7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2022 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Size

138KB
MD5

6061a886d7544e1b66ea0a5659e350ed
SHA1

f43401281b75ea4e99c6535dd96f3e73e02d9101
SHA256

7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6
SHA512

dd21f7fd055d5c7097007d97a5f473993d6f57ba89e4f14f5a11347d6ed10b1ecc24315c0ccca77a79925ec3a1d5b43d5c6f323d62e25d1ac1f58bc474cc37bd
SSDEEP

3072:si1CBSlVbg9/AkWGJwNwqnNLseNNpBNPN9hN9Zxe49NsJN7:icXbQ/A

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
1524	powershell.exe
1524	powershell.exe
1208	powershell.exe
1208	powershell.exe
5100	powershell.exe
5100	powershell.exe
4836	powershell.exe
4836	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	5100	powershell.exe
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeIncreaseQuotaPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeSecurityPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeTakeOwnershipPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeLoadDriverPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeSystemProfilePrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeSystemtimePrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeProfSingleProcessPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeIncBasePriorityPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeCreatePagefilePrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeBackupPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeRestorePrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeShutdownPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeDebugPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeSystemEnvironmentPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeRemoteShutdownPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeUndockPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeManageVolumePrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: 33	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: 34	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: 35	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: 36	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeIncreaseQuotaPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeSecurityPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeTakeOwnershipPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeLoadDriverPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeSystemProfilePrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeSystemtimePrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeProfSingleProcessPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeIncBasePriorityPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeCreatePagefilePrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeBackupPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeRestorePrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeShutdownPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeDebugPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeSystemEnvironmentPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeRemoteShutdownPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeUndockPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeManageVolumePrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: 33	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: 34	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: 35	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: 36	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeIncreaseQuotaPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeSecurityPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeTakeOwnershipPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeLoadDriverPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeSystemProfilePrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeSystemtimePrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeProfSingleProcessPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeIncBasePriorityPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeCreatePagefilePrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeBackupPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeRestorePrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeShutdownPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeDebugPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeSystemEnvironmentPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeRemoteShutdownPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeUndockPrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
Token: SeManageVolumePrivilege	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3300 wrote to memory of 1524	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe	79
PID 3300 wrote to memory of 1524	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe	79
PID 3300 wrote to memory of 1208	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe	80
PID 3300 wrote to memory of 1208	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe	80
PID 3300 wrote to memory of 5100	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe	81
PID 3300 wrote to memory of 5100	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe	81
PID 3300 wrote to memory of 4836	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe	82
PID 3300 wrote to memory of 4836	3300	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe	82

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe

C:\Users\Admin\AppData\Local\Temp\7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe
"C:\Users\Admin\AppData\Local\Temp\7bb489693143c527cda8063045ee9809447bab0315a049b1a7b70478eb79cda6.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\Downloads
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows\hh.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Public
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9bc110200117a3752313ca2acaf8a9e1

SHA1
fda6b7da2e7b0175b391475ca78d1b4cf2147cd3

SHA256
c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb

SHA512
1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b3bc9ca267ea2969eb6201d77e58560c

SHA1
78f83a443aa1ca235edcab2da9e2fda6fecc1da4

SHA256
7ea18b6f900f2c30a5c34845d62d4fe9fc1f11e40714b3dbd69592cbfb5dc695

SHA512
8cc70e4f88f3d9f59beec22dafdb403144f7f390250205e08279a2f8e01e783af44ae31aa4a8a7ea05865b05303ac5e5048f7fb44488be538d9701b6195e9b28

Download Submit
memory/1208-143-0x00007FF85E980000-0x00007FF85F441000-memory.dmp

Filesize
10.8MB

Download
memory/1208-142-0x00007FF85E980000-0x00007FF85F441000-memory.dmp

Filesize
10.8MB

Download
memory/1208-138-0x0000000000000000-mapping.dmp

Download
memory/1524-137-0x00007FF85E980000-0x00007FF85F441000-memory.dmp

Filesize
10.8MB

Download
memory/1524-136-0x00007FF85E980000-0x00007FF85F441000-memory.dmp

Filesize
10.8MB

Download
memory/1524-135-0x0000000000000000-mapping.dmp

Download
memory/3300-134-0x0000000000CE0000-0x0000000000D02000-memory.dmp

Filesize
136KB

Download
memory/3300-141-0x00007FF85E980000-0x00007FF85F441000-memory.dmp

Filesize
10.8MB

Download
memory/3300-132-0x0000000000470000-0x0000000000498000-memory.dmp

Filesize
160KB

Download
memory/3300-133-0x00007FF85E980000-0x00007FF85F441000-memory.dmp

Filesize
10.8MB

Download
memory/3300-152-0x000000001F1D0000-0x000000001F1FA000-memory.dmp

Filesize
168KB

Download
memory/3300-153-0x000000001F1D0000-0x000000001F1F4000-memory.dmp

Filesize
144KB

Download
memory/3300-154-0x00007FF85E980000-0x00007FF85F441000-memory.dmp

Filesize
10.8MB

Download
memory/4836-148-0x0000000000000000-mapping.dmp

Download
memory/4836-150-0x00007FF85E980000-0x00007FF85F441000-memory.dmp

Filesize
10.8MB

Download
memory/4836-151-0x00007FF85E980000-0x00007FF85F441000-memory.dmp

Filesize
10.8MB

Download
memory/5100-144-0x0000000000000000-mapping.dmp

Download
memory/5100-145-0x00007FF85E980000-0x00007FF85F441000-memory.dmp

Filesize
10.8MB

Download
memory/5100-147-0x00007FF85E980000-0x00007FF85F441000-memory.dmp

Filesize
10.8MB

Download