703b4bf5601af6c51588c26036941ff6d37279b0ca18fc19820118d3425939ff

Analysis

max time kernel
142s
max time network
135s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

703b4bf5601af6c51588c26036941ff6d37279b0ca18fc19820118d3425939ff.exe
Size

1015KB
MD5

00090798b2bc093f092b2a7cf7ef7f39
SHA1

66b0c15bdd743e40f18ff72eff73813113c0e2b9
SHA256

703b4bf5601af6c51588c26036941ff6d37279b0ca18fc19820118d3425939ff
SHA512

58c0bf7c756da6c99e957dec072d046d172bc5706acd9f53d753ffc8e9b22f9c79e24150bf7062514b77f1abf959407187597c3f8dbdeb2cc1053c9e7b093184
SSDEEP

12288:Jtb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSgaojw1u8sIgB6A:Jtb20pkaCqT5TBWgNQ7aUhB6A

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

703b4bf5601af6c51588c26036941ff6d37279b0ca18fc19820118d3425939ff.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	703b4bf5601af6c51588c26036941ff6d37279b0ca18fc19820118d3425939ff.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

703b4bf5601af6c51588c26036941ff6d37279b0ca18fc19820118d3425939ff.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	703b4bf5601af6c51588c26036941ff6d37279b0ca18fc19820118d3425939ff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Security = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winlogin.exe"	703b4bf5601af6c51588c26036941ff6d37279b0ca18fc19820118d3425939ff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Flash = "C:\\Users\\Admin\\AppData\\Local\\Temp\\strn.exe"	703b4bf5601af6c51588c26036941ff6d37279b0ca18fc19820118d3425939ff.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

703b4bf5601af6c51588c26036941ff6d37279b0ca18fc19820118d3425939ff.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	703b4bf5601af6c51588c26036941ff6d37279b0ca18fc19820118d3425939ff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

703b4bf5601af6c51588c26036941ff6d37279b0ca18fc19820118d3425939ff.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	703b4bf5601af6c51588c26036941ff6d37279b0ca18fc19820118d3425939ff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	703b4bf5601af6c51588c26036941ff6d37279b0ca18fc19820118d3425939ff.exe

C:\Users\Admin\AppData\Local\Temp\703b4bf5601af6c51588c26036941ff6d37279b0ca18fc19820118d3425939ff.exe
"C:\Users\Admin\AppData\Local\Temp\703b4bf5601af6c51588c26036941ff6d37279b0ca18fc19820118d3425939ff.exe"
1⤵
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- System policy modification
PID:1908