Analysis
- max time kernel: 150s
- max time network: 88s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 19:17
Static task: static1
Behavioral task: behavioral1
  Sample: c9e798bcb8dbf48b9579dac30b293e67f6aafd4a169a62bdfa0e623d3214fcd5.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: c9e798bcb8dbf48b9579dac30b293e67f6aafd4a169a62bdfa0e623d3214fcd5.exe
  Resource: win10v2004-20220812-en
General
- Target: c9e798bcb8dbf48b9579dac30b293e67f6aafd4a169a62bdfa0e623d3214fcd5.exe
- Size: 456KB
- MD5: 8608ec03852233aa7c82969f8c7a1ffc
- SHA1: 307acf93644282013225f813ea50e1716f5783b3
- SHA256: c9e798bcb8dbf48b9579dac30b293e67f6aafd4a169a62bdfa0e623d3214fcd5
- SHA512: 2474555d97be5103d8e07826c6a566473a6bdef78531c68d6af4fbb2a9f14c4e5af0f82cc8e4ae745ea2aed3cdbb76b7d555b17430c9896765d3dc3a6596bf3d
- SSDEEP: 12288:9NZP/cxQxMU5yzZXUKREMS2yK3PE3FdJG4BEB5PNSIbhd+t:9N2Wp5y8MAEEntBiR98t
Malware Config
Signatures
-
UAC bypass
Processes: c9e798bcb8dbf48b9579dac30b293e67f6aafd4a169a62bdfa0e623d3214fcd5.exe
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
-
Windows security bypass
Disables taskbar notifications via registry modification
Processes: c9e798bcb8dbf48b9579dac30b293e67f6aafd4a169a62bdfa0e623d3214fcd5.exe
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
-
Windows security modification
Processes: c9e798bcb8dbf48b9579dac30b293e67f6aafd4a169a62bdfa0e623d3214fcd5.exe
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  - Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc
  - Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes: c9e798bcb8dbf48b9579dac30b293e67f6aafd4a169a62bdfa0e623d3214fcd5.exe
  - Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  - Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\1DCBE5360FC9F6A800001DCBC76EFB5B = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c9e798bcb8dbf48b9579dac30b293e67f6aafd4a169a62bdfa0e623d3214fcd5.exe"
  - Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\1DCBE5360FC9F6A800001DCBC76EFB5B = "C:\\ProgramData\\1DCBE5360FC9F6A800001DCBC76EFB5B\\1DCBE5360FC9F6A800001DCBC76EFB5B.exe"
-
Checks whether UAC is enabled
Processes: c9e798bcb8dbf48b9579dac30b293e67f6aafd4a169a62bdfa0e623d3214fcd5.exe
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: pid 1832 c9e798bcb8dbf48b9579dac30b293e67f6aafd4a169a62bdfa0e623d3214fcd5.exe (64 identical entries)
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: pid 1832 c9e798bcb8dbf48b9579dac30b293e67f6aafd4a169a62bdfa0e623d3214fcd5.exe (2 identical entries)
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes: pid 1832 c9e798bcb8dbf48b9579dac30b293e67f6aafd4a169a62bdfa0e623d3214fcd5.exe (2 identical entries)
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: pid 1832 c9e798bcb8dbf48b9579dac30b293e67f6aafd4a169a62bdfa0e623d3214fcd5.exe (2 identical entries)
-
System policy modification 1 TTPs 3 IoCs
Processes: c9e798bcb8dbf48b9579dac30b293e67f6aafd4a169a62bdfa0e623d3214fcd5.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
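What the registry signatures above add up to, as an added example that is not part of the sandbox report: a small parser for the report's own "Set value" / "Key created" IoC lines that turns them into structured events (hive, key, value, data, and whether the write went through the WoW64 redirected view), rates each one, collapses repeated writes to the same value so the persisted RunOnce target is the one that counts, and prints the reg.exe command to check the same value on a live host. The rule table, the severities and the ATT&CK sub-technique IDs (T1548.002, T1562.001, T1547.001) are the editor's own mapping rather than the v6 matrix the report links; the input lines are copied by hand from the Signatures section.

```python
# Added example (not part of the sandbox report): parse the registry IoC lines above
# into structured events, rate them, and emit the reg.exe checks for a live host.
# The rule table and the ATT&CK sub-technique IDs are the editor's own mapping.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE = "c9e798bcb8dbf48b9579dac30b293e67f6aafd4a169a62bdfa0e623d3214fcd5.exe"

# Constructed input: the report's "Set value" / "Key created" entries, one per line,
# in the sandbox's own '<op> <path> = "<data>" <process>' layout.
REPORT_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ' + SAMPLE,
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ' + SAMPLE,
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ' + SAMPLE,
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ' + SAMPLE,
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ' + SAMPLE,
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" ' + SAMPLE,
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ' + SAMPLE,
    r'Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc ' + SAMPLE,
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1" ' + SAMPLE,
    r'Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ' + SAMPLE,
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\1DCBE5360FC9F6A800001DCBC76EFB5B = "C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + '" ' + SAMPLE,
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\1DCBE5360FC9F6A800001DCBC76EFB5B = "C:\\ProgramData\\1DCBE5360FC9F6A800001DCBC76EFB5B\\1DCBE5360FC9F6A800001DCBC76EFB5B.exe" ' + SAMPLE,
]

# The key path may contain spaces ("Security Center"), so it is matched lazily up to
# the optional = "<data>" part and the trailing process name.
ENTRY = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key created)\s+'
    r'(?P<path>\\REGISTRY\\.+?)(?:\s+=\s+"(?P<data>[^"]*)")?\s+(?P<proc>\S+)$'
)

@dataclass
class RegEvent:
    op: str               # "set" or "create"
    hive: str             # "HKLM" or "HKU\<sid>"
    key: str              # key path with any Wow6432Node component removed
    value: Optional[str]  # value name for "set", None for "create"
    data: Optional[str]   # data exactly as the sandbox printed it (backslashes doubled)
    wow64: bool           # True if the write landed in the WoW64 redirected view
    process: str

def parse_event(line: str) -> RegEvent:
    m = ENTRY.match(line)
    if not m:
        raise ValueError(f"unrecognised IoC line: {line!r}")
    path = m.group("path")
    if path.upper().startswith("\\REGISTRY\\MACHINE\\"):
        hive, rest = "HKLM", path[len("\\REGISTRY\\MACHINE\\"):]
    elif path.upper().startswith("\\REGISTRY\\USER\\"):
        sid, _, rest = path[len("\\REGISTRY\\USER\\"):].partition("\\")
        hive = "HKU\\" + sid
    else:
        raise ValueError(f"unknown hive in {path!r}")
    wow64 = "wow6432node\\" in rest.lower()
    rest = re.sub(r"(?i)wow6432node\\", "", rest)   # compare native and redirected views alike
    if m.group("op").startswith("Set value"):
        key, _, value = rest.rpartition("\\")
        return RegEvent("set", hive, key, value, m.group("data"), wow64, m.group("proc"))
    return RegEvent("create", hive, rest, None, None, wow64, m.group("proc"))

POLICY = "software\\microsoft\\windows\\currentversion\\policies\\system"
SECCENTER = "software\\microsoft\\security center"
RUNONCE = "software\\microsoft\\windows\\currentversion\\runonce"

# (key, value, data) -> (severity, meaning); editor's own mapping, current ATT&CK IDs.
RULES: Dict[Tuple[str, str, str], Tuple[str, str]] = {
    (POLICY, "enablelua", "0"): ("high", "UAC disabled; admin logons get a full token (T1548.002)"),
    (POLICY, "consentpromptbehavioradmin", "0"): ("high", "elevation without a consent prompt (T1548.002)"),
    (SECCENTER, "antivirusdisablenotify", "1"): ("medium", "Security Center AV alerts suppressed (T1562.001)"),
    (SECCENTER, "antivirusoverride", "1"): ("medium", "Security Center ignores AV state (T1562.001)"),
    (SECCENTER, "firewalldisablenotify", "1"): ("medium", "Security Center firewall alerts suppressed (T1562.001)"),
    (SECCENTER, "firewalloverride", "1"): ("medium", "Security Center ignores firewall state (T1562.001)"),
    (SECCENTER, "updatesdisablenotify", "1"): ("medium", "Windows Update alerts suppressed (T1562.001)"),
    ("software\\microsoft\\windows defender", "disableantispyware", "1"): ("high", "Windows Defender disabled (T1562.001)"),
}

def classify(ev: RegEvent) -> Optional[dict]:
    """Rate one 'set' event against RULES or the RunOnce key; None if not interesting."""
    if ev.op != "set":
        return None
    k, v = ev.key.lower(), ev.value.lower()
    if (k, v, ev.data) in RULES:
        sev, why = RULES[(k, v, ev.data)]
    elif k == RUNONCE:
        target = ev.data.replace("\\\\", "\\")  # undo the doubled backslashes in the report
        staged = any(p in target.lower() for p in ("\\appdata\\local\\temp\\", "\\programdata\\"))
        sev = "high"
        why = f"RunOnce autostart -> {target}" + (" (user-writable path)" if staged else "") + " (T1547.001)"
    else:
        return None
    return {"hive": ev.hive, "key": ev.key, "value": ev.value, "data": ev.data,
            "severity": sev, "why": why, "wow64": ev.wow64}

def effective_values(events: List[RegEvent]) -> Dict[Tuple[str, str, str], str]:
    """Last-writer-wins view: the RunOnce value is set twice, only the final data persists."""
    state: Dict[Tuple[str, str, str], str] = {}
    for ev in events:
        if ev.op == "set":
            state[(ev.hive, ev.key.lower(), ev.value.lower())] = ev.data
    return state

def reg_query(f: dict) -> str:
    """reg.exe command to read the same value on a live host; /reg:32 selects the WoW64 view."""
    cmd = f'reg query "{f["hive"]}\\{f["key"]}" /v {f["value"]}'
    return cmd + " /reg:32" if f["wow64"] else cmd

def analyse(lines: List[str]) -> List[dict]:
    events = [parse_event(line) for line in lines]
    return [f for f in map(classify, events) if f]

if __name__ == "__main__":
    for f in analyse(REPORT_LINES):
        print(f'[{f["severity"]:6}] {f["why"]}\n         {reg_query(f)}')
```

Two details of the report are worth reading off the output. First, the Policies\System and RunOnce writes carry no Wow6432Node component while the Security Center and Windows Defender writes do: those first two keys are on the WoW64 shared-key list, the latter are redirected for a 32-bit process, which is why the host check adds /reg:32 only for them and why, on a 64-bit host, the native Security Center key may still hold its defaults even though the sample "disabled" it. Second, the same RunOnce value name is written twice, first with the Temp path and then with the ProgramData path, so the autostart that survives reboot is the ProgramData copy, which is the path to hunt for.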
Processes
-
C:\Users\Admin\AppData\Local\Temp\c9e798bcb8dbf48b9579dac30b293e67f6aafd4a169a62bdfa0e623d3214fcd5.exe (pid 1832)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c9e798bcb8dbf48b9579dac30b293e67f6aafd4a169a62bdfa0e623d3214fcd5.exe"
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - System policy modification
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1832-54-0x0000000076401000-0x0000000076403000-memory.dmp (8KB)
- memory/1832-55-0x0000000000400000-0x0000000001413000-memory.dmp (16.1MB)
- memory/1832-56-0x0000000000220000-0x0000000000223000-memory.dmp (12KB)
- memory/1832-57-0x0000000000400000-0x0000000001413000-memory.dmp (16.1MB)
Dumps 55 and 57 cover the same 0x00400000-0x01413000 region of pid 1832 at two points in the run: about 16 MB of mapped image for a sample that is 456KB on disk, so most of that range is not backed by file data and the later dump is the one to diff against the on-disk binary.