Analysis
-
max time kernel
51s -
max time network
64s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
arch:x64 arch:x86 image:win10-20220812-en locale:en-us os:windows10-1703-x64 system -
submitted
07-01-2023 08:59
Behavioral task
behavioral1
Sample
Resource.bin
Resource
win10-20220812-en
Behavioral task
behavioral2
Sample
Run.vbs
Resource
win10-20220812-en
Behavioral task
behavioral3
Sample
WindowsService.exe
Resource
win10-20220901-en
Behavioral task
behavioral4
Sample
import.reg
Resource
win10-20220812-en
Behavioral task
behavioral5
Sample
md5.txt
Resource
win10-20220812-en
Behavioral task
behavioral6
Sample
updatebackend.log
Resource
win10-20220812-en
General
-
Target
import.reg
-
Size
4KB
-
MD5
cd403a43119b0ad8aca8ad920f7758f8
-
SHA1
7cbaaaff573326c20ee531e64ad66001b61fef78
-
SHA256
0c53460dc124db6c337e75ac0cbbcaffd1d59df593a8e23d44d3bf69f92f3064
-
SHA512
eccac6834009c6e91a72857e15688ed32944a9c34d21fb666bc2cde365b2347abc62b44c11d08ee230de9970d8687cf71fb9756bb02cdc903fd1b75e50c29020
-
SSDEEP
96:PrcwgHarrZtxg+BfiCjWZQl/vKj0hMXmNZ0/ZIZmZ5aYhwHShnwHV:P/NjrlVOU
Malware Config
Signatures
-
Processes: regedit.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | regedit.exe
-
Modifies security service 2 TTPs 2 IoCs
Processes: regedit.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters | regedit.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security | regedit.exe
-
Processes: regedit.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify = "1" | regedit.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: regedit.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regedit.exe
-
Runs .reg file with regedit 1 IoCs
Processes: regedit.exe
pid | process
4124 | regedit.exe
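The signature rows above are what regedit did to the registry when import.reg was merged: Defender real-time protection policies set to 1, two wscsvc subkeys deleted, Security Center notifications silenced, and Run keys touched. The same operations can be recovered statically from the .reg text without merging it. The Python below is an added example, not code from the sandbox or the sample: it parses the .reg format (`[key]` and `[-key]` headers, `"name"=dword:`/`"string"`/`hex:` values with backslash continuation), maps regedit hive names to the NT-native paths the report uses, and flags the Defender, wscsvc, Security Center and Run-key paths. `SAMPLE_REG` is constructed from the IOCs above and is not the submitted file; the `Updater` value and its path are invented placeholders; `WATCHLIST` is a triage heuristic, not an exhaustive list.

```python
"""Static triage of a .reg file: reconstruct the registry operations regedit
would perform on import and flag the ones that weaken Defender / Security
Center or add Run-key persistence.  Added example; not the sandbox's code.
SAMPLE_REG is constructed from the report's IOCs, not the real import.reg,
and the "Updater" value / path are invented placeholders."""
import re

# regedit hive names -> NT object-manager paths as the sandbox reports them.
# regedit resolves HKEY_CURRENT_USER to the importing user's hive at merge
# time, which is why the report shows \REGISTRY\USER\S-1-5-21-...-1000.
HIVES = {
    "HKEY_LOCAL_MACHINE": r"\REGISTRY\MACHINE", "HKLM": r"\REGISTRY\MACHINE",
    "HKEY_CURRENT_USER": r"\REGISTRY\USER\<SID>", "HKCU": r"\REGISTRY\USER\<SID>",
    "HKEY_USERS": r"\REGISTRY\USER", "HKU": r"\REGISTRY\USER",
}

# Triage heuristic (assumption: not an exhaustive catalogue), matched as a
# case-insensitive substring so the HKCU SID prefix does not matter.
WATCHLIST = [
    (r"\SOFTWARE\Policies\Microsoft\Windows Defender", "Defender policy tampering"),
    (r"\Services\wscsvc", "Security Center service tampering"),
    (r"\SOFTWARE\Microsoft\Security Center", "Security Center notification tampering"),
    (r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Run-key persistence"),
]

KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+|HK[A-Z]{2})\\?(.*)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _logical_lines(text):
    """Join regedit's backslash-continued hex(...) value lines into one line."""
    buf = None
    for raw in text.splitlines():
        line = raw.strip()
        if buf is not None:
            line, buf = buf + line, None
        if line.endswith("\\") and "=" in line and not line.startswith("["):
            buf = line[:-1]
            continue
        yield line


def nt_path(hive, subkey):
    base = HIVES.get(hive, hive)  # unknown hives pass through, not guessed
    return base + ("\\" + subkey if subkey else "")


def parse_reg(text):
    """Return (op, key, name, data) tuples in file order.  A [key] header is
    reported as 'key created'; regedit only creates it if it is absent."""
    ops, key = [], None
    for line in _logical_lines(text):
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        m = KEY_RE.match(line)
        if m:
            delete, hive, subkey = m.groups()
            key = nt_path(hive, subkey)
            ops.append(("key deleted" if delete else "key created", key, None, None))
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue  # not a value line we understand; skip rather than guess
        name = "(Default)" if m.group(1) is None else re.sub(r"\\(.)", r"\1", m.group(1))
        data = m.group(3)
        if data == "-":
            ops.append(("value deleted", key, name, None))
        elif data.startswith("dword:"):
            ops.append(("set value (int)", key, name, int(data[6:], 16)))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            ops.append(("set value (str)", key, name, re.sub(r"\\(.)", r"\1", data[1:-1])))
        else:
            ops.append(("set value (raw)", key, name, data))  # hex:, hex(2):, ...
    return ops


def flag(ops):
    """Attach a watchlist label to each operation touching a watched path."""
    findings = []
    for op, key, name, data in ops:
        for needle, label in WATCHLIST:
            if needle.lower() in key.lower():
                findings.append((label, op, key, name, data))
                break
    return findings


SAMPLE_REG = r"""Windows Registry Editor Version 5.00
; constructed sample matching the report's IOCs (not the submitted import.reg)
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableBehaviorMonitoring"=dword:00000001
"DisableOnAccessProtection"=dword:00000001
"DisableScanOnRealtimeEnable"=dword:00000001
"DisableIOAVProtection"=dword:00000001
"DisableRealtimeMonitoring"=dword:00000001

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\Public\\updater.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\Public\\updater.exe"
"""

if __name__ == "__main__":
    for label, op, key, name, data in flag(parse_reg(SAMPLE_REG)):
        target = key if name is None else f"{key}\\{name} = {data!r}"
        print(f"[{label}] {op}: {target}")
```

Real files written by regedit 5.00 are UTF-16LE with a BOM, so open them with `encoding="utf-16"` before passing the text to `parse_reg`. The static listing deliberately reports every `[key]` header as "key created": the sandbox shows that only for the Real-Time Protection key because the Security Center and Run keys already existed on the image, a distinction only a live merge can make.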