Analysis
max time kernel: 148s
max time network: 145s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30-10-2022 08:53
Static task: static1
Behavioral task: behavioral1
  Sample: 42c7b38069a1dc00328f97174f717a395e02754143c034dff1addb1af0d287c8.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 42c7b38069a1dc00328f97174f717a395e02754143c034dff1addb1af0d287c8.exe
  Resource: win10v2004-20220812-en
General
Target: 42c7b38069a1dc00328f97174f717a395e02754143c034dff1addb1af0d287c8.exe
Size: 432KB
MD5: 93370652ce96fb46d3eb428d47370650
SHA1: 979874b93ac55e3036d2b4439c31fbfa5855842a
SHA256: 42c7b38069a1dc00328f97174f717a395e02754143c034dff1addb1af0d287c8
SHA512: f8319769dd283e7fcc00d385114797038b594c930acab4d21b11173781cdd0f8e8fc68f2b023e5a3da8fe63c789b01db834572729405835fc6a7c43983eec791
SSDEEP: 6144:pyiMagk06qtnhKZ53rw9mN7bTlPPfewOZwMUQS1GTMNxsFTmekZaGezyLf97IlO3:pyiq6qRYv3rpQIQkGINxsQ5jSr
Malware Config
Signatures
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 42c7b38069a1dc00328f97174f717a395e02754143c034dff1addb1af0d287c8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 42c7b38069a1dc00328f97174f717a395e02754143c034dff1addb1af0d287c8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | F4D55F6500014973000B4090B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | F4D55F6500014973000B4090B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 42c7b38069a1dc00328f97174f717a395e02754143c034dff1addb1af0d287c8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 42c7b38069a1dc00328f97174f717a395e02754143c034dff1addb1af0d287c8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | F4D55F6500014973000B4090B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | F4D55F6500014973000B4090B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | F4D55F6500014973000B4090B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 42c7b38069a1dc00328f97174f717a395e02754143c034dff1addb1af0d287c8.exe
Disables taskbar notifications via registry modification
Executes dropped EXE 1 IoCs
pid | Process
1708 | F4D55F6500014973000B4090B4EB2331.exe
Deletes itself 1 IoCs
pid | Process
1708 | F4D55F6500014973000B4090B4EB2331.exe
Loads dropped DLL 2 IoCs
pid | Process
1908 | 42c7b38069a1dc00328f97174f717a395e02754143c034dff1addb1af0d287c8.exe
1908 | 42c7b38069a1dc00328f97174f717a395e02754143c034dff1addb1af0d287c8.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | F4D55F6500014973000B4090B4EB2331.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc | 42c7b38069a1dc00328f97174f717a395e02754143c034dff1addb1af0d287c8.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc | 42c7b38069a1dc00328f97174f717a395e02754143c034dff1addb1af0d287c8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | F4D55F6500014973000B4090B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | F4D55F6500014973000B4090B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 42c7b38069a1dc00328f97174f717a395e02754143c034dff1addb1af0d287c8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | F4D55F6500014973000B4090B4EB2331.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc | F4D55F6500014973000B4090B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 42c7b38069a1dc00328f97174f717a395e02754143c034dff1addb1af0d287c8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 42c7b38069a1dc00328f97174f717a395e02754143c034dff1addb1af0d287c8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 42c7b38069a1dc00328f97174f717a395e02754143c034dff1addb1af0d287c8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | F4D55F6500014973000B4090B4EB2331.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc | F4D55F6500014973000B4090B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 42c7b38069a1dc00328f97174f717a395e02754143c034dff1addb1af0d287c8.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\F4D55F6500014973000B4090B4EB2331 = "C:\\ProgramData\\F4D55F6500014973000B4090B4EB2331\\F4D55F6500014973000B4090B4EB2331.exe" | F4D55F6500014973000B4090B4EB2331.exe
Suspicious behavior: EnumeratesProcesses 56 IoCs
pid | Process
1908 | 42c7b38069a1dc00328f97174f717a395e02754143c034dff1addb1af0d287c8.exe (7 identical entries)
1708 | F4D55F6500014973000B4090B4EB2331.exe (remaining 49 identical entries)
Suspicious use of FindShellTrayWindow 3 IoCs
pid | Process
1708 | F4D55F6500014973000B4090B4EB2331.exe (3 identical entries)
Suspicious use of SendNotifyMessage 3 IoCs
pid | Process
1708 | F4D55F6500014973000B4090B4EB2331.exe (3 identical entries)
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
1708 | F4D55F6500014973000B4090B4EB2331.exe (2 identical entries)
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 1908 wrote to memory of 1708 | 1908 | 42c7b38069a1dc00328f97174f717a395e02754143c034dff1addb1af0d287c8.exe | 28 (4 identical entries)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\42c7b38069a1dc00328f97174f717a395e02754143c034dff1addb1af0d287c8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\42c7b38069a1dc00328f97174f717a395e02754143c034dff1addb1af0d287c8.exe"
PID: 1908
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

  Level 2 (child of PID 1908): C:\ProgramData\F4D55F6500014973000B4090B4EB2331\F4D55F6500014973000B4090B4EB2331.exe
  Command line: "C:\ProgramData\F4D55F6500014973000B4090B4EB2331\F4D55F6500014973000B4090B4EB2331.exe" "C:\Users\Admin\AppData\Local\Temp\42c7b38069a1dc00328f97174f717a395e02754143c034dff1addb1af0d287c8.exe"
  PID: 1708
  - Windows security bypass
  - Executes dropped EXE
  - Deletes itself
  - Windows security modification
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 432KB
MD5: 93370652ce96fb46d3eb428d47370650
SHA1: 979874b93ac55e3036d2b4439c31fbfa5855842a
SHA256: 42c7b38069a1dc00328f97174f717a395e02754143c034dff1addb1af0d287c8
SHA512: f8319769dd283e7fcc00d385114797038b594c930acab4d21b11173781cdd0f8e8fc68f2b023e5a3da8fe63c789b01db834572729405835fc6a7c43983eec791