ab47f2c37d0612239214050393cff3f26715448550ead7c3180fe2c842df19e4

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7v200430
submitted
07/07/2020, 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd14b92bfd8976bc8528871c2e97050f.exe
Size

24KB
MD5

bd14b92bfd8976bc8528871c2e97050f
SHA1

9c06a197eb80eed6b1b86095e1e147c5090dfd44
SHA256

ab47f2c37d0612239214050393cff3f26715448550ead7c3180fe2c842df19e4
SHA512

8338fec73010f0f8912a85fae80b57a6c0629b52d3cf66e6208fa076330cfb8ed4b330923833a13b0865bb36975316c315add8f087a3f814898923754c9c2051

Score

10^/10

persistence evasion trojan

Malware Config

Signatures

Adds Run entry to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\Windows\\26300369911370\\svchost.exe"	1275030570.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\Windows\\26300369911370\\svchost.exe"	1275030570.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\Windows\\56661597113189\\svchost.exe"	bd14b92bfd8976bc8528871c2e97050f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\Windows\\56661597113189\\svchost.exe"	bd14b92bfd8976bc8528871c2e97050f.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	svchost.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	svchost.exe

Loads dropped DLL 8 IoCs

pid	Process
828	bd14b92bfd8976bc8528871c2e97050f.exe
488	svchost.exe
488	svchost.exe
488	svchost.exe
740	1275030570.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 488	828	bd14b92bfd8976bc8528871c2e97050f.exe	24
PID 828 wrote to memory of 488	828	bd14b92bfd8976bc8528871c2e97050f.exe	24
PID 828 wrote to memory of 488	828	bd14b92bfd8976bc8528871c2e97050f.exe	24
PID 828 wrote to memory of 488	828	bd14b92bfd8976bc8528871c2e97050f.exe	24
PID 488 wrote to memory of 740	488	svchost.exe	29
PID 488 wrote to memory of 740	488	svchost.exe	29
PID 488 wrote to memory of 740	488	svchost.exe	29
PID 488 wrote to memory of 740	488	svchost.exe	29
PID 488 wrote to memory of 560	488	svchost.exe	30
PID 488 wrote to memory of 560	488	svchost.exe	30
PID 488 wrote to memory of 560	488	svchost.exe	30
PID 488 wrote to memory of 560	488	svchost.exe	30
PID 488 wrote to memory of 572	488	svchost.exe	31
PID 488 wrote to memory of 572	488	svchost.exe	31
PID 488 wrote to memory of 572	488	svchost.exe	31
PID 488 wrote to memory of 572	488	svchost.exe	31
PID 740 wrote to memory of 1744	740	1275030570.exe	32
PID 740 wrote to memory of 1744	740	1275030570.exe	32
PID 740 wrote to memory of 1744	740	1275030570.exe	32
PID 740 wrote to memory of 1744	740	1275030570.exe	32
PID 1744 wrote to memory of 1932	1744	svchost.exe	33
PID 1744 wrote to memory of 1932	1744	svchost.exe	33
PID 1744 wrote to memory of 1932	1744	svchost.exe	33
PID 1744 wrote to memory of 1932	1744	svchost.exe	33
PID 1744 wrote to memory of 1952	1744	svchost.exe	35
PID 1744 wrote to memory of 1952	1744	svchost.exe	35
PID 1744 wrote to memory of 1952	1744	svchost.exe	35
PID 1744 wrote to memory of 1952	1744	svchost.exe	35
PID 1744 wrote to memory of 1940	1744	svchost.exe	36
PID 1744 wrote to memory of 1940	1744	svchost.exe	36
PID 1744 wrote to memory of 1940	1744	svchost.exe	36
PID 1744 wrote to memory of 1940	1744	svchost.exe	36

Executes dropped EXE 8 IoCs

pid	Process
488	svchost.exe
740	1275030570.exe
560	2527916194.exe
572	1691626585.exe
1744	svchost.exe
1932	1212420959.exe
1952	3085431200.exe
1940	2504211134.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\56661597113189	bd14b92bfd8976bc8528871c2e97050f.exe
File created	C:\Windows\26300369911370\svchost.exe	1275030570.exe
File opened for modification	C:\Windows\26300369911370\svchost.exe	1275030570.exe
File opened for modification	C:\Windows\26300369911370	1275030570.exe
File created	C:\Windows\56661597113189\svchost.exe	bd14b92bfd8976bc8528871c2e97050f.exe
File opened for modification	C:\Windows\56661597113189\svchost.exe	bd14b92bfd8976bc8528871c2e97050f.exe

C:\Users\Admin\AppData\Local\Temp\bd14b92bfd8976bc8528871c2e97050f.exe
"C:\Users\Admin\AppData\Local\Temp\bd14b92bfd8976bc8528871c2e97050f.exe"
1⤵
- Adds Run entry to start application
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- Drops file in Windows directory
PID:828
- C:\Windows\56661597113189\svchost.exe
  C:\Windows\56661597113189\svchost.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Windows security bypass
  - Windows security modification
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE
  PID:488
- - C:\Users\Admin\AppData\Local\Temp\1275030570.exe
    C:\Users\Admin\AppData\Local\Temp\1275030570.exe
    3⤵
    - Adds Run entry to start application
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:740
  - - C:\Windows\26300369911370\svchost.exe
      C:\Windows\26300369911370\svchost.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Windows security bypass
      Windows security modification
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      Executes dropped EXE
      PID:1744
    - - C:\Users\Admin\AppData\Local\Temp\1212420959.exe
        
        C:\Users\Admin\AppData\Local\Temp\1212420959.exe
        5⤵
        Executes dropped EXE
        
        PID:1932
    - - C:\Users\Admin\AppData\Local\Temp\3085431200.exe
        
        C:\Users\Admin\AppData\Local\Temp\3085431200.exe
        5⤵
        Executes dropped EXE
        
        PID:1952
    - - C:\Users\Admin\AppData\Local\Temp\2504211134.exe
        
        C:\Users\Admin\AppData\Local\Temp\2504211134.exe
        5⤵
        Executes dropped EXE
        
        PID:1940
- - C:\Users\Admin\AppData\Local\Temp\2527916194.exe
    C:\Users\Admin\AppData\Local\Temp\2527916194.exe
    3⤵
    - Executes dropped EXE
    PID:560
- - C:\Users\Admin\AppData\Local\Temp\1691626585.exe
    C:\Users\Admin\AppData\Local\Temp\1691626585.exe
    3⤵
    - Executes dropped EXE
    PID:572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads