a7f49d965383c1d18343a3469f482820f41ea3d8a908d3e8cf43de0c20aa7442

Analysis

max time kernel
119s
max time network
130s
platform
windows10_x64
resource
win10-en-20211014
submitted
05-12-2021 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

656a5cfc0f176a53f5da1635497c886e.exe
Size

1.9MB
MD5

656a5cfc0f176a53f5da1635497c886e
SHA1

1934b132e695562df0d36dd8df13dd2e47aadd35
SHA256

a7f49d965383c1d18343a3469f482820f41ea3d8a908d3e8cf43de0c20aa7442
SHA512

c21c16394350e3c0f1602ab128970af66b36a343f6644a60f3ded030f067003eb70f4dca12eb445ebd7131187b97d2ea97ecbab3d9df2978e0f07dc100d8d0bb

Score

10^/10

evasion trojan

Malware Config

Signatures

Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	656a5cfc0f176a53f5da1635497c886e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	656a5cfc0f176a53f5da1635497c886e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Resources\Themes\aero\Shell\D7B4D56CF88F2C9AD204F39DF651A704\svchost.exe = "0"	656a5cfc0f176a53f5da1635497c886e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\656a5cfc0f176a53f5da1635497c886e.exe = "0"	656a5cfc0f176a53f5da1635497c886e.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1912 set thread context of 4008	1912	656a5cfc0f176a53f5da1635497c886e.exe	77

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Resources\Themes\aero\Shell\D7B4D56CF88F2C9AD204F39DF651A704\svchost.exe	656a5cfc0f176a53f5da1635497c886e.exe
File opened for modification	C:\Windows\Resources\Themes\aero\Shell\D7B4D56CF88F2C9AD204F39DF651A704\svchost.exe	656a5cfc0f176a53f5da1635497c886e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2576	4008	WerFault.exe	77

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1372	powershell.exe
3412	powershell.exe
2424	powershell.exe
1372	powershell.exe
2424	powershell.exe
3412	powershell.exe
3412	powershell.exe
2424	powershell.exe
1372	powershell.exe
1912	656a5cfc0f176a53f5da1635497c886e.exe
1912	656a5cfc0f176a53f5da1635497c886e.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1912	656a5cfc0f176a53f5da1635497c886e.exe
Token: SeDebugPrivilege	3412	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeRestorePrivilege	2576	WerFault.exe
Token: SeBackupPrivilege	2576	WerFault.exe
Token: SeDebugPrivilege	2576	WerFault.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 1372	1912	656a5cfc0f176a53f5da1635497c886e.exe	68
PID 1912 wrote to memory of 1372	1912	656a5cfc0f176a53f5da1635497c886e.exe	68
PID 1912 wrote to memory of 1372	1912	656a5cfc0f176a53f5da1635497c886e.exe	68
PID 1912 wrote to memory of 3412	1912	656a5cfc0f176a53f5da1635497c886e.exe	70
PID 1912 wrote to memory of 3412	1912	656a5cfc0f176a53f5da1635497c886e.exe	70
PID 1912 wrote to memory of 3412	1912	656a5cfc0f176a53f5da1635497c886e.exe	70
PID 1912 wrote to memory of 2424	1912	656a5cfc0f176a53f5da1635497c886e.exe	72
PID 1912 wrote to memory of 2424	1912	656a5cfc0f176a53f5da1635497c886e.exe	72
PID 1912 wrote to memory of 2424	1912	656a5cfc0f176a53f5da1635497c886e.exe	72
PID 1912 wrote to memory of 2184	1912	656a5cfc0f176a53f5da1635497c886e.exe	74
PID 1912 wrote to memory of 2184	1912	656a5cfc0f176a53f5da1635497c886e.exe	74
PID 1912 wrote to memory of 2184	1912	656a5cfc0f176a53f5da1635497c886e.exe	74
PID 1912 wrote to memory of 2184	1912	656a5cfc0f176a53f5da1635497c886e.exe	74
PID 1912 wrote to memory of 2184	1912	656a5cfc0f176a53f5da1635497c886e.exe	74
PID 1912 wrote to memory of 2184	1912	656a5cfc0f176a53f5da1635497c886e.exe	74
PID 1912 wrote to memory of 1296	1912	656a5cfc0f176a53f5da1635497c886e.exe	75
PID 1912 wrote to memory of 1296	1912	656a5cfc0f176a53f5da1635497c886e.exe	75
PID 1912 wrote to memory of 1296	1912	656a5cfc0f176a53f5da1635497c886e.exe	75
PID 1912 wrote to memory of 3808	1912	656a5cfc0f176a53f5da1635497c886e.exe	76
PID 1912 wrote to memory of 3808	1912	656a5cfc0f176a53f5da1635497c886e.exe	76
PID 1912 wrote to memory of 3808	1912	656a5cfc0f176a53f5da1635497c886e.exe	76
PID 1912 wrote to memory of 3808	1912	656a5cfc0f176a53f5da1635497c886e.exe	76
PID 1912 wrote to memory of 3808	1912	656a5cfc0f176a53f5da1635497c886e.exe	76
PID 1912 wrote to memory of 3808	1912	656a5cfc0f176a53f5da1635497c886e.exe	76
PID 1912 wrote to memory of 4008	1912	656a5cfc0f176a53f5da1635497c886e.exe	77
PID 1912 wrote to memory of 4008	1912	656a5cfc0f176a53f5da1635497c886e.exe	77
PID 1912 wrote to memory of 4008	1912	656a5cfc0f176a53f5da1635497c886e.exe	77
PID 1912 wrote to memory of 4008	1912	656a5cfc0f176a53f5da1635497c886e.exe	77
PID 1912 wrote to memory of 4008	1912	656a5cfc0f176a53f5da1635497c886e.exe	77
PID 1912 wrote to memory of 4008	1912	656a5cfc0f176a53f5da1635497c886e.exe	77
PID 1912 wrote to memory of 4008	1912	656a5cfc0f176a53f5da1635497c886e.exe	77

C:\Users\Admin\AppData\Local\Temp\656a5cfc0f176a53f5da1635497c886e.exe
"C:\Users\Admin\AppData\Local\Temp\656a5cfc0f176a53f5da1635497c886e.exe"
1⤵
- Windows security modification
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\D7B4D56CF88F2C9AD204F39DF651A704\svchost.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\656a5cfc0f176a53f5da1635497c886e.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3412
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\D7B4D56CF88F2C9AD204F39DF651A704\svchost.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe
  2⤵
  PID:2184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  2⤵
  PID:1296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe
  2⤵
  PID:3808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
  2⤵
  PID:4008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 468
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1372-154-0x00000000075D0000-0x00000000075D1000-memory.dmp

Filesize
4KB

Download
memory/1372-129-0x0000000001120000-0x0000000001121000-memory.dmp

Filesize
4KB

Download
memory/1372-232-0x0000000006783000-0x0000000006784000-memory.dmp

Filesize
4KB

Download
memory/1372-124-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/1372-125-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/1372-169-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/1372-140-0x0000000006782000-0x0000000006783000-memory.dmp

Filesize
4KB

Download
memory/1372-137-0x0000000006780000-0x0000000006781000-memory.dmp

Filesize
4KB

Download
memory/1372-166-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

Filesize
4KB

Download
memory/1372-219-0x000000007EB40000-0x000000007EB41000-memory.dmp

Filesize
4KB

Download
memory/1912-143-0x000000000A900000-0x000000000A901000-memory.dmp

Filesize
4KB

Download
memory/1912-121-0x0000000007530000-0x0000000007531000-memory.dmp

Filesize
4KB

Download
memory/1912-115-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1912-118-0x0000000007370000-0x0000000007371000-memory.dmp

Filesize
4KB

Download
memory/1912-117-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/1912-119-0x0000000007410000-0x00000000074B7000-memory.dmp

Filesize
668KB

Download
memory/1912-146-0x0000000007770000-0x0000000007771000-memory.dmp

Filesize
4KB

Download
memory/1912-120-0x0000000009D30000-0x0000000009D31000-memory.dmp

Filesize
4KB

Download
memory/2424-134-0x00000000071C0000-0x00000000071C1000-memory.dmp

Filesize
4KB

Download
memory/2424-231-0x0000000006B83000-0x0000000006B84000-memory.dmp

Filesize
4KB

Download
memory/2424-142-0x0000000006B82000-0x0000000006B83000-memory.dmp

Filesize
4KB

Download
memory/2424-141-0x0000000006B80000-0x0000000006B81000-memory.dmp

Filesize
4KB

Download
memory/2424-131-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/2424-226-0x000000007F570000-0x000000007F571000-memory.dmp

Filesize
4KB

Download
memory/2424-132-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/2424-173-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/3412-127-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/3412-144-0x0000000006DF0000-0x0000000006DF1000-memory.dmp

Filesize
4KB

Download
memory/3412-170-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/3412-128-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/3412-189-0x0000000008C40000-0x0000000008C73000-memory.dmp

Filesize
204KB

Download
memory/3412-159-0x0000000007BA0000-0x0000000007BA1000-memory.dmp

Filesize
4KB

Download
memory/3412-223-0x000000007E170000-0x000000007E171000-memory.dmp

Filesize
4KB

Download
memory/3412-139-0x0000000001192000-0x0000000001193000-memory.dmp

Filesize
4KB

Download
memory/3412-148-0x0000000006E90000-0x0000000006E91000-memory.dmp

Filesize
4KB

Download
memory/3412-162-0x0000000007BE0000-0x0000000007BE1000-memory.dmp

Filesize
4KB

Download
memory/3412-233-0x0000000001193000-0x0000000001194000-memory.dmp

Filesize
4KB

Download
memory/3412-138-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/4008-157-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4008-165-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download