a7f49d965383c1d18343a3469f482820f41ea3d8a908d3e8cf43de0c20aa7442

General

Target

656a5cfc0f176a53f5da1635497c886e.exe
Size

1.9MB
MD5

656a5cfc0f176a53f5da1635497c886e
SHA1

1934b132e695562df0d36dd8df13dd2e47aadd35
SHA256

a7f49d965383c1d18343a3469f482820f41ea3d8a908d3e8cf43de0c20aa7442
SHA512

c21c16394350e3c0f1602ab128970af66b36a343f6644a60f3ded030f067003eb70f4dca12eb445ebd7131187b97d2ea97ecbab3d9df2978e0f07dc100d8d0bb

Score

10^/10

evasion trojan

Malware Config

Signatures

Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

656a5cfc0f176a53f5da1635497c886e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	656a5cfc0f176a53f5da1635497c886e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	656a5cfc0f176a53f5da1635497c886e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Resources\Themes\aero\Shell\D7B4D56CF88F2C9AD204F39DF651A704\svchost.exe = "0"	656a5cfc0f176a53f5da1635497c886e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\656a5cfc0f176a53f5da1635497c886e.exe = "0"	656a5cfc0f176a53f5da1635497c886e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

656a5cfc0f176a53f5da1635497c886e.exe

description pid process target process

PID 1912 set thread context of 4008 1912 656a5cfc0f176a53f5da1635497c886e.exe aspnet_regbrowsers.exe

description	pid	process	target process
PID 1912 set thread context of 4008	1912	656a5cfc0f176a53f5da1635497c886e.exe	aspnet_regbrowsers.exe

Drops file in Windows directory 2 IoCs

Processes:

656a5cfc0f176a53f5da1635497c886e.exe

description	ioc	process
File created	C:\Windows\Resources\Themes\aero\Shell\D7B4D56CF88F2C9AD204F39DF651A704\svchost.exe	656a5cfc0f176a53f5da1635497c886e.exe
File opened for modification	C:\Windows\Resources\Themes\aero\Shell\D7B4D56CF88F2C9AD204F39DF651A704\svchost.exe	656a5cfc0f176a53f5da1635497c886e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2576 4008 WerFault.exe aspnet_regbrowsers.exe

pid	pid_target	process	target process
2576	4008	WerFault.exe	aspnet_regbrowsers.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

powershell.exepowershell.exepowershell.exe656a5cfc0f176a53f5da1635497c886e.exeWerFault.exe

pid	process
1372	powershell.exe
3412	powershell.exe
2424	powershell.exe
1372	powershell.exe
2424	powershell.exe
3412	powershell.exe
3412	powershell.exe
2424	powershell.exe
1372	powershell.exe
1912	656a5cfc0f176a53f5da1635497c886e.exe
1912	656a5cfc0f176a53f5da1635497c886e.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

656a5cfc0f176a53f5da1635497c886e.exepowershell.exepowershell.exepowershell.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	1912	656a5cfc0f176a53f5da1635497c886e.exe
Token: SeDebugPrivilege	3412	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeRestorePrivilege	2576	WerFault.exe
Token: SeBackupPrivilege	2576	WerFault.exe
Token: SeDebugPrivilege	2576	WerFault.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

656a5cfc0f176a53f5da1635497c886e.exe

description	pid	process	target process
PID 1912 wrote to memory of 1372	1912	656a5cfc0f176a53f5da1635497c886e.exe	powershell.exe
PID 1912 wrote to memory of 1372	1912	656a5cfc0f176a53f5da1635497c886e.exe	powershell.exe
PID 1912 wrote to memory of 1372	1912	656a5cfc0f176a53f5da1635497c886e.exe	powershell.exe
PID 1912 wrote to memory of 3412	1912	656a5cfc0f176a53f5da1635497c886e.exe	powershell.exe
PID 1912 wrote to memory of 3412	1912	656a5cfc0f176a53f5da1635497c886e.exe	powershell.exe
PID 1912 wrote to memory of 3412	1912	656a5cfc0f176a53f5da1635497c886e.exe	powershell.exe
PID 1912 wrote to memory of 2424	1912	656a5cfc0f176a53f5da1635497c886e.exe	powershell.exe
PID 1912 wrote to memory of 2424	1912	656a5cfc0f176a53f5da1635497c886e.exe	powershell.exe
PID 1912 wrote to memory of 2424	1912	656a5cfc0f176a53f5da1635497c886e.exe	powershell.exe
PID 1912 wrote to memory of 2184	1912	656a5cfc0f176a53f5da1635497c886e.exe	DataSvcUtil.exe
PID 1912 wrote to memory of 2184	1912	656a5cfc0f176a53f5da1635497c886e.exe	DataSvcUtil.exe
PID 1912 wrote to memory of 2184	1912	656a5cfc0f176a53f5da1635497c886e.exe	DataSvcUtil.exe
PID 1912 wrote to memory of 2184	1912	656a5cfc0f176a53f5da1635497c886e.exe	DataSvcUtil.exe
PID 1912 wrote to memory of 2184	1912	656a5cfc0f176a53f5da1635497c886e.exe	DataSvcUtil.exe
PID 1912 wrote to memory of 2184	1912	656a5cfc0f176a53f5da1635497c886e.exe	DataSvcUtil.exe
PID 1912 wrote to memory of 1296	1912	656a5cfc0f176a53f5da1635497c886e.exe	aspnet_compiler.exe
PID 1912 wrote to memory of 1296	1912	656a5cfc0f176a53f5da1635497c886e.exe	aspnet_compiler.exe
PID 1912 wrote to memory of 1296	1912	656a5cfc0f176a53f5da1635497c886e.exe	aspnet_compiler.exe
PID 1912 wrote to memory of 3808	1912	656a5cfc0f176a53f5da1635497c886e.exe	dfsvc.exe
PID 1912 wrote to memory of 3808	1912	656a5cfc0f176a53f5da1635497c886e.exe	dfsvc.exe
PID 1912 wrote to memory of 3808	1912	656a5cfc0f176a53f5da1635497c886e.exe	dfsvc.exe
PID 1912 wrote to memory of 3808	1912	656a5cfc0f176a53f5da1635497c886e.exe	dfsvc.exe
PID 1912 wrote to memory of 3808	1912	656a5cfc0f176a53f5da1635497c886e.exe	dfsvc.exe
PID 1912 wrote to memory of 3808	1912	656a5cfc0f176a53f5da1635497c886e.exe	dfsvc.exe
PID 1912 wrote to memory of 4008	1912	656a5cfc0f176a53f5da1635497c886e.exe	aspnet_regbrowsers.exe
PID 1912 wrote to memory of 4008	1912	656a5cfc0f176a53f5da1635497c886e.exe	aspnet_regbrowsers.exe
PID 1912 wrote to memory of 4008	1912	656a5cfc0f176a53f5da1635497c886e.exe	aspnet_regbrowsers.exe
PID 1912 wrote to memory of 4008	1912	656a5cfc0f176a53f5da1635497c886e.exe	aspnet_regbrowsers.exe
PID 1912 wrote to memory of 4008	1912	656a5cfc0f176a53f5da1635497c886e.exe	aspnet_regbrowsers.exe
PID 1912 wrote to memory of 4008	1912	656a5cfc0f176a53f5da1635497c886e.exe	aspnet_regbrowsers.exe
PID 1912 wrote to memory of 4008	1912	656a5cfc0f176a53f5da1635497c886e.exe	aspnet_regbrowsers.exe

C:\Users\Admin\AppData\Local\Temp\656a5cfc0f176a53f5da1635497c886e.exe
"C:\Users\Admin\AppData\Local\Temp\656a5cfc0f176a53f5da1635497c886e.exe"
1⤵
- Windows security modification
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\D7B4D56CF88F2C9AD204F39DF651A704\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\656a5cfc0f176a53f5da1635497c886e.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\D7B4D56CF88F2C9AD204F39DF651A704\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe
2⤵
PID:2184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
2⤵
PID:1296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe
2⤵
PID:3808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
2⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 468
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
34cbce7a86066983ddec1c5c7316fa24

SHA1
a1135a1ddbfd3ae8079f7e449d7978fdb92f3bd9

SHA256
23bf6d99f757f6728c8c896676b0707e190e1acb80ec8758696fa3efa8d6cb42

SHA512
f6537a61341ef316200de61d4185d7fdf8169fa5f01446241d34dc74ffdf9edfd520c5d06d54c9df8a8d1eb0eeab53141d75c88f157b72cbcb6b7f0bdb84e769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
34cbce7a86066983ddec1c5c7316fa24

SHA1
a1135a1ddbfd3ae8079f7e449d7978fdb92f3bd9

SHA256
23bf6d99f757f6728c8c896676b0707e190e1acb80ec8758696fa3efa8d6cb42

SHA512
f6537a61341ef316200de61d4185d7fdf8169fa5f01446241d34dc74ffdf9edfd520c5d06d54c9df8a8d1eb0eeab53141d75c88f157b72cbcb6b7f0bdb84e769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
bfaac67901a4522460752e5e505f2c4b

SHA1
8158f70c043e91ea75f69296b3622cb8921b713e

SHA256
e5d40ea7590dfd7aff1968c06122d8c1518db4830b0cefd38a3ee4de7170c2d3

SHA512
c436f26c2662da5bf28b405a4b82ea861a1a9d985b6eff23677c99fd94a58b46add7640fe56163ded58da1ca7342e8168f9ef59b402072a9138d636e03b2ff02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
bfaac67901a4522460752e5e505f2c4b

SHA1
8158f70c043e91ea75f69296b3622cb8921b713e

SHA256
e5d40ea7590dfd7aff1968c06122d8c1518db4830b0cefd38a3ee4de7170c2d3

SHA512
c436f26c2662da5bf28b405a4b82ea861a1a9d985b6eff23677c99fd94a58b46add7640fe56163ded58da1ca7342e8168f9ef59b402072a9138d636e03b2ff02

Download Submit
memory/1372-154-0x00000000075D0000-0x00000000075D1000-memory.dmp

Filesize
4KB

Download
memory/1372-129-0x0000000001120000-0x0000000001121000-memory.dmp

Filesize
4KB

Download
memory/1372-122-0x0000000000000000-mapping.dmp

Download
memory/1372-232-0x0000000006783000-0x0000000006784000-memory.dmp

Filesize
4KB

Download
memory/1372-124-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/1372-125-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/1372-169-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/1372-140-0x0000000006782000-0x0000000006783000-memory.dmp

Filesize
4KB

Download
memory/1372-137-0x0000000006780000-0x0000000006781000-memory.dmp

Filesize
4KB

Download
memory/1372-166-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

Filesize
4KB

Download
memory/1372-219-0x000000007EB40000-0x000000007EB41000-memory.dmp

Filesize
4KB

Download
memory/1912-143-0x000000000A900000-0x000000000A901000-memory.dmp

Filesize
4KB

Download
memory/1912-121-0x0000000007530000-0x0000000007531000-memory.dmp

Filesize
4KB

Download
memory/1912-115-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1912-118-0x0000000007370000-0x0000000007371000-memory.dmp

Filesize
4KB

Download
memory/1912-117-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/1912-119-0x0000000007410000-0x00000000074B7000-memory.dmp

Filesize
668KB

Download
memory/1912-146-0x0000000007770000-0x0000000007771000-memory.dmp

Filesize
4KB

Download
memory/1912-120-0x0000000009D30000-0x0000000009D31000-memory.dmp

Filesize
4KB

Download
memory/2424-134-0x00000000071C0000-0x00000000071C1000-memory.dmp

Filesize
4KB

Download
memory/2424-231-0x0000000006B83000-0x0000000006B84000-memory.dmp

Filesize
4KB

Download
memory/2424-142-0x0000000006B82000-0x0000000006B83000-memory.dmp

Filesize
4KB

Download
memory/2424-141-0x0000000006B80000-0x0000000006B81000-memory.dmp

Filesize
4KB

Download
memory/2424-131-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/2424-226-0x000000007F570000-0x000000007F571000-memory.dmp

Filesize
4KB

Download
memory/2424-132-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/2424-173-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/2424-126-0x0000000000000000-mapping.dmp

Download
memory/3412-127-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/3412-144-0x0000000006DF0000-0x0000000006DF1000-memory.dmp

Filesize
4KB

Download
memory/3412-123-0x0000000000000000-mapping.dmp

Download
memory/3412-170-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/3412-128-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/3412-189-0x0000000008C40000-0x0000000008C73000-memory.dmp

Filesize
204KB

Download
memory/3412-159-0x0000000007BA0000-0x0000000007BA1000-memory.dmp

Filesize
4KB

Download
memory/3412-223-0x000000007E170000-0x000000007E171000-memory.dmp

Filesize
4KB

Download
memory/3412-139-0x0000000001192000-0x0000000001193000-memory.dmp

Filesize
4KB

Download
memory/3412-148-0x0000000006E90000-0x0000000006E91000-memory.dmp

Filesize
4KB

Download
memory/3412-162-0x0000000007BE0000-0x0000000007BE1000-memory.dmp

Filesize
4KB

Download
memory/3412-233-0x0000000001193000-0x0000000001194000-memory.dmp

Filesize
4KB

Download
memory/3412-138-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/4008-157-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4008-158-0x0000000000400000-mapping.dmp

Download
memory/4008-165-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads