Overview
overview
10Static
static
3Finals-Hack-main.exe
windows7-x64
8Finals-Hack-main.exe
windows10-2004-x64
10opengl32.dll
windows7-x64
1opengl32.dll
windows10-2004-x64
1profile/bo...s.html
windows7-x64
1profile/bo...s.html
windows10-2004-x64
1profile/ca...5.html
windows7-x64
1profile/ca...5.html
windows10-2004-x64
1profile/ca...3.html
windows7-x64
1profile/ca...3.html
windows10-2004-x64
10074E7EADB...8F2.js
windows7-x64
10074E7EADB...8F2.js
windows10-2004-x64
100BE7F9DA5...CA7.js
windows7-x64
100BE7F9DA5...CA7.js
windows10-2004-x64
100EE605E0E...8A7.js
windows7-x64
100EE605E0E...8A7.js
windows10-2004-x64
1profile/ca...9AD.js
windows7-x64
1profile/ca...9AD.js
windows10-2004-x64
101F3FC5B94...196.js
windows7-x64
101F3FC5B94...196.js
windows10-2004-x64
1031D7C56C6...D26.js
windows7-x64
1031D7C56C6...D26.js
windows10-2004-x64
1profile/ca...C42.js
windows7-x64
1profile/ca...C42.js
windows10-2004-x64
10453FDBE33...772.js
windows7-x64
10453FDBE33...772.js
windows10-2004-x64
1profile/ca...993.js
windows7-x64
1profile/ca...993.js
windows10-2004-x64
1profile/ca...79A.gz
windows7-x64
3profile/ca...79A.gz
windows10-2004-x64
7profile/ca...415.js
windows7-x64
1profile/ca...415.js
windows10-2004-x64
1Analysis
-
max time kernel
1s -
max time network
95s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
10/01/2024, 12:29
Static task
static1
Behavioral task
behavioral1
Sample
Finals-Hack-main.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
Finals-Hack-main.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
opengl32.dll
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
opengl32.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
profile/bookmarks.html
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
profile/bookmarks.html
Resource
win10v2004-20231222-en
Behavioral task
behavioral7
Sample
profile/cache2/doomed/285.html
Resource
win7-20231215-en
Behavioral task
behavioral8
Sample
profile/cache2/doomed/285.html
Resource
win10v2004-20231222-en
Behavioral task
behavioral9
Sample
profile/cache2/doomed/5823.html
Resource
win7-20231215-en
Behavioral task
behavioral10
Sample
profile/cache2/doomed/5823.html
Resource
win10v2004-20231222-en
Behavioral task
behavioral11
Sample
0074E7EADB9AF6975D36F41996674786A91D38F2.js
Resource
win7-20231129-en
Behavioral task
behavioral12
Sample
0074E7EADB9AF6975D36F41996674786A91D38F2.js
Resource
win10v2004-20231222-en
Behavioral task
behavioral13
Sample
00BE7F9DA523AB29705009AE318BC8D1EA1A1CA7.js
Resource
win7-20231215-en
Behavioral task
behavioral14
Sample
00BE7F9DA523AB29705009AE318BC8D1EA1A1CA7.js
Resource
win10v2004-20231215-en
Behavioral task
behavioral15
Sample
00EE605E0EFE18DE2959AF4F77D0FB4EC68B98A7.js
Resource
win7-20231215-en
Behavioral task
behavioral16
Sample
00EE605E0EFE18DE2959AF4F77D0FB4EC68B98A7.js
Resource
win10v2004-20231222-en
Behavioral task
behavioral17
Sample
profile/cache2/entries/010E3AB989ADBA95700DC330B0408A3E24B1B9AD.js
Resource
win7-20231215-en
Behavioral task
behavioral18
Sample
profile/cache2/entries/010E3AB989ADBA95700DC330B0408A3E24B1B9AD.js
Resource
win10v2004-20231215-en
Behavioral task
behavioral19
Sample
01F3FC5B949F3F17401995A81248637154FAA196.js
Resource
win7-20231215-en
Behavioral task
behavioral20
Sample
01F3FC5B949F3F17401995A81248637154FAA196.js
Resource
win10v2004-20231215-en
Behavioral task
behavioral21
Sample
031D7C56C6FB471AE5EF12487A9712C96B2D7D26.js
Resource
win7-20231215-en
Behavioral task
behavioral22
Sample
031D7C56C6FB471AE5EF12487A9712C96B2D7D26.js
Resource
win10v2004-20231215-en
Behavioral task
behavioral23
Sample
profile/cache2/entries/045303EF7EAD8BA16789BEC1A684893679CE6C42.js
Resource
win7-20231215-en
Behavioral task
behavioral24
Sample
profile/cache2/entries/045303EF7EAD8BA16789BEC1A684893679CE6C42.js
Resource
win10v2004-20231215-en
Behavioral task
behavioral25
Sample
0453FDBE339FFAC08D19DC5A3BAA262994C36772.js
Resource
win7-20231215-en
Behavioral task
behavioral26
Sample
0453FDBE339FFAC08D19DC5A3BAA262994C36772.js
Resource
win10v2004-20231215-en
Behavioral task
behavioral27
Sample
profile/cache2/entries/069AB8E0648CD57EE5B643E9F27C19E121B91993.js
Resource
win7-20231215-en
Behavioral task
behavioral28
Sample
profile/cache2/entries/069AB8E0648CD57EE5B643E9F27C19E121B91993.js
Resource
win10v2004-20231215-en
Behavioral task
behavioral29
Sample
profile/cache2/entries/0762816DDF82FA4D7AF3935CAF9C0FACBF9C379A.gz
Resource
win7-20231215-en
Behavioral task
behavioral30
Sample
profile/cache2/entries/0762816DDF82FA4D7AF3935CAF9C0FACBF9C379A.gz
Resource
win10v2004-20231222-en
Behavioral task
behavioral31
Sample
profile/cache2/entries/0A1250CA87E7D3AD993AEB6BBDC2690F21099415.js
Resource
win7-20231215-en
Behavioral task
behavioral32
Sample
profile/cache2/entries/0A1250CA87E7D3AD993AEB6BBDC2690F21099415.js
Resource
win10v2004-20231215-en
General
-
Target
Finals-Hack-main.exe
-
Size
58.2MB
-
MD5
00d14fa33fb1c9edd51ac7c47d2510f5
-
SHA1
5adf21e21622a439e211749823b54c01d8358e49
-
SHA256
b4b357887dfb39ceb3f3bf4c2c6e54839680a51befa3ef4e6b5ac5692b4d0df0
-
SHA512
b03726dd3b52541e203448e858a12765df2dc1a57086e945c0bbb15ba73fd9e6cde9ad41e69442856617cc8890c0ae1955b7b71d8c5f7fc562426fe05ba9cf46
-
SSDEEP
393216:u7SMdOjyyS2g0fxhOqy9goMLsADn0xIdunHm+:uFb2glA7L52nG+
Malware Config
Signatures
-
Creates new service(s) 1 TTPs
-
Stops running service(s) 3 TTPs
-
resource yara_rule behavioral1/memory/2368-86-0x000000013FD70000-0x0000000140A91000-memory.dmp vmprotect behavioral1/memory/2368-112-0x000000013FD70000-0x0000000140A91000-memory.dmp vmprotect behavioral1/memory/1156-121-0x000000013F600000-0x0000000140321000-memory.dmp vmprotect behavioral1/memory/1156-117-0x000000013F600000-0x0000000140321000-memory.dmp vmprotect -
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 596 sc.exe 1964 sc.exe 888 sc.exe 2304 sc.exe 480 sc.exe 2992 sc.exe 568 sc.exe 1816 sc.exe 1084 sc.exe 1872 sc.exe 1516 sc.exe 2052 sc.exe 852 sc.exe 304 sc.exe -
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc HTTP User-Agent header 6 Go-http-client/1.1 -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2848 wrote to memory of 944 2848 Finals-Hack-main.exe 29 PID 2848 wrote to memory of 944 2848 Finals-Hack-main.exe 29 PID 2848 wrote to memory of 944 2848 Finals-Hack-main.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\Finals-Hack-main.exe"C:\Users\Admin\AppData\Local\Temp\Finals-Hack-main.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\""2⤵PID:944
-
-
C:\Windows\System32\Wbem\wmic.exewmic csproduct get uuid2⤵PID:2688
-
-
C:\Users\Admin\AppData\Roaming\driver3.exeC:\Users\Admin\AppData\Roaming\driver3.exe2⤵PID:1848
-
-
C:\Users\Admin\AppData\Roaming\driver1.exeC:\Users\Admin\AppData\Roaming\driver1.exe2⤵PID:1856
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe3⤵PID:1760
-
-
-
C:\Users\Admin\AppData\Roaming\driver2.exeC:\Users\Admin\AppData\Roaming\driver2.exe2⤵PID:2368
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "XSVRRPDE"3⤵
- Launches sc.exe
PID:1084
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "XSVRRPDE"3⤵
- Launches sc.exe
PID:1816
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
PID:1516
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "XSVRRPDE" binpath= "C:\ProgramData\urumgbrirqvd\nujvppwoatti.exe" start= "auto"3⤵
- Launches sc.exe
PID:2052
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 03⤵PID:1444
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 03⤵PID:280
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 03⤵PID:2096
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 03⤵PID:620
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc3⤵
- Launches sc.exe
PID:852
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits3⤵
- Launches sc.exe
PID:304
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv3⤵
- Launches sc.exe
PID:480
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:596
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc3⤵
- Launches sc.exe
PID:1964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵PID:1960
-
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵PID:1196
-
-
-
C:\ProgramData\urumgbrirqvd\nujvppwoatti.exeC:\ProgramData\urumgbrirqvd\nujvppwoatti.exe1⤵PID:1156
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵PID:1168
-
-
C:\Windows\system32\svchost.exesvchost.exe2⤵PID:2632
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:2032
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵PID:2356
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵PID:1604
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵PID:1724
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵PID:2092
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
PID:1872
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
PID:888
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
PID:2992
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:2304
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
PID:568
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:1776
-
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart1⤵PID:1504
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart1⤵PID:604
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"1⤵PID:2864