 100
- PID 3752 (cOOla_unban.exe) wrote to memory of 1392, procid_target 101
- PID 1392 (cmd.exe) wrote to memory of 2744, procid_target 102
- PID 3752 (cOOla_unban.exe) wrote to memory of 4168, procid_target 103
- PID 4168 (cmd.exe) wrote to memory of 1504, procid_target 104
- PID 3752 (cOOla_unban.exe) wrote to memory of 4416, procid_target 105
- PID 4416 (cmd.exe) wrote to memory of 4668, procid_target 106
- PID 3752 (cOOla_unban.exe) wrote to memory of 4292, procid_target 108
- PID 4292 (cmd.exe) wrote to memory of 4044, procid_target 109
- PID 3752 (cOOla_unban.exe) wrote to memory of 5080, procid_target 111
Processes
(Indentation shows the process tree depth reported by the sandbox.)

C:\Users\Admin\AppData\Local\Temp\cOOla_unban.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cOOla_unban.exe"
  PID: 3752
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    PID: 2440
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\taskkill.exe
      Command line: taskkill /f /im HTTPDebuggerUI.exe
      PID: 3936
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\cOOla_unban.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    PID: 4460
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\certutil.exe
      Command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\cOOla_unban.exe" MD5
      PID: 1932

    C:\Windows\system32\find.exe
      Command line: find /i /v "md5"
      PID: 1096

    C:\Windows\system32\find.exe
      Command line: find /i /v "certutil"
      PID: 3332

  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    PID: 4440
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\taskkill.exe
      Command line: taskkill /f /im HTTPDebuggerSvc.exe
      PID: 2448
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    PID: 1392
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\sc.exe
      Command line: sc stop HTTPDebuggerPro
      PID: 2744
      - Launches sc.exe

  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    PID: 4168
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\taskkill.exe
      Command line: taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      PID: 1504
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    PID: 4416
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\taskkill.exe
      Command line: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      PID: 4668
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    PID: 4292
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\taskkill.exe
      Command line: taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      PID: 4044
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
    PID: 5080

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 2688
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage