2d2bd3e5cd3fa994dcea616ed4ad9b128652b61f8ef3e6ff0e83cd9c710a476b

Analysis

max time kernel
91s
max time network
89s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
23/01/2024, 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GlowUp_Public.exe
Size

626KB
MD5

54854d90a9563e3a95d6ef7a584dd6d6
SHA1

521eb6601f9134deb672f8f116078556fa3f922b
SHA256

2d2bd3e5cd3fa994dcea616ed4ad9b128652b61f8ef3e6ff0e83cd9c710a476b
SHA512

879c224b44984871b3c101145663ef58f78053abe9c38b8b52d9bcc048474fca49b9b0b6155b2458ba2725660db1748f21244def6daa8bb3600d375bab72e9c7
SSDEEP

12288:xJmNygWN/gwgAKgdbjXXnf3UK2A2Xg70SWiuoBOZpM:xJmNyg0gRAKMbL/UK2A2bSYYO

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2332	GlowUp_Public.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4480	sc.exe
3836	sc.exe
1292	sc.exe

Kills process with taskkill 16 IoCs

evasion

pid	Process
4820	taskkill.exe
2648	taskkill.exe
4020	taskkill.exe
3404	taskkill.exe
3872	taskkill.exe
2336	taskkill.exe
4460	taskkill.exe
3972	taskkill.exe
4388	taskkill.exe
2380	taskkill.exe
2692	taskkill.exe
396	taskkill.exe
652	taskkill.exe
4528	taskkill.exe
3184	taskkill.exe
1204	taskkill.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe
2332	GlowUp_Public.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	3184	taskkill.exe
Token: SeDebugPrivilege	3872	taskkill.exe
Token: SeDebugPrivilege	2692	taskkill.exe
Token: SeDebugPrivilege	2336	taskkill.exe
Token: SeDebugPrivilege	4460	taskkill.exe
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeDebugPrivilege	396	taskkill.exe
Token: SeDebugPrivilege	3404	taskkill.exe
Token: SeDebugPrivilege	652	taskkill.exe
Token: SeDebugPrivilege	3972	taskkill.exe
Token: SeDebugPrivilege	4388	taskkill.exe
Token: SeDebugPrivilege	4528	taskkill.exe
Token: SeDebugPrivilege	2380	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 4836	2332	GlowUp_Public.exe	86
PID 2332 wrote to memory of 4836	2332	GlowUp_Public.exe	86
PID 4836 wrote to memory of 428	4836	cmd.exe	87
PID 4836 wrote to memory of 428	4836	cmd.exe	87
PID 4836 wrote to memory of 540	4836	cmd.exe	89
PID 4836 wrote to memory of 540	4836	cmd.exe	89
PID 4836 wrote to memory of 1916	4836	cmd.exe	88
PID 4836 wrote to memory of 1916	4836	cmd.exe	88
PID 2332 wrote to memory of 1976	2332	GlowUp_Public.exe	101
PID 2332 wrote to memory of 1976	2332	GlowUp_Public.exe	101
PID 1976 wrote to memory of 3184	1976	cmd.exe	102
PID 1976 wrote to memory of 3184	1976	cmd.exe	102
PID 2332 wrote to memory of 4236	2332	GlowUp_Public.exe	103
PID 2332 wrote to memory of 4236	2332	GlowUp_Public.exe	103
PID 4236 wrote to memory of 3872	4236	cmd.exe	104
PID 4236 wrote to memory of 3872	4236	cmd.exe	104
PID 2332 wrote to memory of 3912	2332	GlowUp_Public.exe	106
PID 2332 wrote to memory of 3912	2332	GlowUp_Public.exe	106
PID 3912 wrote to memory of 4480	3912	cmd.exe	105
PID 3912 wrote to memory of 4480	3912	cmd.exe	105
PID 2332 wrote to memory of 464	2332	GlowUp_Public.exe	108
PID 2332 wrote to memory of 464	2332	GlowUp_Public.exe	108
PID 464 wrote to memory of 2692	464	cmd.exe	107
PID 464 wrote to memory of 2692	464	cmd.exe	107
PID 2332 wrote to memory of 4728	2332	GlowUp_Public.exe	111
PID 2332 wrote to memory of 4728	2332	GlowUp_Public.exe	111
PID 4728 wrote to memory of 2336	4728	cmd.exe	110
PID 4728 wrote to memory of 2336	4728	cmd.exe	110
PID 2332 wrote to memory of 4240	2332	GlowUp_Public.exe	113
PID 2332 wrote to memory of 4240	2332	GlowUp_Public.exe	113
PID 4240 wrote to memory of 4460	4240	cmd.exe	114
PID 4240 wrote to memory of 4460	4240	cmd.exe	114
PID 2332 wrote to memory of 3692	2332	GlowUp_Public.exe	115
PID 2332 wrote to memory of 3692	2332	GlowUp_Public.exe	115
PID 3692 wrote to memory of 1204	3692	cmd.exe	116
PID 3692 wrote to memory of 1204	3692	cmd.exe	116
PID 2332 wrote to memory of 3480	2332	GlowUp_Public.exe	140
PID 2332 wrote to memory of 3480	2332	GlowUp_Public.exe	140
PID 3480 wrote to memory of 396	3480	cmd.exe	117
PID 3480 wrote to memory of 396	3480	cmd.exe	117
PID 2332 wrote to memory of 1400	2332	GlowUp_Public.exe	118
PID 2332 wrote to memory of 1400	2332	GlowUp_Public.exe	118
PID 1400 wrote to memory of 4820	1400	cmd.exe	119
PID 1400 wrote to memory of 4820	1400	cmd.exe	119
PID 2332 wrote to memory of 1772	2332	GlowUp_Public.exe	121
PID 2332 wrote to memory of 1772	2332	GlowUp_Public.exe	121
PID 1772 wrote to memory of 2648	1772	cmd.exe	120
PID 1772 wrote to memory of 2648	1772	cmd.exe	120
PID 2332 wrote to memory of 4500	2332	GlowUp_Public.exe	122
PID 2332 wrote to memory of 4500	2332	GlowUp_Public.exe	122
PID 4500 wrote to memory of 3404	4500	cmd.exe	139
PID 4500 wrote to memory of 3404	4500	cmd.exe	139
PID 2332 wrote to memory of 4564	2332	GlowUp_Public.exe	138
PID 2332 wrote to memory of 4564	2332	GlowUp_Public.exe	138
PID 4564 wrote to memory of 4020	4564	cmd.exe	137
PID 4564 wrote to memory of 4020	4564	cmd.exe	137
PID 2332 wrote to memory of 4540	2332	GlowUp_Public.exe	124
PID 2332 wrote to memory of 4540	2332	GlowUp_Public.exe	124
PID 4540 wrote to memory of 652	4540	cmd.exe	123
PID 4540 wrote to memory of 652	4540	cmd.exe	123
PID 2332 wrote to memory of 2148	2332	GlowUp_Public.exe	125
PID 2332 wrote to memory of 2148	2332	GlowUp_Public.exe	125
PID 2148 wrote to memory of 3972	2148	cmd.exe	126
PID 2148 wrote to memory of 3972	2148	cmd.exe	126

C:\Users\Admin\AppData\Local\Temp\GlowUp_Public.exe
"C:\Users\Admin\AppData\Local\Temp\GlowUp_Public.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\GlowUp_Public.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\GlowUp_Public.exe" MD5
    3⤵
    PID:428
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:1916
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:540
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BattleEye.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im epicgameslauncher.exe > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im epicgameslauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient - Win64 - Shipping_EAC.exe > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient - Win64 - Shipping_EAC.exe
    3⤵
    - Kills process with taskkill
    PID:4820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient - Win64 - Shipping_BE.exe > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher.exe > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im EasyAntiCheat.exe > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EasyAntiCheat.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im BEService.exe > nul
  2⤵
  PID:5100
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BEService.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im BEServices.exe > nul
  2⤵
  PID:980
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BEServices.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im BattleEye.exe > nul
  2⤵
  PID:4836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheat
  2⤵
  PID:3316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop BattlEye Service
  2⤵
  PID:968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient - Win64 - Shipping.exe > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im EpicWebHelper.exe > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3456

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
1⤵
- Launches sc.exe
PID:4480

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicWebHelper.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient - Win64 - Shipping_BE.exe
1⤵
- Kills process with taskkill
PID:2648

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Windows\system32\sc.exe
sc stop EasyAntiCheat
1⤵
- Launches sc.exe
PID:3836

C:\Windows\system32\sc.exe
sc stop BattlEye Service
1⤵
- Launches sc.exe
PID:1292

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient - Win64 - Shipping.exe
1⤵
- Kills process with taskkill
PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Windows 7 deprecation

Loading Replay Monitor...