Analysis
  max time kernel:  0s
  max time network: 33s
  platform:         windows10-2004_x64
  resource:         win10v2004-20231215-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        22/12/2023, 08:32
General
  Target: cOOla_unban.exe
  Size:   5.6MB
  MD5:    6857f16046fd533188f28606ae7586ab
  SHA1:   230bb3ad33960731a4ec637469197fe07d8c3234
  SHA256: b3cbb74a4236bd44bb4bdc9d3ce5515a52abb470804de9949818d5d4989cacc5
  SHA512: a5d8142c80d10cc9d5b4607ae6f6dffb5f96383e07194a226a575cf4c11b81730a57ea4c8423753c4cf7dc02cb2598fc2aafc0c4b0b695bd4c947921809ca3a6
  SSDEEP: 98304:JYsLCpbM7aFsTiyrkrGKsSdYNTQqv5uCtL2FdIjt4+gpitlCqg67g7xLxRWY:esL8bMRjrPKsSez5uIjVgpIlCq7g7XR5
Malware Config

Signatures

Stops running service(s) (3 TTPs)

  resource                                                                     yara_rule
  behavioral1/memory/4840-3-0x00007FF730EA0000-0x00007FF731849000-memory.dmp   vmprotect
  behavioral1/memory/4840-0-0x00007FF730EA0000-0x00007FF731849000-memory.dmp   vmprotect
  behavioral1/memory/4840-7-0x00007FF730EA0000-0x00007FF731849000-memory.dmp   vmprotect
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)

  pid    Process
  4840   cOOla_unban.exe

Launches sc.exe (1 IoC)

  Sc.exe is a Windows utility to control services on the system.

  pid    Process
  4312   sc.exe
Kills process with taskkill (5 IoCs)

  pid    Process
  4640   taskkill.exe
  1440   taskkill.exe
  2656   taskkill.exe
  4896   taskkill.exe
  3208   taskkill.exe
Suspicious behavior: EnumeratesProcesses (34 IoCs)

  pid    Process
  4840   cOOla_unban.exe   (the same pid/process pair is reported for all 34 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoC)

  description               pid    Process
  Token: SeDebugPrivilege   4896   taskkill.exe
Suspicious use of WriteProcessMemory (12 IoCs)

  description                        pid    Process            procid_target
  PID 4840 wrote to memory of 4880   4840   cOOla_unban.exe    92
  PID 4840 wrote to memory of 4880   4840   cOOla_unban.exe    92
  PID 4840 wrote to memory of 2088   4840   cOOla_unban.exe    94
  PID 4840 wrote to memory of 2088   4840   cOOla_unban.exe    94
  PID 2088 wrote to memory of 4256   2088   cmd.exe            93
  PID 2088 wrote to memory of 4256   2088   cmd.exe            93
  PID 2088 wrote to memory of 1484   2088   cmd.exe            96
  PID 2088 wrote to memory of 1484   2088   cmd.exe            96
  PID 2088 wrote to memory of 4292   2088   cmd.exe            95
  PID 2088 wrote to memory of 4292   2088   cmd.exe            95
  PID 4880 wrote to memory of 4896   4880   cmd.exe            97
  PID 4880 wrote to memory of 4896   4880   cmd.exe            97
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\cOOla_unban.exe  (PID 4840)
  command: "C:\Users\Admin\AppData\Local\Temp\cOOla_unban.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe  (PID 4880)
    command: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\taskkill.exe  (PID 4896)
      command: taskkill /f /im HTTPDebuggerUI.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe  (PID 2088)
    command: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\cOOla_unban.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\find.exe  (PID 4292)
      command: find /i /v "certutil"

    C:\Windows\system32\find.exe  (PID 1484)
      command: find /i /v "md5"

  C:\Windows\system32\cmd.exe  (PID 3188)
    command: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

    C:\Windows\system32\taskkill.exe  (PID 3208)
      command: taskkill /f /im HTTPDebuggerSvc.exe
      - Kills process with taskkill

  C:\Windows\system32\cmd.exe  (PID 4440)
    command: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

    C:\Windows\system32\sc.exe  (PID 4312)
      command: sc stop HTTPDebuggerPro
      - Launches sc.exe

  C:\Windows\system32\cmd.exe  (PID 3328)
    command: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

  C:\Windows\system32\cmd.exe  (PID 4656)
    command: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

  C:\Windows\system32\cmd.exe  (PID 1932)
    command: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\system32\certutil.exe  (PID 4256)
  command: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\cOOla_unban.exe" MD5

C:\Windows\system32\taskkill.exe  (PID 4640)
  command: taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
  - Kills process with taskkill

C:\Windows\system32\taskkill.exe  (PID 1440)
  command: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
  - Kills process with taskkill

C:\Windows\system32\taskkill.exe  (PID 2656)
  command: taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
  - Kills process with taskkill