e7d33deff34583feed9eef84804aff0d7a5cc4c51a3f59f11f0edd9bf1190cbc

Analysis

max time kernel
128s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7d33deff34583feed9eef84804aff0d7a5cc4c51a3f59f11f0edd9bf1190cbc.exe
Size

40KB
MD5

0e011238373522fe3b7f76b5a5cd27d4
SHA1

4f0671ec0cc8c5d23aa74d281e4160ba97504ae5
SHA256

e7d33deff34583feed9eef84804aff0d7a5cc4c51a3f59f11f0edd9bf1190cbc
SHA512

58f4d4bf802fb3bc83b0edb5d6b2f93733266d5eec61a4281179b09daef58718f44240daf0be6756f7c16b08d7fabfd77c946e98d76f070ae6a417f2aad7f62e
SSDEEP

768:yUzeOjc8slpz2MsIDp3xLJGRGXgiE9gWPjYD:rRjcJx1G8QtVsD

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e7d33deff34583feed9eef84804aff0d7a5cc4c51a3f59f11f0edd9bf1190cbc.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2784	netsh.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e7d33deff34583feed9eef84804aff0d7a5cc4c51a3f59f11f0edd9bf1190cbc.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4992	sc.exe
4912	sc.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2288	e7d33deff34583feed9eef84804aff0d7a5cc4c51a3f59f11f0edd9bf1190cbc.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2784	2288	e7d33deff34583feed9eef84804aff0d7a5cc4c51a3f59f11f0edd9bf1190cbc.exe	78
PID 2288 wrote to memory of 2784	2288	e7d33deff34583feed9eef84804aff0d7a5cc4c51a3f59f11f0edd9bf1190cbc.exe	78
PID 2288 wrote to memory of 2784	2288	e7d33deff34583feed9eef84804aff0d7a5cc4c51a3f59f11f0edd9bf1190cbc.exe	78
PID 2288 wrote to memory of 4332	2288	e7d33deff34583feed9eef84804aff0d7a5cc4c51a3f59f11f0edd9bf1190cbc.exe	80
PID 2288 wrote to memory of 4332	2288	e7d33deff34583feed9eef84804aff0d7a5cc4c51a3f59f11f0edd9bf1190cbc.exe	80
PID 2288 wrote to memory of 4332	2288	e7d33deff34583feed9eef84804aff0d7a5cc4c51a3f59f11f0edd9bf1190cbc.exe	80
PID 2288 wrote to memory of 932	2288	e7d33deff34583feed9eef84804aff0d7a5cc4c51a3f59f11f0edd9bf1190cbc.exe	81
PID 2288 wrote to memory of 932	2288	e7d33deff34583feed9eef84804aff0d7a5cc4c51a3f59f11f0edd9bf1190cbc.exe	81
PID 2288 wrote to memory of 932	2288	e7d33deff34583feed9eef84804aff0d7a5cc4c51a3f59f11f0edd9bf1190cbc.exe	81
PID 2288 wrote to memory of 4992	2288	e7d33deff34583feed9eef84804aff0d7a5cc4c51a3f59f11f0edd9bf1190cbc.exe	84
PID 2288 wrote to memory of 4992	2288	e7d33deff34583feed9eef84804aff0d7a5cc4c51a3f59f11f0edd9bf1190cbc.exe	84
PID 2288 wrote to memory of 4992	2288	e7d33deff34583feed9eef84804aff0d7a5cc4c51a3f59f11f0edd9bf1190cbc.exe	84
PID 2288 wrote to memory of 4912	2288	e7d33deff34583feed9eef84804aff0d7a5cc4c51a3f59f11f0edd9bf1190cbc.exe	86
PID 2288 wrote to memory of 4912	2288	e7d33deff34583feed9eef84804aff0d7a5cc4c51a3f59f11f0edd9bf1190cbc.exe	86
PID 2288 wrote to memory of 4912	2288	e7d33deff34583feed9eef84804aff0d7a5cc4c51a3f59f11f0edd9bf1190cbc.exe	86
PID 932 wrote to memory of 1636	932	net.exe	89
PID 932 wrote to memory of 1636	932	net.exe	89
PID 932 wrote to memory of 1636	932	net.exe	89
PID 4332 wrote to memory of 3532	4332	net.exe	88
PID 4332 wrote to memory of 3532	4332	net.exe	88
PID 4332 wrote to memory of 3532	4332	net.exe	88

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	e7d33deff34583feed9eef84804aff0d7a5cc4c51a3f59f11f0edd9bf1190cbc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e7d33deff34583feed9eef84804aff0d7a5cc4c51a3f59f11f0edd9bf1190cbc.exe

C:\Users\Admin\AppData\Local\Temp\e7d33deff34583feed9eef84804aff0d7a5cc4c51a3f59f11f0edd9bf1190cbc.exe
"C:\Users\Admin\AppData\Local\Temp\e7d33deff34583feed9eef84804aff0d7a5cc4c51a3f59f11f0edd9bf1190cbc.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2288
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  PID:2784
- C:\Windows\SysWOW64\net.exe
  net stop security center
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop security center
    3⤵
    PID:3532
- C:\Windows\SysWOW64\net.exe
  net stop WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop WinDefend
    3⤵
    PID:1636
- C:\Windows\SysWOW64\sc.exe
  sc stop SharedAccess
  2⤵
  - Launches sc.exe
  PID:4992
- C:\Windows\SysWOW64\sc.exe
  sc DELETE SharedAccess
  2⤵
  - Launches sc.exe
  PID:4912