Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240426-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    01-06-2024 05:37

General

  • Target

    WL1FIKZrIDoFw7XzP7SHK27KGML6JFbu.exe

  • Size

    9.5MB

  • MD5

    e6d512680551588927a4be527845d488

  • SHA1

    1d4c4fe2f8804313e0db9b58bc58414a5117f688

  • SHA256

    9fb32a17637b8291d56b2dfad58469416f146235a37a750587eb1a993063c19d

  • SHA512

    f915a973ce546e7d3a3e61e658f478e8c1d9c2d93377f984efc0dede796762fd923866d62bbf67e48aaa92eafb71555e75c6762406765bfd62ba00e1d342df17

  • SSDEEP

    196608:TnYm6jQF25UTqU6PbYi7SIySIZc6RfS2oZ6i8TBP4J5:TnPeU6r7SrZc6R62sL8d4

Score
8/10

Malware Config

Signatures

  • Stops running service(s) 4 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

    Calling NtSetInformationThread with the ThreadHideFromDebugger information class stops the kernel from delivering debug events for that thread, so an attached debugger no longer sees its breakpoints or single-step exceptions. It is a common anti-debugging check.

  • Launches sc.exe 7 IoCs

    sc.exe is the Windows utility to control services on the system. Here it is used to stop the kernel drivers behind HTTP Debugger (HTTPDebuggerPro, HTTPDebuggerProSdk) and Process Hacker (KProcessHacker1, KProcessHacker2, KProcessHacker3), plus services named wireshark and npf (the WinPcap packet-capture driver).

  • Kills process with taskkill 12 IoCs

    taskkill /FI "IMAGENAME eq <name>*" /IM * /F /T force-terminates every process whose image name matches the wildcard, and its child processes with it (/T). The sample targets Fiddler, Wireshark, rawshark, Charles, Cheat Engine, IDA, HTTP Debugger and Process Hacker.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

The tree below is the sample's anti-analysis routine: it runs SystemSettingsAdminFlows.exe SetInternetTime 1 (the Settings-app flow that toggles automatic Internet time), force-kills analysis tools by image-name wildcard through cmd.exe and taskkill, then stops their kernel drivers with sc.exe. The SetInternetTime call and the taskkill pass for fiddler, wireshark, rawshark and charles are issued a second time (PIDs 3016 onward) before the run ends. All output is discarded with >nul 2>nul, so nothing is visible to the user.

  • C:\Users\Admin\AppData\Local\Temp\WL1FIKZrIDoFw7XzP7SHK27KGML6JFbu.exe
    "C:\Users\Admin\AppData\Local\Temp\WL1FIKZrIDoFw7XzP7SHK27KGML6JFbu.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c SystemSettingsAdminFlows.exe SetInternetTime 1 >nul 2>nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5100
      • C:\Windows\system32\SystemSettingsAdminFlows.exe
        SystemSettingsAdminFlows.exe SetInternetTime 1
        3⤵
          PID:2328
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2152
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3160
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3620
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3284
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4684
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4956
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3932
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2324
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4596
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4268
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2396
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1452
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3952
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4152
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4968
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:3944
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Windows\system32\sc.exe
        sc stop HTTPDebuggerPro
        3⤵
        • Launches sc.exe
        PID:1004
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2252
      • C:\Windows\system32\sc.exe
        sc stop HTTPDebuggerProSdk
        3⤵
        • Launches sc.exe
        PID:4948
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1324
      • C:\Windows\system32\sc.exe
        sc stop KProcessHacker3
        3⤵
        • Launches sc.exe
        PID:1040
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:668
      • C:\Windows\system32\sc.exe
        sc stop KProcessHacker2
        3⤵
        • Launches sc.exe
        PID:2772
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Windows\system32\sc.exe
        sc stop KProcessHacker1
        3⤵
        • Launches sc.exe
        PID:4344
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4888
      • C:\Windows\system32\sc.exe
        sc stop wireshark
        3⤵
        • Launches sc.exe
        PID:5076
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>nul
      2⤵
      PID:688
      • C:\Windows\system32\sc.exe
        sc stop npf
        3⤵
        • Launches sc.exe
        PID:860
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c SystemSettingsAdminFlows.exe SetInternetTime 1 >nul 2>nul
      2⤵
      PID:3016
      • C:\Windows\system32\SystemSettingsAdminFlows.exe
        SystemSettingsAdminFlows.exe SetInternetTime 1
        3⤵
        PID:2608
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>nul
      2⤵
      PID:884
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2256
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>nul
      2⤵
      PID:3076
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2468
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>nul
      2⤵
      PID:760
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4020
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>nul
      2⤵
      PID:2224
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1344
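Detection logic for the routine above, written over process-creation events, as an added example that is not part of the sandbox report. It tags every command line that kills an analysis tool by IMAGENAME wildcard or stops one of the listed drivers with sc.exe, attributes each tag to the root process of the tree, and alerts once a root has accumulated several distinct actions. The sample events are constructed from the command lines in the tree; PIDs 7000 and 7001, their parent 4000 and the notepad/Spooler lines are invented benign activity added to show that ordinary taskkill and sc use does not fire. The tool/service lists and ALERT_THRESHOLD are assumptions to tune for your environment.

```python
"""Flag a process tree that kills analysis tools and stops their drivers.

Added example, not part of the sandbox report. Sample events are constructed
from the report's process tree plus two invented benign events.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Image-name prefixes the sample targets with taskkill (taken from the tree).
ANALYSIS_PROCESS_PREFIXES = (
    "fiddler", "wireshark", "rawshark", "charles",
    "cheatengine", "ida", "httpdebugger", "processhacker",
)
# Services / kernel drivers the sample stops with sc.exe (taken from the tree).
ANALYSIS_SERVICES = {
    "httpdebuggerpro", "httpdebuggerprosdk", "kprocesshacker1",
    "kprocesshacker2", "kprocesshacker3", "wireshark", "npf",
}
# Assumed tuning: distinct anti-analysis actions under one root before alerting.
ALERT_THRESHOLD = 3

_TASKKILL_FILTER = re.compile(r'/FI\s+"IMAGENAME\s+eq\s+([^"]+)"', re.IGNORECASE)
_SC_STOP = re.compile(r"\bsc(?:\.exe)?\s+stop\s+(\S+)", re.IGNORECASE)


@dataclass
class Event:
    pid: int
    ppid: int
    image: str
    cmdline: str


def classify(cmdline: str) -> str | None:
    """Return 'kill:<pattern>' or 'stop:<service>' for anti-analysis lines, else None."""
    m = _TASKKILL_FILTER.search(cmdline)
    if m:
        pattern = m.group(1).strip().lower()
        stem = pattern.rstrip("*")
        if stem.endswith(".exe"):
            stem = stem[:-4]
        if any(stem.startswith(p) for p in ANALYSIS_PROCESS_PREFIXES):
            return f"kill:{pattern}"
        return None            # taskkill of something we do not care about
    m = _SC_STOP.search(cmdline)
    if m and m.group(1).lower() in ANALYSIS_SERVICES:
        return f"stop:{m.group(1).lower()}"
    return None


def root_of(pid: int, parents: dict[int, int]) -> int:
    """Climb the parent chain while the parent is itself a known event."""
    seen = set()
    while pid not in seen and parents.get(pid) in parents:
        seen.add(pid)
        pid = parents[pid]
    return pid


def anti_analysis_actions(events: list[Event]) -> dict[int, list[str]]:
    """Distinct anti-analysis tags per root process, in first-seen order."""
    parents = {e.pid: e.ppid for e in events}
    hits: dict[int, list[str]] = defaultdict(list)
    for e in events:
        tag = classify(e.cmdline)
        if tag is not None:
            root = root_of(e.pid, parents)
            if tag not in hits[root]:   # cmd.exe wrapper and its child carry the same line
                hits[root].append(tag)
    return dict(hits)


def alerts(events: list[Event]) -> dict[int, list[str]]:
    """Roots whose distinct anti-analysis actions reach ALERT_THRESHOLD."""
    return {r: t for r, t in anti_analysis_actions(events).items() if len(t) >= ALERT_THRESHOLD}


CMD = r"C:\Windows\system32\cmd.exe"
SAMPLE_EVENTS = [  # constructed from the report's tree (PIDs 1888 subtree) + benign extras
    Event(1888, 0, r"C:\Users\Admin\AppData\Local\Temp\WL1FIKZrIDoFw7XzP7SHK27KGML6JFbu.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\WL1FIKZrIDoFw7XzP7SHK27KGML6JFbu.exe"'),
    Event(2108, 1888, CMD, CMD + r' /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>nul'),
    Event(2152, 2108, r"C:\Windows\system32\taskkill.exe", r'taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T'),
    Event(3160, 1888, CMD, CMD + r' /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>nul'),
    Event(3620, 3160, r"C:\Windows\system32\taskkill.exe", r'taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T'),
    Event(2644, 1888, CMD, CMD + r" /c sc stop HTTPDebuggerPro >nul 2>nul"),
    Event(1004, 2644, r"C:\Windows\system32\sc.exe", "sc stop HTTPDebuggerPro"),
    Event(688, 1888, CMD, CMD + r" /c sc stop npf >nul 2>nul"),
    Event(860, 688, r"C:\Windows\system32\sc.exe", "sc stop npf"),
    # invented benign admin activity (assumed PIDs); must not alert
    Event(7000, 4000, CMD, CMD + r" /c taskkill /IM notepad.exe /F"),
    Event(7001, 4000, r"C:\Windows\system32\sc.exe", "sc stop Spooler"),
]

if __name__ == "__main__":
    for root, tags in alerts(SAMPLE_EVENTS).items():
        print(f"root PID {root}: {len(tags)} anti-analysis actions: {', '.join(tags)}")
```

Deduplicating by tag rather than by event is deliberate: each action appears twice in the tree (the cmd.exe /c wrapper and the child it spawns), and the second taskkill pass later in the run repeats the same patterns, so counting raw events would inflate the score without adding evidence.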

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1888-0-0x00007FF602B49000-0x00007FF603338000-memory.dmp

    Filesize

    7.9MB

  • memory/1888-2-0x00007FFAFA3A0000-0x00007FFAFA3A2000-memory.dmp

    Filesize

    8KB

  • memory/1888-1-0x00007FFAFA390000-0x00007FFAFA392000-memory.dmp

    Filesize

    8KB

  • memory/1888-3-0x00007FF602A50000-0x00007FF603CC1000-memory.dmp

    Filesize

    18.4MB

  • memory/1888-5-0x00007FF602A50000-0x00007FF603CC1000-memory.dmp

    Filesize

    18.4MB

  • memory/1888-9-0x00007FF602A50000-0x00007FF603CC1000-memory.dmp

    Filesize

    18.4MB

  • memory/1888-10-0x0000026F679F0000-0x0000026F679F1000-memory.dmp

    Filesize

    4KB

  • memory/1888-13-0x0000026F67A20000-0x0000026F67A21000-memory.dmp

    Filesize

    4KB

  • memory/1888-48-0x00007FF602B49000-0x00007FF603338000-memory.dmp

    Filesize

    7.9MB

  • memory/1888-49-0x00007FF602A50000-0x00007FF603CC1000-memory.dmp

    Filesize

    18.4MB