Analysis
-
max time kernel
149s -
max time network
170s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
03-12-2022 16:17
Static task
static1
Behavioral task
behavioral1
Sample
a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe
Resource
win7-20220812-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral2
Sample
a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
1 signatures
150 seconds
General
-
Target
a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe
-
Size
560KB
-
MD5
4d83dd0f75827ca352f12a302f7b49a6
-
SHA1
380bec86df75bff0522bc2653f338747f836b086
-
SHA256
a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569
-
SHA512
ef8efa584549bb3cd3a477210f7fb720e3b3808d3ba50549c9396100312c72cd397f4a0a5c75bbdaa2a06e595c3b271d5bb727caae3ae58bd133ad773eaa7bea
-
SSDEEP
12288:nHa68eXeJgw2r6s5eDl0X5vBfqJmA2QIVu:nHa68eXej2H5Q8JBEmA2Z
Score
10/10
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe -
Disables taskbar notifications via registry modification
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1" a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\9606AA6B3185CB69000096061469D01C = "C:\\ProgramData\\9606AA6B3185CB69000096061469D01C\\9606AA6B3185CB69000096061469D01C.exe" a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe -
Suspicious use of FindShellTrayWindow 5 IoCs
pid Process 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe -
Suspicious use of SendNotifyMessage 5 IoCs
pid Process 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe 1452 a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe"C:\Users\Admin\AppData\Local\Temp\a2f545b253f420507fb5303e10bc54e44d29223076197a4b8075c75765b7a569.exe"1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1452