88977075356dc9e4c81ff59e5ffc004ab3d62070c1062ce7b690a941d5328090

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-04-2024 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PCWUpdater64.exe
Size

520KB
MD5

506ce3ed7e4ee4d42c05482ebd9e230f
SHA1

4eb0d15002fad41803818600aa24002581b40bfa
SHA256

29ecf971c9d8b5301171b6f786164a1cea29fbf27e20949635e4b95307b2880b
SHA512

1997a7406afee2c460200addd76aca44478df66a5f5e16d153d4ff6e4e9e2b83fca12f338b4c6a55dfad843dfae243d005d7ef1f3870b376cfe8b21ff83dd74c
SSDEEP

12288:rXx5pL4AQ2OihxroFHt3iXt99bnGPVbL9pGHNu4B2UB:rXxPfet3iXZbnIbGI4rB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
480	Process not Found
1928	PCWProtectorService64.exe
2640	PCWProtector.exe

Loads dropped DLL 22 IoCs

pid	Process
2640	PCWProtector.exe
2640	PCWProtector.exe
1928	PCWProtectorService64.exe
1928	PCWProtectorService64.exe
1928	PCWProtectorService64.exe
1928	PCWProtectorService64.exe
1928	PCWProtectorService64.exe
1928	PCWProtectorService64.exe
1928	PCWProtectorService64.exe
1928	PCWProtectorService64.exe
1928	PCWProtectorService64.exe
1928	PCWProtectorService64.exe
1928	PCWProtectorService64.exe
1928	PCWProtectorService64.exe
1928	PCWProtectorService64.exe
1928	PCWProtectorService64.exe
1928	PCWProtectorService64.exe
1928	PCWProtectorService64.exe
1928	PCWProtectorService64.exe
1928	PCWProtectorService64.exe
1928	PCWProtectorService64.exe
1928	PCWProtectorService64.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\TftLib.dll	PCWProtectorService64.exe
File opened for modification	C:\Windows\SysWOW64\TftLib.dll	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\T_Prevent.dll	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\TftLib64.dll	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\TDepend64.exe	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\RdUtil.dll	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\TDepend.exe	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\TDCommonLib.dll	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\T_Prevent64.dll	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\TDCommonLib64.dll	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\WMlogo.bmp	PCWProtectorService64.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1956	PCWUpdater64.exe
1956	PCWUpdater64.exe
1956	PCWUpdater64.exe
1956	PCWUpdater64.exe
1956	PCWUpdater64.exe
1956	PCWUpdater64.exe
1956	PCWUpdater64.exe
1956	PCWUpdater64.exe
1928	PCWProtectorService64.exe
1928	PCWProtectorService64.exe
1928	PCWProtectorService64.exe
1928	PCWProtectorService64.exe
1928	PCWProtectorService64.exe
2096	PCWProtectorDummy64.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
1928	PCWProtectorService64.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
1928	PCWProtectorService64.exe
1928	PCWProtectorService64.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
1928	PCWProtectorService64.exe
1928	PCWProtectorService64.exe
1928	PCWProtectorService64.exe
1928	PCWProtectorService64.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
1928	PCWProtectorService64.exe
1928	PCWProtectorService64.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
1928	PCWProtectorService64.exe
1928	PCWProtectorService64.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	PCWUpdater64.exe
Token: SeDebugPrivilege	1956	PCWUpdater64.exe
Token: SeDebugPrivilege	1928	PCWProtectorService64.exe
Token: SeDebugPrivilege	2096	PCWProtectorDummy64.exe
Token: SeDebugPrivilege	2640	PCWProtector.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1956	PCWUpdater64.exe
1956	PCWUpdater64.exe
2096	PCWProtectorDummy64.exe
2096	PCWProtectorDummy64.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe
2640	PCWProtector.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2096	1928	PCWProtectorService64.exe	29
PID 1928 wrote to memory of 2096	1928	PCWProtectorService64.exe	29
PID 1928 wrote to memory of 2096	1928	PCWProtectorService64.exe	29
PID 2096 wrote to memory of 2640	2096	PCWProtectorDummy64.exe	30
PID 2096 wrote to memory of 2640	2096	PCWProtectorDummy64.exe	30
PID 2096 wrote to memory of 2640	2096	PCWProtectorDummy64.exe	30
PID 2096 wrote to memory of 2640	2096	PCWProtectorDummy64.exe	30

C:\Users\Admin\AppData\Local\Temp\PCWUpdater64.exe
"C:\Users\Admin\AppData\Local\Temp\PCWUpdater64.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1956

C:\Users\Admin\AppData\Local\Temp\PCWProtectorService64.exe
C:\Users\Admin\AppData\Local\Temp\PCWProtectorService64.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\PCWProtectorDummy64.exe
  C:\Users\Admin\AppData\Local\Temp\PCWProtectorDummy64.exe 1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Users\Admin\AppData\Local\Temp\PCWProtector.exe
    C:\Users\Admin\AppData\Local\Temp\PCWProtector.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PCWProtector.exe

Filesize
567KB

MD5
6ce74b64aee3c89d3939bb15ecfe7888

SHA1
58ec5c6b43b90aaa6fa7919c1dbf46812378efae

SHA256
ccb0bd5f3e296c35b38348cf4f231f93ce9bb57af42c328b0aba9e29103ee391

SHA512
f39486655c3d58a62d5c310ce181da0f7dee61e2d3179571b6c1e25ceba3b20c9061565708b8e7c5c5232ca3210348ed82305a105b3b678fadef7b62a2be8c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCWProtector.log

Filesize
875B

MD5
a199a377c87954d5c6be888c57731712

SHA1
23c70ef9e6a0b4618731cd957806640be12ce008

SHA256
da69709cc8c65c1c4c071383822f06e3ee113aa62f649c1044b8a8addf99429b

SHA512
3f762d4f9c75ac3ed8bbd98574ea86001d0c55b651d2d7e3543b74d61e69205f80cc605fa2714e625d321be76f45a92afa83e2309a103bf3aac09ab9096eb828

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCWProtector.log

Filesize
197B

MD5
d1c94dc320c9bf34b8ff2a3729d9e994

SHA1
49b97b3d297258bd3c71a5f7348fa219175647bd

SHA256
883f0d8a53e95bd963e7ad6965a178f2abc281ced76a1cf148d309124ac223d2

SHA512
cb5a7559cb65f4b547c809a00cf5e389ea234b05b67a899f81c449af1f0bd84a132fa77a8a1d683a7f77ae4463b6f2298a672a4cd2fc2528abac0c1c1a4bee66

Download Submit
C:\Windows\SysWOW64\RdUtil.dll

Filesize
274KB

MD5
47c45dc36bbf3c5e6130dcfe37c89347

SHA1
5098af2483b5e2edf205bca47d43b086ddfd8d9d

SHA256
6f149b8ff0e97d0d2dcae5a952e6bdbc6222116eb2f865c7129f32f3fd3c5fa2

SHA512
f99724202d538a554c1bc591f7d50fe3362f42b66d243b8875a4f5d9cece8b817b6d8db35c35a2016b3268be1d0f92fff12127d1ef91be784b563a88e9902c41

Download Submit
C:\Windows\SysWOW64\TDCommonLib.dll

Filesize
212KB

MD5
ac67f6efefd9227789aefa657264508b

SHA1
007b50e73b92d34d3f19b96ffbf64f9289f1d4d8

SHA256
35a1fe7507c35696348fb28c6f3cb5e9c2fe1a8a6966b0a0b8fd469e521f384d

SHA512
af070714a26ccd462933ffc94f8634de8e6e2da57aebf2155444413ae05741e0b6e964a539bb79db893dd75d42339e7f8c2f450c8dc7800fc830f1f606c88f0d

Download Submit
C:\Windows\SysWOW64\TDepend.exe

Filesize
387KB

MD5
6581da8becde34bd00604ae3a34fdf22

SHA1
310597bc32305530b9864ad517cdab915bb8310e

SHA256
a46584ab1229da1cf3b16a47e90a651b5d385e5b1c7b61d63e27d0b89148687a

SHA512
6e6e0478075639ebd105c3f8201646c5728be724311ee02500ccf0295e042b57ae072a2e694be5820df44aa47466f687960056ad8bb93e060301ba4f61be0264

Download Submit
C:\Windows\SysWOW64\T_Prevent.dll

Filesize
258KB

MD5
c84ed9fe6e818185b971a6d10f0c16b7

SHA1
95daabafe876ebea94b24f8389ca6b0c8330e4af

SHA256
2a3324961c95098164646161108231510135f461d73e8ff07a1ee1216fff286f

SHA512
f1ffbeb198d3974afc03a4c5ca466cfb325db305e6bcb48852816e2bb1a516c441ece2bd74aaecce1e2597d59219e2b2e60c880bf2a98d7634138257ac90d3d4

Download Submit
\Users\Admin\AppData\Local\Temp\PCWProtectorService64.exe

Filesize
287KB

MD5
eb2aa21de1026a8a831af0797aac9a78

SHA1
0e5e03f209a50a46ac14246ae46ef19ee14d7233

SHA256
82c4c819c4d543f6131cbc462206e9cdaf4931abe6f73c21b6df4968897572a2

SHA512
89758110eef34b9c08b09cfb10569b0ce4b16788dc68029c12fda84859240d514d2a41827a61e99b9e2a8f1be1ce251a2fd8aeba990dfbb176158f6096ad11e2

Download Submit
\Windows\SysWOW64\TDCommonLib64.dll

Filesize
249KB

MD5
0e00def51125c6b54261001e3bacc19d

SHA1
a361eae15275148b77f8e168bba93e05bb04abe4

SHA256
b5945295ba8cb45903c77057b13d09c80dbd6a31eb64cff1d3a7d486e02d57a1

SHA512
597b83237db5677044ede9eb71e984bc5347e64ab86780707942a8375e4a7fb700e387f10f4dbf392367bdd7ce2ce79db0877f8422ff59e79f046691cdb52aca

Download Submit
\Windows\SysWOW64\TDepend64.exe

Filesize
490KB

MD5
b48cdc4af3bda1f3c5fc02deb759cfa2

SHA1
a007d162d5de321cfe7504c4d5212dc139f54fb0

SHA256
dfabe6784c2ab53bac3e579853449a3f57e291dd16af2fc56ebb84a56e8853aa

SHA512
33cc0c7336b8651005cebd466795d90a4a66720267756652c347593868f13fb59d601c46353d714f50fb5f47c21f1c107ca3212f42f743fe725d128e8f3a0496

Download Submit
\Windows\SysWOW64\T_Prevent64.dll

Filesize
309KB

MD5
d85f0082a012d73167921468731d1503

SHA1
43e6814e086b8385a3c03fc16526ab39adb7983a

SHA256
85235decb50cb8075a305d42809eb76f2237368d7e8155bc01cb8037c9caa18c

SHA512
3dbf52b866514c0b86fcc5752fc136d71bb4a802342801d64fe0127dfffcb6b8437e89d17fa81489c7cfcddf1c97908f1e1cdeeda67b0a1aabc48e8c78376849

Download Submit
\Windows\SysWOW64\TftLib.dll

Filesize
254KB

MD5
7bc750a3e94403913851e41f1028a832

SHA1
d035d67133c760b48522713bd3158ec2bf17fcbc

SHA256
64aaa65abb2d5cfd49c96d349dec267e904457ec70c91fa64d0ee60b0b155817

SHA512
8de51b3bb24cedf37a8a138f5c6177d3f8ad3602b81d387a129b2a7662c53ffe91afbba09b9f26844de535bab29ade8da7e25621efbc032e903882dda3974d61

Download Submit
\Windows\SysWOW64\TftLib64.dll

Filesize
303KB

MD5
69848fcf204e88745974c7650c4cb133

SHA1
cabb555c3bd71277e61eb5578267e359fd4b0809

SHA256
4cbec29c1857389174f7cd2e52d09b18307f1f58e8587c5102b12ea827a08423

SHA512
26086752234fdc212155620adf50ac6853b4b0515b5bd861a07bbf0eb6eff93c1838fc2911a471912f28195355438198c28eb0d9cef51774e010b79fda4627a2

Download Submit
memory/1928-36-0x0000000000A40000-0x0000000000A8A000-memory.dmp

Filesize
296KB

Download
memory/2640-32-0x0000000000630000-0x000000000066E000-memory.dmp

Filesize
248KB

Download