2f06361e4a81ff059d074de638106e1b9aeba6885819b15391ef25997f537bf1

General

Target

44b42e92ffe33907c539d1135bb05239.exe
Size

554KB
MD5

44b42e92ffe33907c539d1135bb05239
SHA1

954f37a3ee58b57f408d09da74f13a5660562d07
SHA256

2f06361e4a81ff059d074de638106e1b9aeba6885819b15391ef25997f537bf1
SHA512

95243c5be2733af4de3385fb6e04b3f017c1cc34260a45ca2e0675d584339fcce5bc0fd9a5c75b7fb3516807cc936ffd9e90b4d5744301e2787fd2975d6dfc54

Score

10^/10

evasion trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

44b42e92ffe33907c539d1135bb05239.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	44b42e92ffe33907c539d1135bb05239.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	44b42e92ffe33907c539d1135bb05239.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	44b42e92ffe33907c539d1135bb05239.exe

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3892-116-0x0000000002A70000-0x0000000003AFE000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

44b42e92ffe33907c539d1135bb05239.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	44b42e92ffe33907c539d1135bb05239.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	44b42e92ffe33907c539d1135bb05239.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	44b42e92ffe33907c539d1135bb05239.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	44b42e92ffe33907c539d1135bb05239.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	44b42e92ffe33907c539d1135bb05239.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	44b42e92ffe33907c539d1135bb05239.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	44b42e92ffe33907c539d1135bb05239.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

44b42e92ffe33907c539d1135bb05239.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	44b42e92ffe33907c539d1135bb05239.exe

Drops file in Windows directory 1 IoCs

Processes:

44b42e92ffe33907c539d1135bb05239.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI 44b42e92ffe33907c539d1135bb05239.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

44b42e92ffe33907c539d1135bb05239.exe

pid process

3892 44b42e92ffe33907c539d1135bb05239.exe
3892 44b42e92ffe33907c539d1135bb05239.exe

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	44b42e92ffe33907c539d1135bb05239.exe

pid	process
3892	44b42e92ffe33907c539d1135bb05239.exe
3892	44b42e92ffe33907c539d1135bb05239.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

Processes:

44b42e92ffe33907c539d1135bb05239.exe

description	pid	process
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe
Token: SeDebugPrivilege	3892	44b42e92ffe33907c539d1135bb05239.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

44b42e92ffe33907c539d1135bb05239.exe

pid process

3892 44b42e92ffe33907c539d1135bb05239.exe
3892 44b42e92ffe33907c539d1135bb05239.exe
3892 44b42e92ffe33907c539d1135bb05239.exe

pid	process
3892	44b42e92ffe33907c539d1135bb05239.exe
3892	44b42e92ffe33907c539d1135bb05239.exe
3892	44b42e92ffe33907c539d1135bb05239.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

44b42e92ffe33907c539d1135bb05239.exe

description	pid	process	target process
PID 3892 wrote to memory of 712	3892	44b42e92ffe33907c539d1135bb05239.exe	fontdrvhost.exe
PID 3892 wrote to memory of 716	3892	44b42e92ffe33907c539d1135bb05239.exe	fontdrvhost.exe
PID 3892 wrote to memory of 976	3892	44b42e92ffe33907c539d1135bb05239.exe	dwm.exe
PID 3892 wrote to memory of 2356	3892	44b42e92ffe33907c539d1135bb05239.exe	sihost.exe
PID 3892 wrote to memory of 2368	3892	44b42e92ffe33907c539d1135bb05239.exe	svchost.exe
PID 3892 wrote to memory of 2500	3892	44b42e92ffe33907c539d1135bb05239.exe	taskhostw.exe
PID 3892 wrote to memory of 3044	3892	44b42e92ffe33907c539d1135bb05239.exe	Explorer.EXE
PID 3892 wrote to memory of 3272	3892	44b42e92ffe33907c539d1135bb05239.exe	ShellExperienceHost.exe
PID 3892 wrote to memory of 3292	3892	44b42e92ffe33907c539d1135bb05239.exe	SearchUI.exe
PID 3892 wrote to memory of 3504	3892	44b42e92ffe33907c539d1135bb05239.exe	RuntimeBroker.exe
PID 3892 wrote to memory of 3780	3892	44b42e92ffe33907c539d1135bb05239.exe	DllHost.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

44b42e92ffe33907c539d1135bb05239.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	44b42e92ffe33907c539d1135bb05239.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:712

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:716

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:976

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2368

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3272

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3780

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3504

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3292

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\44b42e92ffe33907c539d1135bb05239.exe
"C:\Users\Admin\AppData\Local\Temp\44b42e92ffe33907c539d1135bb05239.exe"
2⤵
- Modifies firewall policy service
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3892

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2500

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2356

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Modify Registry

5

T1112

Bypass User Account Control

1

T1088

Disabling Security Tools

3

T1089

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3892-117-0x0000000003BE0000-0x0000000003BE2000-memory.dmp

Filesize
8KB

Download
memory/3892-116-0x0000000002A70000-0x0000000003AFE000-memory.dmp

Filesize
16.6MB

Download
memory/3892-118-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads