Analysis

  • max time kernel
    1s
  • max time network
    95s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
  • submitted
    10/01/2024, 12:29

General

  • Target

    Finals-Hack-main.exe

  • Size

    58.2MB

  • MD5

    00d14fa33fb1c9edd51ac7c47d2510f5

  • SHA1

    5adf21e21622a439e211749823b54c01d8358e49

  • SHA256

    b4b357887dfb39ceb3f3bf4c2c6e54839680a51befa3ef4e6b5ac5692b4d0df0

  • SHA512

    b03726dd3b52541e203448e858a12765df2dc1a57086e945c0bbb15ba73fd9e6cde9ad41e69442856617cc8890c0ae1955b7b71d8c5f7fc562426fe05ba9cf46

  • SSDEEP

    393216:u7SMdOjyyS2g0fxhOqy9goMLsADn0xIdunHm+:uFb2glA7L52nG+

Malware Config

Signatures

  • Creates new service(s) 1 TTPs
  • Stops running service(s) 3 TTPs
  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Finals-Hack-main.exe
    "C:\Users\Admin\AppData\Local\Temp\Finals-Hack-main.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\""
      2⤵
      PID:944
    • C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get uuid
      2⤵
      PID:2688
    • C:\Users\Admin\AppData\Roaming\driver3.exe
      C:\Users\Admin\AppData\Roaming\driver3.exe
      2⤵
      PID:1848
    • C:\Users\Admin\AppData\Roaming\driver1.exe
      C:\Users\Admin\AppData\Roaming\driver1.exe
      2⤵
      PID:1856
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        3⤵
        PID:1760
    • C:\Users\Admin\AppData\Roaming\driver2.exe
      C:\Users\Admin\AppData\Roaming\driver2.exe
      2⤵
      PID:2368
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe delete "XSVRRPDE"
        3⤵
        • Launches sc.exe
        PID:1084
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe start "XSVRRPDE"
        3⤵
        • Launches sc.exe
        PID:1816
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop eventlog
        3⤵
        • Launches sc.exe
        PID:1516
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe create "XSVRRPDE" binpath= "C:\ProgramData\urumgbrirqvd\nujvppwoatti.exe" start= "auto"
        3⤵
        • Launches sc.exe
        PID:2052
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        3⤵
        PID:1444
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        3⤵
        PID:280
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        3⤵
        PID:2096
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        3⤵
        PID:620
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop dosvc
        3⤵
        • Launches sc.exe
        PID:852
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop bits
        3⤵
        • Launches sc.exe
        PID:304
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop wuauserv
        3⤵
        • Launches sc.exe
        PID:480
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        3⤵
        • Launches sc.exe
        PID:596
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop UsoSvc
        3⤵
        • Launches sc.exe
        PID:1964
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        3⤵
        PID:1960
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        3⤵
        PID:1196
  • C:\ProgramData\urumgbrirqvd\nujvppwoatti.exe
    C:\ProgramData\urumgbrirqvd\nujvppwoatti.exe
    1⤵
    PID:1156
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      2⤵
      PID:1168
    • C:\Windows\system32\svchost.exe
      svchost.exe
      2⤵
      PID:2632
    • C:\Windows\system32\conhost.exe
      C:\Windows\system32\conhost.exe
      2⤵
      PID:2032
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      2⤵
      PID:2356
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      2⤵
      PID:1604
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      2⤵
      PID:1724
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      2⤵
      PID:2092
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      2⤵
      • Launches sc.exe
      PID:1872
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      2⤵
      • Launches sc.exe
      PID:888
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      2⤵
      • Launches sc.exe
      PID:2992
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      2⤵
      • Launches sc.exe
      PID:2304
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      2⤵
      • Launches sc.exe
      PID:568
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      2⤵
      PID:1776
  • C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    1⤵
    PID:1504
  • C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    1⤵
    PID:604
  • C:\Windows\SysWOW64\dialer.exe
    "C:\Windows\system32\dialer.exe"
    1⤵
    PID:2864

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/944-11-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp (Filesize 9.6MB)
  • memory/944-7-0x0000000002CC0000-0x0000000002D40000-memory.dmp (Filesize 512KB)
  • memory/944-6-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp (Filesize 9.6MB)
  • memory/944-10-0x0000000002CC0000-0x0000000002D40000-memory.dmp (Filesize 512KB)
  • memory/944-9-0x0000000002CC0000-0x0000000002D40000-memory.dmp (Filesize 512KB)
  • memory/944-8-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp (Filesize 9.6MB)
  • memory/944-4-0x000000001B6A0000-0x000000001B982000-memory.dmp (Filesize 2.9MB)
  • memory/944-5-0x00000000029E0000-0x00000000029E8000-memory.dmp (Filesize 32KB)
  • memory/1156-121-0x000000013F600000-0x0000000140321000-memory.dmp (Filesize 13.1MB)
  • memory/1156-145-0x00000000775A0000-0x0000000077749000-memory.dmp (Filesize 1.7MB)
  • memory/1156-143-0x000000013F600000-0x0000000140321000-memory.dmp (Filesize 13.1MB)
  • memory/1156-122-0x00000000775A0000-0x0000000077749000-memory.dmp (Filesize 1.7MB)
  • memory/1156-117-0x000000013F600000-0x0000000140321000-memory.dmp (Filesize 13.1MB)
  • memory/1156-120-0x0000000077750000-0x0000000077752000-memory.dmp (Filesize 8KB)
  • memory/1168-124-0x000007FEF4E60000-0x000007FEF57FD000-memory.dmp (Filesize 9.6MB)
  • memory/1168-130-0x000000000150B000-0x0000000001572000-memory.dmp (Filesize 412KB)
  • memory/1168-129-0x0000000001500000-0x0000000001580000-memory.dmp (Filesize 512KB)
  • memory/1168-127-0x0000000001500000-0x0000000001580000-memory.dmp (Filesize 512KB)
  • memory/1168-126-0x000007FEF4E60000-0x000007FEF57FD000-memory.dmp (Filesize 9.6MB)
  • memory/1168-128-0x000007FEF4E60000-0x000007FEF57FD000-memory.dmp (Filesize 9.6MB)
  • memory/1168-125-0x0000000001500000-0x0000000001580000-memory.dmp (Filesize 512KB)
  • memory/1196-102-0x0000000002B10000-0x0000000002B90000-memory.dmp (Filesize 512KB)
  • memory/1196-99-0x000000001B680000-0x000000001B962000-memory.dmp (Filesize 2.9MB)
  • memory/1196-104-0x0000000002B10000-0x0000000002B90000-memory.dmp (Filesize 512KB)
  • memory/1196-103-0x000007FEF5800000-0x000007FEF619D000-memory.dmp (Filesize 9.6MB)
  • memory/1196-101-0x0000000001DA0000-0x0000000001DA8000-memory.dmp (Filesize 32KB)
  • memory/1196-100-0x000007FEF5800000-0x000007FEF619D000-memory.dmp (Filesize 9.6MB)
  • memory/1196-106-0x0000000002B10000-0x0000000002B90000-memory.dmp (Filesize 512KB)
  • memory/1196-105-0x0000000002B10000-0x0000000002B90000-memory.dmp (Filesize 512KB)
  • memory/1196-107-0x000007FEF5800000-0x000007FEF619D000-memory.dmp (Filesize 9.6MB)
  • memory/1760-163-0x00000000000D0000-0x0000000000158000-memory.dmp (Filesize 544KB)
  • memory/1760-165-0x0000000003040000-0x0000000003440000-memory.dmp (Filesize 4.0MB)
  • memory/1760-167-0x0000000003040000-0x0000000003440000-memory.dmp (Filesize 4.0MB)
  • memory/1760-170-0x0000000003040000-0x0000000003440000-memory.dmp (Filesize 4.0MB)
  • memory/1760-171-0x0000000076170000-0x00000000761B7000-memory.dmp (Filesize 284KB)
  • memory/1760-174-0x0000000003040000-0x0000000003440000-memory.dmp (Filesize 4.0MB)
  • memory/1760-168-0x00000000775A0000-0x0000000077749000-memory.dmp (Filesize 1.7MB)
  • memory/1760-166-0x0000000003040000-0x0000000003440000-memory.dmp (Filesize 4.0MB)
  • memory/1760-157-0x00000000000D0000-0x0000000000158000-memory.dmp (Filesize 544KB)
  • memory/1760-159-0x00000000000D0000-0x0000000000158000-memory.dmp (Filesize 544KB)
  • memory/1760-160-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize 4KB)
  • memory/1760-164-0x00000000000D0000-0x0000000000158000-memory.dmp (Filesize 544KB)
  • memory/1856-161-0x000000013FD70000-0x000000014002A000-memory.dmp (Filesize 2.7MB)
  • memory/2032-132-0x0000000140000000-0x000000014000E000-memory.dmp (Filesize 56KB)
  • memory/2032-135-0x0000000140000000-0x000000014000E000-memory.dmp (Filesize 56KB)
  • memory/2032-137-0x0000000140000000-0x000000014000E000-memory.dmp (Filesize 56KB)
  • memory/2032-134-0x0000000140000000-0x000000014000E000-memory.dmp (Filesize 56KB)
  • memory/2032-133-0x0000000140000000-0x000000014000E000-memory.dmp (Filesize 56KB)
  • memory/2032-131-0x0000000140000000-0x000000014000E000-memory.dmp (Filesize 56KB)
  • memory/2368-85-0x0000000077750000-0x0000000077752000-memory.dmp (Filesize 8KB)
  • memory/2368-90-0x0000000077750000-0x0000000077752000-memory.dmp (Filesize 8KB)
  • memory/2368-114-0x00000000775A0000-0x0000000077749000-memory.dmp (Filesize 1.7MB)
  • memory/2368-112-0x000000013FD70000-0x0000000140A91000-memory.dmp (Filesize 13.1MB)
  • memory/2368-86-0x000000013FD70000-0x0000000140A91000-memory.dmp (Filesize 13.1MB)
  • memory/2368-88-0x0000000077750000-0x0000000077752000-memory.dmp (Filesize 8KB)
  • memory/2368-92-0x00000000775A0000-0x0000000077749000-memory.dmp (Filesize 1.7MB)
  • memory/2632-153-0x0000000140000000-0x0000000140848000-memory.dmp (Filesize 8.3MB)
  • memory/2632-144-0x0000000140000000-0x0000000140848000-memory.dmp (Filesize 8.3MB)
  • memory/2632-140-0x0000000140000000-0x0000000140848000-memory.dmp (Filesize 8.3MB)
  • memory/2632-148-0x00000000000B0000-0x00000000000D0000-memory.dmp (Filesize 128KB)
  • memory/2632-152-0x0000000140000000-0x0000000140848000-memory.dmp (Filesize 8.3MB)
  • memory/2632-139-0x0000000140000000-0x0000000140848000-memory.dmp (Filesize 8.3MB)
  • memory/2632-154-0x0000000140000000-0x0000000140848000-memory.dmp (Filesize 8.3MB)
  • memory/2632-141-0x0000000140000000-0x0000000140848000-memory.dmp (Filesize 8.3MB)
  • memory/2632-142-0x0000000140000000-0x0000000140848000-memory.dmp (Filesize 8.3MB)
  • memory/2632-183-0x0000000140000000-0x0000000140848000-memory.dmp (Filesize 8.3MB)
  • memory/2632-150-0x0000000140000000-0x0000000140848000-memory.dmp (Filesize 8.3MB)
  • memory/2632-147-0x0000000140000000-0x0000000140848000-memory.dmp (Filesize 8.3MB)
  • memory/2632-146-0x0000000140000000-0x0000000140848000-memory.dmp (Filesize 8.3MB)
  • memory/2632-151-0x0000000140000000-0x0000000140848000-memory.dmp (Filesize 8.3MB)
  • memory/2864-176-0x0000000001E00000-0x0000000002200000-memory.dmp (Filesize 4.0MB)
  • memory/2864-172-0x0000000000080000-0x0000000000089000-memory.dmp (Filesize 36KB)
  • memory/2864-180-0x0000000076170000-0x00000000761B7000-memory.dmp (Filesize 284KB)
  • memory/2864-182-0x0000000001E00000-0x0000000002200000-memory.dmp (Filesize 4.0MB)
  • memory/2864-181-0x00000000775A0000-0x0000000077749000-memory.dmp (Filesize 1.7MB)
  • memory/2864-179-0x0000000001E00000-0x0000000002200000-memory.dmp (Filesize 4.0MB)
  • memory/2864-177-0x00000000775A0000-0x0000000077749000-memory.dmp (Filesize 1.7MB)