af71c625eb3c8039c4d5fa2ce2d0e2caad836876b566a6488f1ab64672ce0e5e

General

Target

af71c625eb3c8039c4d5fa2ce2d0e2caad836876b566a6488f1ab64672ce0e5e.exe
Size

456KB
MD5

38cb53967d7f774076d756a9c6f42e32
SHA1

7402279b692c1ee7ffcf110834f63a1925e785de
SHA256

af71c625eb3c8039c4d5fa2ce2d0e2caad836876b566a6488f1ab64672ce0e5e
SHA512

d293e62d0ff8e7ad9fb24a5f17ff0a6aa1cc6c2a018f1f9206677f105601b5b04eb25261a4acde1212fedb5bdbbd0416047b8faff6a768fd8b34792ff13f675e
SSDEEP

6144:qLQ0GPwMnqkeVoUl9pQMSGng8Ypq4ee38BcxRUm3fQS/KraKk1AvqyA:qLPiqHXl9/ng8YIW3CKRPC/ya

Score

10^/10

evasion trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	af71c625eb3c8039c4d5fa2ce2d0e2caad836876b566a6488f1ab64672ce0e5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	af71c625eb3c8039c4d5fa2ce2d0e2caad836876b566a6488f1ab64672ce0e5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	af71c625eb3c8039c4d5fa2ce2d0e2caad836876b566a6488f1ab64672ce0e5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	af71c625eb3c8039c4d5fa2ce2d0e2caad836876b566a6488f1ab64672ce0e5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	af71c625eb3c8039c4d5fa2ce2d0e2caad836876b566a6488f1ab64672ce0e5e.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	af71c625eb3c8039c4d5fa2ce2d0e2caad836876b566a6488f1ab64672ce0e5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	af71c625eb3c8039c4d5fa2ce2d0e2caad836876b566a6488f1ab64672ce0e5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	af71c625eb3c8039c4d5fa2ce2d0e2caad836876b566a6488f1ab64672ce0e5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	af71c625eb3c8039c4d5fa2ce2d0e2caad836876b566a6488f1ab64672ce0e5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	af71c625eb3c8039c4d5fa2ce2d0e2caad836876b566a6488f1ab64672ce0e5e.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc	af71c625eb3c8039c4d5fa2ce2d0e2caad836876b566a6488f1ab64672ce0e5e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc	af71c625eb3c8039c4d5fa2ce2d0e2caad836876b566a6488f1ab64672ce0e5e.exe

C:\Users\Admin\AppData\Local\Temp\af71c625eb3c8039c4d5fa2ce2d0e2caad836876b566a6488f1ab64672ce0e5e.exe
"C:\Users\Admin\AppData\Local\Temp\af71c625eb3c8039c4d5fa2ce2d0e2caad836876b566a6488f1ab64672ce0e5e.exe"
1⤵
- Windows security bypass
- Windows security modification
PID:1452
- C:\ProgramData\F4D55F6500014973000CA680B4EB2331\F4D55F6500014973000CA680B4EB2331.exe
  "C:\ProgramData\F4D55F6500014973000CA680B4EB2331\F4D55F6500014973000CA680B4EB2331.exe" "C:\Users\Admin\AppData\Local\Temp\af71c625eb3c8039c4d5fa2ce2d0e2caad836876b566a6488f1ab64672ce0e5e.exe"
  2⤵
  PID:1456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\F4D55F6500014973000CA680B4EB2331\F4D55F6500014973000CA680B4EB2331.exe

Filesize
49KB

MD5
bdad50bd0057f99ad716f5276535227f

SHA1
bda4cf80609576dc2c6a4ca3851eb96f7c408cd7

SHA256
86c58691bd31cc72ff3900ef40529e3b7a1553ee1618c808ba10263a8a5a7f4a

SHA512
840fe92dd50c9970d3a2284f4921c0c385857498ae175db50a2c97ad90b3a5b4d1521c2b29fdec3f6e2c397c6d1a008a5591fefcfce3221acf14ecbeb0ff5d90

Download Submit
C:\ProgramData\F4D55F6500014973000CA680B4EB2331\F4D55F6500014973000CA680B4EB2331.exe

Filesize
29KB

MD5
581efbb242fd8b1429157c74d8092790

SHA1
8dd263f1338b28e44e3f0d9f78c836a6a6ca8b37

SHA256
49fd8b3522e05ab9596771f7090dff848374de3daa47405cbd2964b81c3cdd0c

SHA512
f2fa1643415511e9aa6e5dc0a04aedde83bd2e743414b0308548e6da2e946c69c1b149d2d273b11abb95652db369324c87418854cfe842a3123dfb4c6ec13dbf

Download Submit
\ProgramData\F4D55F6500014973000CA680B4EB2331\F4D55F6500014973000CA680B4EB2331.exe

Filesize
38KB

MD5
0ccd12b4e7278e61ccdccdbfadea8b17

SHA1
114864ccd864d7b8ea00d25baaa12a64a49f91fb

SHA256
7c61c8693a9a44739c190e46d637be68b0258f97257bcd48cace6309913536be

SHA512
41f9f0b59306c5bc1bfd96124e39f0a60ff36c238f1374e8815950f1050f3c603f330073e27261eedcbfba883f6a6d8b355ea1fc92e6ed3f01698082293cc4e9

Download Submit
\ProgramData\F4D55F6500014973000CA680B4EB2331\F4D55F6500014973000CA680B4EB2331.exe

Filesize
19KB

MD5
8f51cbe70c4d7e59b1421f3b469fa9b6

SHA1
e5cbaa2badd5be2946723bd07c25df397571d4a2

SHA256
73ddec9fd85907f07e352a9eff4a1ec05ce20a01a92ee408e06800df1292b23b

SHA512
70684c6a4007251b130b9b45b9bb4c0b737b1e54a508b4f04a10ed2defa3cf97702d4662354a6e54e93f99fde81ea997f69c2e443c6455bfd8c056d5f8b66199

Download Submit
memory/1452-54-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/1452-61-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/1456-62-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads