Overview

overview

5

Static

static

3

BadwareFree.exe

windows7-x64

5

BadwareFree.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    7s
  • max time network
    4s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/08/2024, 20:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BadwareFree.exe

  • Size

    7.2MB

  • MD5

    6ec04fa24f0695f286801366108942f3

  • SHA1

    309ee6a08c8ab0159dc3137865b6cfeb9f3e4e04

  • SHA256

    ae27243a53f4c399aeb6bb39e67fa79f8378d51ef6b4fef9263791ec1acb6e78

  • SHA512

    d835f387bb19b353f58eb72a94c2b32857826f3f1322c7b5be253a6dc3b2c6a9cf4cd0340ab001df74092899346bd0e4d1dfa8c5c8d77a2893b418311103a6b5

  • SSDEEP

    98304:cMYzS+CQQ4vBmVK0Psj6+qU483Aj9urJBSzrAhzZVT6e3JKPfjV4ZTNy6oeZ2gCc:KS4qKsW80FIryV4fZo0/

Score
5/10

Malware Config

Signatures

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Kills process with taskkill 25 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BadwareFree.exe
    "C:\Users\Admin\AppData\Local\Temp\BadwareFree.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4760
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c color 04
      2⤵
        PID:4176
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im epicgameslauncher.exe >nul 2>&1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2192
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im epicgameslauncher.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:852
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        2⤵
          PID:2420
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c cls
          2⤵
            PID:4616
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c cls
            2⤵
              PID:2128
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4860
              • C:\Windows\system32\taskkill.exe
                taskkill /f /im KsDumperClient.exe
                3⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2372
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2900
              • C:\Windows\system32\taskkill.exe
                taskkill /f /im KsDumper.exe
                3⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:332
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1012
              • C:\Windows\system32\taskkill.exe
                taskkill /f /im HTTPDebuggerUI.exe
                3⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2920
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2524
              • C:\Windows\system32\taskkill.exe
                taskkill /f /im HTTPDebuggerSvc.exe
                3⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4800
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:3224
              • C:\Windows\system32\taskkill.exe
                taskkill /f /im ProcessHacker.exe
                3⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3972
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4932
              • C:\Windows\system32\taskkill.exe
                taskkill /f /im idaq.exe
                3⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1232
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1416
              • C:\Windows\system32\taskkill.exe
                taskkill /f /im idaq64.exe
                3⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:5092
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4780
              • C:\Windows\system32\taskkill.exe
                taskkill /f /im Wireshark.exe
                3⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1448
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2768
              • C:\Windows\system32\taskkill.exe
                taskkill /f /im Fiddler.exe
                3⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3640
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:3984
              • C:\Windows\system32\taskkill.exe
                taskkill /f /im FiddlerEverywhere.exe
                3⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4480
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:3428
              • C:\Windows\system32\taskkill.exe
                taskkill /f /im Xenos64.exe
                3⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1296
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2964
              • C:\Windows\system32\taskkill.exe
                taskkill /f /im Xenos.exe
                3⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2544
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4680
              • C:\Windows\system32\taskkill.exe
                taskkill /f /im Xenos32.exe
                3⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2732
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
              2⤵
                PID:1372
                • C:\Windows\system32\taskkill.exe
                  taskkill /f /im de4dot.exe
                  3⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1088
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
                2⤵
                  PID:4144
                  • C:\Windows\system32\taskkill.exe
                    taskkill /f /im Cheat Engine.exe
                    3⤵
                    • Kills process with taskkill
                    PID:1328
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
                  2⤵
                    PID:3248
                    • C:\Windows\system32\taskkill.exe
                      taskkill /f /im cheatengine-x86_64.exe
                      3⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4308
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
                    2⤵
                      PID:1920
                      • C:\Windows\system32\taskkill.exe
                        taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
                        3⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3892
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
                      2⤵
                        PID:3320
                        • C:\Windows\system32\taskkill.exe
                          taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
                          3⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2032
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
                        2⤵
                          PID:4652
                          • C:\Windows\system32\taskkill.exe
                            taskkill /f /im MugenJinFuu-i386.exe
                            3⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3660
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
                          2⤵
                            PID:2812
                            • C:\Windows\system32\taskkill.exe
                              taskkill /f /im cheatengine-x86_64.exe
                              3⤵
                              • Kills process with taskkill
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2984
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
                            2⤵
                              PID:3484
                              • C:\Windows\system32\taskkill.exe
                                taskkill /f /im cheatengine-i386.exe
                                3⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3400
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
                              2⤵
                                PID:4840
                                • C:\Windows\system32\taskkill.exe
                                  taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
                                  3⤵
                                  • Kills process with taskkill
                                  PID:1336
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
                                2⤵
                                  PID:1056
                                  • C:\Windows\system32\taskkill.exe
                                    taskkill /f /im KsDumper.exe
                                    3⤵
                                    • Kills process with taskkill
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3520
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
                                  2⤵
                                    PID:4124
                                    • C:\Windows\system32\taskkill.exe
                                      taskkill /f /im OllyDbg.exe
                                      3⤵
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:528

                                Network

                                MITRE ATT&CK Matrix

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • memory/4760-0-0x00007FFCE8910000-0x00007FFCE8912000-memory.dmp

                                  Filesize

                                  8KB

                                  Download

                                • memory/4760-3-0x000000014041E000-0x0000000140865000-memory.dmp

                                  Filesize

                                  4.3MB

                                  Download

                                • memory/4760-4-0x0000000140000000-0x0000000140F9C000-memory.dmp

                                  Filesize

                                  15.6MB

                                  Download