Analysis
  max time kernel:   12s
  max time network:  126s
  platform:          windows10_x64
  resource:          win10v20210410
  submitted:         19/07/2021, 07:01
Tasks
  static1      static task
  behavioral1  behavioral task, sample 44b42e92ffe33907c539d1135bb05239.exe, resource win7v20210408: 0 signatures, 0 seconds
  Note: the signature and process data on this page come from the Windows 10 run (the yara match below is recorded under behavioral2/ and the platform above is windows10_x64); the win7v20210408 task recorded nothing.
General
  Target:  44b42e92ffe33907c539d1135bb05239.exe
  Size:    554KB
  MD5:     44b42e92ffe33907c539d1135bb05239
  SHA1:    954f37a3ee58b57f408d09da74f13a5660562d07
  SHA256:  2f06361e4a81ff059d074de638106e1b9aeba6885819b15391ef25997f537bf1
  SHA512:  95243c5be2733af4de3385fb6e04b3f017c1cc34260a45ca2e0675d584339fcce5bc0fd9a5c75b7fb3516807cc936ffd9e90b4d5744301e2787fd2975d6dfc54
Malware Config
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
  columns: description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 44b42e92ffe33907c539d1135bb05239.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 44b42e92ffe33907c539d1135bb05239.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 44b42e92ffe33907c539d1135bb05239.exe
  Note: EnableFirewall = 0 switches the Windows Firewall off for the Standard (private) profile and DisableNotifications = 1 hides the resulting Security Center prompt. The write targets ControlSet001 rather than the CurrentControlSet link; when verifying on a live host, resolve CurrentControlSet and check the Domain and Public profiles as well.

Yara rule match: upx
  columns: resource | yara_rule
  behavioral2/memory/3892-116-0x0000000002A70000-0x0000000003AFE000-memory.dmp | upx
  Note: the match is on a memory dump of PID 3892 (the sample); the dump name encodes the pid and the address range 0x02A70000-0x03AFE000.

Windows security modification
  columns: description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 44b42e92ffe33907c539d1135bb05239.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 44b42e92ffe33907c539d1135bb05239.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 44b42e92ffe33907c539d1135bb05239.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 44b42e92ffe33907c539d1135bb05239.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 44b42e92ffe33907c539d1135bb05239.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 44b42e92ffe33907c539d1135bb05239.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 44b42e92ffe33907c539d1135bb05239.exe
  Note: the *Override values tell Security Center to trust the product's own status and the *DisableNotify values suppress the tray warnings. They date from the Windows XP SP2 Security Center and have little effect on Windows 10, but their presence remains a reliable tamper indicator. The writes landed in the WOW6432Node view, which is what a 32-bit process sees for HKLM\SOFTWARE on a 64-bit image, so check both views when verifying on a host.

Checks whether UAC is enabled
  columns: description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 44b42e92ffe33907c539d1135bb05239.exe
  Note: despite the signature name, the recorded IoC is a write, EnableLUA set to 0, the same write that "System policy modification" reports below. EnableLUA = 0 disables UAC entirely, taking effect after a reboot.
Drops file in Windows directory (1 IoC)
  columns: description | ioc | process
  File opened for modification | C:\Windows\SYSTEM.INI | 44b42e92ffe33907c539d1135bb05239.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  columns: pid | process
  3892 | 44b42e92ffe33907c539d1135bb05239.exe
  3892 | 44b42e92ffe33907c539d1135bb05239.exe

Suspicious use of AdjustPrivilegeToken (60 IoCs)
  columns: description | pid | process
  Token: SeDebugPrivilege | 3892 | 44b42e92ffe33907c539d1135bb05239.exe
  (all 60 IoCs are this same row: the sample repeatedly enables SeDebugPrivilege, the privilege that lets it open handles to processes it does not own, such as the session processes it writes to below)

Suspicious use of SetWindowsHookEx (3 IoCs)
  columns: pid | process
  3892 | 44b42e92ffe33907c539d1135bb05239.exe
  3892 | 44b42e92ffe33907c539d1135bb05239.exe
  3892 | 44b42e92ffe33907c539d1135bb05239.exe
Suspicious use of WriteProcessMemory (11 IoCs)
  columns: description | pid | process | procid_target   (target image taken from the process list below, matched by PID)
  PID 3892 wrote to memory of 712  | 3892 | 44b42e92ffe33907c539d1135bb05239.exe | 8   (fontdrvhost.exe)
  PID 3892 wrote to memory of 716  | 3892 | 44b42e92ffe33907c539d1135bb05239.exe | 9   (fontdrvhost.exe)
  PID 3892 wrote to memory of 976  | 3892 | 44b42e92ffe33907c539d1135bb05239.exe | 11  (dwm.exe)
  PID 3892 wrote to memory of 2356 | 3892 | 44b42e92ffe33907c539d1135bb05239.exe | 48  (sihost.exe)
  PID 3892 wrote to memory of 2368 | 3892 | 44b42e92ffe33907c539d1135bb05239.exe | 26  (svchost.exe -k unistacksvcgroup -s CDPUserSvc)
  PID 3892 wrote to memory of 2500 | 3892 | 44b42e92ffe33907c539d1135bb05239.exe | 45  (taskhostw.exe)
  PID 3892 wrote to memory of 3044 | 3892 | 44b42e92ffe33907c539d1135bb05239.exe | 39  (Explorer.EXE)
  PID 3892 wrote to memory of 3272 | 3892 | 44b42e92ffe33907c539d1135bb05239.exe | 29  (ShellExperienceHost.exe)
  PID 3892 wrote to memory of 3292 | 3892 | 44b42e92ffe33907c539d1135bb05239.exe | 38  (SearchUI.exe)
  PID 3892 wrote to memory of 3504 | 3892 | 44b42e92ffe33907c539d1135bb05239.exe | 37  (RuntimeBroker.exe)
  PID 3892 wrote to memory of 3780 | 3892 | 44b42e92ffe33907c539d1135bb05239.exe | 36  (DllHost.exe)
  Note: every target is a pre-existing session process under C:\Windows; the sample spawns no children of its own but writes into eleven distinct system processes within the 12-second kernel run.
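Eleven WriteProcessMemory targets from one source in a short run is the shape to key on: a process running from a user-writable path writing into many distinct, long-lived Windows processes. The following is an added example, not part of the sandbox report, that applies that heuristic to Sysmon-style ProcessAccess records with write access. The records are constructed from the PIDs and image paths on this page plus two benign rows; the timestamps, the threshold and window, the "user-writable path" list and the debugger path are this example's own assumptions.

```python
from dataclasses import dataclass, field

WINDIR = "c:\\windows\\"
# Paths an unprivileged user can write to; a heuristic for this example, tune per estate.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

def in_windows_dir(image: str) -> bool:
    return image.lower().startswith(WINDIR)

def in_user_writable(image: str) -> bool:
    low = image.lower()
    return not in_windows_dir(low) and any(m in low for m in USER_WRITABLE)

@dataclass
class Alert:
    src_pid: int
    src_image: str
    distinct_targets: int
    targets_in_windows: int
    src_user_writable: bool
    target_pids: list = field(default_factory=list)

def fanout_alerts(events, min_targets=5, window_s=60.0):
    """One Alert per source pid that writes into >= min_targets distinct target
    processes inside some window_s-second window (sliding window per source)."""
    by_src = {}
    for e in events:
        by_src.setdefault(e["src_pid"], []).append(e)
    alerts = []
    for src_pid, evs in by_src.items():
        evs.sort(key=lambda e: e["t"])
        best, lo = {}, 0
        for hi in range(len(evs)):
            while evs[hi]["t"] - evs[lo]["t"] > window_s:
                lo += 1
            window = {e["dst_pid"]: e["dst_image"] for e in evs[lo:hi + 1]}
            if len(window) > len(best):
                best = window
        if len(best) >= min_targets:
            src_image = evs[0]["src_image"]
            alerts.append(Alert(src_pid, src_image, len(best),
                                sum(in_windows_dir(img) for img in best.values()),
                                in_user_writable(src_image), sorted(best)))
    return alerts

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\44b42e92ffe33907c539d1135bb05239.exe"
# Target pids and images as listed in the report's process tree; order and times are made up.
REPORT_TARGETS = [
    (712, r"C:\Windows\system32\fontdrvhost.exe"), (716, r"C:\Windows\system32\fontdrvhost.exe"),
    (976, r"C:\Windows\system32\dwm.exe"), (2356, r"c:\windows\system32\sihost.exe"),
    (2368, r"c:\windows\system32\svchost.exe"), (2500, r"c:\windows\system32\taskhostw.exe"),
    (3044, r"C:\Windows\Explorer.EXE"),
    (3272, r"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"),
    (3292, r"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"),
    (3504, r"C:\Windows\System32\RuntimeBroker.exe"), (3780, r"C:\Windows\system32\DllHost.exe"),
]

def ev(t, src_pid, src_image, dst_pid, dst_image):
    return {"t": t, "src_pid": src_pid, "src_image": src_image,
            "dst_pid": dst_pid, "dst_image": dst_image}

# Constructed records shaped like Sysmon ProcessAccess events with write access:
# the eleven writes from PID 3892 one second apart, plus benign noise (Explorer
# touching its RuntimeBroker, a hypothetical debugger hitting one target twice).
SAMPLE_EVENTS = [ev(10.0 + i, 3892, SAMPLE, pid, img) for i, (pid, img) in enumerate(REPORT_TARGETS)] + [
    ev(11.0, 3044, r"C:\Windows\Explorer.EXE", 3504, r"C:\Windows\System32\RuntimeBroker.exe"),
    ev(12.0, 5100, r"C:\Users\Admin\AppData\Local\dbg\windbg.exe", 6000, r"C:\Users\Admin\app.exe"),
    ev(12.5, 5100, r"C:\Users\Admin\AppData\Local\dbg\windbg.exe", 6000, r"C:\Users\Admin\app.exe"),
]

if __name__ == "__main__":
    for a in fanout_alerts(SAMPLE_EVENTS):
        print(f"pid {a.src_pid} ({a.src_image}) wrote into {a.distinct_targets} processes, "
              f"{a.targets_in_windows} under C:\\Windows, source user-writable={a.src_user_writable}: {a.target_pids}")
```

The window matters: a debugger or an EDR agent also opens many processes, but over hours and usually from a known image under C:\Program Files, so pair the fan-out count with the source-path check and a short window rather than alerting on count alone.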
System policy modification (1 TTP, 1 IoC)
  columns: description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 44b42e92ffe33907c539d1135bb05239.exe
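The registry signatures above (firewall policy, Security Center overrides, EnableLUA) are all writes of a known-bad value to a well-known tamper location. The following is an added example, not part of the sandbox report, showing how to match such writes in Sysmon-style registry value-set events regardless of whether the path was logged as \REGISTRY\MACHINE or HKLM, through ControlSet001 or CurrentControlSet, or via the WOW6432Node view. The events, the rule set and the ATT&CK technique labels are this example's own construction; the key paths and values are the ones the report lists, plus a benign write and a hypothetical tool's DomainProfile write to show the normalisation.

```python
import re
from dataclasses import dataclass

# Canonicalise registry paths as the sandbox/kernel log them ("\REGISTRY\MACHINE\...")
# or as Sysmon logs them ("HKLM\..."), so one rule covers ControlSet001/002 and
# the 32-bit WOW6432Node view the report shows for the Security Center writes.
def normalize_key(path: str) -> str:
    p = path.strip()
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", p, flags=re.I)
    p = re.sub(r"^HKEY_LOCAL_MACHINE\\", r"HKLM\\", p, flags=re.I)
    p = re.sub(r"^\\REGISTRY\\USER\\", r"HKU\\", p, flags=re.I)
    p = re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", p, flags=re.I)
    p = re.sub(r"\\WOW6432Node\\", r"\\", p, flags=re.I)
    return p

# Accept Sysmon's 'DWORD (0x00000001)' as well as the bare "1" / "0" in the report.
def parse_value(details: str):
    m = re.search(r"0x([0-9a-f]+)", details, flags=re.I)
    if m:
        return int(m.group(1), 16)
    m = re.search(r"-?\d+", details)
    return int(m.group(0)) if m else None

FW = r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\(Standard|Domain|Public)Profile\\"
SC = r"^HKLM\\SOFTWARE\\Microsoft\\Security Center\\"
POL = r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\"

# (pattern on the normalised key, value that means tampering, label, ATT&CK id).
# The ATT&CK mapping is this example's own; the report only says "2 TTPs".
RULES = [
    (re.compile(FW + r"EnableFirewall$", re.I), 0, "firewall disabled for profile", "T1562.004"),
    (re.compile(FW + r"DoNotAllowExceptions$", re.I), 0, "firewall exceptions allowed", "T1562.004"),
    (re.compile(FW + r"DisableNotifications$", re.I), 1, "firewall notifications suppressed", "T1562.004"),
    (re.compile(SC + r"(AntiVirus|Firewall)Override$", re.I), 1, "Security Center status override", "T1562.001"),
    (re.compile(SC + r"(AntiVirus|Firewall|Updates|Uac)DisableNotify$", re.I), 1, "Security Center notifications suppressed", "T1562.001"),
    (re.compile(POL + r"EnableLUA$", re.I), 0, "UAC disabled (EnableLUA = 0)", "T1548.002"),
]

@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    key: str
    value: int
    label: str
    technique: str

def classify(event: dict):
    """Return a Finding when a value-set event matches a tamper rule, else None."""
    key = normalize_key(event["target"])
    value = parse_value(event["details"])
    for pattern, bad, label, technique in RULES:
        if pattern.search(key) and value == bad:
            return Finding(event["pid"], event["image"], key, value, label, technique)
    return None

def scan(events):
    return [f for f in map(classify, events) if f is not None]

def summarize(findings):
    """Distinct techniques per pid. One process hitting firewall, Security Center
    and UAC in a single run is exactly the pattern the report shows for PID 3892."""
    techs = {}
    for f in findings:
        techs.setdefault(f.pid, set()).add(f.technique)
    return {pid: sorted(t) for pid, t in techs.items()}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\44b42e92ffe33907c539d1135bb05239.exe"
FWP = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
SCP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center"

def ev(pid, image, target, details):
    return {"pid": pid, "image": image, "target": target, "details": details}

# Constructed events shaped like Sysmon Event ID 13 (not copied from a real log):
# the ten value writes the report attributes to PID 3892, one benign firewall
# re-enable by svchost, and a DomainProfile write via ControlSet002 from a
# hypothetical tool to show the path normalisation.
SAMPLE_EVENTS = [
    ev(3892, SAMPLE, FWP + r"\EnableFirewall", "DWORD (0x00000000)"),
    ev(3892, SAMPLE, FWP + r"\DoNotAllowExceptions", "DWORD (0x00000000)"),
    ev(3892, SAMPLE, FWP + r"\DisableNotifications", "DWORD (0x00000001)"),
] + [
    ev(3892, SAMPLE, SCP + "\\" + name, '"1"') for name in (
        "AntiVirusOverride", "AntiVirusDisableNotify", "FirewallDisableNotify",
        "FirewallOverride", "UpdatesDisableNotify", "UacDisableNotify")
] + [
    ev(3892, SAMPLE, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "DWORD (0x00000000)"),
    ev(1200, r"C:\Windows\System32\svchost.exe", FWP + r"\EnableFirewall", "DWORD (0x00000001)"),
    ev(4444, r"C:\ProgramData\tool.exe",
       r"\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall",
       "DWORD (0x00000000)"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.label} [{f.technique}] {f.key} = {f.value}")
    print(summarize(scan(SAMPLE_EVENTS)))
```

The same normalised paths double as a host verification list: read each key in both the native and WOW6432Node views of HKLM\SOFTWARE and under CurrentControlSet, and treat the values the rules flag as confirmation that the sample ran with the rights to make them stick.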
Processes
  (depth as shown on the page; the sample is the only depth-2 entry and is nested under Explorer.EXE. Every other entry is a pre-existing session process that appears here because it is a WriteProcessMemory target above, same PIDs.)

C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"    PID 712
C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"    PID 716
C:\Windows\system32\dwm.exe
  command line: "dwm.exe"    PID 976
c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc    PID 2368
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  command line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca    PID 3272
C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}    PID 3780
C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding    PID 3504
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca    PID 3292
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE    PID 3044
  - C:\Users\Admin\AppData\Local\Temp\44b42e92ffe33907c539d1135bb05239.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\44b42e92ffe33907c539d1135bb05239.exe"    PID 3892
      signatures:
        - Modifies firewall policy service
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
c:\windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}    PID 2500
c:\windows\system32\sihost.exe
  command line: sihost.exe    PID 2356