f77744f36fab5f4abb3ae0cf2bfade543ec90472bcdef6508bddf38493fa6873

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15/09/2024, 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mw3Chair.exe
Size

93.8MB
MD5

2dfdda495ef398f421af9821ec5bd6fb
SHA1

7bc7a0716e47064842c2616a2fe1a5a6c4ebaf24
SHA256

f77744f36fab5f4abb3ae0cf2bfade543ec90472bcdef6508bddf38493fa6873
SHA512

1c2af9e84ef2cbe0949e02e3e62cb0a178c53e05260ba0887888e7ff78adcc13d60f0ac4b444a1d3733ef462249b96be17c04d211c08e5dcbd6d42fd5673e508
SSDEEP

1572864:509tMO8gn6D68Uzusf2nhqQVGNgV2UIsVHBfgxXW5snXOyi4oLmm0GTjuME7:pTgOizfeR6gV2Vy4xXW5sXOPAxMjuMW

Score

8^/10

discovery evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 3 IoCs

pid	Process
2700	rr.exe
2732	CORTEX.exe
2880	rr.exe

Loads dropped DLL 6 IoCs

pid	Process
2700	rr.exe
2700	rr.exe
2172	Mw3Chair.exe
2700	rr.exe
2700	rr.exe
2880	rr.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2360	sc.exe
2028	sc.exe
2344	sc.exe
2844	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rr.exe

Kills process with taskkill 16 IoCs

evasion

pid	Process
2764	taskkill.exe
2804	taskkill.exe
108	taskkill.exe
2404	taskkill.exe
2640	taskkill.exe
2888	taskkill.exe
2728	taskkill.exe
1624	taskkill.exe
2772	taskkill.exe
484	taskkill.exe
2496	taskkill.exe
2168	taskkill.exe
1764	taskkill.exe
764	taskkill.exe
1692	taskkill.exe
2900	taskkill.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2732	CORTEX.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2700	rr.exe
Token: SeDebugPrivilege	1692	taskkill.exe
Token: SeDebugPrivilege	2404	taskkill.exe
Token: SeDebugPrivilege	764	taskkill.exe
Token: SeDebugPrivilege	2640	taskkill.exe
Token: SeDebugPrivilege	2888	taskkill.exe
Token: SeDebugPrivilege	2764	taskkill.exe
Token: SeDebugPrivilege	2900	taskkill.exe
Token: SeDebugPrivilege	484	taskkill.exe
Token: SeDebugPrivilege	2496	taskkill.exe
Token: SeDebugPrivilege	2168	taskkill.exe
Token: SeDebugPrivilege	1764	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	108	taskkill.exe
Token: SeDebugPrivilege	2804	taskkill.exe
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeDebugPrivilege	2772	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2700	2172	Mw3Chair.exe	31
PID 2172 wrote to memory of 2700	2172	Mw3Chair.exe	31
PID 2172 wrote to memory of 2700	2172	Mw3Chair.exe	31
PID 2172 wrote to memory of 2700	2172	Mw3Chair.exe	31
PID 2172 wrote to memory of 2732	2172	Mw3Chair.exe	32
PID 2172 wrote to memory of 2732	2172	Mw3Chair.exe	32
PID 2172 wrote to memory of 2732	2172	Mw3Chair.exe	32
PID 2732 wrote to memory of 2584	2732	CORTEX.exe	34
PID 2732 wrote to memory of 2584	2732	CORTEX.exe	34
PID 2732 wrote to memory of 2584	2732	CORTEX.exe	34
PID 2732 wrote to memory of 2620	2732	CORTEX.exe	35
PID 2732 wrote to memory of 2620	2732	CORTEX.exe	35
PID 2732 wrote to memory of 2620	2732	CORTEX.exe	35
PID 2732 wrote to memory of 2644	2732	CORTEX.exe	36
PID 2732 wrote to memory of 2644	2732	CORTEX.exe	36
PID 2732 wrote to memory of 2644	2732	CORTEX.exe	36
PID 2732 wrote to memory of 2692	2732	CORTEX.exe	37
PID 2732 wrote to memory of 2692	2732	CORTEX.exe	37
PID 2732 wrote to memory of 2692	2732	CORTEX.exe	37
PID 2732 wrote to memory of 1196	2732	CORTEX.exe	38
PID 2732 wrote to memory of 1196	2732	CORTEX.exe	38
PID 2732 wrote to memory of 1196	2732	CORTEX.exe	38
PID 2732 wrote to memory of 2132	2732	CORTEX.exe	39
PID 2732 wrote to memory of 2132	2732	CORTEX.exe	39
PID 2732 wrote to memory of 2132	2732	CORTEX.exe	39
PID 2732 wrote to memory of 1776	2732	CORTEX.exe	40
PID 2732 wrote to memory of 1776	2732	CORTEX.exe	40
PID 2732 wrote to memory of 1776	2732	CORTEX.exe	40
PID 2732 wrote to memory of 2616	2732	CORTEX.exe	41
PID 2732 wrote to memory of 2616	2732	CORTEX.exe	41
PID 2732 wrote to memory of 2616	2732	CORTEX.exe	41
PID 2644 wrote to memory of 2404	2644	cmd.exe	42
PID 2644 wrote to memory of 2404	2644	cmd.exe	42
PID 2644 wrote to memory of 2404	2644	cmd.exe	42
PID 1196 wrote to memory of 2360	1196	cmd.exe	43
PID 1196 wrote to memory of 2360	1196	cmd.exe	43
PID 1196 wrote to memory of 2360	1196	cmd.exe	43
PID 2620 wrote to memory of 1692	2620	cmd.exe	44
PID 2620 wrote to memory of 1692	2620	cmd.exe	44
PID 2620 wrote to memory of 1692	2620	cmd.exe	44
PID 2692 wrote to memory of 764	2692	cmd.exe	45
PID 2692 wrote to memory of 764	2692	cmd.exe	45
PID 2692 wrote to memory of 764	2692	cmd.exe	45
PID 2132 wrote to memory of 2640	2132	cmd.exe	46
PID 2132 wrote to memory of 2640	2132	cmd.exe	46
PID 2132 wrote to memory of 2640	2132	cmd.exe	46
PID 2616 wrote to memory of 2928	2616	cmd.exe	47
PID 2616 wrote to memory of 2928	2616	cmd.exe	47
PID 2616 wrote to memory of 2928	2616	cmd.exe	47
PID 2732 wrote to memory of 2760	2732	CORTEX.exe	49
PID 2732 wrote to memory of 2760	2732	CORTEX.exe	49
PID 2732 wrote to memory of 2760	2732	CORTEX.exe	49
PID 2732 wrote to memory of 2836	2732	CORTEX.exe	50
PID 2732 wrote to memory of 2836	2732	CORTEX.exe	50
PID 2732 wrote to memory of 2836	2732	CORTEX.exe	50
PID 2732 wrote to memory of 2752	2732	CORTEX.exe	51
PID 2732 wrote to memory of 2752	2732	CORTEX.exe	51
PID 2732 wrote to memory of 2752	2732	CORTEX.exe	51
PID 2732 wrote to memory of 2872	2732	CORTEX.exe	52
PID 2732 wrote to memory of 2872	2732	CORTEX.exe	52
PID 2732 wrote to memory of 2872	2732	CORTEX.exe	52
PID 2732 wrote to memory of 2948	2732	CORTEX.exe	53
PID 2732 wrote to memory of 2948	2732	CORTEX.exe	53
PID 2732 wrote to memory of 2948	2732	CORTEX.exe	53

C:\Users\Admin\AppData\Local\Temp\Mw3Chair.exe
"C:\Users\Admin\AppData\Local\Temp\Mw3Chair.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Roaming\rr.exe
  "C:\Users\Admin\AppData\Roaming\rr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\2m5QK1WcLEvcRZNvUwDhvm0yekH\rr.exe
    C:\Users\Admin\AppData\Local\Temp\2m5QK1WcLEvcRZNvUwDhvm0yekH\rr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2880
- C:\Users\Admin\AppData\Roaming\CORTEX.exe
  "C:\Users\Admin\AppData\Roaming\CORTEX.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Color 4
    3⤵
    PID:2584
- - C:\Windows\system32\cmd.exe
    cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1692
- - C:\Windows\system32\cmd.exe
    cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2404
- - C:\Windows\system32\cmd.exe
    cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:764
- - C:\Windows\system32\cmd.exe
    cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1196
  - - C:\Windows\system32\sc.exe
      sc stop HTTPDebuggerPro
      4⤵
      Launches sc.exe
      PID:2360
- - C:\Windows\system32\cmd.exe
    cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM HTTPDebuggerSvc.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2640
- - C:\Windows\system32\cmd.exe
    cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
    3⤵
    PID:1776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Roaming\CORTEX.exe" MD5
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Users\Admin\AppData\Roaming\CORTEX.exe" MD5
      4⤵
      PID:2928
- - C:\Windows\system32\cmd.exe
    cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2760
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2888
- - C:\Windows\system32\cmd.exe
    cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2836
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:484
- - C:\Windows\system32\cmd.exe
    cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2752
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2900
- - C:\Windows\system32\cmd.exe
    cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    3⤵
    PID:2872
  - - C:\Windows\system32\sc.exe
      sc stop HTTPDebuggerPro
      4⤵
      Launches sc.exe
      PID:2028
- - C:\Windows\system32\cmd.exe
    cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    3⤵
    PID:2948
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM HTTPDebuggerSvc.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2764
- - C:\Windows\system32\cmd.exe
    cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
    3⤵
    PID:2964
- - C:\Windows\system32\cmd.exe
    cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    3⤵
    PID:584
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2496
- - C:\Windows\system32\cmd.exe
    cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    3⤵
    PID:980
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1624
- - C:\Windows\system32\cmd.exe
    cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    PID:984
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2168
- - C:\Windows\system32\cmd.exe
    cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    3⤵
    PID:3052
  - - C:\Windows\system32\sc.exe
      sc stop HTTPDebuggerPro
      4⤵
      Launches sc.exe
      PID:2844
- - C:\Windows\system32\cmd.exe
    cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    3⤵
    PID:2248
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM HTTPDebuggerSvc.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2772
- - C:\Windows\system32\cmd.exe
    cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
    3⤵
    PID:2476
- - C:\Windows\system32\cmd.exe
    cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    3⤵
    PID:1008
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:108
- - C:\Windows\system32\cmd.exe
    cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    3⤵
    PID:1576
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1764
- - C:\Windows\system32\cmd.exe
    cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    PID:560
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2804
- - C:\Windows\system32\cmd.exe
    cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    3⤵
    PID:1640
  - - C:\Windows\system32\sc.exe
      sc stop HTTPDebuggerPro
      4⤵
      Launches sc.exe
      PID:2344
- - C:\Windows\system32\cmd.exe
    cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    3⤵
    PID:2288
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM HTTPDebuggerSvc.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2728
- - C:\Windows\system32\cmd.exe
    cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
    3⤵
    PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2m5QK1WcLEvcRZNvUwDhvm0yekH\ffmpeg.dll

Filesize
2.8MB

MD5
cc00135fe47c2e1e3c2afdae364e343e

SHA1
b6f2edebeae328004537147e4743523f1eba88fe

SHA256
5dad57ea08d8af1e78889e7b9191a0d4cb55e6124a447a8ab352064ca20a200d

SHA512
cbd7392ffb932241eaa3d67e4df7e2fa1163529e46ecf7ed17eb80fe5f36895ed00b39feccbb9966cfaebafba83b576a4f9a17593bb2bb61d8df70703d90b35f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF7F7.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Roaming\CORTEX.exe

Filesize
16.1MB

MD5
66d8819bc195304bf89ff06d186f7806

SHA1
ff1295cba9c2cd3ea0c0fcd1d55d2b8170deddfc

SHA256
13e4c83b9fb05b82bb26dd299d7c3fa38ac829b4d99b33f257a1f680f965938f

SHA512
a5dbf7be3d4cf5c13abf846554147f0bf32c4732b7ed81e9a415b37fc5f5abef97a01f61e744ca24394105451a9addffbd62338283feb9ca83e359728063591b

Download Submit
\Users\Admin\AppData\Local\Temp\nseF7F7.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nseF7F7.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
memory/2172-0-0x000007FEF65E3000-0x000007FEF65E4000-memory.dmp

Filesize
4KB

Download
memory/2172-1-0x0000000000A90000-0x000000000685A000-memory.dmp

Filesize
93.8MB

Download
memory/2732-31-0x000000013FC90000-0x0000000141791000-memory.dmp

Filesize
27.0MB

Download
memory/2732-29-0x0000000077C60000-0x0000000077C62000-memory.dmp

Filesize
8KB

Download
memory/2732-27-0x0000000077C60000-0x0000000077C62000-memory.dmp

Filesize
8KB

Download
memory/2732-25-0x0000000077C60000-0x0000000077C62000-memory.dmp

Filesize
8KB

Download