Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 15-06-2022 04:47
Static task: static1
Behavioral task: behavioral1
- Sample: 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe
- Resource: win10v2004-20220414-en
General
- Target: 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe
- Size: 385KB
- MD5: 87844ce0e37030e3575872ba6b4c8ebe
- SHA1: 747651876b3a6b2824b41932676da1dd3b932044
- SHA256: 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267
- SHA512: 7c8fa47208d8a1bcb342adfe1aa5e20559f2098bad90e2cd7d23b5120ea4437e5a75306d104de2932cc04ee22031cf1f9dd873c3cbb360872fa1cb3c7c77fde6
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
Processes: winutow.exe

| description | ioc | process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | winutow.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | winutow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | winutow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | winutow.exe |
Windows security bypass
Processes: winutow.exe

| description | ioc | process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winutow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winutow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winutow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winutow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | winutow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | winutow.exe |
Executes dropped EXE 1 IoCs
Processes: winutow.exe

| pid | process |
|---|---|
| 3352 | winutow.exe |
Windows security modification
Processes: winutow.exe

| description | ioc | process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winutow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | winutow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | winutow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winutow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winutow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | winutow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winutow.exe |
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe

| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\Windows\\3734592810231913\\winutow.exe" | 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\Windows\\3734592810231913\\winutow.exe" | 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe |
Drops file in Windows directory 3 IoCs
Processes: 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe

| description | ioc | process |
|---|---|---|
| File created | C:\Windows\3734592810231913\winutow.exe | 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe |
| File opened for modification | C:\Windows\3734592810231913\winutow.exe | 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe |
| File opened for modification | C:\Windows\3734592810231913 | 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe |
Suspicious behavior: EnumeratesProcesses 36 IoCs
Processes: 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe, winutow.exe

| pid | process |
|---|---|
| 2004 | 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe |
| 2004 | 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe |
| 2004 | 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe |
| 2004 | 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe |
| 2004 | 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe |
| 2004 | 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe |
| 2004 | 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe |
| 2004 | 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe |
| 2004 | 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe |
| 2004 | 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe |
| 2004 | 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe |
| 2004 | 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe |
| 2004 | 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe |
| 2004 | 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe |
| 2004 | 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe |
| 2004 | 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe |
| 2004 | 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe |
| 2004 | 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe |
| 3352 | winutow.exe |
| 3352 | winutow.exe |
| 3352 | winutow.exe |
| 3352 | winutow.exe |
| 3352 | winutow.exe |
| 3352 | winutow.exe |
| 3352 | winutow.exe |
| 3352 | winutow.exe |
| 3352 | winutow.exe |
| 3352 | winutow.exe |
| 3352 | winutow.exe |
| 3352 | winutow.exe |
| 3352 | winutow.exe |
| 3352 | winutow.exe |
| 3352 | winutow.exe |
| 3352 | winutow.exe |
| 3352 | winutow.exe |
| 3352 | winutow.exe |
Suspicious use of WriteProcessMemory 3 IoCs
Processes: 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe

| description | pid | process | target process |
|---|---|---|---|
| PID 2004 wrote to memory of 3352 | 2004 | 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe | winutow.exe |
| PID 2004 wrote to memory of 3352 | 2004 | 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe | winutow.exe |
| PID 2004 wrote to memory of 3352 | 2004 | 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe | winutow.exe |
Processes
- C:\Users\Admin\AppData\Local\Temp\2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267.exe"
  Signatures:
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\3734592810231913\winutow.exe (child process)
    Command line: C:\Windows\3734592810231913\winutow.exe
    Signatures:
    - Modifies Windows Defender Real-time Protection settings
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\3734592810231913\winutow.exe
  Filesize: 385KB
  MD5: 87844ce0e37030e3575872ba6b4c8ebe
  SHA1: 747651876b3a6b2824b41932676da1dd3b932044
  SHA256: 2aae2375a8cf31575ea9a80bdeddc9ec97586e156e4d0d466d42ffec800ec267
  SHA512: 7c8fa47208d8a1bcb342adfe1aa5e20559f2098bad90e2cd7d23b5120ea4437e5a75306d104de2932cc04ee22031cf1f9dd873c3cbb360872fa1cb3c7c77fde6
- memory/2004-130-0x0000000000987000-0x000000000098C000-memory.dmp (Filesize: 20KB)
- memory/2004-131-0x0000000000987000-0x000000000098C000-memory.dmp (Filesize: 20KB)
- memory/2004-132-0x0000000000400000-0x000000000093E000-memory.dmp (Filesize: 5.2MB)
- memory/2004-137-0x0000000000400000-0x000000000093E000-memory.dmp (Filesize: 5.2MB)
- memory/3352-133-0x0000000000000000-mapping.dmp
- memory/3352-136-0x0000000000C47000-0x0000000000C4B000-memory.dmp (Filesize: 16KB)
- memory/3352-138-0x0000000000C47000-0x0000000000C4B000-memory.dmp (Filesize: 16KB)
- memory/3352-139-0x0000000000400000-0x000000000093E000-memory.dmp (Filesize: 5.2MB)
- memory/3352-140-0x0000000000400000-0x000000000093E000-memory.dmp (Filesize: 5.2MB)