Analysis

  • max time kernel
    92s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/11/2024, 17:44

General

  • Target

    3e7ca8ac2382993641497e1ef8befb23c318bc1295bad8ada496bcf80ba9c568.exe

  • Size

    27.7MB

  • MD5

    8070f6374c85c3ef486c86beaa0f0b5c

  • SHA1

    8e901b967e7fc7eee225da66e8ce87e75a9f9a99

  • SHA256

    3e7ca8ac2382993641497e1ef8befb23c318bc1295bad8ada496bcf80ba9c568

  • SHA512

    c01cd91cb5b8ca9b2b97f5778ea3923974734135306966ea07a2265b21fbcb1d858de58af5e13cfba2597340eb9ab7472545de53d063d58b4c7034515f531032

  • SSDEEP

    393216:JtbrFR5f5JWsPSl0l+DmVGauCZsoj3mT/tojNfIDpRfGgtcZq4:bt3WOSClSmVIdoj3w/tojyDDfrcZq

Score
8/10

Malware Config

Signatures

  • Stops running service(s) 4 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Kills process with taskkill 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e7ca8ac2382993641497e1ef8befb23c318bc1295bad8ada496bcf80ba9c568.exe
    "C:\Users\Admin\AppData\Local\Temp\3e7ca8ac2382993641497e1ef8befb23c318bc1295bad8ada496bcf80ba9c568.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4940
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:116
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5008
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:220
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1008
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5056
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:452
      • C:\Windows\system32\sc.exe
        sc stop HTTPDebuggerPro
        3⤵
        • Launches sc.exe
        PID:4752
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2204
      • C:\Windows\system32\taskkill.exe
        taskkill /IM HTTPDebuggerSvc.exe /F
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2240
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
      2⤵
      PID:3660
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile C:\Users\Admin\AppData\Local\Temp\3e7ca8ac2382993641497e1ef8befb23c318bc1295bad8ada496bcf80ba9c568.exe MD5 >> C:\ProgramData\hash.txt
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:968
      • C:\Windows\system32\certutil.exe
        certutil -hashfile C:\Users\Admin\AppData\Local\Temp\3e7ca8ac2382993641497e1ef8befb23c318bc1295bad8ada496bcf80ba9c568.exe MD5
        3⤵
        PID:2324
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1876
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3188
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3896
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:884
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4024
      • C:\Windows\system32\sc.exe
        sc stop HTTPDebuggerPro
        3⤵
        • Launches sc.exe
        PID:4796
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4612
      • C:\Windows\system32\taskkill.exe
        taskkill /IM HTTPDebuggerSvc.exe /F
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4008
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
      2⤵
      PID:4592
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4816
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3332
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:740
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5104
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3628
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4728
      • C:\Windows\system32\sc.exe
        sc stop HTTPDebuggerPro
        3⤵
        • Launches sc.exe
        PID:1572
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
      2⤵
      PID:796
      • C:\Windows\system32\taskkill.exe
        taskkill /IM HTTPDebuggerSvc.exe /F
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4028
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
      2⤵
      PID:1528

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\hash.txt

    Filesize

    204B

    MD5

    7bbeb007675fe4e51c27199a023c270f

    SHA1

    7304b55851bbb0054e2d0466884c814c47beee85

    SHA256

    be8c908987686d250623fb122ea794477affe1efcdfc1440dee8609a8946412f

    SHA512

    84f05a42d758d2fcf66c4405810580f3f2f65add0dca75e63871f87606af0e023b96709a5d712e372f87fb8ce4d1057686c7eb43e948663687ce0669af679f13

  • memory/4940-0-0x00007FF63F9F7000-0x00007FF640A4A000-memory.dmp

    Filesize

    16.3MB

  • memory/4940-2-0x00007FFA1DB80000-0x00007FFA1DB82000-memory.dmp

    Filesize

    8KB

  • memory/4940-1-0x00007FFA1DB70000-0x00007FFA1DB72000-memory.dmp

    Filesize

    8KB

  • memory/4940-7-0x00007FF63F8D0000-0x00007FF6425F7000-memory.dmp

    Filesize

    45.2MB

  • memory/4940-10-0x00007FF63F9F7000-0x00007FF640A4A000-memory.dmp

    Filesize

    16.3MB

  • memory/4940-11-0x00007FF63F8D0000-0x00007FF6425F7000-memory.dmp

    Filesize

    45.2MB