6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2

Analysis

max time kernel
120s
max time network
115s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 06:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe
Size

260KB
MD5

58242207e2efafb7d64d7b223a0ca3e0
SHA1

fcfb258cd07ff53e14272065c2e59fda1a8e88a2
SHA256

6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2
SHA512

6fb34149f11a1fc620b10ec292d38c600c3f09e2bd01ea6aa25c93243ea687ff3625ac599a67727560c6fd87812fd59dd220d8c8dd031f73d3d3084fa026e982
SSDEEP

3072:Og9OBT3Be2Q6khQiCCuefXxzk6iGcbPChEdGZFR2obD4CTvek5WNQp0qYutgxbGE:UeC4EwZFoobUk8qp0qpgwE

Score

10^/10

evasion execution trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q0f3zhhj.bat
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q0f3zhhj.bat
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q0f3zhhj.bat

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
2508	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2632	q0f3zhhj.bat

Loads dropped DLL 1 IoCs

pid	Process
1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	q0f3zhhj.bat

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	api.ipify.org
9	api.ipify.org

Launches sc.exe 22 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1972	sc.exe
2392	sc.exe
2764	sc.exe
2708	sc.exe
2524	sc.exe
2648	sc.exe
2672	sc.exe
2428	sc.exe
2060	sc.exe
1760	sc.exe
2876	sc.exe
1512	sc.exe
3008	sc.exe
2980	sc.exe
1296	sc.exe
1704	sc.exe
1772	sc.exe
1852	sc.exe
1508	sc.exe
2432	sc.exe
848	sc.exe
1716	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2232	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe
1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe
1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe
1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe
1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
716	powershell.exe
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
792	powershell.exe
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat
2632	q0f3zhhj.bat

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe
Token: SeDebugPrivilege	2632	q0f3zhhj.bat
Token: SeSecurityPrivilege	1792	wevtutil.exe
Token: SeBackupPrivilege	1792	wevtutil.exe
Token: SeDebugPrivilege	716	powershell.exe
Token: SeDebugPrivilege	792	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 2432	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	28
PID 1032 wrote to memory of 2432	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	28
PID 1032 wrote to memory of 2432	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	28
PID 1032 wrote to memory of 2428	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	29
PID 1032 wrote to memory of 2428	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	29
PID 1032 wrote to memory of 2428	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	29
PID 1032 wrote to memory of 2952	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	32
PID 1032 wrote to memory of 2952	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	32
PID 1032 wrote to memory of 2952	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	32
PID 1032 wrote to memory of 3008	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	34
PID 1032 wrote to memory of 3008	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	34
PID 1032 wrote to memory of 3008	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	34
PID 2952 wrote to memory of 2060	2952	cmd.exe	36
PID 2952 wrote to memory of 2060	2952	cmd.exe	36
PID 2952 wrote to memory of 2060	2952	cmd.exe	36
PID 1032 wrote to memory of 908	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	37
PID 1032 wrote to memory of 908	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	37
PID 1032 wrote to memory of 908	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	37
PID 1032 wrote to memory of 2980	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	39
PID 1032 wrote to memory of 2980	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	39
PID 1032 wrote to memory of 2980	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	39
PID 908 wrote to memory of 1760	908	cmd.exe	41
PID 908 wrote to memory of 1760	908	cmd.exe	41
PID 908 wrote to memory of 1760	908	cmd.exe	41
PID 1032 wrote to memory of 2624	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	42
PID 1032 wrote to memory of 2624	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	42
PID 1032 wrote to memory of 2624	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	42
PID 1032 wrote to memory of 2652	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	43
PID 1032 wrote to memory of 2652	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	43
PID 1032 wrote to memory of 2652	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	43
PID 1032 wrote to memory of 2648	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	46
PID 1032 wrote to memory of 2648	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	46
PID 1032 wrote to memory of 2648	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	46
PID 2624 wrote to memory of 2764	2624	cmd.exe	48
PID 2624 wrote to memory of 2764	2624	cmd.exe	48
PID 2624 wrote to memory of 2764	2624	cmd.exe	48
PID 2652 wrote to memory of 2708	2652	cmd.exe	49
PID 2652 wrote to memory of 2708	2652	cmd.exe	49
PID 2652 wrote to memory of 2708	2652	cmd.exe	49
PID 1032 wrote to memory of 2612	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	50
PID 1032 wrote to memory of 2612	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	50
PID 1032 wrote to memory of 2612	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	50
PID 2612 wrote to memory of 2524	2612	cmd.exe	52
PID 2612 wrote to memory of 2524	2612	cmd.exe	52
PID 2612 wrote to memory of 2524	2612	cmd.exe	52
PID 1032 wrote to memory of 2632	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	53
PID 1032 wrote to memory of 2632	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	53
PID 1032 wrote to memory of 2632	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	53
PID 1032 wrote to memory of 2508	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	54
PID 1032 wrote to memory of 2508	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	54
PID 1032 wrote to memory of 2508	1032	6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe	54
PID 2632 wrote to memory of 1296	2632	q0f3zhhj.bat	56
PID 2632 wrote to memory of 1296	2632	q0f3zhhj.bat	56
PID 2632 wrote to memory of 1296	2632	q0f3zhhj.bat	56
PID 2632 wrote to memory of 848	2632	q0f3zhhj.bat	57
PID 2632 wrote to memory of 848	2632	q0f3zhhj.bat	57
PID 2632 wrote to memory of 848	2632	q0f3zhhj.bat	57
PID 2508 wrote to memory of 2020	2508	cmd.exe	60
PID 2508 wrote to memory of 2020	2508	cmd.exe	60
PID 2508 wrote to memory of 2020	2508	cmd.exe	60
PID 2508 wrote to memory of 640	2508	cmd.exe	61
PID 2508 wrote to memory of 640	2508	cmd.exe	61
PID 2508 wrote to memory of 640	2508	cmd.exe	61
PID 2508 wrote to memory of 2232	2508	cmd.exe	62

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2020	attrib.exe
1812	attrib.exe
1092	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe
"C:\Users\Admin\AppData\Local\Temp\6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config wdfilter start=disabled
  2⤵
  - Launches sc.exe
  PID:2432
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config WerSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:2428
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\system32\sc.exe
    sc stop wdfilter
    3⤵
    - Launches sc.exe
    PID:2060
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config WinDefend start=disabled
  2⤵
  - Launches sc.exe
  PID:3008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop WerSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\system32\sc.exe
    sc stop WerSvc
    3⤵
    - Launches sc.exe
    PID:1760
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config WdNisSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:2980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\system32\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    PID:2764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop WdNisSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\system32\sc.exe
    sc stop WdNisSvc
    3⤵
    - Launches sc.exe
    PID:2708
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config XblGameSave start=disabled
  2⤵
  - Launches sc.exe
  PID:2648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop XblGameSave
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\system32\sc.exe
    sc stop XblGameSave
    3⤵
    - Launches sc.exe
    PID:2524
- C:\Users\Admin\AppData\Local\Temp\q0f3zhhj.bat
  "C:\Users\Admin\AppData\Local\Temp\q0f3zhhj.bat" ok
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config wdfilter start=disabled
    3⤵
    - Launches sc.exe
    PID:1296
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config WerSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:848
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
    3⤵
    PID:864
  - - C:\Windows\system32\sc.exe
      sc stop wdfilter
      4⤵
      Launches sc.exe
      PID:1704
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config WinDefend start=disabled
    3⤵
    - Launches sc.exe
    PID:1716
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop WerSvc
    3⤵
    PID:1952
  - - C:\Windows\system32\sc.exe
      sc stop WerSvc
      4⤵
      Launches sc.exe
      PID:1772
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config WdNisSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:1972
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
    3⤵
    PID:2484
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:1852
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop WdNisSvc
    3⤵
    PID:2824
  - - C:\Windows\system32\sc.exe
      sc stop WdNisSvc
      4⤵
      Launches sc.exe
      PID:2392
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config XblGameSave start=disabled
    3⤵
    - Launches sc.exe
    PID:2876
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop XblGameSave
    3⤵
    PID:2816
  - - C:\Windows\system32\sc.exe
      sc stop XblGameSave
      4⤵
      Launches sc.exe
      PID:2672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-NetQosPolicy -Name "XXXXX" -AppPathNameMatchCondition "C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe" -ThrottleRateActionBitsPerSecond 8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-NetQosPolicy -Name "YYYYY" -AppPathNameMatchCondition "C:\Program Files (x86)\Common Files\BattlEye\BEService.exe" -ThrottleRateActionBitsPerSecond 8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:792
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
    3⤵
    PID:568
  - - C:\Windows\system32\sc.exe
      sc stop wdfilter
      4⤵
      Launches sc.exe
      PID:1508
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop faceit
    3⤵
    PID:2144
  - - C:\Windows\system32\sc.exe
      sc stop faceit
      4⤵
      Launches sc.exe
      PID:1512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\545e9a3c-01d4-43a6-b718-bf7a3e182751.bat"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe"
    3⤵
    - Views/modifies file attributes
    PID:2020
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "HiberbootEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:640
- - C:\Windows\system32\timeout.exe
    timeout /T 1
    3⤵
    - Delays execution with timeout.exe
    PID:2232
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\6ffb332800c279d3352ea0d6b2d3aef6d16fc0124c1a1ec011d365c378c0b0a2N.exe"
    3⤵
    - Views/modifies file attributes
    PID:1812
- - C:\Windows\system32\wevtutil.exe
    wevtutil el
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1792
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\545e9a3c-01d4-43a6-b718-bf7a3e182751.bat"
    3⤵
    - Views/modifies file attributes
    PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\545e9a3c-01d4-43a6-b718-bf7a3e182751.bat

Filesize
780B

MD5
591f5c3353df2f0bd6692ce6b5aca5a6

SHA1
d1e8a8a5b8c817726654416a6af87cf294c5dc63

SHA256
7466732fa5fc1f31425e78045b2fd62dd6e0093d1d90f2aff41b062bcd95ddd3

SHA512
cc1cd1dbf00c4ddc2afd4ecbbcead9184b41d8dd9dda2666887d1d5cc056d0c9b2d5259a98179382037196d958712a838a3569f2c41e573796296b1fcb475056

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
70cfe1de1b2713916f54030507780833

SHA1
ed0e042913b8db35a537ec251aff3d1b999b49e5

SHA256
4a6229e74f887c4d0f4c87db9f539641313cfeb2ac8ef4e3796c5e111729a1f2

SHA512
876acb36aabf17d974a4ac343011d9f46d5208ab57a4c8f1110a4b4462c77a4a68b1515aae98f550228c00653d37569b327abfdd562c42992d6f8037d650d94d

Download Submit
C:\Users\Admin\AppData\Roaming\spf\unknown.log

Filesize
263B

MD5
968ca639a12b2ec960fa209500e8069c

SHA1
52b722540c783f896c86a5713216c873f352757d

SHA256
db16f79ffff557685d4ab62724bd7ebbea4c85444973143103972964a7b249b2

SHA512
27914d19e5f3488b2c9e0bc023005f41a66f66da58bdb27a2498703e3f78e23e4acd9b1010a58b3be4dfb15bde3fb564b1f600f9afaa2791b58b7feeebadce4d

Download Submit
\Users\Admin\AppData\Local\Temp\q0f3zhhj.bat

Filesize
260KB

MD5
52f1943dfbe12e94daed3626063d2f0b

SHA1
810670f2b12935c1e88120d0c7f651439de50f55

SHA256
0af0d1a166cb836699e6122b848224092c1900a5a0a60396831883825a50a5ef

SHA512
6415e3ae4c221c292b153e76ed42a2a0b85fca33922dd4cc450bb82df671fb1e98296f96bc72f3a3ab8bc831b348de7a8ee7712ed6c96806f6067fa3deaf45a1

Download Submit
memory/716-29-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/716-28-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/792-35-0x000000001B480000-0x000000001B762000-memory.dmp

Filesize
2.9MB

Download
memory/792-36-0x0000000002820000-0x0000000002828000-memory.dmp

Filesize
32KB

Download
memory/1032-17-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/1032-2-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/1032-0-0x000007FEF5C43000-0x000007FEF5C44000-memory.dmp

Filesize
4KB

Download
memory/1032-1-0x000000013F220000-0x000000013F25E000-memory.dmp

Filesize
248KB

Download
memory/2632-18-0x000000013EDB0000-0x000000013EDEE000-memory.dmp

Filesize
248KB

Download