Analysis
- max time kernel: 146s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 30-06-2022 18:57
- Static task: static1
- Behavioral task: behavioral1
- Sample: 44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe
- Resource: win7-20220414-en
General
- Target: 44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe
- Size: 1008KB
- MD5: e545f0dcbd848ce0e1594b9efe51b572
- SHA1: 7518a03d5a85c4a919dfb89a85af5f9e5fdf7713
- SHA256: 44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b
- SHA512: 8cd58be448e211723a13027ff6fea7a1b28cc7b603627c973022277c36642639aaf3e8b0d865a292b09b6c071375d580e94ccaa29b8f545aca22e0a3568ee333
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | 44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe
Windows security bypass
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | 44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe = "0" | 44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe
Async RAT payload 6 IoCs
Processes:
resource | yara_rule
behavioral1/memory/280-63-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
behavioral1/memory/280-64-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
behavioral1/memory/280-65-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
behavioral1/memory/280-66-0x000000000040DD5E-mapping.dmp | asyncrat
behavioral1/memory/280-68-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
behavioral1/memory/280-70-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
Windows security modification
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | 44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions | 44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe = "0" | 44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection | 44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | 44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | 44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
Processes:
pid | process
1800 | 44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe (13 identical entries)
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1800 set thread context of 280 | 1800 | 44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe | regsvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
964 | 1800 | WerFault.exe | 44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid | process
1728 | powershell.exe
1800 | 44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe
1800 | 44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1800 | 44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe
Token: SeDebugPrivilege | 1728 | powershell.exe
Token: SeDebugPrivilege | 280 | regsvcs.exe
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
description | pid | process | target process
PID 1800 wrote to memory of 1728 | 1800 | 44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe | powershell.exe (4 identical entries)
PID 1800 wrote to memory of 280 | 1800 | 44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe | regsvcs.exe (12 identical entries)
PID 1800 wrote to memory of 964 | 1800 | 44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe | WerFault.exe (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe"
  - Modifies Windows Defender Real-time Protection settings
  - Windows security bypass
  - Windows security modification
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1772
    - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
resource | filesize
memory/280-65-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/280-66-0x000000000040DD5E-mapping.dmp |
memory/280-70-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/280-68-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/280-63-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/280-60-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/280-61-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/280-64-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/964-71-0x0000000000000000-mapping.dmp |
memory/1728-59-0x000000006F000000-0x000000006F5AB000-memory.dmp | 5.7MB
memory/1728-57-0x0000000000000000-mapping.dmp |
memory/1728-73-0x000000006F000000-0x000000006F5AB000-memory.dmp | 5.7MB
memory/1800-55-0x0000000074E91000-0x0000000074E93000-memory.dmp | 8KB
memory/1800-54-0x00000000013B0000-0x00000000014B0000-memory.dmp | 1024KB
memory/1800-56-0x0000000000330000-0x000000000035C000-memory.dmp | 176KB