8df8f59c744cc74d93092dfa06a2b68906c0434ad20292414aedfb4c0d929d6e

Analysis

max time kernel
65s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
18/01/2024, 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Celex (cracked).exe
Size

2.7MB
MD5

7b0750070fed30ea3e66de3c90abf68d
SHA1

0d657289adf669f3b0c9c6ef643997d56c79531a
SHA256

8df8f59c744cc74d93092dfa06a2b68906c0434ad20292414aedfb4c0d929d6e
SHA512

c8f9110a233535faec6902940f119e85486ae9c901b954f9e950b04cd960f859c434376fa52a08bd7c7a3bd82842bbdaae88527cda93ca1e8cf6a2590bc443a6
SSDEEP

49152:sMzZR3CQk3a8iUqvra6DsSlxLqX16wx+VqWiozcU4+zA5B41/vjlPnqVffwLRJ5B:sSZR7kKTvrrxL66faozdhzAgsRfuRJ5B

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	Celex (cracked).exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2812	sc.exe
3388	sc.exe
1676	sc.exe
1296	sc.exe
400	sc.exe
3664	sc.exe
4044	sc.exe
688	sc.exe
3008	sc.exe
3860	sc.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4360	Celex (cracked).exe
1848	powershell.exe
1848	powershell.exe
4360	Celex (cracked).exe
4360	Celex (cracked).exe
4360	Celex (cracked).exe
4360	Celex (cracked).exe
4360	Celex (cracked).exe
4360	Celex (cracked).exe
4360	Celex (cracked).exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1848	powershell.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 4184	2312	cmd.exe	92
PID 2312 wrote to memory of 4184	2312	cmd.exe	92
PID 4360 wrote to memory of 3292	4360	Celex (cracked).exe	98
PID 4360 wrote to memory of 3292	4360	Celex (cracked).exe	98
PID 4360 wrote to memory of 3292	4360	Celex (cracked).exe	98

C:\Users\Admin\AppData\Local\Temp\Celex (cracked).exe
"C:\Users\Admin\AppData\Local\Temp\Celex (cracked).exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4184
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:3388
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1676
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:3860
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1296
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "RQZMZQAE"
  2⤵
  - Launches sc.exe
  PID:400
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:3292
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "RQZMZQAE" binpath= "C:\ProgramData\CelexCRACKED" start= "auto"
  2⤵
  - Launches sc.exe
  PID:3664
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "RQZMZQAE"
  2⤵
  - Launches sc.exe
  PID:4044
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:688

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
1⤵
PID:4536

C:\ProgramData\CelexCRACKED
C:\ProgramData\CelexCRACKED
1⤵
PID:2588
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3048
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2860

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4460

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4324

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CelexCRACKED

Filesize
204KB

MD5
36df31900e889a4099b2d60bcc6f42c9

SHA1
f7271e33da7e60da1b54408325a94fe0d40f504a

SHA256
770e14f5728475c70b11f5a0c5577913085ed1c8191597126992633a1361ec7b

SHA512
239d46296c9d84c65d1c05661b7b21cb2a4904a888b755ab52da9be0080c83385ecac9a61670a799db18d30c408b7da95243221ec0d96160968cd9ed153048d9

Download Submit
C:\ProgramData\CelexCRACKED

Filesize
181KB

MD5
fb8d4da9a08ac91f94077dd9d9fb3c75

SHA1
6911f85b1b0319d38482733370bb78b663062dd8

SHA256
ada2be8c01a49dae0756ec49da2711d26c19dad2ea2263272a28b0dd4798dbed

SHA512
ca421782f14b44d7ec9578d65efc96e1f22917de7fbfe309bbcb1418b12599036b14d88613415717c6730dc0e879daa5222607463fb936b027972bf11a53611a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_105zels5.sj0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
4KB

MD5
7da4ddde490bb65c402bf05d11f619b5

SHA1
8449bfe6190a7564108ffcec52824699ab339883

SHA256
6aa519846c77845366cc5e9ba0292c18e3fa271b0b3a2fbfb83c0c27c3d57f31

SHA512
d967bdbaff2f7bf7fe33fd0731c3516a2e08fa67e682dd6f9b3b62ba3b25c9683cf4200060ae237fc1c04b4936f6861ca4ac83704756ac2a0c228e9e30b49774

Download Submit
memory/436-56-0x00007FFD72163000-0x00007FFD72164000-memory.dmp

Filesize
4KB

Download
memory/436-46-0x00000231019D0000-0x00000231019FB000-memory.dmp

Filesize
172KB

Download
memory/436-39-0x00000231019D0000-0x00000231019FB000-memory.dmp

Filesize
172KB

Download
memory/436-52-0x00007FFD72166000-0x00007FFD72167000-memory.dmp

Filesize
4KB

Download
memory/436-51-0x00007FFD72164000-0x00007FFD72165000-memory.dmp

Filesize
4KB

Download
memory/464-55-0x00000271B4350000-0x00000271B437B000-memory.dmp

Filesize
172KB

Download
memory/464-48-0x00007FFD32150000-0x00007FFD32160000-memory.dmp

Filesize
64KB

Download
memory/464-45-0x00000271B4350000-0x00000271B437B000-memory.dmp

Filesize
172KB

Download
memory/632-88-0x000001EBC36B0000-0x000001EBC36DB000-memory.dmp

Filesize
172KB

Download
memory/632-87-0x00007FFD32150000-0x00007FFD32160000-memory.dmp

Filesize
64KB

Download
memory/632-37-0x00007FFD72166000-0x00007FFD72167000-memory.dmp

Filesize
4KB

Download
memory/632-31-0x000001EBC36B0000-0x000001EBC36DB000-memory.dmp

Filesize
172KB

Download
memory/632-27-0x000001EBC3680000-0x000001EBC36A4000-memory.dmp

Filesize
144KB

Download
memory/632-34-0x00007FFD72163000-0x00007FFD72164000-memory.dmp

Filesize
4KB

Download
memory/692-32-0x000001F1B88E0000-0x000001F1B890B000-memory.dmp

Filesize
172KB

Download
memory/692-43-0x00007FFD72164000-0x00007FFD72165000-memory.dmp

Filesize
4KB

Download
memory/692-35-0x00007FFD32150000-0x00007FFD32160000-memory.dmp

Filesize
64KB

Download
memory/692-41-0x000001F1B88E0000-0x000001F1B890B000-memory.dmp

Filesize
172KB

Download
memory/948-61-0x00007FFD32150000-0x00007FFD32160000-memory.dmp

Filesize
64KB

Download
memory/948-99-0x000002415F9B0000-0x000002415F9DB000-memory.dmp

Filesize
172KB

Download
memory/948-62-0x000002415F9B0000-0x000002415F9DB000-memory.dmp

Filesize
172KB

Download
memory/948-59-0x000002415F9B0000-0x000002415F9DB000-memory.dmp

Filesize
172KB

Download
memory/980-49-0x000001F02FE60000-0x000001F02FE8B000-memory.dmp

Filesize
172KB

Download
memory/980-42-0x000001F02FE60000-0x000001F02FE8B000-memory.dmp

Filesize
172KB

Download
memory/980-44-0x00007FFD32150000-0x00007FFD32160000-memory.dmp

Filesize
64KB

Download
memory/1048-109-0x0000019466140000-0x000001946616B000-memory.dmp

Filesize
172KB

Download
memory/1048-68-0x00007FFD32150000-0x00007FFD32160000-memory.dmp

Filesize
64KB

Download
memory/1048-66-0x0000019466140000-0x000001946616B000-memory.dmp

Filesize
172KB

Download
memory/1056-69-0x0000029058BB0000-0x0000029058BDB000-memory.dmp

Filesize
172KB

Download
memory/1056-130-0x0000029058BB0000-0x0000029058BDB000-memory.dmp

Filesize
172KB

Download
memory/1056-73-0x00007FFD32150000-0x00007FFD32160000-memory.dmp

Filesize
64KB

Download
memory/1072-72-0x00007FFD32150000-0x00007FFD32160000-memory.dmp

Filesize
64KB

Download
memory/1072-70-0x000001D3339B0000-0x000001D3339DB000-memory.dmp

Filesize
172KB

Download
memory/1072-139-0x000001D3339B0000-0x000001D3339DB000-memory.dmp

Filesize
172KB

Download
memory/1148-143-0x000001F255E90000-0x000001F255EBB000-memory.dmp

Filesize
172KB

Download
memory/1148-75-0x000001F255E90000-0x000001F255EBB000-memory.dmp

Filesize
172KB

Download
memory/1148-79-0x00007FFD32150000-0x00007FFD32160000-memory.dmp

Filesize
64KB

Download
memory/1148-81-0x000001F255E90000-0x000001F255EBB000-memory.dmp

Filesize
172KB

Download
memory/1252-95-0x00007FFD32150000-0x00007FFD32160000-memory.dmp

Filesize
64KB

Download
memory/1252-89-0x0000021C8A970000-0x0000021C8A99B000-memory.dmp

Filesize
172KB

Download
memory/1280-93-0x000002171C860000-0x000002171C88B000-memory.dmp

Filesize
172KB

Download
memory/1280-96-0x00007FFD32150000-0x00007FFD32160000-memory.dmp

Filesize
64KB

Download
memory/1316-104-0x000002B559E90000-0x000002B559EBB000-memory.dmp

Filesize
172KB

Download
memory/1332-120-0x0000025B9F990000-0x0000025B9F9BB000-memory.dmp

Filesize
172KB

Download
memory/1848-15-0x00007FFD50F90000-0x00007FFD51A52000-memory.dmp

Filesize
10.8MB

Download
memory/1848-9-0x00007FFD50F90000-0x00007FFD51A52000-memory.dmp

Filesize
10.8MB

Download
memory/1848-12-0x0000024F70800000-0x0000024F70810000-memory.dmp

Filesize
64KB

Download
memory/1848-8-0x0000024F70810000-0x0000024F70832000-memory.dmp

Filesize
136KB

Download
memory/1848-11-0x0000024F70800000-0x0000024F70810000-memory.dmp

Filesize
64KB

Download
memory/1848-10-0x0000024F70800000-0x0000024F70810000-memory.dmp

Filesize
64KB

Download
memory/3292-83-0x00007FFD720C0000-0x00007FFD722C9000-memory.dmp

Filesize
2.0MB

Download
memory/3292-22-0x00007FFD720C0000-0x00007FFD722C9000-memory.dmp

Filesize
2.0MB

Download
memory/3292-23-0x00007FFD70130000-0x00007FFD701ED000-memory.dmp

Filesize
756KB

Download
memory/3292-16-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3292-17-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3292-21-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3292-24-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3292-19-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3292-18-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4536-77-0x000002963DDC0000-0x000002963DDD0000-memory.dmp

Filesize
64KB

Download
memory/4536-124-0x00007FFD50F90000-0x00007FFD51A52000-memory.dmp

Filesize
10.8MB

Download
memory/4536-125-0x000002963DDC0000-0x000002963DDD0000-memory.dmp

Filesize
64KB

Download
memory/4536-80-0x000002963DDC0000-0x000002963DDD0000-memory.dmp

Filesize
64KB

Download
memory/4536-141-0x000002963DDC0000-0x000002963DDD0000-memory.dmp

Filesize
64KB

Download
memory/4536-142-0x000002963E310000-0x000002963E3C3000-memory.dmp

Filesize
716KB

Download
memory/4536-123-0x000002963DDC0000-0x000002963DDD0000-memory.dmp

Filesize
64KB

Download
memory/4536-150-0x000002963E2E0000-0x000002963E2EA000-memory.dmp

Filesize
40KB

Download
memory/4536-74-0x00007FFD50F90000-0x00007FFD51A52000-memory.dmp

Filesize
10.8MB

Download
memory/4536-202-0x000002963E3D0000-0x000002963E3DA000-memory.dmp

Filesize
40KB

Download
memory/4536-242-0x000002963E3E0000-0x000002963E3E8000-memory.dmp

Filesize
32KB

Download
memory/4536-247-0x000002963DDC0000-0x000002963DDD0000-memory.dmp

Filesize
64KB

Download