Analysis
max time kernel: 150s
max time network: 95s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 21-10-2022 04:40
Static task: static1
Behavioral task: behavioral1
  Sample: 31c17d4b7fbfcf5a65d95668650986d14f21db14118efba09464c968601bb3c0.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 31c17d4b7fbfcf5a65d95668650986d14f21db14118efba09464c968601bb3c0.exe
  Resource: win10v2004-20220901-en
General
Target: 31c17d4b7fbfcf5a65d95668650986d14f21db14118efba09464c968601bb3c0.exe
Size: 344KB
MD5: 48f9e4cb82eac70f509c1c357fc87b90
SHA1: 3fb4289b186e5a490afa4e4dc0ba379b2c07895e
SHA256: 31c17d4b7fbfcf5a65d95668650986d14f21db14118efba09464c968601bb3c0
SHA512: e48d327d6a1e847fd5b49082a889aef3148b58e89687323f9b205cd254dc27ad4aa25ae9d861b18feb3dd456036a8b49f9f5eb33cdf5e23235679aa6cb08b2fe
SSDEEP: 6144:5GzmuWyUufA1BXT/Jmt1WvhdKgvmH0v8LwTjJZscy0/p20UVwMcitXZOERt4vOy:gNUuYz/JDUgvmm8Sscy0sVw/GZOEIvO
Malware Config
Signatures
UAC bypass 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | F4D55F6500014973000C7881B4EB2331.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | F4D55F6500014973000C7881B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | F4D55F6500014973000C7881B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | F4D55F6500014973000C7881B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | F4D55F6500014973000C7881B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | F4D55F6500014973000C7881B4EB2331.exe
Disables taskbar notifications via registry modification
Executes dropped EXE 1 IoCs
pid | Process
1560 | F4D55F6500014973000C7881B4EB2331.exe
Deletes itself 1 IoCs
pid | Process
1560 | F4D55F6500014973000C7881B4EB2331.exe
Loads dropped DLL 2 IoCs
pid | Process
1288 | 31c17d4b7fbfcf5a65d95668650986d14f21db14118efba09464c968601bb3c0.exe
1288 | 31c17d4b7fbfcf5a65d95668650986d14f21db14118efba09464c968601bb3c0.exe
Windows security modification 7 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | F4D55F6500014973000C7881B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | F4D55F6500014973000C7881B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | F4D55F6500014973000C7881B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | F4D55F6500014973000C7881B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | F4D55F6500014973000C7881B4EB2331.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc | F4D55F6500014973000C7881B4EB2331.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc | F4D55F6500014973000C7881B4EB2331.exe
Checks whether UAC is enabled 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | F4D55F6500014973000C7881B4EB2331.exe
Modifies registry class 22 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\F4D55\shell\open\command | F4D55F6500014973000C7881B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\F4D55\shell\open | F4D55F6500014973000C7881B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\F4D55\shell\start\command\ = "\"%1\" %*" | F4D55F6500014973000C7881B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\.exe | F4D55F6500014973000C7881B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\%s\ = "F4D55" | F4D55F6500014973000C7881B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\F4D55 | F4D55F6500014973000C7881B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\F4D55\Content Type = "application/x-msdownload" | F4D55F6500014973000C7881B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\F4D55\DefaultIcon\ = "%1" | F4D55F6500014973000C7881B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\F4D55\shell\runas\command\ = "\"%1\" %*" | F4D55F6500014973000C7881B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\F4D55\ = "Application" | F4D55F6500014973000C7881B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\F4D55\DefaultIcon | F4D55F6500014973000C7881B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\F4D55\shell\start | F4D55F6500014973000C7881B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\%s | F4D55F6500014973000C7881B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\F4D55\shell | F4D55F6500014973000C7881B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\F4D55\shell\open\command\IsolatedCommand = "\"%1\" %*" | F4D55F6500014973000C7881B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\F4D55\shell\runas | F4D55F6500014973000C7881B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\F4D55\shell\runas\command\IsolatedCommand = "\"%1\" %*" | F4D55F6500014973000C7881B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\.exe\ = "F4D55" | F4D55F6500014973000C7881B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\F4D55\shell\open\command\ = "\"C:\\ProgramData\\F4D55F6500014973000C7881B4EB2331\\F4D55F6500014973000C7881B4EB2331.exe\" -s \"%1\" %*" | F4D55F6500014973000C7881B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\F4D55\shell\start\command | F4D55F6500014973000C7881B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\F4D55\shell\start\command\IsolatedCommand = "\"%1\" %*" | F4D55F6500014973000C7881B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\F4D55\shell\runas\command | F4D55F6500014973000C7881B4EB2331.exe
Suspicious behavior: EnumeratesProcesses 56 IoCs
pid | Process
1288 | 31c17d4b7fbfcf5a65d95668650986d14f21db14118efba09464c968601bb3c0.exe (1 entry)
1560 | F4D55F6500014973000C7881B4EB2331.exe (55 entries)
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
1560 | F4D55F6500014973000C7881B4EB2331.exe
1560 | F4D55F6500014973000C7881B4EB2331.exe
Suspicious use of SendNotifyMessage 2 IoCs
pid | Process
1560 | F4D55F6500014973000C7881B4EB2331.exe
1560 | F4D55F6500014973000C7881B4EB2331.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
1560 | F4D55F6500014973000C7881B4EB2331.exe
1560 | F4D55F6500014973000C7881B4EB2331.exe
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 1288 wrote to memory of 1560 | 1288 | 31c17d4b7fbfcf5a65d95668650986d14f21db14118efba09464c968601bb3c0.exe | 27
PID 1288 wrote to memory of 1560 | 1288 | 31c17d4b7fbfcf5a65d95668650986d14f21db14118efba09464c968601bb3c0.exe | 27
PID 1288 wrote to memory of 1560 | 1288 | 31c17d4b7fbfcf5a65d95668650986d14f21db14118efba09464c968601bb3c0.exe | 27
PID 1288 wrote to memory of 1560 | 1288 | 31c17d4b7fbfcf5a65d95668650986d14f21db14118efba09464c968601bb3c0.exe | 27
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | F4D55F6500014973000C7881B4EB2331.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\31c17d4b7fbfcf5a65d95668650986d14f21db14118efba09464c968601bb3c0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\31c17d4b7fbfcf5a65d95668650986d14f21db14118efba09464c968601bb3c0.exe"
   PID: 1288
   Signatures:
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\F4D55F6500014973000C7881B4EB2331\F4D55F6500014973000C7881B4EB2331.exe (child of PID 1288)
      Command line: "C:\ProgramData\F4D55F6500014973000C7881B4EB2331\F4D55F6500014973000C7881B4EB2331.exe" -d "C:\Users\Admin\AppData\Local\Temp\31c17d4b7fbfcf5a65d95668650986d14f21db14118efba09464c968601bb3c0.exe"
      PID: 1560
      Signatures:
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Deletes itself
      - Windows security modification
      - Checks whether UAC is enabled
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - System policy modification
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 344KB
MD5: 48f9e4cb82eac70f509c1c357fc87b90
SHA1: 3fb4289b186e5a490afa4e4dc0ba379b2c07895e
SHA256: 31c17d4b7fbfcf5a65d95668650986d14f21db14118efba09464c968601bb3c0
SHA512: e48d327d6a1e847fd5b49082a889aef3148b58e89687323f9b205cd254dc27ad4aa25ae9d861b18feb3dd456036a8b49f9f5eb33cdf5e23235679aa6cb08b2fe