Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/09/2024, 21:15

General

  • Target
    db74b260d63cc46c4b63d0cb939dc770N.exe
  • Size
    247KB
  • MD5
    db74b260d63cc46c4b63d0cb939dc770
  • SHA1
    475c95d76802dde5e8772782c2e33e87268e52a3
  • SHA256
    54bbeb56251be2a7f4d223bd310d9a99bec08dfca266108e01dce27c6e63f14c
  • SHA512
    b6795610a536d1f692c872934414980bde6bc8036238d43e49d9e26b1b84f8a9d1839caebadc1dda7db558d2f3f830c260f637521364052f57555be7374b8af8
  • SSDEEP
    3072:Og9OBT3Be2Q6khQiCCuefXxzk6iGcbPChEdGZFR2obD4CTvek5WNQp0qYutgx9bT:UeC4EwZFoobUk8qp0qpgH

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
  • Stops running service(s) 4 TTPs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db74b260d63cc46c4b63d0cb939dc770N.exe
    "C:\Users\Admin\AppData\Local\Temp\db74b260d63cc46c4b63d0cb939dc770N.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Loads dropped DLL
    • Windows security modification
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config wdfilter start=disabled
      2⤵
      • Launches sc.exe
      PID:2792
    • C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config WerSvc start=disabled
      2⤵
      • Launches sc.exe
      PID:2752
    • C:\Users\Admin\AppData\Local\Temp\jzvkkezv.bat
      "C:\Users\Admin\AppData\Local\Temp\jzvkkezv.bat" ok
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Windows\System32\sc.exe
        "C:\Windows\System32\sc.exe" config wdfilter start=disabled
        3⤵
        • Launches sc.exe
        PID:1384
      • C:\Windows\System32\sc.exe
        "C:\Windows\System32\sc.exe" config WerSvc start=disabled
        3⤵
        • Launches sc.exe
        PID:2500
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1564
        • C:\Windows\system32\sc.exe
          sc stop wdfilter
          4⤵
          • Launches sc.exe
          PID:856
      • C:\Windows\System32\sc.exe
        "C:\Windows\System32\sc.exe" config WinDefend start=disabled
        3⤵
        • Launches sc.exe
        PID:1904
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c sc stop WerSvc
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:276
        • C:\Windows\system32\sc.exe
          sc stop WerSvc
          4⤵
          • Launches sc.exe
          PID:2436
      • C:\Windows\System32\sc.exe
        "C:\Windows\System32\sc.exe" config WdNisSvc start=disabled
        3⤵
        • Launches sc.exe
        PID:2732
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c sc stop WdNisSvc
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:536
        • C:\Windows\system32\sc.exe
          sc stop WdNisSvc
          4⤵
          • Launches sc.exe
          PID:2960
      • C:\Windows\System32\sc.exe
        "C:\Windows\System32\sc.exe" config XblGameSave start=disabled
        3⤵
        • Launches sc.exe
        PID:1848
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2532
        • C:\Windows\system32\sc.exe
          sc stop WinDefend
          4⤵
          • Launches sc.exe
          PID:2148
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c sc stop XblGameSave
        3⤵
        PID:1992
        • C:\Windows\system32\sc.exe
          sc stop XblGameSave
          4⤵
          • Launches sc.exe
          PID:2228
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-NetQosPolicy -Name "XXXXX" -AppPathNameMatchCondition "C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe" -ThrottleRateActionBitsPerSecond 8
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2020
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-NetQosPolicy -Name "YYYYY" -AppPathNameMatchCondition "C:\Program Files (x86)\Common Files\BattlEye\BEService.exe" -ThrottleRateActionBitsPerSecond 8
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:976
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
        3⤵
        PID:356
        • C:\Windows\system32\sc.exe
          sc stop wdfilter
          4⤵
          • Launches sc.exe
          PID:1284
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c sc stop faceit
        3⤵
        PID:1948
        • C:\Windows\system32\sc.exe
          sc stop faceit
          4⤵
          • Launches sc.exe
          PID:2980
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\61243324-94b6-4d5a-8862-d331c2b19942.bat"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Windows\system32\attrib.exe
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\db74b260d63cc46c4b63d0cb939dc770N.exe"
        3⤵
        • Views/modifies file attributes
        PID:2892
      • C:\Windows\system32\reg.exe
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "HiberbootEnabled" /t REG_DWORD /d 0 /f
        3⤵
        PID:2988
      • C:\Windows\system32\timeout.exe
        timeout /T 1
        3⤵
        • Delays execution with timeout.exe
        PID:3024
      • C:\Windows\system32\attrib.exe
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\db74b260d63cc46c4b63d0cb939dc770N.exe"
        3⤵
        • Views/modifies file attributes
        PID:1656
      • C:\Windows\system32\wevtutil.exe
        wevtutil el
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1324
      • C:\Windows\system32\attrib.exe
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\61243324-94b6-4d5a-8862-d331c2b19942.bat"
        3⤵
        • Views/modifies file attributes
        PID:1560

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\61243324-94b6-4d5a-8862-d331c2b19942.bat
    Filesize
      652B
    MD5
      d9f7116c8568714a7762320e9cfd813c
    SHA1
      a2955f47772dc6b97034c3dd01d210c359ea6e67
    SHA256
      d4c93b6768e80816c8e3a5487d2566d7dba3e6c0fe0958441719e3581e2c9f7c
    SHA512
      a90ba59c968a4df9643751f3b55daaf1e72f068b826e1507d2b1b7869ea9458c2672a30b10b53646b3df7673a4a473f479bdcfc60c6e329a87a358061346e68b
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize
      7KB
    MD5
      3d0e83d81955328142abc1c1472bf7e7
    SHA1
      41dcf9560b8a9a894cc2a0c12c8fb6210c95651d
    SHA256
      50544c06477b55eee30c905c96a51bce255a1c4f4d2611ffb4ab43c30f4ae6d2
    SHA512
      1330313769fbd2ef437160b3666a20c0db4afdc3ecd8d970ea477c6ecd87e4453907b7841a8dbf729e95d4c3184b34e9e5e81b4954f8027f9abba7a645381baf
  • C:\Users\Admin\AppData\Roaming\spf\unknown.log
    Filesize
      190B
    MD5
      cbee423360a1e4119dece52baf150fd5
    SHA1
      8a9ff309e532379cb96edcf8281f2e24f18835cd
    SHA256
      0a2381a0242f7c4c7bac24f4b067e1cacfe2e74ca692e35b87f02b6511e6799a
    SHA512
      b1cd02478890a00261213f418fc9daa8a5fbd6234c9c7db100694503d414e76c86673ddf1055e23982eea0403e36e580a5951be07bd7a0af6a35b4e0ef11f9e3
  • \Users\Admin\AppData\Local\Temp\jzvkkezv.bat
    Filesize
      248KB
    MD5
      ef1cddbd63fe2c9ef4d58cfa2080a7ee
    SHA1
      988a3c9c13fde44d9a5dab05802fbcc5a7a7c363
    SHA256
      702f662eae282adbc73cb6d6d545fd902d799b243a3179c8e4e6cd7fa0ed034d
    SHA512
      4224504464b72e197d83c6cd07e687ff39a5fbfa8c4f9ff6160db09e91fb4c5ebe7cdf54d7a9a154dc565b0f21396a09a932a77ca11e69ab16ef6feb1b54b5ee
  • memory/976-35-0x000000001B790000-0x000000001BA72000-memory.dmp
    Filesize
      2.9MB
  • memory/976-36-0x00000000004E0000-0x00000000004E8000-memory.dmp
    Filesize
      32KB
  • memory/2020-28-0x000000001B5B0000-0x000000001B892000-memory.dmp
    Filesize
      2.9MB
  • memory/2020-29-0x0000000002970000-0x0000000002978000-memory.dmp
    Filesize
      32KB
  • memory/2268-0-0x000007FEF5EB3000-0x000007FEF5EB4000-memory.dmp
    Filesize
      4KB
  • memory/2268-18-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp
    Filesize
      9.9MB
  • memory/2268-2-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp
    Filesize
      9.9MB
  • memory/2268-1-0x000000013F470000-0x000000013F4AE000-memory.dmp
    Filesize
      248KB
  • memory/3064-17-0x000000013F130000-0x000000013F16E000-memory.dmp
    Filesize
      248KB