Analysis
max time kernel: 145s
max time network: 107s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 10-01-2023 02:11
Static task: static1
Behavioral task: behavioral1
  Sample: 4b14dd75ca0e8f61493cb41737584aa324c715a0.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 4b14dd75ca0e8f61493cb41737584aa324c715a0.exe
  Resource: win10v2004-20220812-en
General
Target: 4b14dd75ca0e8f61493cb41737584aa324c715a0.exe
Size: 420KB
MD5: 78ffa2644ce5d737b0093156ab96b4bf
SHA1: 4b14dd75ca0e8f61493cb41737584aa324c715a0
SHA256: 627ed063fdd51691b6deaac025b91d271411e0412f56cb2fe4ba980a8825fe79
SHA512: 187172a0392a8aa22c1d074a2e7d9ec6a60477c6a90c0a9b4ca13b98fa3ba91eccc6b3c298fe0db7f8daa96590abe0edd6aed338254e71daadf81b8c44a9c6c3
SSDEEP: 12288:rJSSF/FxvZyT6zpVJ6yrX0kx0JcgU3UI1gI:BrZywEc0ygUEP
Malware Config
Signatures
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 4b14dd75ca0e8f61493cb41737584aa324c715a0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 4b14dd75ca0e8f61493cb41737584aa324c715a0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | F4D55F6500014973000CA680B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | F4D55F6500014973000CA680B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | F4D55F6500014973000CA680B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | F4D55F6500014973000CA680B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 4b14dd75ca0e8f61493cb41737584aa324c715a0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 4b14dd75ca0e8f61493cb41737584aa324c715a0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 4b14dd75ca0e8f61493cb41737584aa324c715a0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | F4D55F6500014973000CA680B4EB2331.exe
Disables taskbar notifications via registry modification
Executes dropped EXE (1 IoC)
pid | Process
912 | F4D55F6500014973000CA680B4EB2331.exe

Deletes itself (1 IoC)
pid | Process
912 | F4D55F6500014973000CA680B4EB2331.exe

Loads dropped DLL (2 IoCs)
pid | Process
1832 | 4b14dd75ca0e8f61493cb41737584aa324c715a0.exe
1832 | 4b14dd75ca0e8f61493cb41737584aa324c715a0.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 4b14dd75ca0e8f61493cb41737584aa324c715a0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | F4D55F6500014973000CA680B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | F4D55F6500014973000CA680B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | F4D55F6500014973000CA680B4EB2331.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc | F4D55F6500014973000CA680B4EB2331.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc | F4D55F6500014973000CA680B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 4b14dd75ca0e8f61493cb41737584aa324c715a0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc | 4b14dd75ca0e8f61493cb41737584aa324c715a0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | F4D55F6500014973000CA680B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 4b14dd75ca0e8f61493cb41737584aa324c715a0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | F4D55F6500014973000CA680B4EB2331.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc | 4b14dd75ca0e8f61493cb41737584aa324c715a0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 4b14dd75ca0e8f61493cb41737584aa324c715a0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 4b14dd75ca0e8f61493cb41737584aa324c715a0.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\F4D55F6500014973000CA680B4EB2331 = "C:\\ProgramData\\F4D55F6500014973000CA680B4EB2331\\F4D55F6500014973000CA680B4EB2331.exe" | F4D55F6500014973000CA680B4EB2331.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; identical rows collapsed, with their counts)
pid | Process | occurrences
1832 | 4b14dd75ca0e8f61493cb41737584aa324c715a0.exe | 7
912 | F4D55F6500014973000CA680B4EB2331.exe | 57
Suspicious use of FindShellTrayWindow (3 IoCs)
pid | Process
912 | F4D55F6500014973000CA680B4EB2331.exe
912 | F4D55F6500014973000CA680B4EB2331.exe
912 | F4D55F6500014973000CA680B4EB2331.exe

Suspicious use of SendNotifyMessage (3 IoCs)
pid | Process
912 | F4D55F6500014973000CA680B4EB2331.exe
912 | F4D55F6500014973000CA680B4EB2331.exe
912 | F4D55F6500014973000CA680B4EB2331.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
912 | F4D55F6500014973000CA680B4EB2331.exe
912 | F4D55F6500014973000CA680B4EB2331.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 1832 wrote to memory of 912 | 1832 | 4b14dd75ca0e8f61493cb41737584aa324c715a0.exe | 27
PID 1832 wrote to memory of 912 | 1832 | 4b14dd75ca0e8f61493cb41737584aa324c715a0.exe | 27
PID 1832 wrote to memory of 912 | 1832 | 4b14dd75ca0e8f61493cb41737584aa324c715a0.exe | 27
PID 1832 wrote to memory of 912 | 1832 | 4b14dd75ca0e8f61493cb41737584aa324c715a0.exe | 27
Processes
1. C:\Users\Admin\AppData\Local\Temp\4b14dd75ca0e8f61493cb41737584aa324c715a0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4b14dd75ca0e8f61493cb41737584aa324c715a0.exe"
   PID: 1832
   Signatures:
   - Windows security bypass
   - Loads dropped DLL
   - Windows security modification
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. (child of PID 1832) C:\ProgramData\F4D55F6500014973000CA680B4EB2331\F4D55F6500014973000CA680B4EB2331.exe
      Command line: "C:\ProgramData\F4D55F6500014973000CA680B4EB2331\F4D55F6500014973000CA680B4EB2331.exe" "C:\Users\Admin\AppData\Local\Temp\4b14dd75ca0e8f61493cb41737584aa324c715a0.exe"
      PID: 912
      Signatures:
      - Windows security bypass
      - Executes dropped EXE
      - Deletes itself
      - Windows security modification
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 420KB
MD5: 78ffa2644ce5d737b0093156ab96b4bf
SHA1: 4b14dd75ca0e8f61493cb41737584aa324c715a0
SHA256: 627ed063fdd51691b6deaac025b91d271411e0412f56cb2fe4ba980a8825fe79
SHA512: 187172a0392a8aa22c1d074a2e7d9ec6a60477c6a90c0a9b4ca13b98fa3ba91eccc6b3c298fe0db7f8daa96590abe0edd6aed338254e71daadf81b8c44a9c6c3