a3ca4ac4e833741e37b6d52a6b769f352c94ae117f176f7b7c781985bb0cc2b1

Analysis

max time kernel
123s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 01:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3b9a9b563966720dddf985a894e6ba75.exe
Size

36KB
MD5

3b9a9b563966720dddf985a894e6ba75
SHA1

067fb625362303c5a4b45437bdb1e9e9d9f0d045
SHA256

a3ca4ac4e833741e37b6d52a6b769f352c94ae117f176f7b7c781985bb0cc2b1
SHA512

b7e8e27950840df02bb5b65540fb534ccb5003599f5ed867522bb7c98585048c3b761e22db088848f39f50a3a7aedc9f51932f6c929224a5549f0cac2ef7555b
SSDEEP

384:j/lq4MRc6oI1LCIXN/lTJW0mhwdwlo89NtRzDP043vWlWoE:xq4qoI1LCSJW0mhvljNtRvt3m

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Deletes itself 1 IoCs

pid	Process
2768	cmd.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2160	sc.exe
2932	sc.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2436	3b9a9b563966720dddf985a894e6ba75.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 1132	2436	3b9a9b563966720dddf985a894e6ba75.exe	28
PID 2436 wrote to memory of 1132	2436	3b9a9b563966720dddf985a894e6ba75.exe	28
PID 2436 wrote to memory of 1132	2436	3b9a9b563966720dddf985a894e6ba75.exe	28
PID 2436 wrote to memory of 1132	2436	3b9a9b563966720dddf985a894e6ba75.exe	28
PID 2436 wrote to memory of 2600	2436	3b9a9b563966720dddf985a894e6ba75.exe	29
PID 2436 wrote to memory of 2600	2436	3b9a9b563966720dddf985a894e6ba75.exe	29
PID 2436 wrote to memory of 2600	2436	3b9a9b563966720dddf985a894e6ba75.exe	29
PID 2436 wrote to memory of 2600	2436	3b9a9b563966720dddf985a894e6ba75.exe	29
PID 1132 wrote to memory of 2996	1132	net.exe	32
PID 1132 wrote to memory of 2996	1132	net.exe	32
PID 1132 wrote to memory of 2996	1132	net.exe	32
PID 1132 wrote to memory of 2996	1132	net.exe	32
PID 2600 wrote to memory of 1356	2600	net.exe	33
PID 2600 wrote to memory of 1356	2600	net.exe	33
PID 2600 wrote to memory of 1356	2600	net.exe	33
PID 2600 wrote to memory of 1356	2600	net.exe	33
PID 2436 wrote to memory of 2160	2436	3b9a9b563966720dddf985a894e6ba75.exe	34
PID 2436 wrote to memory of 2160	2436	3b9a9b563966720dddf985a894e6ba75.exe	34
PID 2436 wrote to memory of 2160	2436	3b9a9b563966720dddf985a894e6ba75.exe	34
PID 2436 wrote to memory of 2160	2436	3b9a9b563966720dddf985a894e6ba75.exe	34
PID 2436 wrote to memory of 2932	2436	3b9a9b563966720dddf985a894e6ba75.exe	35
PID 2436 wrote to memory of 2932	2436	3b9a9b563966720dddf985a894e6ba75.exe	35
PID 2436 wrote to memory of 2932	2436	3b9a9b563966720dddf985a894e6ba75.exe	35
PID 2436 wrote to memory of 2932	2436	3b9a9b563966720dddf985a894e6ba75.exe	35
PID 2436 wrote to memory of 2768	2436	3b9a9b563966720dddf985a894e6ba75.exe	39
PID 2436 wrote to memory of 2768	2436	3b9a9b563966720dddf985a894e6ba75.exe	39
PID 2436 wrote to memory of 2768	2436	3b9a9b563966720dddf985a894e6ba75.exe	39
PID 2436 wrote to memory of 2768	2436	3b9a9b563966720dddf985a894e6ba75.exe	39

C:\Users\Admin\AppData\Local\Temp\3b9a9b563966720dddf985a894e6ba75.exe
"C:\Users\Admin\AppData\Local\Temp\3b9a9b563966720dddf985a894e6ba75.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\SysWOW64\net.exe
  net stop wscsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop wscsvc
    3⤵
    PID:2996
- C:\Windows\SysWOW64\net.exe
  net stop sharedaccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sharedaccess
    3⤵
    PID:1356
- C:\Windows\SysWOW64\sc.exe
  sc delete wscsvc
  2⤵
  - Launches sc.exe
  PID:2160
- C:\Windows\SysWOW64\sc.exe
  sc delete sharedaccess
  2⤵
  - Launches sc.exe
  PID:2932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\3b9a9b563966720dddf985a894e6ba75.bat C:\Users\Admin\AppData\Local\Temp\3b9a9b563966720dddf985a894e6ba75.exe C:\Users\Admin\AppData\Local\Temp\3b9a9b563966720dddf985a894e6ba75.bat
  2⤵
  - Deletes itself
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3b9a9b563966720dddf985a894e6ba75.bat

Filesize
69B

MD5
e3b0a4ae48f7cfe95b51f8d3cfd329d0

SHA1
16d9435d895dcf1680baf5b8ebc6342f561af049

SHA256
90423a49e145f44c6cefc80ba4351d04a4eaaee2b86e38aad1d9927fbad3d7bf

SHA512
5abd674b6e8896bedacd7e0ae593d49771f5c5a036adab1963a37e38f5f2cf185b157d101e97c6e1572b5ae4dfcbfa0470871b2faa0a8d96c6dae19b1329b9f3

Download Submit
memory/2436-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download