aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289

Analysis

max time kernel
40s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe
Size

1.2MB
MD5

1ac7f905b952d6a74fe9d70dfaeb4a87
SHA1

0e6882d7f2bd2887489a91bfbe00963c5be9c766
SHA256

aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289
SHA512

0a5d76d36619ff75c402771d45026edf0b365b8765b8c4664c5e3a6c184afd6851102af87bd34f766fe37fb078df8d1b9cfd7bb1a0a2037d4c036a29969c0ff8
SSDEEP

12288:ab0ZipUUTrXv6bkNtXDUqwa0bO+iCeJPQvHOERQ5A925YEoRlBM24il+gspTbqqI:ab0ZippTrXSbkjwN4pPRdxojeilT5lZr

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1588	netsh.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1148 set thread context of 1200	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	40

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
920	sc.exe
1944	sc.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E716575F-6955-3A8A-6955-3A8A69553A8A}\InProcServer32	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E716575F-6955-3A8A-6955-3A8A69553A8A}\InProcServer32\ = "%SystemRoot%\\SysWow64\\windowscodecsext.dll"	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E716575F-6955-3A8A-6955-3A8A69553A8A}\InProcServer32\ThreadingModel = "Both"	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E716575F-6955-3A8A-6955-3A8A69553A8A}	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E716575F-6955-3A8A-6955-3A8A69553A8A}\Containers	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe
Token: SeIncBasePriorityPrivilege	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe
1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 1588	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	29
PID 1148 wrote to memory of 1588	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	29
PID 1148 wrote to memory of 1588	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	29
PID 1148 wrote to memory of 1588	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	29
PID 1148 wrote to memory of 812	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	30
PID 1148 wrote to memory of 812	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	30
PID 1148 wrote to memory of 812	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	30
PID 1148 wrote to memory of 812	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	30
PID 1148 wrote to memory of 1464	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	32
PID 1148 wrote to memory of 1464	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	32
PID 1148 wrote to memory of 1464	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	32
PID 1148 wrote to memory of 1464	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	32
PID 1148 wrote to memory of 288	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	33
PID 1148 wrote to memory of 288	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	33
PID 1148 wrote to memory of 288	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	33
PID 1148 wrote to memory of 288	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	33
PID 1148 wrote to memory of 920	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	37
PID 1148 wrote to memory of 920	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	37
PID 1148 wrote to memory of 920	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	37
PID 1148 wrote to memory of 920	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	37
PID 1148 wrote to memory of 1944	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	38
PID 1148 wrote to memory of 1944	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	38
PID 1148 wrote to memory of 1944	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	38
PID 1148 wrote to memory of 1944	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	38
PID 1148 wrote to memory of 1200	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	40
PID 1148 wrote to memory of 1200	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	40
PID 1148 wrote to memory of 1200	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	40
PID 1148 wrote to memory of 1200	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	40
PID 1148 wrote to memory of 1200	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	40
PID 1148 wrote to memory of 1200	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	40
PID 1148 wrote to memory of 1200	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	40
PID 1148 wrote to memory of 1200	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	40
PID 1148 wrote to memory of 1200	1148	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe	40
PID 288 wrote to memory of 676	288	net.exe	43
PID 288 wrote to memory of 676	288	net.exe	43
PID 288 wrote to memory of 676	288	net.exe	43
PID 288 wrote to memory of 676	288	net.exe	43
PID 1464 wrote to memory of 1812	1464	net.exe	44
PID 1464 wrote to memory of 1812	1464	net.exe	44
PID 1464 wrote to memory of 1812	1464	net.exe	44
PID 1464 wrote to memory of 1812	1464	net.exe	44
PID 812 wrote to memory of 2008	812	net.exe	42
PID 812 wrote to memory of 2008	812	net.exe	42
PID 812 wrote to memory of 2008	812	net.exe	42
PID 812 wrote to memory of 2008	812	net.exe	42

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe

C:\Users\Admin\AppData\Local\Temp\aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe
"C:\Users\Admin\AppData\Local\Temp\aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe"
1⤵
- UAC bypass
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1148
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  PID:1588
- C:\Windows\SysWOW64\net.exe
  net stop MpsSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MpsSvc
    3⤵
    PID:2008
- C:\Windows\SysWOW64\net.exe
  net stop security center
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop security center
    3⤵
    PID:1812
- C:\Windows\SysWOW64\net.exe
  net stop WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:288
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop WinDefend
    3⤵
    PID:676
- C:\Windows\SysWOW64\sc.exe
  sc stop SharedAccess
  2⤵
  - Launches sc.exe
  PID:920
- C:\Windows\SysWOW64\sc.exe
  sc DELETE SharedAccess
  2⤵
  - Launches sc.exe
  PID:1944
- C:\Users\Admin\AppData\Local\Temp\aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe
  C:\Users\Admin\AppData\Local\Temp\aa0bed5e015059be0267bd6c3f4e361477de25b3cf5fa01bfbc11a95daf3a289.exe
  2⤵
  PID:1200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/288-72-0x0000000000000000-mapping.dmp

Download
memory/676-79-0x0000000000000000-mapping.dmp

Download
memory/812-70-0x0000000000000000-mapping.dmp

Download
memory/920-73-0x0000000000000000-mapping.dmp

Download
memory/1148-61-0x0000000000400000-0x0000000000618000-memory.dmp

Filesize
2.1MB

Download
memory/1148-63-0x0000000000400000-0x0000000000618000-memory.dmp

Filesize
2.1MB

Download
memory/1148-64-0x0000000000400000-0x0000000000618000-memory.dmp

Filesize
2.1MB

Download
memory/1148-65-0x0000000000401000-0x00000000004A2000-memory.dmp

Filesize
644KB

Download
memory/1148-85-0x0000000000400000-0x0000000000618000-memory.dmp

Filesize
2.1MB

Download
memory/1148-62-0x0000000000400000-0x0000000000618000-memory.dmp

Filesize
2.1MB

Download
memory/1148-84-0x00000000043B0000-0x00000000045C8000-memory.dmp

Filesize
2.1MB

Download
memory/1148-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/1148-59-0x0000000000400000-0x0000000000618000-memory.dmp

Filesize
2.1MB

Download
memory/1148-83-0x0000000000400000-0x0000000000618000-memory.dmp

Filesize
2.1MB

Download
memory/1148-55-0x0000000000230000-0x00000000002BD000-memory.dmp

Filesize
564KB

Download
memory/1200-76-0x000000000041D470-mapping.dmp

Download
memory/1200-75-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1200-82-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1464-71-0x0000000000000000-mapping.dmp

Download
memory/1588-69-0x0000000000000000-mapping.dmp

Download
memory/1812-80-0x0000000000000000-mapping.dmp

Download
memory/1944-74-0x0000000000000000-mapping.dmp

Download
memory/2008-81-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads