519bcced29022f139097cc2c56c9e3489329bb63017f202dd15b5234c2d76d0f

Analysis

max time kernel
70s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AAservices.exe
Size

5.2MB
MD5

b6d4cf90524ad23f23b424d2fc026301
SHA1

4350535f3206ea439d2d320b06eaa0ab9141406e
SHA256

519bcced29022f139097cc2c56c9e3489329bb63017f202dd15b5234c2d76d0f
SHA512

6ccfd3376c47d1dc0615ce54adef257b69398b61c8cd9ec89044150d0c027eb6ee54e8955a34b953b849f935265f846583e30ca414e493f397cbb94446540910
SSDEEP

98304:5v6FYeZ3vFpkRmGWoTxi0wGGzBjryX82uypSb9ndo9JCmVq2q:QFYeZ3vFpkRRdwB3ys2uypSZ4JCEq2q

Score

8^/10

defense_evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2716	sc.exe

Kills process with taskkill 8 IoCs

defense_evasion

pid	Process
4340	taskkill.exe
3600	taskkill.exe
1252	taskkill.exe
3320	taskkill.exe
4704	taskkill.exe
1484	taskkill.exe
3768	taskkill.exe
4156	taskkill.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3600	taskkill.exe
Token: 33	2136	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2136	AUDIODG.EXE
Token: SeDebugPrivilege	1252	taskkill.exe
Token: SeDebugPrivilege	3320	taskkill.exe
Token: SeDebugPrivilege	4704	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	3768	taskkill.exe
Token: SeDebugPrivilege	4156	taskkill.exe
Token: SeDebugPrivilege	4340	taskkill.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 4928	4672	AAservices.exe	88
PID 4672 wrote to memory of 4928	4672	AAservices.exe	88
PID 4672 wrote to memory of 4128	4672	AAservices.exe	89
PID 4672 wrote to memory of 4128	4672	AAservices.exe	89
PID 4672 wrote to memory of 2800	4672	AAservices.exe	90
PID 4672 wrote to memory of 2800	4672	AAservices.exe	90
PID 4128 wrote to memory of 4124	4128	cmd.exe	91
PID 4128 wrote to memory of 4124	4128	cmd.exe	91
PID 4128 wrote to memory of 4184	4128	cmd.exe	92
PID 4128 wrote to memory of 4184	4128	cmd.exe	92
PID 4128 wrote to memory of 644	4128	cmd.exe	93
PID 4128 wrote to memory of 644	4128	cmd.exe	93
PID 2800 wrote to memory of 3600	2800	cmd.exe	94
PID 2800 wrote to memory of 3600	2800	cmd.exe	94
PID 4672 wrote to memory of 4648	4672	AAservices.exe	97
PID 4672 wrote to memory of 4648	4672	AAservices.exe	97
PID 4648 wrote to memory of 1252	4648	cmd.exe	98
PID 4648 wrote to memory of 1252	4648	cmd.exe	98
PID 4672 wrote to memory of 3176	4672	AAservices.exe	99
PID 4672 wrote to memory of 3176	4672	AAservices.exe	99
PID 3176 wrote to memory of 3320	3176	cmd.exe	100
PID 3176 wrote to memory of 3320	3176	cmd.exe	100
PID 4672 wrote to memory of 2112	4672	AAservices.exe	101
PID 4672 wrote to memory of 2112	4672	AAservices.exe	101
PID 2112 wrote to memory of 4704	2112	cmd.exe	102
PID 2112 wrote to memory of 4704	2112	cmd.exe	102
PID 4672 wrote to memory of 5060	4672	AAservices.exe	103
PID 4672 wrote to memory of 5060	4672	AAservices.exe	103
PID 5060 wrote to memory of 1484	5060	cmd.exe	104
PID 5060 wrote to memory of 1484	5060	cmd.exe	104
PID 4672 wrote to memory of 3300	4672	AAservices.exe	105
PID 4672 wrote to memory of 3300	4672	AAservices.exe	105
PID 3300 wrote to memory of 3768	3300	cmd.exe	106
PID 3300 wrote to memory of 3768	3300	cmd.exe	106
PID 4672 wrote to memory of 4876	4672	AAservices.exe	107
PID 4672 wrote to memory of 4876	4672	AAservices.exe	107
PID 4876 wrote to memory of 2716	4876	cmd.exe	108
PID 4876 wrote to memory of 2716	4876	cmd.exe	108
PID 4672 wrote to memory of 1396	4672	AAservices.exe	109
PID 4672 wrote to memory of 1396	4672	AAservices.exe	109
PID 1396 wrote to memory of 4156	1396	cmd.exe	110
PID 1396 wrote to memory of 4156	1396	cmd.exe	110
PID 4672 wrote to memory of 4292	4672	AAservices.exe	111
PID 4672 wrote to memory of 4292	4672	AAservices.exe	111
PID 4292 wrote to memory of 4340	4292	cmd.exe	112
PID 4292 wrote to memory of 4340	4292	cmd.exe	112

C:\Users\Admin\AppData\Local\Temp\AAservices.exe
"C:\Users\Admin\AppData\Local\Temp\AAservices.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color F0
  2⤵
  PID:4928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\AAservices.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\AAservices.exe" MD5
    3⤵
    PID:4124
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:4184
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4292
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4340