05ebc91b15a028b802e6d39ffdb850ca4ae5692f15e60f1e31a5a8aee666e8bc

Analysis

max time kernel
23s
max time network
17s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
17-02-2024 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Doxing.exe
Size

5.3MB
MD5

6fe4ed5bdec8d9f3a53e28c542c949f0
SHA1

3109ef8e7bc5c8942f32911c26e2921db0368d39
SHA256

05ebc91b15a028b802e6d39ffdb850ca4ae5692f15e60f1e31a5a8aee666e8bc
SHA512

afa1443a927af2654e315706bfe5c2b0a3ab40f549e2a2bf9c1ab7b454ec6322b1de8d74115bc82a395e3fd0626fac794ffba2ecf77b12d218dc4914a171ae11
SSDEEP

98304:kRdakq5DPgHzhNyXQqg2LjjVSeyG7/Mr2k4bSE37rssVlosp:mu5DsHuMIjVRyG7/MySE3748zp

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	Doxing.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
4336	updater.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	Doxing.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2468 set thread context of 2396	2468	Doxing.exe	113

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
664	sc.exe
1120	sc.exe
4184	sc.exe
2844	sc.exe
1144	sc.exe
2620	sc.exe
2968	sc.exe
2336	sc.exe
4748	sc.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2468	Doxing.exe
2760	powershell.exe
2760	powershell.exe
2468	Doxing.exe
2468	Doxing.exe
2468	Doxing.exe
2468	Doxing.exe
2468	Doxing.exe
2468	Doxing.exe
2468	Doxing.exe
2468	Doxing.exe
2468	Doxing.exe
2468	Doxing.exe
2468	Doxing.exe
2468	Doxing.exe
2396	dialer.exe
2396	dialer.exe
2468	Doxing.exe
2396	dialer.exe
2396	dialer.exe
2468	Doxing.exe
2468	Doxing.exe
4336	updater.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeShutdownPrivilege	4696	powercfg.exe
Token: SeCreatePagefilePrivilege	4696	powercfg.exe
Token: SeShutdownPrivilege	1368	powercfg.exe
Token: SeCreatePagefilePrivilege	1368	powercfg.exe
Token: SeShutdownPrivilege	1996	powercfg.exe
Token: SeCreatePagefilePrivilege	1996	powercfg.exe
Token: SeShutdownPrivilege	3972	powercfg.exe
Token: SeCreatePagefilePrivilege	3972	powercfg.exe
Token: SeDebugPrivilege	2396	dialer.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 3656 wrote to memory of 3144	3656	cmd.exe	97
PID 3656 wrote to memory of 3144	3656	cmd.exe	97
PID 2468 wrote to memory of 2396	2468	Doxing.exe	113
PID 2468 wrote to memory of 2396	2468	Doxing.exe	113
PID 2468 wrote to memory of 2396	2468	Doxing.exe	113
PID 2468 wrote to memory of 2396	2468	Doxing.exe	113
PID 2468 wrote to memory of 2396	2468	Doxing.exe	113
PID 2468 wrote to memory of 2396	2468	Doxing.exe	113
PID 2468 wrote to memory of 2396	2468	Doxing.exe	113
PID 2396 wrote to memory of 612	2396	dialer.exe	3
PID 2396 wrote to memory of 672	2396	dialer.exe	1
PID 2396 wrote to memory of 956	2396	dialer.exe	80
PID 672 wrote to memory of 2712	672	lsass.exe	65
PID 2396 wrote to memory of 1020	2396	dialer.exe	10
PID 2396 wrote to memory of 392	2396	dialer.exe	79
PID 672 wrote to memory of 2712	672	lsass.exe	65
PID 672 wrote to memory of 2712	672	lsass.exe	65
PID 2396 wrote to memory of 708	2396	dialer.exe	13
PID 672 wrote to memory of 2712	672	lsass.exe	65
PID 672 wrote to memory of 2712	672	lsass.exe	65
PID 672 wrote to memory of 2712	672	lsass.exe	65
PID 672 wrote to memory of 2712	672	lsass.exe	65
PID 672 wrote to memory of 2712	672	lsass.exe	65
PID 2396 wrote to memory of 1040	2396	dialer.exe	12
PID 672 wrote to memory of 2712	672	lsass.exe	65
PID 672 wrote to memory of 2712	672	lsass.exe	65
PID 672 wrote to memory of 2712	672	lsass.exe	65
PID 672 wrote to memory of 2712	672	lsass.exe	65
PID 2396 wrote to memory of 1100	2396	dialer.exe	17
PID 2396 wrote to memory of 1112	2396	dialer.exe	14
PID 672 wrote to memory of 2712	672	lsass.exe	65
PID 2396 wrote to memory of 1148	2396	dialer.exe	16
PID 672 wrote to memory of 2712	672	lsass.exe	65
PID 2396 wrote to memory of 1160	2396	dialer.exe	15

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
PID:708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1100

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Users\Admin\AppData\Local\Temp\Doxing.exe
"C:\Users\Admin\AppData\Local\Temp\Doxing.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3144
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1144
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:664
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1120
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2620
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4696
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3972
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2396
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
  2⤵
  - Launches sc.exe
  PID:2968
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:4184
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
  2⤵
  - Launches sc.exe
  PID:2336
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:2844

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4336
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Google\Chrome\updater.exe

Filesize
1.3MB

MD5
75945ce6d11eaf422c6d2cf4a478c430

SHA1
bdfb3e64471944948b6a68df3966bae4d1c1ce55

SHA256
1464cd7eb9c1df9965f3b5417a7eb8d726a38ddf06c899cef4f03d86a8d3a9ad

SHA512
3c8fdab91dc592d8e2e64f381881cde5773c72ce9cb504f92d827dc563baddfc98bc3ca66cdf0a31a69bf3e30733f331cb0b8c5d411fce05afb189efc425e724

Download Submit
C:\ProgramData\Google\Chrome\updater.exe

Filesize
3.2MB

MD5
9eeed9edb973a642450610c2a163bffd

SHA1
919be696477d91aaeb1236823555bebe46989b30

SHA256
ed5babe0affd33bebbe543ce9d98c1d8bb64ac605d5a92c80513d183bf7e8b45

SHA512
2dc24c79a10f97cd95ce88fe1cdc09e33ba8bd2808d72680697bac35aa7ef76a956c5d547131b58f40dee43230e9bf0d7e6cf112291dbf08372111c563495f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_us4cl2zb.pri.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/392-47-0x000001F8BCCD0000-0x000001F8BCCFB000-memory.dmp

Filesize
172KB

Download
memory/392-56-0x000001F8BCCD0000-0x000001F8BCCFB000-memory.dmp

Filesize
172KB

Download
memory/392-50-0x00007FFB730B0000-0x00007FFB730C0000-memory.dmp

Filesize
64KB

Download
memory/612-30-0x000001DD18C50000-0x000001DD18C7B000-memory.dmp

Filesize
172KB

Download
memory/612-37-0x00007FFBB30CF000-0x00007FFBB30D0000-memory.dmp

Filesize
4KB

Download
memory/612-33-0x00007FFBB30CD000-0x00007FFBB30CE000-memory.dmp

Filesize
4KB

Download
memory/612-28-0x000001DD18C20000-0x000001DD18C44000-memory.dmp

Filesize
144KB

Download
memory/672-45-0x00007FFBB30CF000-0x00007FFBB30D0000-memory.dmp

Filesize
4KB

Download
memory/672-48-0x00007FFBB30CC000-0x00007FFBB30CD000-memory.dmp

Filesize
4KB

Download
memory/672-42-0x00007FFBB30CD000-0x00007FFBB30CE000-memory.dmp

Filesize
4KB

Download
memory/672-31-0x000001F402060000-0x000001F40208B000-memory.dmp

Filesize
172KB

Download
memory/672-34-0x00007FFB730B0000-0x00007FFB730C0000-memory.dmp

Filesize
64KB

Download
memory/708-57-0x000002D423370000-0x000002D42339B000-memory.dmp

Filesize
172KB

Download
memory/708-52-0x00007FFB730B0000-0x00007FFB730C0000-memory.dmp

Filesize
64KB

Download
memory/708-49-0x000002D423370000-0x000002D42339B000-memory.dmp

Filesize
172KB

Download
memory/956-38-0x000001A3FDBB0000-0x000001A3FDBDB000-memory.dmp

Filesize
172KB

Download
memory/956-43-0x00007FFB730B0000-0x00007FFB730C0000-memory.dmp

Filesize
64KB

Download
memory/956-51-0x000001A3FDBB0000-0x000001A3FDBDB000-memory.dmp

Filesize
172KB

Download
memory/1020-39-0x000001EAB78B0000-0x000001EAB78DB000-memory.dmp

Filesize
172KB

Download
memory/1020-54-0x000001EAB78B0000-0x000001EAB78DB000-memory.dmp

Filesize
172KB

Download
memory/1040-65-0x00007FFB730B0000-0x00007FFB730C0000-memory.dmp

Filesize
64KB

Download
memory/1040-63-0x000001E972960000-0x000001E97298B000-memory.dmp

Filesize
172KB

Download
memory/1100-70-0x00007FFB730B0000-0x00007FFB730C0000-memory.dmp

Filesize
64KB

Download
memory/1100-68-0x0000023AE8F20000-0x0000023AE8F4B000-memory.dmp

Filesize
172KB

Download
memory/1112-71-0x000001E7F96A0000-0x000001E7F96CB000-memory.dmp

Filesize
172KB

Download
memory/1112-74-0x00007FFB730B0000-0x00007FFB730C0000-memory.dmp

Filesize
64KB

Download
memory/1148-76-0x000001DB87CF0000-0x000001DB87D1B000-memory.dmp

Filesize
172KB

Download
memory/1148-77-0x00007FFB730B0000-0x00007FFB730C0000-memory.dmp

Filesize
64KB

Download
memory/2396-24-0x00007FFBB1E50000-0x00007FFBB1F0E000-memory.dmp

Filesize
760KB

Download
memory/2396-18-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2396-17-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2396-19-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2396-23-0x00007FFBB3030000-0x00007FFBB3225000-memory.dmp

Filesize
2.0MB

Download
memory/2396-20-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2396-25-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2396-22-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2760-10-0x00007FFB94370000-0x00007FFB94E31000-memory.dmp

Filesize
10.8MB

Download
memory/2760-5-0x000001CAF2A30000-0x000001CAF2A52000-memory.dmp

Filesize
136KB

Download
memory/2760-12-0x000001CAF0880000-0x000001CAF0890000-memory.dmp

Filesize
64KB

Download
memory/2760-15-0x00007FFB94370000-0x00007FFB94E31000-memory.dmp

Filesize
10.8MB

Download
memory/2760-11-0x000001CAF0880000-0x000001CAF0890000-memory.dmp

Filesize
64KB

Download
memory/4784-80-0x00007FFB946C0000-0x00007FFB95181000-memory.dmp

Filesize
10.8MB

Download