88977075356dc9e4c81ff59e5ffc004ab3d62070c1062ce7b690a941d5328090

Analysis

max time kernel
157s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PCWUpdater64.exe
Size

520KB
MD5

506ce3ed7e4ee4d42c05482ebd9e230f
SHA1

4eb0d15002fad41803818600aa24002581b40bfa
SHA256

29ecf971c9d8b5301171b6f786164a1cea29fbf27e20949635e4b95307b2880b
SHA512

1997a7406afee2c460200addd76aca44478df66a5f5e16d153d4ff6e4e9e2b83fca12f338b4c6a55dfad843dfae243d005d7ef1f3870b376cfe8b21ff83dd74c
SSDEEP

12288:rXx5pL4AQ2OihxroFHt3iXt99bnGPVbL9pGHNu4B2UB:rXxPfet3iXZbnIbGI4rB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
736	PCWProtectorService64.exe
4356	PCWProtector.exe

Loads dropped DLL 6 IoCs

pid	Process
736	PCWProtectorService64.exe
736	PCWProtectorService64.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
736	PCWProtectorService64.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\TDCommonLib.dll	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\TftLib64.dll	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\TDepend64.exe	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\TftLib.dll	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\T_Prevent.dll	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\TDepend.exe	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\RdUtil.dll	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\WMlogo.bmp	PCWProtectorService64.exe
File opened for modification	C:\Windows\SysWOW64\TftLib.dll	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\T_Prevent64.dll	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\TDCommonLib64.dll	PCWProtectorService64.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4740	PCWUpdater64.exe
4740	PCWUpdater64.exe
4740	PCWUpdater64.exe
4740	PCWUpdater64.exe
4740	PCWUpdater64.exe
4740	PCWUpdater64.exe
4740	PCWUpdater64.exe
4740	PCWUpdater64.exe
4740	PCWUpdater64.exe
4740	PCWUpdater64.exe
4740	PCWUpdater64.exe
4740	PCWUpdater64.exe
736	PCWProtectorService64.exe
736	PCWProtectorService64.exe
736	PCWProtectorService64.exe
736	PCWProtectorService64.exe
736	PCWProtectorService64.exe
736	PCWProtectorService64.exe
736	PCWProtectorService64.exe
736	PCWProtectorService64.exe
736	PCWProtectorService64.exe
736	PCWProtectorService64.exe
4924	PCWProtectorDummy64.exe
4924	PCWProtectorDummy64.exe
736	PCWProtectorService64.exe
736	PCWProtectorService64.exe
736	PCWProtectorService64.exe
736	PCWProtectorService64.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
736	PCWProtectorService64.exe
736	PCWProtectorService64.exe
736	PCWProtectorService64.exe
736	PCWProtectorService64.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
736	PCWProtectorService64.exe
736	PCWProtectorService64.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
4356	PCWProtector.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4740	PCWUpdater64.exe
Token: SeDebugPrivilege	4740	PCWUpdater64.exe
Token: SeDebugPrivilege	736	PCWProtectorService64.exe
Token: SeDebugPrivilege	4924	PCWProtectorDummy64.exe
Token: SeDebugPrivilege	4356	PCWProtector.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4740	PCWUpdater64.exe
4740	PCWUpdater64.exe
4924	PCWProtectorDummy64.exe
4924	PCWProtectorDummy64.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
4356	PCWProtector.exe
4356	PCWProtector.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 4924	736	PCWProtectorService64.exe	92
PID 736 wrote to memory of 4924	736	PCWProtectorService64.exe	92
PID 4924 wrote to memory of 4356	4924	PCWProtectorDummy64.exe	93
PID 4924 wrote to memory of 4356	4924	PCWProtectorDummy64.exe	93
PID 4924 wrote to memory of 4356	4924	PCWProtectorDummy64.exe	93

C:\Users\Admin\AppData\Local\Temp\PCWUpdater64.exe
"C:\Users\Admin\AppData\Local\Temp\PCWUpdater64.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4740

C:\Users\Admin\AppData\Local\Temp\PCWProtectorService64.exe
C:\Users\Admin\AppData\Local\Temp\PCWProtectorService64.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:736
- C:\Users\Admin\AppData\Local\Temp\PCWProtectorDummy64.exe
  C:\Users\Admin\AppData\Local\Temp\PCWProtectorDummy64.exe 1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Users\Admin\AppData\Local\Temp\PCWProtector.exe
    C:\Users\Admin\AppData\Local\Temp\PCWProtector.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:4428

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PCWProtector.exe

Filesize
567KB

MD5
6ce74b64aee3c89d3939bb15ecfe7888

SHA1
58ec5c6b43b90aaa6fa7919c1dbf46812378efae

SHA256
ccb0bd5f3e296c35b38348cf4f231f93ce9bb57af42c328b0aba9e29103ee391

SHA512
f39486655c3d58a62d5c310ce181da0f7dee61e2d3179571b6c1e25ceba3b20c9061565708b8e7c5c5232ca3210348ed82305a105b3b678fadef7b62a2be8c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCWProtector.log

Filesize
875B

MD5
f2ae0c9f3922e6415376f445d0a24d13

SHA1
2f10a74f75a8a30ed4874ff3ccf5ec01565c10cd

SHA256
bddb32001f4be8c3c0cf2f3215a6bddc4097f25cfc9f5fa7d8f9db0a78feabc4

SHA512
0b85ae0b785443e2314021643cb3352508c0d4048619a373e5e92b5d2a4f1f7dab72fcb19edbd872c3a0176c76207f01c0fac983b7bb75797a484bb9efec8318

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCWProtector.log

Filesize
970B

MD5
8cb1df50ea75e76463bde6b5d13f708a

SHA1
26990c332a835b9e6a41b5d8f3f4352308ee993f

SHA256
48c90ebce6844f521c158e91990aab6e4c9beba925bea43514ecfd6f80fb7035

SHA512
9959c89f59524b797130d669839cd58ebdffe25ecd631227fdb8ff99b3ef3208742527bd9b20da356f933b0225295101a1c637feebe9a60f0c61146c416d03ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCWProtector.log

Filesize
197B

MD5
734cf74c27c710861b640fb27af60a0f

SHA1
f740fed921f194b9b83cd699e7dcd1b6a1851b33

SHA256
30a20468a58b198b52477a8bc3fc35caa338ba12870d89b74615be30d241f7b8

SHA512
c987d7f6683efed602aceb3ba5ef1fb5935d1b5c887d30716daccfef7e4fd62cf7130e935fbf9dc18e0d9e950e0a498bfa3a2ea59f4a453e0f03107b3c04e6ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCWProtectorService64.exe

Filesize
287KB

MD5
eb2aa21de1026a8a831af0797aac9a78

SHA1
0e5e03f209a50a46ac14246ae46ef19ee14d7233

SHA256
82c4c819c4d543f6131cbc462206e9cdaf4931abe6f73c21b6df4968897572a2

SHA512
89758110eef34b9c08b09cfb10569b0ce4b16788dc68029c12fda84859240d514d2a41827a61e99b9e2a8f1be1ce251a2fd8aeba990dfbb176158f6096ad11e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TftLib64up.dll

Filesize
303KB

MD5
69848fcf204e88745974c7650c4cb133

SHA1
cabb555c3bd71277e61eb5578267e359fd4b0809

SHA256
4cbec29c1857389174f7cd2e52d09b18307f1f58e8587c5102b12ea827a08423

SHA512
26086752234fdc212155620adf50ac6853b4b0515b5bd861a07bbf0eb6eff93c1838fc2911a471912f28195355438198c28eb0d9cef51774e010b79fda4627a2

Download Submit
C:\Windows\SysWOW64\RdUtil.dll

Filesize
274KB

MD5
47c45dc36bbf3c5e6130dcfe37c89347

SHA1
5098af2483b5e2edf205bca47d43b086ddfd8d9d

SHA256
6f149b8ff0e97d0d2dcae5a952e6bdbc6222116eb2f865c7129f32f3fd3c5fa2

SHA512
f99724202d538a554c1bc591f7d50fe3362f42b66d243b8875a4f5d9cece8b817b6d8db35c35a2016b3268be1d0f92fff12127d1ef91be784b563a88e9902c41

Download Submit
C:\Windows\SysWOW64\TDCommonLib.dll

Filesize
212KB

MD5
ac67f6efefd9227789aefa657264508b

SHA1
007b50e73b92d34d3f19b96ffbf64f9289f1d4d8

SHA256
35a1fe7507c35696348fb28c6f3cb5e9c2fe1a8a6966b0a0b8fd469e521f384d

SHA512
af070714a26ccd462933ffc94f8634de8e6e2da57aebf2155444413ae05741e0b6e964a539bb79db893dd75d42339e7f8c2f450c8dc7800fc830f1f606c88f0d

Download Submit
C:\Windows\SysWOW64\TDCommonLib64.dll

Filesize
249KB

MD5
0e00def51125c6b54261001e3bacc19d

SHA1
a361eae15275148b77f8e168bba93e05bb04abe4

SHA256
b5945295ba8cb45903c77057b13d09c80dbd6a31eb64cff1d3a7d486e02d57a1

SHA512
597b83237db5677044ede9eb71e984bc5347e64ab86780707942a8375e4a7fb700e387f10f4dbf392367bdd7ce2ce79db0877f8422ff59e79f046691cdb52aca

Download Submit
C:\Windows\SysWOW64\TDepend.exe

Filesize
387KB

MD5
6581da8becde34bd00604ae3a34fdf22

SHA1
310597bc32305530b9864ad517cdab915bb8310e

SHA256
a46584ab1229da1cf3b16a47e90a651b5d385e5b1c7b61d63e27d0b89148687a

SHA512
6e6e0478075639ebd105c3f8201646c5728be724311ee02500ccf0295e042b57ae072a2e694be5820df44aa47466f687960056ad8bb93e060301ba4f61be0264

Download Submit
C:\Windows\SysWOW64\TDepend64.exe

Filesize
490KB

MD5
b48cdc4af3bda1f3c5fc02deb759cfa2

SHA1
a007d162d5de321cfe7504c4d5212dc139f54fb0

SHA256
dfabe6784c2ab53bac3e579853449a3f57e291dd16af2fc56ebb84a56e8853aa

SHA512
33cc0c7336b8651005cebd466795d90a4a66720267756652c347593868f13fb59d601c46353d714f50fb5f47c21f1c107ca3212f42f743fe725d128e8f3a0496

Download Submit
C:\Windows\SysWOW64\T_Prevent.dll

Filesize
258KB

MD5
c84ed9fe6e818185b971a6d10f0c16b7

SHA1
95daabafe876ebea94b24f8389ca6b0c8330e4af

SHA256
2a3324961c95098164646161108231510135f461d73e8ff07a1ee1216fff286f

SHA512
f1ffbeb198d3974afc03a4c5ca466cfb325db305e6bcb48852816e2bb1a516c441ece2bd74aaecce1e2597d59219e2b2e60c880bf2a98d7634138257ac90d3d4

Download Submit
C:\Windows\SysWOW64\T_Prevent64.dll

Filesize
309KB

MD5
d85f0082a012d73167921468731d1503

SHA1
43e6814e086b8385a3c03fc16526ab39adb7983a

SHA256
85235decb50cb8075a305d42809eb76f2237368d7e8155bc01cb8037c9caa18c

SHA512
3dbf52b866514c0b86fcc5752fc136d71bb4a802342801d64fe0127dfffcb6b8437e89d17fa81489c7cfcddf1c97908f1e1cdeeda67b0a1aabc48e8c78376849

Download Submit
C:\Windows\SysWOW64\TftLib.dll

Filesize
254KB

MD5
7bc750a3e94403913851e41f1028a832

SHA1
d035d67133c760b48522713bd3158ec2bf17fcbc

SHA256
64aaa65abb2d5cfd49c96d349dec267e904457ec70c91fa64d0ee60b0b155817

SHA512
8de51b3bb24cedf37a8a138f5c6177d3f8ad3602b81d387a129b2a7662c53ffe91afbba09b9f26844de535bab29ade8da7e25621efbc032e903882dda3974d61

Download Submit
memory/736-31-0x0000000002210000-0x000000000225A000-memory.dmp

Filesize
296KB

Download
memory/4356-44-0x0000000002B60000-0x0000000002B9E000-memory.dmp

Filesize
248KB

Download