6f777a706c9b00fa1c089edbaad8d079dfa5148a4604655a6fc7058a34a1adc8

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nyxplayerbeta.exe
Size

5.5MB
MD5

346ce564ab0255d0d9274deeec42fb26
SHA1

d33f8685a75b0d4f19621bd938826b30a0c8f935
SHA256

3d6b975962e9cac43df3f97cb3244fb30783e4fcbd2a97499f44f9b77628bc48
SHA512

3c60907bb94839ecd97247d0128b89a62005f47bcae56753101b382dbc9cdffd2f8307ea4ff25a311bbf4f25aba39e4d4b1b2219722986cbcf772bfeb90b359b
SSDEEP

98304:FZ31/NG5kOb1ixlP1IOYes9n+HLDJOi7G/En2Z6Ftl:nF/EkNlPOOYes9IhRnO6

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3016	nyxplayerbeta.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2676	sc.exe
3056	sc.exe

Kills process with taskkill 10 IoCs

evasion

pid	Process
2740	taskkill.exe
2716	taskkill.exe
1744	taskkill.exe
1956	taskkill.exe
2856	taskkill.exe
604	taskkill.exe
784	taskkill.exe
2836	taskkill.exe
2872	taskkill.exe
1248	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3016	nyxplayerbeta.exe
3016	nyxplayerbeta.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	taskkill.exe
Token: SeDebugPrivilege	2872	taskkill.exe
Token: SeDebugPrivilege	2740	taskkill.exe
Token: SeDebugPrivilege	2716	taskkill.exe
Token: SeDebugPrivilege	1744	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	1248	taskkill.exe
Token: SeDebugPrivilege	2856	taskkill.exe
Token: SeDebugPrivilege	604	taskkill.exe
Token: SeDebugPrivilege	784	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2744	3016	nyxplayerbeta.exe	31
PID 3016 wrote to memory of 2744	3016	nyxplayerbeta.exe	31
PID 3016 wrote to memory of 2744	3016	nyxplayerbeta.exe	31
PID 3016 wrote to memory of 2708	3016	nyxplayerbeta.exe	32
PID 3016 wrote to memory of 2708	3016	nyxplayerbeta.exe	32
PID 3016 wrote to memory of 2708	3016	nyxplayerbeta.exe	32
PID 2744 wrote to memory of 2836	2744	cmd.exe	33
PID 2744 wrote to memory of 2836	2744	cmd.exe	33
PID 2744 wrote to memory of 2836	2744	cmd.exe	33
PID 2708 wrote to memory of 2872	2708	cmd.exe	34
PID 2708 wrote to memory of 2872	2708	cmd.exe	34
PID 2708 wrote to memory of 2872	2708	cmd.exe	34
PID 3016 wrote to memory of 2640	3016	nyxplayerbeta.exe	36
PID 3016 wrote to memory of 2640	3016	nyxplayerbeta.exe	36
PID 3016 wrote to memory of 2640	3016	nyxplayerbeta.exe	36
PID 2640 wrote to memory of 2740	2640	cmd.exe	37
PID 2640 wrote to memory of 2740	2640	cmd.exe	37
PID 2640 wrote to memory of 2740	2640	cmd.exe	37
PID 3016 wrote to memory of 2656	3016	nyxplayerbeta.exe	38
PID 3016 wrote to memory of 2656	3016	nyxplayerbeta.exe	38
PID 3016 wrote to memory of 2656	3016	nyxplayerbeta.exe	38
PID 2656 wrote to memory of 2716	2656	cmd.exe	39
PID 2656 wrote to memory of 2716	2656	cmd.exe	39
PID 2656 wrote to memory of 2716	2656	cmd.exe	39
PID 3016 wrote to memory of 2632	3016	nyxplayerbeta.exe	40
PID 3016 wrote to memory of 2632	3016	nyxplayerbeta.exe	40
PID 3016 wrote to memory of 2632	3016	nyxplayerbeta.exe	40
PID 3016 wrote to memory of 2668	3016	nyxplayerbeta.exe	41
PID 3016 wrote to memory of 2668	3016	nyxplayerbeta.exe	41
PID 3016 wrote to memory of 2668	3016	nyxplayerbeta.exe	41
PID 2668 wrote to memory of 2676	2668	cmd.exe	42
PID 2668 wrote to memory of 2676	2668	cmd.exe	42
PID 2668 wrote to memory of 2676	2668	cmd.exe	42
PID 2632 wrote to memory of 3056	2632	cmd.exe	43
PID 2632 wrote to memory of 3056	2632	cmd.exe	43
PID 2632 wrote to memory of 3056	2632	cmd.exe	43
PID 3016 wrote to memory of 3064	3016	nyxplayerbeta.exe	44
PID 3016 wrote to memory of 3064	3016	nyxplayerbeta.exe	44
PID 3016 wrote to memory of 3064	3016	nyxplayerbeta.exe	44
PID 3064 wrote to memory of 1744	3064	cmd.exe	45
PID 3064 wrote to memory of 1744	3064	cmd.exe	45
PID 3064 wrote to memory of 1744	3064	cmd.exe	45
PID 3016 wrote to memory of 1448	3016	nyxplayerbeta.exe	46
PID 3016 wrote to memory of 1448	3016	nyxplayerbeta.exe	46
PID 3016 wrote to memory of 1448	3016	nyxplayerbeta.exe	46
PID 1448 wrote to memory of 1956	1448	cmd.exe	47
PID 1448 wrote to memory of 1956	1448	cmd.exe	47
PID 1448 wrote to memory of 1956	1448	cmd.exe	47
PID 3016 wrote to memory of 2672	3016	nyxplayerbeta.exe	48
PID 3016 wrote to memory of 2672	3016	nyxplayerbeta.exe	48
PID 3016 wrote to memory of 2672	3016	nyxplayerbeta.exe	48
PID 3016 wrote to memory of 1036	3016	nyxplayerbeta.exe	49
PID 3016 wrote to memory of 1036	3016	nyxplayerbeta.exe	49
PID 3016 wrote to memory of 1036	3016	nyxplayerbeta.exe	49
PID 1036 wrote to memory of 2856	1036	cmd.exe	50
PID 1036 wrote to memory of 2856	1036	cmd.exe	50
PID 1036 wrote to memory of 2856	1036	cmd.exe	50
PID 2672 wrote to memory of 1248	2672	cmd.exe	51
PID 2672 wrote to memory of 1248	2672	cmd.exe	51
PID 2672 wrote to memory of 1248	2672	cmd.exe	51
PID 3016 wrote to memory of 536	3016	nyxplayerbeta.exe	52
PID 3016 wrote to memory of 536	3016	nyxplayerbeta.exe	52
PID 3016 wrote to memory of 536	3016	nyxplayerbeta.exe	52
PID 3016 wrote to memory of 588	3016	nyxplayerbeta.exe	53

C:\Users\Admin\AppData\Local\Temp\nyxplayerbeta.exe
"C:\Users\Admin\AppData\Local\Temp\nyxplayerbeta.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:536
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:588
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3016-0-0x00000001401CE000-0x0000000140505000-memory.dmp

Filesize
3.2MB

Download
memory/3016-1-0x0000000077800000-0x0000000077802000-memory.dmp

Filesize
8KB

Download
memory/3016-3-0x0000000077800000-0x0000000077802000-memory.dmp

Filesize
8KB

Download
memory/3016-5-0x0000000077800000-0x0000000077802000-memory.dmp

Filesize
8KB

Download
memory/3016-10-0x0000000077820000-0x0000000077822000-memory.dmp

Filesize
8KB

Download
memory/3016-8-0x0000000077820000-0x0000000077822000-memory.dmp

Filesize
8KB

Download
memory/3016-6-0x0000000077820000-0x0000000077822000-memory.dmp

Filesize
8KB

Download
memory/3016-11-0x0000000140000000-0x0000000140A89000-memory.dmp

Filesize
10.5MB

Download
memory/3016-15-0x00000001401CE000-0x0000000140505000-memory.dmp

Filesize
3.2MB

Download
memory/3016-16-0x0000000140000000-0x0000000140A89000-memory.dmp

Filesize
10.5MB

Download