67f0cd25528f378ab2c18b1397de0627f14ca17ae15439d99873d6cb79cc5727

General

Target

TT.exe
Size

24KB
MD5

31823aba37e4612f84e00a36615982d2
SHA1

9d3d1aac3aa20fcba8e62316c7202226325c7601
SHA256

abec75c995b6bac05ca3aa49002dedb12a4fc7194e93f814f3edbb996d9cfa7a
SHA512

06dfc45e33b2f90437711ede586412dba3838f2f9b79020d8846a11838879f418a9089d2d555cd8772895f9ff446f3a015d9c279ae5b5f0e28402373e229959f

Score

10^/10

evasion trojan

Malware Config

Signatures

Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\b65393e3-f01f-4787-9dde-33eed69914b7\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\b65393e3-f01f-4787-9dde-33eed69914b7\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\b65393e3-f01f-4787-9dde-33eed69914b7\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\6e746a8d-1cc5-40cc-b057-05eaf4750f30\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\6e746a8d-1cc5-40cc-b057-05eaf4750f30\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\6e746a8d-1cc5-40cc-b057-05eaf4750f30\AdvancedRun.exe	Nirsoft

Executes dropped EXE 4 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe

pid process

776 AdvancedRun.exe
1504 AdvancedRun.exe
3548 AdvancedRun.exe
3164 AdvancedRun.exe

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

TT.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	TT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	TT.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	TT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	TT.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	TT.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	TT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	TT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	TT.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\TT.exe = "0"	TT.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	TT.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

TT.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TT.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TT.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exeAdvancedRun.exeAdvancedRun.exe

pid	process
776	AdvancedRun.exe
776	AdvancedRun.exe
776	AdvancedRun.exe
776	AdvancedRun.exe
1504	AdvancedRun.exe
1504	AdvancedRun.exe
1504	AdvancedRun.exe
1504	AdvancedRun.exe
1124	powershell.exe
4064	powershell.exe
3548	AdvancedRun.exe
3548	AdvancedRun.exe
3548	AdvancedRun.exe
3548	AdvancedRun.exe
4064	powershell.exe
1124	powershell.exe
3164	AdvancedRun.exe
3164	AdvancedRun.exe
3164	AdvancedRun.exe
3164	AdvancedRun.exe
4064	powershell.exe
1124	powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

TT.exeAdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exeAdvancedRun.exeAdvancedRun.exe

description	pid	process
Token: SeDebugPrivilege	3884	TT.exe
Token: SeDebugPrivilege	776	AdvancedRun.exe
Token: SeImpersonatePrivilege	776	AdvancedRun.exe
Token: SeDebugPrivilege	1504	AdvancedRun.exe
Token: SeImpersonatePrivilege	1504	AdvancedRun.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	4064	powershell.exe
Token: SeDebugPrivilege	3548	AdvancedRun.exe
Token: SeImpersonatePrivilege	3548	AdvancedRun.exe
Token: SeDebugPrivilege	3164	AdvancedRun.exe
Token: SeImpersonatePrivilege	3164	AdvancedRun.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

TT.exeAdvancedRun.exeAdvancedRun.exe

description	pid	process	target process
PID 3884 wrote to memory of 776	3884	TT.exe	AdvancedRun.exe
PID 3884 wrote to memory of 776	3884	TT.exe	AdvancedRun.exe
PID 3884 wrote to memory of 776	3884	TT.exe	AdvancedRun.exe
PID 776 wrote to memory of 1504	776	AdvancedRun.exe	AdvancedRun.exe
PID 776 wrote to memory of 1504	776	AdvancedRun.exe	AdvancedRun.exe
PID 776 wrote to memory of 1504	776	AdvancedRun.exe	AdvancedRun.exe
PID 3884 wrote to memory of 4064	3884	TT.exe	powershell.exe
PID 3884 wrote to memory of 4064	3884	TT.exe	powershell.exe
PID 3884 wrote to memory of 4064	3884	TT.exe	powershell.exe
PID 3884 wrote to memory of 1124	3884	TT.exe	powershell.exe
PID 3884 wrote to memory of 1124	3884	TT.exe	powershell.exe
PID 3884 wrote to memory of 1124	3884	TT.exe	powershell.exe
PID 3884 wrote to memory of 3548	3884	TT.exe	AdvancedRun.exe
PID 3884 wrote to memory of 3548	3884	TT.exe	AdvancedRun.exe
PID 3884 wrote to memory of 3548	3884	TT.exe	AdvancedRun.exe
PID 3548 wrote to memory of 3164	3548	AdvancedRun.exe	AdvancedRun.exe
PID 3548 wrote to memory of 3164	3548	AdvancedRun.exe	AdvancedRun.exe
PID 3548 wrote to memory of 3164	3548	AdvancedRun.exe	AdvancedRun.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

TT.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" TT.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TT.exe

C:\Users\Admin\AppData\Local\Temp\TT.exe
"C:\Users\Admin\AppData\Local\Temp\TT.exe"
1⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3884

C:\Users\Admin\AppData\Local\Temp\b65393e3-f01f-4787-9dde-33eed69914b7\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\b65393e3-f01f-4787-9dde-33eed69914b7\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\b65393e3-f01f-4787-9dde-33eed69914b7\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Admin\AppData\Local\Temp\b65393e3-f01f-4787-9dde-33eed69914b7\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\b65393e3-f01f-4787-9dde-33eed69914b7\AdvancedRun.exe" /SpecialRun 4101d8 776
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TT.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TT.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Users\Admin\AppData\Local\Temp\6e746a8d-1cc5-40cc-b057-05eaf4750f30\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\6e746a8d-1cc5-40cc-b057-05eaf4750f30\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\TT.exe" /WindowState ""1"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3548

C:\Users\Admin\AppData\Local\Temp\6e746a8d-1cc5-40cc-b057-05eaf4750f30\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\6e746a8d-1cc5-40cc-b057-05eaf4750f30\AdvancedRun.exe" /SpecialRun 4101d8 3548
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Disabling Security Tools

4

T1089

Modify Registry

5

T1112

Bypass User Account Control

1

T1088

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
04d65b84358bfdfd84fa3b4de1ff12f4

SHA1
367d9c80807b4e2c7d8b23423097307b2086bde6

SHA256
138f3482585e3a2aef80564fcc98e0bc70607d60c53e25903079443fcdaa6f32

SHA512
41317e948c64b2602710efbf2d6e42dd0329e1716ac51739cb134bfab494e910d7a48c44a80bc97fc396b2e2e5411c5f4b8529c472960b814ad53450ee329333

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e746a8d-1cc5-40cc-b057-05eaf4750f30\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e746a8d-1cc5-40cc-b057-05eaf4750f30\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e746a8d-1cc5-40cc-b057-05eaf4750f30\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b65393e3-f01f-4787-9dde-33eed69914b7\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b65393e3-f01f-4787-9dde-33eed69914b7\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b65393e3-f01f-4787-9dde-33eed69914b7\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
memory/776-10-0x0000000000000000-mapping.dmp

Download
memory/1124-34-0x0000000007D90000-0x0000000007D91000-memory.dmp

Filesize
4KB

Download
memory/1124-49-0x0000000009310000-0x0000000009343000-memory.dmp

Filesize
204KB

Download
memory/1124-32-0x0000000007D20000-0x0000000007D21000-memory.dmp

Filesize
4KB

Download
memory/1124-77-0x00000000095B0000-0x00000000095B1000-memory.dmp

Filesize
4KB

Download
memory/1124-16-0x0000000000000000-mapping.dmp

Download
memory/1124-73-0x00000000095C0000-0x00000000095C1000-memory.dmp

Filesize
4KB

Download
memory/1124-71-0x0000000006D63000-0x0000000006D64000-memory.dmp

Filesize
4KB

Download
memory/1124-65-0x00000000092F0000-0x00000000092F1000-memory.dmp

Filesize
4KB

Download
memory/1124-54-0x000000007F470000-0x000000007F471000-memory.dmp

Filesize
4KB

Download
memory/1124-19-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/1124-30-0x00000000079D0000-0x00000000079D1000-memory.dmp

Filesize
4KB

Download
memory/1124-28-0x00000000071B0000-0x00000000071B1000-memory.dmp

Filesize
4KB

Download
memory/1124-26-0x0000000006D60000-0x0000000006D61000-memory.dmp

Filesize
4KB

Download
memory/1124-27-0x0000000006D62000-0x0000000006D63000-memory.dmp

Filesize
4KB

Download
memory/1504-13-0x0000000000000000-mapping.dmp

Download
memory/3164-39-0x0000000000000000-mapping.dmp

Download
memory/3548-36-0x0000000000000000-mapping.dmp

Download
memory/3884-5-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/3884-7-0x0000000005C60000-0x0000000005D03000-memory.dmp

Filesize
652KB

Download
memory/3884-3-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/3884-2-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/3884-20-0x00000000085A0000-0x00000000085A1000-memory.dmp

Filesize
4KB

Download
memory/3884-8-0x0000000008650000-0x0000000008651000-memory.dmp

Filesize
4KB

Download
memory/3884-9-0x0000000008150000-0x0000000008151000-memory.dmp

Filesize
4KB

Download
memory/3884-6-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/4064-41-0x0000000008080000-0x0000000008081000-memory.dmp

Filesize
4KB

Download
memory/4064-21-0x0000000007960000-0x0000000007961000-memory.dmp

Filesize
4KB

Download
memory/4064-51-0x000000007F6B0000-0x000000007F6B1000-memory.dmp

Filesize
4KB

Download
memory/4064-42-0x00000000089E0000-0x00000000089E1000-memory.dmp

Filesize
4KB

Download
memory/4064-18-0x00000000071B0000-0x00000000071B1000-memory.dmp

Filesize
4KB

Download
memory/4064-67-0x0000000009850000-0x0000000009851000-memory.dmp

Filesize
4KB

Download
memory/4064-69-0x0000000009C10000-0x0000000009C11000-memory.dmp

Filesize
4KB

Download
memory/4064-24-0x0000000007320000-0x0000000007321000-memory.dmp

Filesize
4KB

Download
memory/4064-72-0x0000000007323000-0x0000000007324000-memory.dmp

Filesize
4KB

Download
memory/4064-17-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/4064-15-0x0000000000000000-mapping.dmp

Download
memory/4064-45-0x0000000008950000-0x0000000008951000-memory.dmp

Filesize
4KB

Download
memory/4064-25-0x0000000007322000-0x0000000007323000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads