d6cee649508d4d5f429f9855d02d154f65d8a50350fb713afb1b12e073f89df9

General

Target

d6cee649508d4d5f429f9855d02d154f65d8a50350fb713afb1b12e073f89df9.exe
Size

5.0MB
MD5

ed3f9711abe5e705a9c79a94b3873b38
SHA1

d393a06546d6df07d02b59f3433bab6c5b3e72d7
SHA256

d6cee649508d4d5f429f9855d02d154f65d8a50350fb713afb1b12e073f89df9
SHA512

73bee77f771e49c8582724bf3d305d8e0dcec7064f8d72f6bb3b524609d0572e38f87028cdce612913465fe11096f6956872aa379e667f49e8e5d2dabf42004e
SSDEEP

98304:4rpUxlemUQbHcGvgI4zDRVHReaJJ0BoqBT+HuR9rtsAo5hz3a:rYGvh4HxeaABRBxBtsAYz3

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 2 IoCs

pid	Process
480	Process not Found
2724	enobhbvnibqy.exe

Loads dropped DLL 1 IoCs

pid	Process
480	Process not Found

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2724 set thread context of 2208	2724	enobhbvnibqy.exe	49

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2656	sc.exe
2568	sc.exe
2728	sc.exe
2708	sc.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1652	d6cee649508d4d5f429f9855d02d154f65d8a50350fb713afb1b12e073f89df9.exe
1652	d6cee649508d4d5f429f9855d02d154f65d8a50350fb713afb1b12e073f89df9.exe
1652	d6cee649508d4d5f429f9855d02d154f65d8a50350fb713afb1b12e073f89df9.exe
1652	d6cee649508d4d5f429f9855d02d154f65d8a50350fb713afb1b12e073f89df9.exe
1652	d6cee649508d4d5f429f9855d02d154f65d8a50350fb713afb1b12e073f89df9.exe
1652	d6cee649508d4d5f429f9855d02d154f65d8a50350fb713afb1b12e073f89df9.exe
1652	d6cee649508d4d5f429f9855d02d154f65d8a50350fb713afb1b12e073f89df9.exe
1652	d6cee649508d4d5f429f9855d02d154f65d8a50350fb713afb1b12e073f89df9.exe
2724	enobhbvnibqy.exe
2724	enobhbvnibqy.exe
2724	enobhbvnibqy.exe
2724	enobhbvnibqy.exe
2724	enobhbvnibqy.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2740	powercfg.exe
Token: SeShutdownPrivilege	2644	powercfg.exe
Token: SeShutdownPrivilege	2552	powercfg.exe
Token: SeShutdownPrivilege	2256	powercfg.exe
Token: SeShutdownPrivilege	2624	powercfg.exe
Token: SeShutdownPrivilege	2484	powercfg.exe
Token: SeShutdownPrivilege	2572	powercfg.exe
Token: SeShutdownPrivilege	2368	powercfg.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2208	2724	enobhbvnibqy.exe	49
PID 2724 wrote to memory of 2208	2724	enobhbvnibqy.exe	49
PID 2724 wrote to memory of 2208	2724	enobhbvnibqy.exe	49
PID 2724 wrote to memory of 2208	2724	enobhbvnibqy.exe	49
PID 2724 wrote to memory of 2208	2724	enobhbvnibqy.exe	49
PID 2724 wrote to memory of 2208	2724	enobhbvnibqy.exe	49
PID 2724 wrote to memory of 2208	2724	enobhbvnibqy.exe	49
PID 2724 wrote to memory of 2208	2724	enobhbvnibqy.exe	49

C:\Users\Admin\AppData\Local\Temp\d6cee649508d4d5f429f9855d02d154f65d8a50350fb713afb1b12e073f89df9.exe
"C:\Users\Admin\AppData\Local\Temp\d6cee649508d4d5f429f9855d02d154f65d8a50350fb713afb1b12e073f89df9.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1652
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "YHWZFBOH"
  2⤵
  - Launches sc.exe
  PID:2656
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "YHWZFBOH" binpath= "C:\ProgramData\wxseyrlosrlz\enobhbvnibqy.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:2568
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:2728
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "YHWZFBOH"
  2⤵
  - Launches sc.exe
  PID:2708

C:\ProgramData\wxseyrlosrlz\enobhbvnibqy.exe
C:\ProgramData\wxseyrlosrlz\enobhbvnibqy.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2572
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\wxseyrlosrlz\enobhbvnibqy.exe

Filesize
5.0MB

MD5
ed3f9711abe5e705a9c79a94b3873b38

SHA1
d393a06546d6df07d02b59f3433bab6c5b3e72d7

SHA256
d6cee649508d4d5f429f9855d02d154f65d8a50350fb713afb1b12e073f89df9

SHA512
73bee77f771e49c8582724bf3d305d8e0dcec7064f8d72f6bb3b524609d0572e38f87028cdce612913465fe11096f6956872aa379e667f49e8e5d2dabf42004e

Download Submit
memory/2208-7-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2208-8-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2208-6-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2208-5-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2208-4-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing