f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a

General

Target

f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
Size

648KB
MD5

e270fb9c39ccd9cbb136a54a312da77d
SHA1

ef5b248f77f20e72100eadcb9e08a34380e1cb34
SHA256

f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a
SHA512

818fe61c16db049eb6babc1d527510beadce14362d4c363e25b04961ae28792bc1abeab061578e712cb99518687dec3ec1357066d7b683970b97500078a0fdca
SSDEEP

12288:Dyiuvqki8e+xwr04aA6XtlXyUIOr7He1/EyYJJp4coUGSz1AR+L:tutmawAA6XtqS7HecJWi9

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Tool Helper = "C:\\Windows\\system32\\windows\\system32\\wintool.exe"	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\windows\system32\wintool.exe	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
File opened for modification	C:\Windows\SysWOW64\windows\system32\wintool.exe	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5088	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
Token: SeSecurityPrivilege	5088	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
Token: SeTakeOwnershipPrivilege	5088	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
Token: SeLoadDriverPrivilege	5088	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
Token: SeSystemProfilePrivilege	5088	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
Token: SeSystemtimePrivilege	5088	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
Token: SeProfSingleProcessPrivilege	5088	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
Token: SeIncBasePriorityPrivilege	5088	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
Token: SeCreatePagefilePrivilege	5088	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
Token: SeBackupPrivilege	5088	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
Token: SeRestorePrivilege	5088	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
Token: SeShutdownPrivilege	5088	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
Token: SeDebugPrivilege	5088	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
Token: SeSystemEnvironmentPrivilege	5088	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
Token: SeChangeNotifyPrivilege	5088	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
Token: SeRemoteShutdownPrivilege	5088	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
Token: SeUndockPrivilege	5088	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
Token: SeManageVolumePrivilege	5088	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
Token: SeImpersonatePrivilege	5088	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
Token: SeCreateGlobalPrivilege	5088	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
Token: 33	5088	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
Token: 34	5088	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
Token: 35	5088	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
Token: 36	5088	f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe

C:\Users\Admin\AppData\Local\Temp\f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe
"C:\Users\Admin\AppData\Local\Temp\f44e7ce4bb98c001c0edd3206944b6c6b0fcadd154c40209a3ac7ae143105a1a.exe"
1⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads