Analysis
max time kernel: 148s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 01/12/2022, 09:40
Static task: static1
Behavioral task: behavioral1
  Sample: 73b44ba03849209b0462da03264ebc712e685e42398975b0596cb70254a691f1.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 73b44ba03849209b0462da03264ebc712e685e42398975b0596cb70254a691f1.exe
  Resource: win10v2004-20220812-en
The signatures and process tree on this page come from the windows7_x64 run (behavioral1); the Wow6432Node registry paths below are the 64-bit guest's redirected view of a 32-bit process's writes.
General
Target: 73b44ba03849209b0462da03264ebc712e685e42398975b0596cb70254a691f1.exe
Size: 617KB
MD5: 5865bae19998e693f1817a6a9a5e0039
SHA1: 42e15927d3e1d1fa417ac0e51267de23ec9b2d2e
SHA256: 73b44ba03849209b0462da03264ebc712e685e42398975b0596cb70254a691f1
SHA512: 242f973698e9d13b9e9b869a28373ea55646e7e624336450ca8c7c0c4d2e463db4a428aa5f7604e0125e785f119065850d34534c46b2c68c8ff0788f476083f5
SSDEEP: 12288:KxGTvNd5+Y8O/ZTqcHXuHX8apI8cLb/J1NT1Yq:KxEd1Tm0XM8au5v7NT7
Malware Config
Signatures
-
Modifies security service (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" 73b44ba03849209b0462da03264ebc712e685e42398975b0596cb70254a691f1.exe
  Start = 4 is SERVICE_DISABLED: the Security Center service (wscsvc) will not be started on the next boot. On a live host check CurrentControlSet rather than ControlSet001, since the two need not be the same set.
Windows security bypass (3 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 73b44ba03849209b0462da03264ebc712e685e42398975b0596cb70254a691f1.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 73b44ba03849209b0462da03264ebc712e685e42398975b0596cb70254a691f1.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 73b44ba03849209b0462da03264ebc712e685e42398975b0596cb70254a691f1.exe
  These three values suppress the Security Center balloon warnings for missing antivirus, firewall and updates, so the user gets no prompt when wscsvc is disabled.
Disables RegEdit via registry modification (1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 73b44ba03849209b0462da03264ebc712e685e42398975b0596cb70254a691f1.exe
  The SID is the sandbox user's (RID 1000); the value is per-user, so on an infected host it must be checked under every loaded profile, not just the account that ran the sample.
Disables Task Manager via registry modification
-
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4RTPZ-DCJ850E-F17DY-HPXJRL-JH8L58NS0} 73b44ba03849209b0462da03264ebc712e685e42398975b0596cb70254a691f1.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4RTPZ-DCJ850E-F17DY-HPXJRL-JH8L58NS0}\StubPath = "C:\\windows\\DarkBoy Restart" 73b44ba03849209b0462da03264ebc712e685e42398975b0596cb70254a691f1.exe
  Active Setup runs StubPath once for each user at logon whenever the component key is absent from that user's HKCU\...\Installed Components, so this launches the dropped file C:\windows\DarkBoy with the argument "Restart" for every account that logs on. The component name is not a well-formed GUID (it contains non-hex characters and the wrong group lengths), which is itself a useful hunting heuristic for this key.
Windows security modification (3 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 73b44ba03849209b0462da03264ebc712e685e42398975b0596cb70254a691f1.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 73b44ba03849209b0462da03264ebc712e685e42398975b0596cb70254a691f1.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 73b44ba03849209b0462da03264ebc712e685e42398975b0596cb70254a691f1.exe
  (Same three registry writes as "Windows security bypass" above; the sandbox attributes them to two signatures.)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run 73b44ba03849209b0462da03264ebc712e685e42398975b0596cb70254a691f1.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IAm-DarkCoderSc = "C:\\windows\\DarkBoy" 73b44ba03849209b0462da03264ebc712e685e42398975b0596cb70254a691f1.exe
Drops file in Windows directory (2 IoCs)
  File created C:\windows\DarkBoy 73b44ba03849209b0462da03264ebc712e685e42398975b0596cb70254a691f1.exe
  File opened for modification C:\windows\DarkBoy 73b44ba03849209b0462da03264ebc712e685e42398975b0596cb70254a691f1.exe
Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Process 73b44ba03849209b0462da03264ebc712e685e42398975b0596cb70254a691f1.exe (PID 704) enabled the following privileges in its token:
  SeIncreaseQuotaPrivilege
  SeSecurityPrivilege
  SeTakeOwnershipPrivilege
  SeLoadDriverPrivilege
  SeSystemProfilePrivilege
  SeSystemtimePrivilege
  SeProfSingleProcessPrivilege
  SeIncBasePriorityPrivilege
  SeCreatePagefilePrivilege
  SeBackupPrivilege
  SeRestorePrivilege
  SeShutdownPrivilege
  SeDebugPrivilege
  SeSystemEnvironmentPrivilege
  SeChangeNotifyPrivilege
  SeRemoteShutdownPrivilege
  SeUndockPrivilege
  SeManageVolumePrivilege
  SeImpersonatePrivilege
  SeCreateGlobalPrivilege
  33 (unresolved LUID: SeIncreaseWorkingSetPrivilege)
  34 (unresolved LUID: SeTimeZonePrivilege)
  35 (unresolved LUID: SeCreateSymbolicLinkPrivilege)
  This is every privilege present in an elevated administrator token, enabled in one sweep, which points to a blanket "enable all privileges" AdjustTokenPrivileges loop rather than a targeted request for SeDebugPrivilege.
System policy modification (1 TTP, 3 IoCs)
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion 73b44ba03849209b0462da03264ebc712e685e42398975b0596cb70254a691f1.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern 73b44ba03849209b0462da03264ebc712e685e42398975b0596cb70254a691f1.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" 73b44ba03849209b0462da03264ebc712e685e42398975b0596cb70254a691f1.exe
  "Explorern" and the extra "CurrentVersion" component are the sample's own typo, not the sandbox's: the policy Windows actually reads is Policies\Explorer\NoControlPanel, so this write has no effect on the Control Panel. It is still a reliable artifact to hunt for.
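The following host-hunting script is an added example and is not part of the Triage report or of the sample. It checks a Windows host for the registry, service and file artifacts listed in the signatures above and, with the hypothetical -Remediate switch, reverts the policy and service changes. The paths and value names are taken from the report; the -Remediate switch, the finding-object layout and the "malformed Active Setup GUID" heuristic are this example's own assumptions. The report shows the values written as strings ("1", "4"), so comparisons are done on the data as text and match either REG_SZ or REG_DWORD.

```powershell
# Added example (not the report's or the sample's code): hunt for the IoCs
# listed in the Triage signatures and optionally revert them.
[CmdletBinding()]
param([switch]$Remediate)   # hypothetical switch, assumption of this example

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Kind, $Where, $Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
}

# The 32-bit sample wrote under Wow6432Node on an x64 guest; on a 32-bit host
# the same keys sit directly under HKLM:\SOFTWARE, so check both views.
$softwareRoots = @('HKLM:\SOFTWARE\Wow6432Node', 'HKLM:\SOFTWARE')

# 1. Security Center notification suppression (Windows security bypass)
$scValues = 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify'
foreach ($root in $softwareRoots) {
    $key = Join-Path $root 'Microsoft\Security Center'
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $scValues) {
        if ("$($props.$name)" -eq '1') {
            Add-Finding 'DefenseEvasion' "$key\$name" 'set to 1 (Security Center warnings suppressed)'
            if ($Remediate) { Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord }
        }
    }
}

# 2. Security Center service disabled (Start = 4). The report shows ControlSet001;
#    on a live host query CurrentControlSet, which is the active control set.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc'
$start = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
if ("$start" -eq '4') {
    Add-Finding 'DefenseEvasion' "$svcKey\Start" 'wscsvc disabled (Start=4)'
    if ($Remediate) {
        Set-ItemProperty -Path $svcKey -Name Start -Value 2 -Type DWord   # 2 = Automatic
        Start-Service -Name wscsvc -ErrorAction SilentlyContinue
    }
}

# 3. Per-user policy lockouts (RegEdit / Task Manager). This checks the current
#    user only; run it under each account or walk the loaded hives under HKU:\.
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
    $v = (Get-ItemProperty -Path $polKey -Name $name -ErrorAction SilentlyContinue).$name
    if ("$v" -eq '1') {
        Add-Finding 'Impact' "$polKey\$name" 'tool disabled by policy'
        if ($Remediate) { Remove-ItemProperty -Path $polKey -Name $name }
    }
}

# 4. Persistence: Run value and Active Setup component. Besides the exact names
#    from the report, flag any Installed Components subkey whose name is not a
#    well-formed GUID, because {4RTPZ-DCJ850E-F17DY-HPXJRL-JH8L58NS0} is not one.
$guidRe = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
foreach ($root in $softwareRoots) {
    $run = Join-Path $root 'Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $run) {
        $props = Get-ItemProperty -Path $run
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -eq 'IAm-DarkCoderSc' -or "$($p.Value)" -like '*\DarkBoy*') {
                Add-Finding 'Persistence' "$run\$($p.Name)" "$($p.Value)"
                if ($Remediate) { Remove-ItemProperty -Path $run -Name $p.Name }
            }
        }
    }
    $asKey = Join-Path $root 'Microsoft\Active Setup\Installed Components'
    if (Test-Path $asKey) {
        foreach ($sub in Get-ChildItem -Path $asKey) {
            $stub = (Get-ItemProperty -Path $sub.PSPath -Name StubPath -ErrorAction SilentlyContinue).StubPath
            if ($sub.PSChildName -notmatch $guidRe -or "$stub" -like '*\DarkBoy*') {
                Add-Finding 'Persistence' $sub.PSPath "StubPath=$stub"
                if ($Remediate) { Remove-Item -Path $sub.PSPath -Recurse }
            }
        }
    }
}

# 5. Dropped payload. Quarantine rather than delete so it can be analysed.
$payload = Join-Path $env:SystemRoot 'DarkBoy'
if (Test-Path -LiteralPath $payload) {
    $hash = (Get-FileHash -LiteralPath $payload -Algorithm SHA256).Hash
    Add-Finding 'Payload' $payload "SHA256=$hash"
    if ($Remediate) { Move-Item -LiteralPath $payload -Destination "$payload.quarantine" }
}

$findings | Format-Table -AutoSize
```

Run it elevated, since the Security Center, service and HKLM Run keys need administrative rights to read reliably and to change. Get-FileHash needs PowerShell 4.0 or later, so on a stock Windows 7 host (PowerShell 2.0) replace that line with certutil -hashfile or upgrade the Windows Management Framework first. The malformed-GUID check will also surface legitimate third-party components that use non-GUID names, so treat those hits as leads to verify rather than confirmed infections.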
Processes
C:\Users\Admin\AppData\Local\Temp\73b44ba03849209b0462da03264ebc712e685e42398975b0596cb70254a691f1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\73b44ba03849209b0462da03264ebc712e685e42398975b0596cb70254a691f1.exe"
  PID: 704
  Signatures:
  - Modifies security service
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Modifies Installed Components in the registry
  - Windows security modification
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification