Overview

overview

8

Static

static

7

Lowez Exte...ol.exe

windows7-x64

7

Lowez Exte...ol.exe

windows10-2004-x64

7

Lowez Exte...al.exe

windows7-x64

8

Lowez Exte...al.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-06-2024 03:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Lowez External/Lowez External/2. Cheat/Lowez External.exe

  • Size

    714KB

  • MD5

    8fddd1e31a5d782f4ee47a6de32e69eb

  • SHA1

    a961f0ff83d6b13ebfb82a103ff217f62bff9830

  • SHA256

    1e060cd7e39930b5d872e4edb4854d4c29a72a6262da052014176abbb8a98deb

  • SHA512

    575535bace7ef646405d55a08986a3e86bdb80e9cbb6235e0b5db12aa6dfc8a7f25f7625902ff4f35f0510bf86f9f9253456334311a8ae7c74bfc5a2742578a5

  • SSDEEP

    6144:QV+n+Zr3hlHXOE9kskcEWFg69qnhpCIcp1H52FZi5kKWld3s9QGlO1ZDvdQlTzI3:Q6QHXwZWh9qnhpDc1X+Xr38k1ZDvgT1

Score
8/10
persistence

Malware Config

Signatures

  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Lowez External\Lowez External\2. Cheat\Lowez External.exe
    "C:\Users\Admin\AppData\Local\Temp\Lowez External\Lowez External\2. Cheat\Lowez External.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4184
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
        PID:2488
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        2⤵
          PID:1244
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c cls
          2⤵
            PID:2404
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\kdmapper.exe C:\Users\driver.sys
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4352
            • C:\Users\kdmapper.exe
              C:\Users\kdmapper.exe C:\Users\driver.sys
              3⤵
              • Sets service image path in registry
              • Executes dropped EXE
              • Suspicious behavior: LoadsDriver
              • Suspicious use of AdjustPrivilegeToken
              PID:2336
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c cls
            2⤵
              PID:3652
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c cls
              2⤵
                PID:5012
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c cls
                2⤵
                  PID:4692

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\kdmapper.exe
                Filesize

                140KB

                MD5

                ac15ff5be766b5819ea274d0eb6a37f4

                SHA1

                7de774980c521edc03d701a9090dc033393ef479

                SHA256

                98d3fd9e34b866769899f0d419e9480c792315d0dfc8e5c429655f085a529e97

                SHA512

                31506c1fb56f5e5f0dbae72d5d86443628b0f2a46d93edd955ff0f634759d0e828b6ac149e71078f4cf304ac9f7af11609406bebea6625796f3127b69fbfceee

                Download Submit