967e7d816b6ec752b3d99256dacc0216af80f63046f36d4db699c90219c17ae5

Analysis

max time kernel
120s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

memorium.exe
Size

1.6MB
MD5

c4ee913e290d76916d7e7658049491a5
SHA1

9e3e83c128e51a3f8b9a044957a390429e6b5e29
SHA256

967e7d816b6ec752b3d99256dacc0216af80f63046f36d4db699c90219c17ae5
SHA512

06aabdc66e26f2c2f66314cbcb7f7ae8735fd57f4b51778d7866a3a5272b58d15e724b2c4f7cced20614edbb056d6fee82a76828288908cffbc772ab95dbb5f1
SSDEEP

24576:vbw+7NLKcPZFML5xxIOUyTyPUz977wsAKaBApkF77RpoCgfdt6on7iuk77DNj:jwuYLZIYyPUzJAKrq6hp+ZDN

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2208	memorium.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3044	sc.exe
1956	sc.exe
2700	sc.exe

Kills process with taskkill 16 IoCs

evasion

pid	Process
2236	taskkill.exe
2948	taskkill.exe
2996	taskkill.exe
2772	taskkill.exe
564	taskkill.exe
1160	taskkill.exe
2732	taskkill.exe
2572	taskkill.exe
2632	taskkill.exe
1976	taskkill.exe
2824	taskkill.exe
2928	taskkill.exe
336	taskkill.exe
2100	taskkill.exe
2620	taskkill.exe
592	taskkill.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2208	memorium.exe
2208	memorium.exe
2208	memorium.exe
2208	memorium.exe
2208	memorium.exe
2208	memorium.exe
2208	memorium.exe
2208	memorium.exe
2208	memorium.exe
2208	memorium.exe
2208	memorium.exe
2208	memorium.exe
2208	memorium.exe
2208	memorium.exe
2208	memorium.exe
2208	memorium.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	2824	taskkill.exe
Token: SeDebugPrivilege	2100	taskkill.exe
Token: SeDebugPrivilege	2928	taskkill.exe
Token: SeDebugPrivilege	2732	taskkill.exe
Token: SeDebugPrivilege	2572	taskkill.exe
Token: SeDebugPrivilege	2632	taskkill.exe
Token: SeDebugPrivilege	2236	taskkill.exe
Token: SeDebugPrivilege	336	taskkill.exe
Token: SeDebugPrivilege	2948	taskkill.exe
Token: SeDebugPrivilege	2772	taskkill.exe
Token: SeDebugPrivilege	2996	taskkill.exe
Token: SeDebugPrivilege	564	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2496	2208	memorium.exe	29
PID 2208 wrote to memory of 2496	2208	memorium.exe	29
PID 2208 wrote to memory of 2496	2208	memorium.exe	29
PID 2496 wrote to memory of 1160	2496	cmd.exe	30
PID 2496 wrote to memory of 1160	2496	cmd.exe	30
PID 2496 wrote to memory of 1160	2496	cmd.exe	30
PID 2208 wrote to memory of 2900	2208	memorium.exe	32
PID 2208 wrote to memory of 2900	2208	memorium.exe	32
PID 2208 wrote to memory of 2900	2208	memorium.exe	32
PID 2900 wrote to memory of 2824	2900	cmd.exe	33
PID 2900 wrote to memory of 2824	2900	cmd.exe	33
PID 2900 wrote to memory of 2824	2900	cmd.exe	33
PID 2208 wrote to memory of 3064	2208	memorium.exe	34
PID 2208 wrote to memory of 3064	2208	memorium.exe	34
PID 2208 wrote to memory of 3064	2208	memorium.exe	34
PID 3064 wrote to memory of 2700	3064	cmd.exe	35
PID 3064 wrote to memory of 2700	3064	cmd.exe	35
PID 3064 wrote to memory of 2700	3064	cmd.exe	35
PID 2208 wrote to memory of 2976	2208	memorium.exe	36
PID 2208 wrote to memory of 2976	2208	memorium.exe	36
PID 2208 wrote to memory of 2976	2208	memorium.exe	36
PID 2976 wrote to memory of 2100	2976	cmd.exe	37
PID 2976 wrote to memory of 2100	2976	cmd.exe	37
PID 2976 wrote to memory of 2100	2976	cmd.exe	37
PID 2208 wrote to memory of 2092	2208	memorium.exe	38
PID 2208 wrote to memory of 2092	2208	memorium.exe	38
PID 2208 wrote to memory of 2092	2208	memorium.exe	38
PID 2092 wrote to memory of 2928	2092	cmd.exe	39
PID 2092 wrote to memory of 2928	2092	cmd.exe	39
PID 2092 wrote to memory of 2928	2092	cmd.exe	39
PID 2208 wrote to memory of 2272	2208	memorium.exe	40
PID 2208 wrote to memory of 2272	2208	memorium.exe	40
PID 2208 wrote to memory of 2272	2208	memorium.exe	40
PID 2272 wrote to memory of 2732	2272	cmd.exe	41
PID 2272 wrote to memory of 2732	2272	cmd.exe	41
PID 2272 wrote to memory of 2732	2272	cmd.exe	41
PID 2208 wrote to memory of 2740	2208	memorium.exe	42
PID 2208 wrote to memory of 2740	2208	memorium.exe	42
PID 2208 wrote to memory of 2740	2208	memorium.exe	42
PID 2740 wrote to memory of 2572	2740	cmd.exe	43
PID 2740 wrote to memory of 2572	2740	cmd.exe	43
PID 2740 wrote to memory of 2572	2740	cmd.exe	43
PID 2208 wrote to memory of 2612	2208	memorium.exe	44
PID 2208 wrote to memory of 2612	2208	memorium.exe	44
PID 2208 wrote to memory of 2612	2208	memorium.exe	44
PID 2612 wrote to memory of 2632	2612	cmd.exe	45
PID 2612 wrote to memory of 2632	2612	cmd.exe	45
PID 2612 wrote to memory of 2632	2612	cmd.exe	45
PID 2208 wrote to memory of 2276	2208	memorium.exe	46
PID 2208 wrote to memory of 2276	2208	memorium.exe	46
PID 2208 wrote to memory of 2276	2208	memorium.exe	46
PID 2276 wrote to memory of 2620	2276	cmd.exe	47
PID 2276 wrote to memory of 2620	2276	cmd.exe	47
PID 2276 wrote to memory of 2620	2276	cmd.exe	47
PID 2208 wrote to memory of 1384	2208	memorium.exe	48
PID 2208 wrote to memory of 1384	2208	memorium.exe	48
PID 2208 wrote to memory of 1384	2208	memorium.exe	48
PID 1384 wrote to memory of 1976	1384	cmd.exe	49
PID 1384 wrote to memory of 1976	1384	cmd.exe	49
PID 1384 wrote to memory of 1976	1384	cmd.exe	49
PID 2208 wrote to memory of 2552	2208	memorium.exe	50
PID 2208 wrote to memory of 2552	2208	memorium.exe	50
PID 2208 wrote to memory of 2552	2208	memorium.exe	50
PID 2552 wrote to memory of 2236	2552	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\memorium.exe
"C:\Users\Admin\AppData\Local\Temp\memorium.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im epicgameslauncher.exe > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im epicgameslauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im EpicWebHelper.exe > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicWebHelper.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient - Win64 - Shipping_EAC.exe > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient - Win64 - Shipping_EAC.exe
    3⤵
    - Kills process with taskkill
    PID:2620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient - Win64 - Shipping_BE.exe > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient - Win64 - Shipping_BE.exe
    3⤵
    - Kills process with taskkill
    PID:1976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher.exe > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient - Win64 - Shipping.exe > nul
  2⤵
  PID:548
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient - Win64 - Shipping.exe
    3⤵
    - Kills process with taskkill
    PID:592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe > nul
  2⤵
  PID:680
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im EasyAntiCheat.exe > nul
  2⤵
  PID:2852
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EasyAntiCheat.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im BEService.exe > nul
  2⤵
  PID:2880
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BEService.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im BEServices.exe > nul
  2⤵
  PID:2992
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BEServices.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im BattleEye.exe > nul
  2⤵
  PID:1496
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BattleEye.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop BattlEye Service
  2⤵
  PID:2804
- - C:\Windows\system32\sc.exe
    sc stop BattlEye Service
    3⤵
    - Launches sc.exe
    PID:3044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheat
  2⤵
  PID:1984
- - C:\Windows\system32\sc.exe
    sc stop EasyAntiCheat
    3⤵
    - Launches sc.exe
    PID:1956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Windows 7 deprecation

Loading Replay Monitor...