6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.exe
Size

4.0MB
MD5

34d317c072f929fdfb9faee7bd0ee53a
SHA1

f067c94120a55b3b929d11714d3f71163e6a4f06
SHA256

6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b
SHA512

f99aa1c4ace2999afc01b0685d4cd614609a3d39c80decf223fa7b6a2d1976377b8104033c86fb8509d7163b89544423dd6796b25269fe8aadce0a9eef723b14
SSDEEP

98304:AkLMIkB3U1I2+EjYsQcSFB4jQDGpBQu7Bl5uS4MBZ:fMIkBk1IvZsQcSwj2GouH5uKZ

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
3016	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.tmp

Loads dropped DLL 1 IoCs

pid	Process
2124	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2624	sc.exe
2388	sc.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3012	taskkill.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3060	PING.EXE
2120	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3016	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 3016	2124	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.exe	28
PID 2124 wrote to memory of 3016	2124	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.exe	28
PID 2124 wrote to memory of 3016	2124	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.exe	28
PID 2124 wrote to memory of 3016	2124	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.exe	28
PID 2124 wrote to memory of 3016	2124	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.exe	28
PID 2124 wrote to memory of 3016	2124	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.exe	28
PID 2124 wrote to memory of 3016	2124	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.exe	28
PID 3016 wrote to memory of 2824	3016	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.tmp	29
PID 3016 wrote to memory of 2824	3016	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.tmp	29
PID 3016 wrote to memory of 2824	3016	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.tmp	29
PID 3016 wrote to memory of 2824	3016	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.tmp	29
PID 2824 wrote to memory of 3060	2824	cmd.exe	31
PID 2824 wrote to memory of 3060	2824	cmd.exe	31
PID 2824 wrote to memory of 3060	2824	cmd.exe	31
PID 2824 wrote to memory of 3060	2824	cmd.exe	31
PID 2824 wrote to memory of 2700	2824	cmd.exe	32
PID 2824 wrote to memory of 2700	2824	cmd.exe	32
PID 2824 wrote to memory of 2700	2824	cmd.exe	32
PID 2824 wrote to memory of 2700	2824	cmd.exe	32
PID 2700 wrote to memory of 2708	2700	net.exe	33
PID 2700 wrote to memory of 2708	2700	net.exe	33
PID 2700 wrote to memory of 2708	2700	net.exe	33
PID 2700 wrote to memory of 2708	2700	net.exe	33
PID 3016 wrote to memory of 2724	3016	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.tmp	34
PID 3016 wrote to memory of 2724	3016	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.tmp	34
PID 3016 wrote to memory of 2724	3016	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.tmp	34
PID 3016 wrote to memory of 2724	3016	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.tmp	34
PID 2724 wrote to memory of 2660	2724	cmd.exe	36
PID 2724 wrote to memory of 2660	2724	cmd.exe	36
PID 2724 wrote to memory of 2660	2724	cmd.exe	36
PID 2724 wrote to memory of 2660	2724	cmd.exe	36
PID 2660 wrote to memory of 2608	2660	net.exe	37
PID 2660 wrote to memory of 2608	2660	net.exe	37
PID 2660 wrote to memory of 2608	2660	net.exe	37
PID 2660 wrote to memory of 2608	2660	net.exe	37
PID 3016 wrote to memory of 1160	3016	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.tmp	38
PID 3016 wrote to memory of 1160	3016	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.tmp	38
PID 3016 wrote to memory of 1160	3016	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.tmp	38
PID 3016 wrote to memory of 1160	3016	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.tmp	38
PID 1160 wrote to memory of 2120	1160	cmd.exe	40
PID 1160 wrote to memory of 2120	1160	cmd.exe	40
PID 1160 wrote to memory of 2120	1160	cmd.exe	40
PID 1160 wrote to memory of 2120	1160	cmd.exe	40
PID 1160 wrote to memory of 2540	1160	cmd.exe	41
PID 1160 wrote to memory of 2540	1160	cmd.exe	41
PID 1160 wrote to memory of 2540	1160	cmd.exe	41
PID 1160 wrote to memory of 2540	1160	cmd.exe	41
PID 2540 wrote to memory of 2840	2540	net.exe	42
PID 2540 wrote to memory of 2840	2540	net.exe	42
PID 2540 wrote to memory of 2840	2540	net.exe	42
PID 2540 wrote to memory of 2840	2540	net.exe	42
PID 3016 wrote to memory of 2880	3016	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.tmp	43
PID 3016 wrote to memory of 2880	3016	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.tmp	43
PID 3016 wrote to memory of 2880	3016	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.tmp	43
PID 3016 wrote to memory of 2880	3016	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.tmp	43
PID 2880 wrote to memory of 3012	2880	cmd.exe	45
PID 2880 wrote to memory of 3012	2880	cmd.exe	45
PID 2880 wrote to memory of 3012	2880	cmd.exe	45
PID 2880 wrote to memory of 3012	2880	cmd.exe	45
PID 3016 wrote to memory of 2536	3016	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.tmp	47
PID 3016 wrote to memory of 2536	3016	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.tmp	47
PID 3016 wrote to memory of 2536	3016	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.tmp	47
PID 3016 wrote to memory of 2536	3016	6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.tmp	47
PID 2536 wrote to memory of 2624	2536	cmd.exe	49

C:\Users\Admin\AppData\Local\Temp\6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.exe
"C:\Users\Admin\AppData\Local\Temp\6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\is-GJA6V.tmp\6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-GJA6V.tmp\6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.tmp" /SL5="$4010A,3351591,825344,C:\Users\Admin\AppData\Local\Temp\6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrpc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:3060
  - - C:\Windows\SysWOW64\net.exe
      net stop tacticalrpc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalrpc
        5⤵
        
        PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c net stop tacticalagent
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\SysWOW64\net.exe
      net stop tacticalagent
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalagent
        5⤵
        
        PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrmm
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:2120
  - - C:\Windows\SysWOW64\net.exe
      net stop tacticalrmm
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalrmm
        5⤵
        
        PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c taskkill /F /IM tacticalrmm.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM tacticalrmm.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c sc delete tacticalagent
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\SysWOW64\sc.exe
      sc delete tacticalagent
      4⤵
      Launches sc.exe
      PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c sc delete tacticalrpc
    3⤵
    PID:2988
  - - C:\Windows\SysWOW64\sc.exe
      sc delete tacticalrpc
      4⤵
      Launches sc.exe
      PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-GJA6V.tmp\6bd8e820684a2fe378088c9595757a768b03012ba3aa03166e12be96c9e6b25b.tmp

Filesize
3.0MB

MD5
d547472f48c638c6798f0b35558818b2

SHA1
da697cac533f1572d7f900d8bdc36279b3df98d2

SHA256
8bb64c4693dda70055ce2b79f7605a2c1c42e600b9e2b558c11c3f1384f189bd

SHA512
d60b9866a4e96bdf36ea80f032be835921274da89993a4f32557dbd2070e7c10874ab4dd68075271d19490353b8de7c052e1e18d8870d423afb7ea6d11362076

Download Submit
memory/2124-0-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2124-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2124-10-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/3016-9-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/3016-11-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download