a6cc097da2bee5d66e38a786047089065ad694607297795f7088847cdcb1643e

Analysis

max time kernel
18s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
05-02-2022 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6cc097da2bee5d66e38a786047089065ad694607297795f7088847cdcb1643e.exe
Size

702KB
MD5

3b50feaab7beaf0ab69164d14c3eda9e
SHA1

88e8b4e3252b76232d5b5d7bca0a4fbc505961e8
SHA256

a6cc097da2bee5d66e38a786047089065ad694607297795f7088847cdcb1643e
SHA512

17f54072c4a1770be1c45994682a48663d60777070bab20116855fc25cc7c2d1f08b85836080bd4968b73d0270ed0b039e1b513e49f3d7e498d47aee9b18f6e4

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

a6cc097da2bee5d66e38a786047089065ad694607297795f7088847cdcb1643e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a6cc097da2bee5d66e38a786047089065ad694607297795f7088847cdcb1643e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6cc097da2bee5d66e38a786047089065ad694607297795f7088847cdcb1643e.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a6cc097da2bee5d66e38a786047089065ad694607297795f7088847cdcb1643e.exe

description	pid	process	target process
PID 4892 wrote to memory of 1380	4892	a6cc097da2bee5d66e38a786047089065ad694607297795f7088847cdcb1643e.exe	powershell.exe
PID 4892 wrote to memory of 1380	4892	a6cc097da2bee5d66e38a786047089065ad694607297795f7088847cdcb1643e.exe	powershell.exe
PID 4892 wrote to memory of 1380	4892	a6cc097da2bee5d66e38a786047089065ad694607297795f7088847cdcb1643e.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\a6cc097da2bee5d66e38a786047089065ad694607297795f7088847cdcb1643e.exe
"C:\Users\Admin\AppData\Local\Temp\a6cc097da2bee5d66e38a786047089065ad694607297795f7088847cdcb1643e.exe"
1⤵
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
PID:1380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4892-130-0x0000000000ED0000-0x0000000000F86000-memory.dmp

Filesize
728KB

Download
memory/4892-131-0x0000000005EC0000-0x0000000006464000-memory.dmp

Filesize
5.6MB

Download
memory/4892-132-0x00000000059B0000-0x0000000005A42000-memory.dmp

Filesize
584KB

Download
memory/4892-133-0x0000000005940000-0x000000000594A000-memory.dmp

Filesize
40KB

Download
memory/4892-134-0x0000000005910000-0x0000000005EB4000-memory.dmp

Filesize
5.6MB

Download
memory/4892-135-0x00000000091E0000-0x000000000927C000-memory.dmp

Filesize
624KB

Download