dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7

General

Target

9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
Size

58KB
MD5

9d4458f6de6fb97b9b2a6ee9a69b62f4
SHA1

b7e91d625d95e6b6c8452c0beb4d9900da1931a2
SHA256

dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7
SHA512

a7b91a7df43fa0902192d34b556d6957954c2878f3329a347226bb2edcfa5a5c44de3e0e245bfd1bcf2efd3c4bcbbb6e7dc17528d5917798cb9795a53dd53e06

Score

10^/10

evasion trojan

Malware Config

Signatures

Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Nirsoft 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\4e419cc4-e787-46ed-91a0-324e1b39e92c\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\4e419cc4-e787-46ed-91a0-324e1b39e92c\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\4e419cc4-e787-46ed-91a0-324e1b39e92c\AdvancedRun.exe	Nirsoft

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

9d4458f6de6fb97b9b2a6ee9a69b62f4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe = "0"	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\9d4458f6de6fb97b9b2a6ee9a69b62f4.exe = "0"	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

9d4458f6de6fb97b9b2a6ee9a69b62f4.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3544	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	3564	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

9d4458f6de6fb97b9b2a6ee9a69b62f4.exe

description	pid	process	target process
PID 3544 wrote to memory of 1288	3544	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	powershell.exe
PID 3544 wrote to memory of 1288	3544	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	powershell.exe
PID 3544 wrote to memory of 1288	3544	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	powershell.exe
PID 3544 wrote to memory of 3564	3544	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	powershell.exe
PID 3544 wrote to memory of 3564	3544	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	powershell.exe
PID 3544 wrote to memory of 3564	3544	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	powershell.exe
PID 3544 wrote to memory of 3792	3544	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	powershell.exe
PID 3544 wrote to memory of 3792	3544	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	powershell.exe
PID 3544 wrote to memory of 3792	3544	9d4458f6de6fb97b9b2a6ee9a69b62f4.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\9d4458f6de6fb97b9b2a6ee9a69b62f4.exe
"C:\Users\Admin\AppData\Local\Temp\9d4458f6de6fb97b9b2a6ee9a69b62f4.exe"
1⤵
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3544

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9d4458f6de6fb97b9b2a6ee9a69b62f4.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3792

C:\Users\Admin\AppData\Local\Temp\4e419cc4-e787-46ed-91a0-324e1b39e92c\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\4e419cc4-e787-46ed-91a0-324e1b39e92c\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\4e419cc4-e787-46ed-91a0-324e1b39e92c\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\4e419cc4-e787-46ed-91a0-324e1b39e92c\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\4e419cc4-e787-46ed-91a0-324e1b39e92c\AdvancedRun.exe" /SpecialRun 4101d8 2472
3⤵
PID:1408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9d4458f6de6fb97b9b2a6ee9a69b62f4.exe" -Force
2⤵
PID:2236

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4e419cc4-e787-46ed-91a0-324e1b39e92c\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e419cc4-e787-46ed-91a0-324e1b39e92c\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e419cc4-e787-46ed-91a0-324e1b39e92c\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
memory/1288-138-0x0000000006832000-0x0000000006833000-memory.dmp

Filesize
4KB

Download
memory/1288-170-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1288-121-0x0000000000000000-mapping.dmp

Download
memory/1288-141-0x00000000074D0000-0x00000000074D1000-memory.dmp

Filesize
4KB

Download
memory/1288-194-0x000000007FCA0000-0x000000007FCA1000-memory.dmp

Filesize
4KB

Download
memory/1288-124-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1288-125-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1288-126-0x0000000006770000-0x0000000006771000-memory.dmp

Filesize
4KB

Download
memory/1288-137-0x0000000006830000-0x0000000006831000-memory.dmp

Filesize
4KB

Download
memory/1288-185-0x0000000008D10000-0x0000000008D43000-memory.dmp

Filesize
204KB

Download
memory/1288-131-0x0000000006E70000-0x0000000006E71000-memory.dmp

Filesize
4KB

Download
memory/1408-165-0x0000000000000000-mapping.dmp

Download
memory/2236-230-0x0000000000000000-mapping.dmp

Download
memory/2472-156-0x0000000000000000-mapping.dmp

Download
memory/3544-133-0x0000000006E30000-0x0000000006E31000-memory.dmp

Filesize
4KB

Download
memory/3544-119-0x0000000004B90000-0x0000000004C04000-memory.dmp

Filesize
464KB

Download
memory/3544-115-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/3544-152-0x0000000006DF0000-0x0000000006DF1000-memory.dmp

Filesize
4KB

Download
memory/3544-120-0x0000000007230000-0x0000000007231000-memory.dmp

Filesize
4KB

Download
memory/3544-118-0x0000000006C90000-0x0000000006C91000-memory.dmp

Filesize
4KB

Download
memory/3544-117-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/3564-128-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/3564-140-0x0000000007182000-0x0000000007183000-memory.dmp

Filesize
4KB

Download
memory/3564-122-0x0000000000000000-mapping.dmp

Download
memory/3564-201-0x000000007F020000-0x000000007F021000-memory.dmp

Filesize
4KB

Download
memory/3564-174-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/3564-127-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/3564-158-0x00000000083E0000-0x00000000083E1000-memory.dmp

Filesize
4KB

Download
memory/3564-139-0x0000000007180000-0x0000000007181000-memory.dmp

Filesize
4KB

Download
memory/3792-143-0x0000000006F72000-0x0000000006F73000-memory.dmp

Filesize
4KB

Download
memory/3792-162-0x0000000008410000-0x0000000008411000-memory.dmp

Filesize
4KB

Download
memory/3792-147-0x0000000007EF0000-0x0000000007EF1000-memory.dmp

Filesize
4KB

Download
memory/3792-167-0x0000000008690000-0x0000000008691000-memory.dmp

Filesize
4KB

Download
memory/3792-171-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/3792-130-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/3792-142-0x0000000006F70000-0x0000000006F71000-memory.dmp

Filesize
4KB

Download
memory/3792-129-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/3792-123-0x0000000000000000-mapping.dmp

Download
memory/3792-197-0x000000007E880000-0x000000007E881000-memory.dmp

Filesize
4KB

Download
memory/3792-153-0x0000000008040000-0x0000000008041000-memory.dmp

Filesize
4KB

Download
memory/3792-145-0x0000000007C90000-0x0000000007C91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads