84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f

Analysis

max time kernel
148s
max time network
53s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f.exe
Size

392KB
MD5

2f4f2e95b2bd75a161549baa57da07b3
SHA1

cf76f2155d0c5910790c56c9cdd81d3992cb12cf
SHA256

84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f
SHA512

2fc59710f6114ebbfbd6c1307d23eb3e1c67fafdfbb96a3d3ff068539e8d0946fc568f5ffc2367c694a18359a500e9f14b290c911761c218f7864b18866e8328
SSDEEP

6144:r+FxAgek1C3EpduJFYRjTuaJfrv/0wEfYC9TbyrMiMDeEic2U9uKZESNqCDwX:CFe6CFkZZVryf9RlDLiPUwKPNqCDo

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	F4D55F6500014973000CA680B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	F4D55F6500014973000CA680B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	F4D55F6500014973000CA680B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	F4D55F6500014973000CA680B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	F4D55F6500014973000CA680B4EB2331.exe

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
1740	F4D55F6500014973000CA680B4EB2331.exe

Deletes itself 1 IoCs

pid	Process
1740	F4D55F6500014973000CA680B4EB2331.exe

Loads dropped DLL 2 IoCs

pid	Process
2012	84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f.exe
2012	84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	F4D55F6500014973000CA680B4EB2331.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc	F4D55F6500014973000CA680B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	F4D55F6500014973000CA680B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	F4D55F6500014973000CA680B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	F4D55F6500014973000CA680B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc	84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc	F4D55F6500014973000CA680B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc	84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	F4D55F6500014973000CA680B4EB2331.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\F4D55F6500014973000CA680B4EB2331 = "C:\\ProgramData\\F4D55F6500014973000CA680B4EB2331\\F4D55F6500014973000CA680B4EB2331.exe"	F4D55F6500014973000CA680B4EB2331.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2012	84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f.exe
2012	84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f.exe
2012	84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f.exe
2012	84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f.exe
2012	84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f.exe
2012	84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f.exe
2012	84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1740	F4D55F6500014973000CA680B4EB2331.exe
1740	F4D55F6500014973000CA680B4EB2331.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1740	2012	84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f.exe	28
PID 2012 wrote to memory of 1740	2012	84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f.exe	28
PID 2012 wrote to memory of 1740	2012	84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f.exe	28
PID 2012 wrote to memory of 1740	2012	84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f.exe	28

C:\Users\Admin\AppData\Local\Temp\84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f.exe
"C:\Users\Admin\AppData\Local\Temp\84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f.exe"
1⤵
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2012
- C:\ProgramData\F4D55F6500014973000CA680B4EB2331\F4D55F6500014973000CA680B4EB2331.exe
  "C:\ProgramData\F4D55F6500014973000CA680B4EB2331\F4D55F6500014973000CA680B4EB2331.exe" "C:\Users\Admin\AppData\Local\Temp\84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f.exe"
  2⤵
  - Windows security bypass
  - Executes dropped EXE
  - Deletes itself
  - Windows security modification
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\F4D55F6500014973000CA680B4EB2331\F4D55F6500014973000CA680B4EB2331.exe

Filesize
392KB

MD5
2f4f2e95b2bd75a161549baa57da07b3

SHA1
cf76f2155d0c5910790c56c9cdd81d3992cb12cf

SHA256
84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f

SHA512
2fc59710f6114ebbfbd6c1307d23eb3e1c67fafdfbb96a3d3ff068539e8d0946fc568f5ffc2367c694a18359a500e9f14b290c911761c218f7864b18866e8328

Download Submit
C:\ProgramData\F4D55F6500014973000CA680B4EB2331\F4D55F6500014973000CA680B4EB2331.exe

Filesize
392KB

MD5
2f4f2e95b2bd75a161549baa57da07b3

SHA1
cf76f2155d0c5910790c56c9cdd81d3992cb12cf

SHA256
84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f

SHA512
2fc59710f6114ebbfbd6c1307d23eb3e1c67fafdfbb96a3d3ff068539e8d0946fc568f5ffc2367c694a18359a500e9f14b290c911761c218f7864b18866e8328

Download Submit
\ProgramData\F4D55F6500014973000CA680B4EB2331\F4D55F6500014973000CA680B4EB2331.exe

Filesize
392KB

MD5
2f4f2e95b2bd75a161549baa57da07b3

SHA1
cf76f2155d0c5910790c56c9cdd81d3992cb12cf

SHA256
84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f

SHA512
2fc59710f6114ebbfbd6c1307d23eb3e1c67fafdfbb96a3d3ff068539e8d0946fc568f5ffc2367c694a18359a500e9f14b290c911761c218f7864b18866e8328

Download Submit
\ProgramData\F4D55F6500014973000CA680B4EB2331\F4D55F6500014973000CA680B4EB2331.exe

Filesize
392KB

MD5
2f4f2e95b2bd75a161549baa57da07b3

SHA1
cf76f2155d0c5910790c56c9cdd81d3992cb12cf

SHA256
84a722052d2224f9637f45111690468b3cb8fa342c90af0ffbc72828c97d9f9f

SHA512
2fc59710f6114ebbfbd6c1307d23eb3e1c67fafdfbb96a3d3ff068539e8d0946fc568f5ffc2367c694a18359a500e9f14b290c911761c218f7864b18866e8328

Download Submit
memory/1740-65-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/1740-69-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/2012-59-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/2012-58-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/2012-54-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/2012-57-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/2012-56-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/2012-70-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/2012-71-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download