Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07/09/2024, 21:15
Static task: static1
Behavioral task: behavioral1
Sample: db74b260d63cc46c4b63d0cb939dc770N.exe
Resource: win7-20240903-en
General
Target: db74b260d63cc46c4b63d0cb939dc770N.exe
Size: 247KB
MD5: db74b260d63cc46c4b63d0cb939dc770
SHA1: 475c95d76802dde5e8772782c2e33e87268e52a3
SHA256: 54bbeb56251be2a7f4d223bd310d9a99bec08dfca266108e01dce27c6e63f14c
SHA512: b6795610a536d1f692c872934414980bde6bc8036238d43e49d9e26b1b84f8a9d1839caebadc1dda7db558d2f3f830c260f637521364052f57555be7374b8af8
SSDEEP: 3072:Og9OBT3Be2Q6khQiCCuefXxzk6iGcbPChEdGZFR2obD4CTvek5WNQp0qYutgx9bT:UeC4EwZFoobUk8qp0qpgH
Signatures
Modifies Windows Defender Real-time Protection settings 7 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | db74b260d63cc46c4b63d0cb939dc770N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | db74b260d63cc46c4b63d0cb939dc770N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | db74b260d63cc46c4b63d0cb939dc770N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jzvkkezv.bat
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jzvkkezv.bat
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jzvkkezv.bat
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | db74b260d63cc46c4b63d0cb939dc770N.exe
Deletes itself 1 IoCs
pid Process
2772 cmd.exe
Executes dropped EXE 1 IoCs
pid Process
3064 jzvkkezv.bat
Loads dropped DLL 1 IoCs
pid Process
2268 db74b260d63cc46c4b63d0cb939dc770N.exe
Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | db74b260d63cc46c4b63d0cb939dc770N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | jzvkkezv.bat
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
5 api.ipify.org
6 api.ipify.org
Launches sc.exe 14 IoCs
Sc.exe is a Windows utility used to control services on the system.
pid Process: 2436, 2960, 2792, 1384, 856, 2732, 2148, 2752, 2500, 1904, 2980, 1848, 2228, 1284 (all sc.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe 1 IoCs
pid Process
3024 timeout.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (distinct processes; the raw report repeats these entries to reach 64)
2268 db74b260d63cc46c4b63d0cb939dc770N.exe
3064 jzvkkezv.bat
2020 powershell.exe
976 powershell.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2268 | db74b260d63cc46c4b63d0cb939dc770N.exe
Token: SeDebugPrivilege | 3064 | jzvkkezv.bat
Token: SeSecurityPrivilege | 1324 | wevtutil.exe
Token: SeBackupPrivilege | 1324 | wevtutil.exe
Token: SeDebugPrivilege | 2020 | powershell.exe
Token: SeDebugPrivilege | 976 | powershell.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
(each write is logged three times in the raw report; the 22 distinct writes are listed once)
PID 2268 wrote to memory of 2792 | 2268 | db74b260d63cc46c4b63d0cb939dc770N.exe | 31
PID 2268 wrote to memory of 2752 | 2268 | db74b260d63cc46c4b63d0cb939dc770N.exe | 32
PID 2268 wrote to memory of 3064 | 2268 | db74b260d63cc46c4b63d0cb939dc770N.exe | 35
PID 2268 wrote to memory of 2772 | 2268 | db74b260d63cc46c4b63d0cb939dc770N.exe | 36
PID 3064 wrote to memory of 1384 | 3064 | jzvkkezv.bat | 38
PID 3064 wrote to memory of 2500 | 3064 | jzvkkezv.bat | 39
PID 2772 wrote to memory of 2892 | 2772 | cmd.exe | 42
PID 2772 wrote to memory of 2988 | 2772 | cmd.exe | 43
PID 2772 wrote to memory of 3024 | 2772 | cmd.exe | 44
PID 3064 wrote to memory of 1564 | 3064 | jzvkkezv.bat | 46
PID 1564 wrote to memory of 856 | 1564 | cmd.exe | 48
PID 3064 wrote to memory of 1904 | 3064 | jzvkkezv.bat | 49
PID 2772 wrote to memory of 1656 | 2772 | cmd.exe | 51
PID 2772 wrote to memory of 1324 | 2772 | cmd.exe | 52
PID 3064 wrote to memory of 276 | 3064 | jzvkkezv.bat | 53
PID 3064 wrote to memory of 2732 | 3064 | jzvkkezv.bat | 55
PID 276 wrote to memory of 2436 | 276 | cmd.exe | 57
PID 3064 wrote to memory of 536 | 3064 | jzvkkezv.bat | 58
PID 3064 wrote to memory of 1848 | 3064 | jzvkkezv.bat | 60
PID 536 wrote to memory of 2960 | 536 | cmd.exe | 62
PID 3064 wrote to memory of 2532 | 3064 | jzvkkezv.bat | 63
PID 2532 wrote to memory of 2148 | 2532 | cmd.exe | 65
Views/modifies file attributes 1 TTPs 3 IoCs
pid Process
2892 attrib.exe
1656 attrib.exe
1560 attrib.exe
Processes
(process tree; [N] is the depth in the tree, each entry gives image path, command line, PID and triggered signatures)

[1] C:\Users\Admin\AppData\Local\Temp\db74b260d63cc46c4b63d0cb939dc770N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\db74b260d63cc46c4b63d0cb939dc770N.exe"
    PID: 2268
    - Modifies Windows Defender Real-time Protection settings
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\sc.exe
      Command line: "C:\Windows\System32\sc.exe" config wdfilter start=disabled
      PID: 2792
      - Launches sc.exe
  [2] C:\Windows\System32\sc.exe
      Command line: "C:\Windows\System32\sc.exe" config WerSvc start=disabled
      PID: 2752
      - Launches sc.exe
  [2] C:\Users\Admin\AppData\Local\Temp\jzvkkezv.bat
      Command line: "C:\Users\Admin\AppData\Local\Temp\jzvkkezv.bat" ok
      PID: 3064
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\sc.exe
        Command line: "C:\Windows\System32\sc.exe" config wdfilter start=disabled
        PID: 1384
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe
        Command line: "C:\Windows\System32\sc.exe" config WerSvc start=disabled
        PID: 2500
        - Launches sc.exe
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
        PID: 1564
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\sc.exe
          Command line: sc stop wdfilter
          PID: 856
          - Launches sc.exe
    [3] C:\Windows\System32\sc.exe
        Command line: "C:\Windows\System32\sc.exe" config WinDefend start=disabled
        PID: 1904
        - Launches sc.exe
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c sc stop WerSvc
        PID: 276
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\sc.exe
          Command line: sc stop WerSvc
          PID: 2436
          - Launches sc.exe
    [3] C:\Windows\System32\sc.exe
        Command line: "C:\Windows\System32\sc.exe" config WdNisSvc start=disabled
        PID: 2732
        - Launches sc.exe
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c sc stop WdNisSvc
        PID: 536
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\sc.exe
          Command line: sc stop WdNisSvc
          PID: 2960
          - Launches sc.exe
    [3] C:\Windows\System32\sc.exe
        Command line: "C:\Windows\System32\sc.exe" config XblGameSave start=disabled
        PID: 1848
        - Launches sc.exe
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
        PID: 2532
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\sc.exe
          Command line: sc stop WinDefend
          PID: 2148
          - Launches sc.exe
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c sc stop XblGameSave
        PID: 1992
      [4] C:\Windows\system32\sc.exe
          Command line: sc stop XblGameSave
          PID: 2228
          - Launches sc.exe
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-NetQosPolicy -Name "XXXXX" -AppPathNameMatchCondition "C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe" -ThrottleRateActionBitsPerSecond 8
        PID: 2020
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-NetQosPolicy -Name "YYYYY" -AppPathNameMatchCondition "C:\Program Files (x86)\Common Files\BattlEye\BEService.exe" -ThrottleRateActionBitsPerSecond 8
        PID: 976
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
        PID: 356
      [4] C:\Windows\system32\sc.exe
          Command line: sc stop wdfilter
          PID: 1284
          - Launches sc.exe
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c sc stop faceit
        PID: 1948
      [4] C:\Windows\system32\sc.exe
          Command line: sc stop faceit
          PID: 2980
          - Launches sc.exe
  [2] C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\61243324-94b6-4d5a-8862-d331c2b19942.bat"
      PID: 2772
      - Deletes itself
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\attrib.exe
        Command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\db74b260d63cc46c4b63d0cb939dc770N.exe"
        PID: 2892
        - Views/modifies file attributes
    [3] C:\Windows\system32\reg.exe
        Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "HiberbootEnabled" /t REG_DWORD /d 0 /f
        PID: 2988
    [3] C:\Windows\system32\timeout.exe
        Command line: timeout /T 1
        PID: 3024
        - Delays execution with timeout.exe
    [3] C:\Windows\system32\attrib.exe
        Command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\db74b260d63cc46c4b63d0cb939dc770N.exe"
        PID: 1656
        - Views/modifies file attributes
    [3] C:\Windows\system32\wevtutil.exe
        Command line: wevtutil el
        PID: 1324
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\attrib.exe
        Command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\61243324-94b6-4d5a-8862-d331c2b19942.bat"
        PID: 1560
        - Views/modifies file attributes
Downloads

Filesize: 652B
MD5: d9f7116c8568714a7762320e9cfd813c
SHA1: a2955f47772dc6b97034c3dd01d210c359ea6e67
SHA256: d4c93b6768e80816c8e3a5487d2566d7dba3e6c0fe0958441719e3581e2c9f7c
SHA512: a90ba59c968a4df9643751f3b55daaf1e72f068b826e1507d2b1b7869ea9458c2672a30b10b53646b3df7673a4a473f479bdcfc60c6e329a87a358061346e68b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 3d0e83d81955328142abc1c1472bf7e7
SHA1: 41dcf9560b8a9a894cc2a0c12c8fb6210c95651d
SHA256: 50544c06477b55eee30c905c96a51bce255a1c4f4d2611ffb4ab43c30f4ae6d2
SHA512: 1330313769fbd2ef437160b3666a20c0db4afdc3ecd8d970ea477c6ecd87e4453907b7841a8dbf729e95d4c3184b34e9e5e81b4954f8027f9abba7a645381baf

Filesize: 190B
MD5: cbee423360a1e4119dece52baf150fd5
SHA1: 8a9ff309e532379cb96edcf8281f2e24f18835cd
SHA256: 0a2381a0242f7c4c7bac24f4b067e1cacfe2e74ca692e35b87f02b6511e6799a
SHA512: b1cd02478890a00261213f418fc9daa8a5fbd6234c9c7db100694503d414e76c86673ddf1055e23982eea0403e36e580a5951be07bd7a0af6a35b4e0ef11f9e3

Filesize: 248KB
MD5: ef1cddbd63fe2c9ef4d58cfa2080a7ee
SHA1: 988a3c9c13fde44d9a5dab05802fbcc5a7a7c363
SHA256: 702f662eae282adbc73cb6d6d545fd902d799b243a3179c8e4e6cd7fa0ed034d
SHA512: 4224504464b72e197d83c6cd07e687ff39a5fbfa8c4f9ff6160db09e91fb4c5ebe7cdf54d7a9a154dc565b0f21396a09a932a77ca11e69ab16ef6feb1b54b5ee