Analysis
- max time kernel: 34s
- max time network: 39s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 04/12/2022, 07:40
Behavioral task
- behavioral1
- Sample: d1821fb88669ca60b10c5438f287e2e576acf08367d297412a5177c215422c95.exe
- Resource: win7-20220812-en
- 10 signatures
- 150 seconds
General
- Target: d1821fb88669ca60b10c5438f287e2e576acf08367d297412a5177c215422c95.exe
- Size: 950KB
- MD5: 8c64a55968bf8f28d91a1a28a75eb9f2
- SHA1: e6ea276d12676fa6050e837db2e4fea862868e5f
- SHA256: d1821fb88669ca60b10c5438f287e2e576acf08367d297412a5177c215422c95
- SHA512: 813c5a37ab55610c7acb964cac66f5c60de7ffe0092c80ee1c09810b6145c91b4f7a022ee6950195dbebc30657e977ffcdef802d8fffb99c59418ddd86a8a7ae
- SSDEEP: 24576:hWrGYkf0ca3RU/Gv9J/xq1dL6BHYRG+I5w:hgGYkm3RU/nu4RG+D
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
Process: d1821fb88669ca60b10c5438f287e2e576acf08367d297412a5177c215422c95.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
UAC bypass
Process: d1821fb88669ca60b10c5438f287e2e576acf08367d297412a5177c215422c95.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Windows security bypass
Process: d1821fb88669ca60b10c5438f287e2e576acf08367d297412a5177c215422c95.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UACDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "1"
UPX
- resource: behavioral1/memory/836-55-0x0000000000400000-0x000000000055F000-memory.dmp
- yara_rule: upx
Drops startup file (1 IoCs)
Process: d1821fb88669ca60b10c5438f287e2e576acf08367d297412a5177c215422c95.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Atalho_.pif
Windows security modification
Process: d1821fb88669ca60b10c5438f287e2e576acf08367d297412a5177c215422c95.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UACDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirstRunDisabled = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AutoUpdateDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\InternetSettingsDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesOverride = "1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc
Checks whether UAC is enabled
Process: d1821fb88669ca60b10c5438f287e2e576acf08367d297412a5177c215422c95.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Modifies Internet Explorer settings
Process: d1821fb88669ca60b10c5438f287e2e576acf08367d297412a5177c215422c95.exe
- Key created: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Download
- Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"
- Set value (int): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"
Modifies registry class (19 IoCs)
Process: d1821fb88669ca60b10c5438f287e2e576acf08367d297412a5177c215422c95.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Atalho_.pif\NoOpenWith
- Key created: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Applications\Atalho_.pif
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Nicrosoft.exe\NoOpenWith
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Atalho_.pif
- Key created: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Applications
- Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Applications\Atalho_.pif\TaskbarGroupIcon = "C:\\Program Files\\AVG\\AVG10\\avguires.dll,-128"
- Key created: \REGISTRY\USER\S-1-5-21-15044950-4219544130-4274662314-1000\Software\Classes\Applications\Beholder.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Beholder.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Beholder.exe\NoOpenWith
- Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Applications\Beholder.exe\TaskbarGroupIcon = "C:\\Program Files\\AVG\\AVG10\\avguires.dll,-128"
- Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Applications\Nicrosoft.exe\TaskbarGroupIcon = "C:\\Program Files\\AVG\\AVG10\\avguires.dll,-128"
- Key created: \REGISTRY\USER\S-1-5-21-15044950-4219544130-4274662314-1000\Software\Classes\Applications\Nicrosoft.exe
- Key created: \REGISTRY\USER\S-1-5-21-15044950-4219544130-4274662314-1000_Classes\Applications\Beholder.exe
- Key created: \REGISTRY\USER\S-1-5-21-15044950-4219544130-4274662314-1000_Classes\Applications\inicio.exe
- Key created: \REGISTRY\USER\S-1-5-21-15044950-4219544130-4274662314-1000_Classes\Applications\Nicrosoft.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Nicrosoft.exe
- Key created: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Applications\Beholder.exe
- Key created: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Applications\Nicrosoft.exe
- Key created: \REGISTRY\USER\S-1-5-21-15044950-4219544130-4274662314-1000\Software\Classes\Applications\inicio.exe
System policy modification (1 TTPs, 2 IoCs)
Process: d1821fb88669ca60b10c5438f287e2e576acf08367d297412a5177c215422c95.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
- C:\Users\Admin\AppData\Local\Temp\d1821fb88669ca60b10c5438f287e2e576acf08367d297412a5177c215422c95.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d1821fb88669ca60b10c5438f287e2e576acf08367d297412a5177c215422c95.exe"
  PID: 836
  Signatures:
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Windows security bypass
  - Drops startup file
  - Windows security modification
  - Checks whether UAC is enabled
  - Modifies Internet Explorer settings
  - Modifies registry class
  - System policy modification