Analysis
max time kernel: 134s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 19:06
Static task: static1 (1 signatures)

General
Target: GAY_JAY.exe
Size: 15.7MB
MD5: cd033bf8a5bb34a6ac409752913d99b1
SHA1: 9940a283a66e317dacef20307a69a4d077828650
SHA256: 6f83c2201fd7aea7b1348427c31bb1bf4d1def99f686ff7eaf92484deb45f853
SHA512: 75d240a94e34b5f01854c653866c957710ddb314d3fe5d989fc9d80db0c7dc0ba0ab27e4843f45614a398da9fcfed6f2695b8e43c4dd3ebaf12d7693617552ad
SSDEEP: 393216:TYsciS2hPdrnU5u9TGGHA9oviG3/Vb9Y95B4VGSW:EsxPdrnU5u9R6ai4VbqB4s
Malware Config
Signatures
Launches sc.exe (4 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid | Process
3560 | sc.exe
3668 | sc.exe
2148 | sc.exe
4348 | sc.exe
Kills process with taskkill (16 IoCs)
pid | Process
3724 | taskkill.exe
3772 | taskkill.exe
3756 | taskkill.exe
2904 | taskkill.exe
2916 | taskkill.exe
3340 | taskkill.exe
4584 | taskkill.exe
4648 | taskkill.exe
3664 | taskkill.exe
2500 | taskkill.exe
2236 | taskkill.exe
4392 | taskkill.exe
5096 | taskkill.exe
3468 | taskkill.exe
4632 | taskkill.exe
2396 | taskkill.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4700 | GAY_JAY.exe
4700 | GAY_JAY.exe
Suspicious use of AdjustPrivilegeToken (16 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4584 | taskkill.exe
Token: SeDebugPrivilege | 3772 | taskkill.exe
Token: SeDebugPrivilege | 3756 | taskkill.exe
Token: SeDebugPrivilege | 3724 | taskkill.exe
Token: SeDebugPrivilege | 4632 | taskkill.exe
Token: SeDebugPrivilege | 2904 | taskkill.exe
Token: SeDebugPrivilege | 4648 | taskkill.exe
Token: SeDebugPrivilege | 5096 | taskkill.exe
Token: SeDebugPrivilege | 3664 | taskkill.exe
Token: SeDebugPrivilege | 3468 | taskkill.exe
Token: SeDebugPrivilege | 2500 | taskkill.exe
Token: SeDebugPrivilege | 2236 | taskkill.exe
Token: SeDebugPrivilege | 4392 | taskkill.exe
Token: SeDebugPrivilege | 2396 | taskkill.exe
Token: SeDebugPrivilege | 2916 | taskkill.exe
Token: SeDebugPrivilege | 3340 | taskkill.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4700 wrote to memory of 3880 | 4700 | GAY_JAY.exe | 86
PID 4700 wrote to memory of 3880 | 4700 | GAY_JAY.exe | 86
PID 4700 wrote to memory of 3508 | 4700 | GAY_JAY.exe | 87
PID 4700 wrote to memory of 3508 | 4700 | GAY_JAY.exe | 87
PID 4700 wrote to memory of 2104 | 4700 | GAY_JAY.exe | 88
PID 4700 wrote to memory of 2104 | 4700 | GAY_JAY.exe | 88
PID 4700 wrote to memory of 3804 | 4700 | GAY_JAY.exe | 89
PID 4700 wrote to memory of 3804 | 4700 | GAY_JAY.exe | 89
PID 4700 wrote to memory of 1720 | 4700 | GAY_JAY.exe | 90
PID 4700 wrote to memory of 1720 | 4700 | GAY_JAY.exe | 90
PID 4700 wrote to memory of 4628 | 4700 | GAY_JAY.exe | 91
PID 4700 wrote to memory of 4628 | 4700 | GAY_JAY.exe | 91
PID 4700 wrote to memory of 2900 | 4700 | GAY_JAY.exe | 92
PID 4700 wrote to memory of 2900 | 4700 | GAY_JAY.exe | 92
PID 4700 wrote to memory of 2880 | 4700 | GAY_JAY.exe | 93
PID 4700 wrote to memory of 2880 | 4700 | GAY_JAY.exe | 93
PID 3804 wrote to memory of 4584 | 3804 | cmd.exe | 94
PID 3804 wrote to memory of 4584 | 3804 | cmd.exe | 94
PID 3508 wrote to memory of 3772 | 3508 | cmd.exe | 95
PID 3508 wrote to memory of 3772 | 3508 | cmd.exe | 95
PID 2104 wrote to memory of 3724 | 2104 | cmd.exe | 97
PID 2104 wrote to memory of 3724 | 2104 | cmd.exe | 97
PID 1720 wrote to memory of 4348 | 1720 | cmd.exe | 98
PID 1720 wrote to memory of 4348 | 1720 | cmd.exe | 98
PID 2880 wrote to memory of 968 | 2880 | cmd.exe | 96
PID 2880 wrote to memory of 968 | 2880 | cmd.exe | 96
PID 4628 wrote to memory of 3756 | 4628 | cmd.exe | 99
PID 4628 wrote to memory of 3756 | 4628 | cmd.exe | 99
PID 4700 wrote to memory of 4056 | 4700 | GAY_JAY.exe | 101
PID 4700 wrote to memory of 4056 | 4700 | GAY_JAY.exe | 101
PID 4700 wrote to memory of 4768 | 4700 | GAY_JAY.exe | 102
PID 4700 wrote to memory of 4768 | 4700 | GAY_JAY.exe | 102
PID 4700 wrote to memory of 3060 | 4700 | GAY_JAY.exe | 103
PID 4700 wrote to memory of 3060 | 4700 | GAY_JAY.exe | 103
PID 4700 wrote to memory of 5088 | 4700 | GAY_JAY.exe | 104
PID 4700 wrote to memory of 5088 | 4700 | GAY_JAY.exe | 104
PID 4700 wrote to memory of 4296 | 4700 | GAY_JAY.exe | 105
PID 4700 wrote to memory of 4296 | 4700 | GAY_JAY.exe | 105
PID 4700 wrote to memory of 116 | 4700 | GAY_JAY.exe | 106
PID 4700 wrote to memory of 116 | 4700 | GAY_JAY.exe | 106
PID 4296 wrote to memory of 2904 | 4296 | cmd.exe | 107
PID 4296 wrote to memory of 2904 | 4296 | cmd.exe | 107
PID 4056 wrote to memory of 4632 | 4056 | cmd.exe | 108
PID 4056 wrote to memory of 4632 | 4056 | cmd.exe | 108
PID 4768 wrote to memory of 4648 | 4768 | cmd.exe | 109
PID 4768 wrote to memory of 4648 | 4768 | cmd.exe | 109
PID 5088 wrote to memory of 3560 | 5088 | cmd.exe | 111
PID 5088 wrote to memory of 3560 | 5088 | cmd.exe | 111
PID 3060 wrote to memory of 5096 | 3060 | cmd.exe | 110
PID 3060 wrote to memory of 5096 | 3060 | cmd.exe | 110
PID 4700 wrote to memory of 1336 | 4700 | GAY_JAY.exe | 112
PID 4700 wrote to memory of 1336 | 4700 | GAY_JAY.exe | 112
PID 4700 wrote to memory of 728 | 4700 | GAY_JAY.exe | 113
PID 4700 wrote to memory of 728 | 4700 | GAY_JAY.exe | 113
PID 4700 wrote to memory of 1488 | 4700 | GAY_JAY.exe | 114
PID 4700 wrote to memory of 1488 | 4700 | GAY_JAY.exe | 114
PID 4700 wrote to memory of 784 | 4700 | GAY_JAY.exe | 115
PID 4700 wrote to memory of 784 | 4700 | GAY_JAY.exe | 115
PID 4700 wrote to memory of 1304 | 4700 | GAY_JAY.exe | 116
PID 4700 wrote to memory of 1304 | 4700 | GAY_JAY.exe | 116
PID 4700 wrote to memory of 4884 | 4700 | GAY_JAY.exe | 117
PID 4700 wrote to memory of 4884 | 4700 | GAY_JAY.exe | 117
PID 4700 wrote to memory of 4184 | 4700 | GAY_JAY.exe | 118
PID 4700 wrote to memory of 4184 | 4700 | GAY_JAY.exe | 118
Processes
(process tree; indentation shows parent/child depth, PIDs as reported by the sandbox)

C:\Users\Admin\AppData\Local\Temp\GAY_JAY.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\GAY_JAY.exe"
  PID: 4700
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      Command: C:\Windows\system32\cmd.exe /c Color 7
      PID: 3880

    C:\Windows\SYSTEM32\cmd.exe
      Command: cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
      PID: 3508
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\taskkill.exe
          Command: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
          PID: 3772
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SYSTEM32\cmd.exe
      Command: cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
      PID: 2104
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\taskkill.exe
          Command: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
          PID: 3724
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SYSTEM32\cmd.exe
      Command: cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
      PID: 3804
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\taskkill.exe
          Command: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
          PID: 4584
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SYSTEM32\cmd.exe
      Command: cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
      PID: 1720
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\sc.exe
          Command: sc stop HTTPDebuggerPro
          PID: 4348
          - Launches sc.exe

    C:\Windows\SYSTEM32\cmd.exe
      Command: cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
      PID: 4628
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\taskkill.exe
          Command: taskkill /IM HTTPDebuggerSvc.exe /F
          PID: 3756
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SYSTEM32\cmd.exe
      Command: cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
      PID: 2900

    C:\Windows\system32\cmd.exe
      Command: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\GAY_JAY.exe" MD5
      PID: 2880
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\certutil.exe
          Command: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\GAY_JAY.exe" MD5
          PID: 968

    C:\Windows\SYSTEM32\cmd.exe
      Command: cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
      PID: 4056
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\taskkill.exe
          Command: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
          PID: 4632
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SYSTEM32\cmd.exe
      Command: cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
      PID: 4768
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\taskkill.exe
          Command: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
          PID: 4648
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SYSTEM32\cmd.exe
      Command: cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
      PID: 3060
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\taskkill.exe
          Command: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
          PID: 5096
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SYSTEM32\cmd.exe
      Command: cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
      PID: 5088
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\sc.exe
          Command: sc stop HTTPDebuggerPro
          PID: 3560
          - Launches sc.exe

    C:\Windows\SYSTEM32\cmd.exe
      Command: cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
      PID: 4296
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\taskkill.exe
          Command: taskkill /IM HTTPDebuggerSvc.exe /F
          PID: 2904
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SYSTEM32\cmd.exe
      Command: cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
      PID: 116

    C:\Windows\SYSTEM32\cmd.exe
      Command: cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
      PID: 1336

        C:\Windows\system32\taskkill.exe
          Command: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
          PID: 3468
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SYSTEM32\cmd.exe
      Command: cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
      PID: 728

        C:\Windows\system32\taskkill.exe
          Command: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
          PID: 4392
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SYSTEM32\cmd.exe
      Command: cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
      PID: 1488

        C:\Windows\system32\taskkill.exe
          Command: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
          PID: 2396
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SYSTEM32\cmd.exe
      Command: cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
      PID: 784

        C:\Windows\system32\sc.exe
          Command: sc stop HTTPDebuggerPro
          PID: 3668
          - Launches sc.exe

    C:\Windows\SYSTEM32\cmd.exe
      Command: cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
      PID: 1304

        C:\Windows\system32\taskkill.exe
          Command: taskkill /IM HTTPDebuggerSvc.exe /F
          PID: 2236
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SYSTEM32\cmd.exe
      Command: cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
      PID: 4884

    C:\Windows\SYSTEM32\cmd.exe
      Command: cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
      PID: 4184

        C:\Windows\system32\taskkill.exe
          Command: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
          PID: 2500
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SYSTEM32\cmd.exe
      Command: cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
      PID: 3840

        C:\Windows\system32\taskkill.exe
          Command: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
          PID: 2916
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SYSTEM32\cmd.exe
      Command: cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
      PID: 2204

        C:\Windows\system32\taskkill.exe
          Command: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
          PID: 3664
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SYSTEM32\cmd.exe
      Command: cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
      PID: 1456

        C:\Windows\system32\sc.exe
          Command: sc stop HTTPDebuggerPro
          PID: 2148
          - Launches sc.exe

    C:\Windows\SYSTEM32\cmd.exe
      Command: cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
      PID: 1328

        C:\Windows\system32\taskkill.exe
          Command: taskkill /IM HTTPDebuggerSvc.exe /F
          PID: 3340
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SYSTEM32\cmd.exe
      Command: cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
      PID: 3108