ab47f2c37d0612239214050393cff3f26715448550ead7c3180fe2c842df19e4

General

Target

bd14b92bfd8976bc8528871c2e97050f.exe
Size

24KB
MD5

bd14b92bfd8976bc8528871c2e97050f
SHA1

9c06a197eb80eed6b1b86095e1e147c5090dfd44
SHA256

ab47f2c37d0612239214050393cff3f26715448550ead7c3180fe2c842df19e4
SHA512

8338fec73010f0f8912a85fae80b57a6c0629b52d3cf66e6208fa076330cfb8ed4b330923833a13b0865bb36975316c315add8f087a3f814898923754c9c2051

Score

10^/10

Malware Config

Signatures

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\309422838211151	1064238325.exe
File created	C:\Windows\17342891224295\svchost.exe	bd14b92bfd8976bc8528871c2e97050f.exe
File opened for modification	C:\Windows\17342891224295\svchost.exe	bd14b92bfd8976bc8528871c2e97050f.exe
File opened for modification	C:\Windows\17342891224295	bd14b92bfd8976bc8528871c2e97050f.exe
File created	C:\Windows\309422838211151\svchost.exe	1064238325.exe
File opened for modification	C:\Windows\309422838211151\svchost.exe	1064238325.exe

Adds Run entry to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\Windows\\17342891224295\\svchost.exe"	bd14b92bfd8976bc8528871c2e97050f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\Windows\\17342891224295\\svchost.exe"	bd14b92bfd8976bc8528871c2e97050f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\Windows\\309422838211151\\svchost.exe"	1064238325.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\Windows\\309422838211151\\svchost.exe"	1064238325.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	svchost.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	svchost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 3936	3880	bd14b92bfd8976bc8528871c2e97050f.exe	67
PID 3880 wrote to memory of 3936	3880	bd14b92bfd8976bc8528871c2e97050f.exe	67
PID 3880 wrote to memory of 3936	3880	bd14b92bfd8976bc8528871c2e97050f.exe	67
PID 3936 wrote to memory of 2400	3936	svchost.exe	68
PID 3936 wrote to memory of 2400	3936	svchost.exe	68
PID 3936 wrote to memory of 2400	3936	svchost.exe	68
PID 3936 wrote to memory of 772	3936	svchost.exe	69
PID 3936 wrote to memory of 772	3936	svchost.exe	69
PID 3936 wrote to memory of 772	3936	svchost.exe	69
PID 3936 wrote to memory of 2832	3936	svchost.exe	70
PID 3936 wrote to memory of 2832	3936	svchost.exe	70
PID 3936 wrote to memory of 2832	3936	svchost.exe	70
PID 2400 wrote to memory of 740	2400	1064238325.exe	71
PID 2400 wrote to memory of 740	2400	1064238325.exe	71
PID 2400 wrote to memory of 740	2400	1064238325.exe	71
PID 740 wrote to memory of 540	740	svchost.exe	72
PID 740 wrote to memory of 540	740	svchost.exe	72
PID 740 wrote to memory of 540	740	svchost.exe	72
PID 740 wrote to memory of 640	740	svchost.exe	73
PID 740 wrote to memory of 640	740	svchost.exe	73
PID 740 wrote to memory of 640	740	svchost.exe	73
PID 740 wrote to memory of 852	740	svchost.exe	74
PID 740 wrote to memory of 852	740	svchost.exe	74
PID 740 wrote to memory of 852	740	svchost.exe	74

Executes dropped EXE 8 IoCs

pid	Process
3936	svchost.exe
2400	1064238325.exe
772	1214915354.exe
2832	3019026222.exe
740	svchost.exe
540	3816512527.exe
640	1229921608.exe
852	2746131558.exe

C:\Users\Admin\AppData\Local\Temp\bd14b92bfd8976bc8528871c2e97050f.exe
"C:\Users\Admin\AppData\Local\Temp\bd14b92bfd8976bc8528871c2e97050f.exe"
1⤵
- Drops file in Windows directory
- Adds Run entry to start application
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Windows\17342891224295\svchost.exe
  C:\Windows\17342891224295\svchost.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Windows security bypass
  - Windows security modification
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE
  PID:3936
- - C:\Users\Admin\AppData\Local\Temp\1064238325.exe
    C:\Users\Admin\AppData\Local\Temp\1064238325.exe
    3⤵
    - Drops file in Windows directory
    - Adds Run entry to start application
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    PID:2400
  - - C:\Windows\309422838211151\svchost.exe
      C:\Windows\309422838211151\svchost.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Windows security bypass
      Windows security modification
      Suspicious use of WriteProcessMemory
      Executes dropped EXE
      PID:740
    - - C:\Users\Admin\AppData\Local\Temp\3816512527.exe
        
        C:\Users\Admin\AppData\Local\Temp\3816512527.exe
        5⤵
        Executes dropped EXE
        
        PID:540
    - - C:\Users\Admin\AppData\Local\Temp\1229921608.exe
        
        C:\Users\Admin\AppData\Local\Temp\1229921608.exe
        5⤵
        Executes dropped EXE
        
        PID:640
    - - C:\Users\Admin\AppData\Local\Temp\2746131558.exe
        
        C:\Users\Admin\AppData\Local\Temp\2746131558.exe
        5⤵
        Executes dropped EXE
        
        PID:852
- - C:\Users\Admin\AppData\Local\Temp\1214915354.exe
    C:\Users\Admin\AppData\Local\Temp\1214915354.exe
    3⤵
    - Executes dropped EXE
    PID:772
- - C:\Users\Admin\AppData\Local\Temp\3019026222.exe
    C:\Users\Admin\AppData\Local\Temp\3019026222.exe
    3⤵
    - Executes dropped EXE
    PID:2832