f4c722435e2e8428aa5736b768cb0140b09a381e810150b5bf965aaa55ba7e99

Analysis

max time kernel
149s
max time network
139s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
25-07-2024 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PYOhhJc3begnCTC0.exe
Size

16.5MB
MD5

6aaca7d595518426e1e030d77560bbe2
SHA1

021e51122e32976b7e919e96bbcca0c9c4de1553
SHA256

f4c722435e2e8428aa5736b768cb0140b09a381e810150b5bf965aaa55ba7e99
SHA512

e7551c7119e3b4cf7173717666f449ac33129d022fa21cfb206833ef920c15e640ff30dee9dc6617ecb875741fe2e72eece944b739dcd8c79b640f417cf92564
SSDEEP

393216:OzBd2r1utiSDLyjyg5/Y1eoLbAZ4KPBJ7uQpMCpnshWk:8u1utbyjyuY8oLbAZ4KPz7utOG

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1788	PYOhhJc3begnCTC0.exe
1788	PYOhhJc3begnCTC0.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4056	sc.exe
1156	sc.exe
4160	sc.exe
652	sc.exe
4020	sc.exe
3612	sc.exe
3440	sc.exe
764	sc.exe
1404	sc.exe
4552	sc.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1788	PYOhhJc3begnCTC0.exe
1788	PYOhhJc3begnCTC0.exe
1788	PYOhhJc3begnCTC0.exe
1788	PYOhhJc3begnCTC0.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
636	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	taskmgr.exe
Token: SeSystemProfilePrivilege	2748	taskmgr.exe
Token: SeCreateGlobalPrivilege	2748	taskmgr.exe
Token: 33	2748	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2748	taskmgr.exe
Token: SeDebugPrivilege	4272	taskmgr.exe
Token: SeSystemProfilePrivilege	4272	taskmgr.exe
Token: SeCreateGlobalPrivilege	4272	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe
4272	taskmgr.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 1408	1788	PYOhhJc3begnCTC0.exe	74
PID 1788 wrote to memory of 1408	1788	PYOhhJc3begnCTC0.exe	74
PID 1408 wrote to memory of 3612	1408	cmd.exe	75
PID 1408 wrote to memory of 3612	1408	cmd.exe	75
PID 1788 wrote to memory of 4740	1788	PYOhhJc3begnCTC0.exe	76
PID 1788 wrote to memory of 4740	1788	PYOhhJc3begnCTC0.exe	76
PID 4740 wrote to memory of 3440	4740	cmd.exe	77
PID 4740 wrote to memory of 3440	4740	cmd.exe	77
PID 1788 wrote to memory of 3352	1788	PYOhhJc3begnCTC0.exe	78
PID 1788 wrote to memory of 3352	1788	PYOhhJc3begnCTC0.exe	78
PID 3352 wrote to memory of 764	3352	cmd.exe	79
PID 3352 wrote to memory of 764	3352	cmd.exe	79
PID 1788 wrote to memory of 1460	1788	PYOhhJc3begnCTC0.exe	80
PID 1788 wrote to memory of 1460	1788	PYOhhJc3begnCTC0.exe	80
PID 1460 wrote to memory of 4056	1460	cmd.exe	81
PID 1460 wrote to memory of 4056	1460	cmd.exe	81
PID 1788 wrote to memory of 320	1788	PYOhhJc3begnCTC0.exe	82
PID 1788 wrote to memory of 320	1788	PYOhhJc3begnCTC0.exe	82
PID 320 wrote to memory of 1156	320	cmd.exe	83
PID 320 wrote to memory of 1156	320	cmd.exe	83
PID 1788 wrote to memory of 884	1788	PYOhhJc3begnCTC0.exe	84
PID 1788 wrote to memory of 884	1788	PYOhhJc3begnCTC0.exe	84
PID 884 wrote to memory of 4160	884	cmd.exe	85
PID 884 wrote to memory of 4160	884	cmd.exe	85
PID 1788 wrote to memory of 4288	1788	PYOhhJc3begnCTC0.exe	86
PID 1788 wrote to memory of 4288	1788	PYOhhJc3begnCTC0.exe	86
PID 4288 wrote to memory of 4552	4288	cmd.exe	87
PID 4288 wrote to memory of 4552	4288	cmd.exe	87
PID 1788 wrote to memory of 4844	1788	PYOhhJc3begnCTC0.exe	88
PID 1788 wrote to memory of 4844	1788	PYOhhJc3begnCTC0.exe	88
PID 4844 wrote to memory of 652	4844	cmd.exe	89
PID 4844 wrote to memory of 652	4844	cmd.exe	89
PID 1788 wrote to memory of 3028	1788	PYOhhJc3begnCTC0.exe	90
PID 1788 wrote to memory of 3028	1788	PYOhhJc3begnCTC0.exe	90
PID 3028 wrote to memory of 4020	3028	cmd.exe	91
PID 3028 wrote to memory of 4020	3028	cmd.exe	91
PID 1788 wrote to memory of 2880	1788	PYOhhJc3begnCTC0.exe	92
PID 1788 wrote to memory of 2880	1788	PYOhhJc3begnCTC0.exe	92
PID 2880 wrote to memory of 1404	2880	cmd.exe	93
PID 2880 wrote to memory of 1404	2880	cmd.exe	93
PID 1788 wrote to memory of 5100	1788	PYOhhJc3begnCTC0.exe	94
PID 1788 wrote to memory of 5100	1788	PYOhhJc3begnCTC0.exe	94

C:\Users\Admin\AppData\Local\Temp\PYOhhJc3begnCTC0.exe
"C:\Users\Admin\AppData\Local\Temp\PYOhhJc3begnCTC0.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop faceit > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\system32\sc.exe
    sc stop faceit
    3⤵
    - Launches sc.exe
    PID:3612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop bedaisy > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\system32\sc.exe
    sc stop bedaisy
    3⤵
    - Launches sc.exe
    PID:3440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop vgk > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3352
- - C:\Windows\system32\sc.exe
    sc stop vgk
    3⤵
    - Launches sc.exe
    PID:764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop easyanticheat > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\system32\sc.exe
    sc stop easyanticheat
    3⤵
    - Launches sc.exe
    PID:4056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop aurum > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\system32\sc.exe
    sc stop aurum
    3⤵
    - Launches sc.exe
    PID:1156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop mracdrv > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\system32\sc.exe
    sc stop mracdrv
    3⤵
    - Launches sc.exe
    PID:4160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop eseadriver > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\system32\sc.exe
    sc stop eseadriver
    3⤵
    - Launches sc.exe
    PID:4552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop esportaldriver > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\system32\sc.exe
    sc stop esportaldriver
    3⤵
    - Launches sc.exe
    PID:652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop mhyprot2 > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\system32\sc.exe
    sc stop mhyprot2
    3⤵
    - Launches sc.exe
    PID:4020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop mhyprot > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\system32\sc.exe
    sc stop mhyprot
    3⤵
    - Launches sc.exe
    PID:1404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:5100

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2748

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\715946058.pri

Filesize
171KB

MD5
30ec43ce86e297c1ee42df6209f5b18f

SHA1
fe0a5ea6566502081cb23b2f0e91a3ab166aeed6

SHA256
8ccddf0c77743a42067782bc7782321330406a752f58fb15fb1cd446e1ef0ee4

SHA512
19e5a7197a92eeef0482142cfe0fb46f16ddfb5bf6d64e372e7258fa6d01cf9a1fac9f7258fd2fd73c0f8a064b8d79b51a1ec6d29bbb9b04cdbd926352388bae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\2290032291.pri

Filesize
2KB

MD5
b8da5aac926bbaec818b15f56bb5d7f6

SHA1
2b5bf97cd59e82c7ea96c31cf9998fbbf4884dc5

SHA256
5be5216ae1d0aed64986299528f4d4fe629067d5f4097b8e4b9d1c6bcf4f3086

SHA512
c39a28d58fb03f4f491bf9122a86a5cbe7677ec2856cf588f6263fa1f84f9ffc1e21b9bcaa60d290356f9018fb84375db532c8b678cf95cc0a2cc6ed8da89436

Download Submit
memory/1788-0-0x00007FFC43EB0000-0x00007FFC4408B000-memory.dmp

Filesize
1.9MB

Download
memory/1788-1-0x00007FFC44090000-0x00007FFC44092000-memory.dmp

Filesize
8KB

Download
memory/1788-3-0x0000000140000000-0x0000000141EA3000-memory.dmp

Filesize
30.6MB

Download
memory/1788-5-0x0000000140000000-0x0000000141EA3000-memory.dmp

Filesize
30.6MB

Download
memory/1788-8-0x00007FFC43EB0000-0x00007FFC4408B000-memory.dmp

Filesize
1.9MB

Download