Analysis
- max time kernel: 18s
- max time network: 68s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 05-02-2022 11:48
- Static task: static1
- Behavioral task: behavioral1
  - Sample: a6cc097da2bee5d66e38a786047089065ad694607297795f7088847cdcb1643e.exe
  - Resource: win7-en-20211208
  - Platform: windows7_x64
  - 0 signatures
  - 0 seconds
General
- Target: a6cc097da2bee5d66e38a786047089065ad694607297795f7088847cdcb1643e.exe
- Size: 702KB
- MD5: 3b50feaab7beaf0ab69164d14c3eda9e
- SHA1: 88e8b4e3252b76232d5b5d7bca0a4fbc505961e8
- SHA256: a6cc097da2bee5d66e38a786047089065ad694607297795f7088847cdcb1643e
- SHA512: 17f54072c4a1770be1c45994682a48663d60777070bab20116855fc25cc7c2d1f08b85836080bd4968b73d0270ed0b039e1b513e49f3d7e498d47aee9b18f6e4
Malware Config
Signatures
- Windows security modification
  (The sample writes to the Windows Defender Features key and sets TamperProtection to 0, the value that corresponds to Tamper Protection being switched off.)
  Processes:
  description     | ioc                                                                                              | process
  Key created     | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features                       | a6cc097da2bee5d66e38a786047089065ad694607297795f7088847cdcb1643e.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | a6cc097da2bee5d66e38a786047089065ad694607297795f7088847cdcb1643e.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  (Three identical write events from the sample into its child powershell.exe process.)
  Processes:
  description                          | pid  | process                                                              | target process
  PID 4892 wrote to memory of 1380     | 4892 | a6cc097da2bee5d66e38a786047089065ad694607297795f7088847cdcb1643e.exe | powershell.exe
  PID 4892 wrote to memory of 1380     | 4892 | a6cc097da2bee5d66e38a786047089065ad694607297795f7088847cdcb1643e.exe | powershell.exe
  PID 4892 wrote to memory of 1380     | 4892 | a6cc097da2bee5d66e38a786047089065ad694607297795f7088847cdcb1643e.exe | powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a6cc097da2bee5d66e38a786047089065ad694607297795f7088847cdcb1643e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a6cc097da2bee5d66e38a786047089065ad694607297795f7088847cdcb1643e.exe"
  PID: 4892
  - Windows security modification
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" Get-MpPreference -verbose
    PID: 1380