fb9fa099330ad18d15dd4fa8c732e7e63d3006b1fefcbacea42d98fae72f80c7

Analysis

max time kernel
130s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2022, 00:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fb9fa099330ad18d15dd4fa8c732e7e63d3006b1fefcbacea42d98fae72f80c7.exe
Size

40KB
MD5

b5620b90cd328394f31a9d176ff7b08b
SHA1

6f330d97740f7e9101132ac4e9090e4af6a8ef2b
SHA256

fb9fa099330ad18d15dd4fa8c732e7e63d3006b1fefcbacea42d98fae72f80c7
SHA512

5c7d6ed84695d5c8197eef50b839f6e1009c34089e124135378b377ec6677a1836174fe69273d388efcf991e22fb823695c17f4a607f3e95ede7ae12ff95b99f
SSDEEP

384:KQfSZ93kWF1E/yqWLeRYqYzmSAnYxOUdIP7oX8rAAC82bpFNjVgVl3czDX0sVK9:KJZ1EKqRYqYza8jX8JCd9R4

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2576	reg.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2484	fb9fa099330ad18d15dd4fa8c732e7e63d3006b1fefcbacea42d98fae72f80c7.exe
2484	fb9fa099330ad18d15dd4fa8c732e7e63d3006b1fefcbacea42d98fae72f80c7.exe
2484	fb9fa099330ad18d15dd4fa8c732e7e63d3006b1fefcbacea42d98fae72f80c7.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2800	2484	fb9fa099330ad18d15dd4fa8c732e7e63d3006b1fefcbacea42d98fae72f80c7.exe	81
PID 2484 wrote to memory of 2800	2484	fb9fa099330ad18d15dd4fa8c732e7e63d3006b1fefcbacea42d98fae72f80c7.exe	81
PID 2484 wrote to memory of 2800	2484	fb9fa099330ad18d15dd4fa8c732e7e63d3006b1fefcbacea42d98fae72f80c7.exe	81
PID 2800 wrote to memory of 2576	2800	cmd.exe	83
PID 2800 wrote to memory of 2576	2800	cmd.exe	83
PID 2800 wrote to memory of 2576	2800	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\fb9fa099330ad18d15dd4fa8c732e7e63d3006b1fefcbacea42d98fae72f80c7.exe
"C:\Users\Admin\AppData\Local\Temp\fb9fa099330ad18d15dd4fa8c732e7e63d3006b1fefcbacea42d98fae72f80c7.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:2576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads