Analysis
- max time kernel: 49s
- max time network: 132s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 23:30
- Static task: static1
- Behavioral task: behavioral1
- Sample: e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34.exe
- Resource: win7-20220414-en
General
- Target: e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34.exe
- Size: 388KB
- MD5: 96bf6cd67a17a9d1a9fbc7ff04dcfe72
- SHA1: b593c9d0311c4ead374c97eaecad143b542b610a
- SHA256: e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34
- SHA512: bf50f4dc42e1cc053e53516be4c3d7da69e6acc11e52cac7acb0fe8cc8c0050019f5381234a918d5eda7ac654f314eb124c331d1f82cb7c82a8175c3028e4f3e
Malware Config
Signatures
- Contains code to disable Windows Defender (4 IoCs)
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  Processes (resource / yara_rule):
    \Users\Admin\AppData\Local\Disable-Windows-Defender.vmp.exe / disable_win_def
    C:\Users\Admin\AppData\Local\Disable-Windows-Defender.vmp.exe / disable_win_def
    C:\Users\Admin\AppData\Local\Disable-Windows-Defender.vmp.exe / disable_win_def
    behavioral1/memory/1712-65-0x0000000000D80000-0x0000000000DAE000-memory.dmp / disable_win_def
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
    1712 / Disable-Windows-Defender.vmp.exe
- vmprotect yara rule hits
  Processes (resource / yara_rule):
    behavioral1/memory/1936-54-0x00000000009A0000-0x0000000000A1A000-memory.dmp / vmprotect
    \Users\Admin\AppData\Local\Disable-Windows-Defender.vmp.exe / vmprotect
    C:\Users\Admin\AppData\Local\Disable-Windows-Defender.vmp.exe / vmprotect
    C:\Users\Admin\AppData\Local\Disable-Windows-Defender.vmp.exe / vmprotect
    behavioral1/memory/1712-65-0x0000000000D80000-0x0000000000DAE000-memory.dmp / vmprotect
- Loads dropped DLL (1 IoCs)
  Processes (pid / process):
    1936 / e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Windows security modification
  Processes (description / ioc / process):
    Key created / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features / Disable-Windows-Defender.vmp.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
    Set value (str) / \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34.exe" / e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
    3 / icanhazip.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid / process):
    1592 / powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege / 1936 / e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34.exe
    Token: SeDebugPrivilege / 1592 / powershell.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description / pid / process / target process):
    PID 1936 wrote to memory of 1712 / 1936 / e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34.exe / Disable-Windows-Defender.vmp.exe (4 times)
    PID 1712 wrote to memory of 1592 / 1712 / Disable-Windows-Defender.vmp.exe / powershell.exe (3 times)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Disable-Windows-Defender.vmp.exe (child of [1])
    Command line: "C:\Users\Admin\AppData\Local\Disable-Windows-Defender.vmp.exe"
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of [2])
      Command line: "powershell" Get-MpPreference -verbose
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Disable-Windows-Defender.vmp.exe
  Filesize: 143KB
  MD5: 787f632e3502dc87a30e82543b89bfa9
  SHA1: f430ee7e9e6381877a2f05475c4911dfebf72290
  SHA256: 358358793c2e152bbc2cc78a29fba9b52beb0d51b071ae680449808593fc76a3
  SHA512: e0f74f229917f4568fc13092e61c70aeb9bbcb2549796afa25f3fdf46dd0fd943e01b455bd50e35bc4f505e6f26dba5d1f0823005c2c64c0205a4f9c05bba2df
- \Users\Admin\AppData\Local\Disable-Windows-Defender.vmp.exe
  Filesize: 143KB
  MD5: 787f632e3502dc87a30e82543b89bfa9
  SHA1: f430ee7e9e6381877a2f05475c4911dfebf72290
  SHA256: 358358793c2e152bbc2cc78a29fba9b52beb0d51b071ae680449808593fc76a3
  SHA512: e0f74f229917f4568fc13092e61c70aeb9bbcb2549796afa25f3fdf46dd0fd943e01b455bd50e35bc4f505e6f26dba5d1f0823005c2c64c0205a4f9c05bba2df
- memory/1592-68-0x000007FEEDFA0000-0x000007FEEE9C3000-memory.dmp (Filesize: 10.1MB)
- memory/1592-66-0x0000000000000000-mapping.dmp
- memory/1592-67-0x000007FEFBFB1000-0x000007FEFBFB3000-memory.dmp (Filesize: 8KB)
- memory/1592-69-0x0000000002844000-0x0000000002847000-memory.dmp (Filesize: 12KB)
- memory/1592-70-0x000007FEED440000-0x000007FEEDF9D000-memory.dmp (Filesize: 11.4MB)
- memory/1592-71-0x000000000284B000-0x000000000286A000-memory.dmp (Filesize: 124KB)
- memory/1712-62-0x0000000000000000-mapping.dmp
- memory/1712-65-0x0000000000D80000-0x0000000000DAE000-memory.dmp (Filesize: 184KB)
- memory/1936-60-0x00000000003F0000-0x0000000000406000-memory.dmp (Filesize: 88KB)
- memory/1936-59-0x00000000003D0000-0x00000000003DC000-memory.dmp (Filesize: 48KB)
- memory/1936-58-0x0000000000390000-0x000000000039A000-memory.dmp (Filesize: 40KB)
- memory/1936-57-0x00000000757C1000-0x00000000757C3000-memory.dmp (Filesize: 8KB)
- memory/1936-54-0x00000000009A0000-0x0000000000A1A000-memory.dmp (Filesize: 488KB)