bcfe6ac0557eb21352e8355d8ec1126249b46a112df39e5c4eaaa8c3ca69aa4c

Analysis

max time kernel
147s
max time network
106s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
10-01-2023 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acb8aa1fd120962af8ab3845ce88f356d2493658.exe
Size

408KB
MD5

b31ae713fab9b8b9fef577054ec2d971
SHA1

acb8aa1fd120962af8ab3845ce88f356d2493658
SHA256

bcfe6ac0557eb21352e8355d8ec1126249b46a112df39e5c4eaaa8c3ca69aa4c
SHA512

230cf86ed693060ef06987d58b7a4beacfddc46e0da572ed284eb1f1442ed7693191f3b1f2389e1b103ef4626829db5e63c615509b0700a9c3644edfd93c923c
SSDEEP

12288:8qyuF2dxmh6ZfYqAlSnshDJDJIxFunmcqOOi:PsmhmdshJ90umq3

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	acb8aa1fd120962af8ab3845ce88f356d2493658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	acb8aa1fd120962af8ab3845ce88f356d2493658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	acb8aa1fd120962af8ab3845ce88f356d2493658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	F4D55F6500014973000C7881B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	F4D55F6500014973000C7881B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	acb8aa1fd120962af8ab3845ce88f356d2493658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	acb8aa1fd120962af8ab3845ce88f356d2493658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	F4D55F6500014973000C7881B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	F4D55F6500014973000C7881B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	F4D55F6500014973000C7881B4EB2331.exe

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
1252	F4D55F6500014973000C7881B4EB2331.exe

Deletes itself 1 IoCs

pid	Process
1252	F4D55F6500014973000C7881B4EB2331.exe

Loads dropped DLL 2 IoCs

pid	Process
1732	acb8aa1fd120962af8ab3845ce88f356d2493658.exe
1732	acb8aa1fd120962af8ab3845ce88f356d2493658.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc	acb8aa1fd120962af8ab3845ce88f356d2493658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	F4D55F6500014973000C7881B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	F4D55F6500014973000C7881B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	F4D55F6500014973000C7881B4EB2331.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc	F4D55F6500014973000C7881B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	acb8aa1fd120962af8ab3845ce88f356d2493658.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc	acb8aa1fd120962af8ab3845ce88f356d2493658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	F4D55F6500014973000C7881B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	acb8aa1fd120962af8ab3845ce88f356d2493658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	acb8aa1fd120962af8ab3845ce88f356d2493658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	acb8aa1fd120962af8ab3845ce88f356d2493658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	acb8aa1fd120962af8ab3845ce88f356d2493658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	F4D55F6500014973000C7881B4EB2331.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc	F4D55F6500014973000C7881B4EB2331.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\F4D55F6500014973000C7881B4EB2331 = "C:\\ProgramData\\F4D55F6500014973000C7881B4EB2331\\F4D55F6500014973000C7881B4EB2331.exe"	F4D55F6500014973000C7881B4EB2331.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1732	acb8aa1fd120962af8ab3845ce88f356d2493658.exe
1732	acb8aa1fd120962af8ab3845ce88f356d2493658.exe
1732	acb8aa1fd120962af8ab3845ce88f356d2493658.exe
1732	acb8aa1fd120962af8ab3845ce88f356d2493658.exe
1732	acb8aa1fd120962af8ab3845ce88f356d2493658.exe
1732	acb8aa1fd120962af8ab3845ce88f356d2493658.exe
1732	acb8aa1fd120962af8ab3845ce88f356d2493658.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1252	F4D55F6500014973000C7881B4EB2331.exe
1252	F4D55F6500014973000C7881B4EB2331.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1252	1732	acb8aa1fd120962af8ab3845ce88f356d2493658.exe	27
PID 1732 wrote to memory of 1252	1732	acb8aa1fd120962af8ab3845ce88f356d2493658.exe	27
PID 1732 wrote to memory of 1252	1732	acb8aa1fd120962af8ab3845ce88f356d2493658.exe	27
PID 1732 wrote to memory of 1252	1732	acb8aa1fd120962af8ab3845ce88f356d2493658.exe	27

C:\Users\Admin\AppData\Local\Temp\acb8aa1fd120962af8ab3845ce88f356d2493658.exe
"C:\Users\Admin\AppData\Local\Temp\acb8aa1fd120962af8ab3845ce88f356d2493658.exe"
1⤵
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1732
- C:\ProgramData\F4D55F6500014973000C7881B4EB2331\F4D55F6500014973000C7881B4EB2331.exe
  "C:\ProgramData\F4D55F6500014973000C7881B4EB2331\F4D55F6500014973000C7881B4EB2331.exe" "C:\Users\Admin\AppData\Local\Temp\acb8aa1fd120962af8ab3845ce88f356d2493658.exe"
  2⤵
  - Windows security bypass
  - Executes dropped EXE
  - Deletes itself
  - Windows security modification
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\F4D55F6500014973000C7881B4EB2331\F4D55F6500014973000C7881B4EB2331.exe

Filesize
408KB

MD5
b31ae713fab9b8b9fef577054ec2d971

SHA1
acb8aa1fd120962af8ab3845ce88f356d2493658

SHA256
bcfe6ac0557eb21352e8355d8ec1126249b46a112df39e5c4eaaa8c3ca69aa4c

SHA512
230cf86ed693060ef06987d58b7a4beacfddc46e0da572ed284eb1f1442ed7693191f3b1f2389e1b103ef4626829db5e63c615509b0700a9c3644edfd93c923c

Download Submit
C:\ProgramData\F4D55F6500014973000C7881B4EB2331\F4D55F6500014973000C7881B4EB2331.exe

Filesize
408KB

MD5
b31ae713fab9b8b9fef577054ec2d971

SHA1
acb8aa1fd120962af8ab3845ce88f356d2493658

SHA256
bcfe6ac0557eb21352e8355d8ec1126249b46a112df39e5c4eaaa8c3ca69aa4c

SHA512
230cf86ed693060ef06987d58b7a4beacfddc46e0da572ed284eb1f1442ed7693191f3b1f2389e1b103ef4626829db5e63c615509b0700a9c3644edfd93c923c

Download Submit
\ProgramData\F4D55F6500014973000C7881B4EB2331\F4D55F6500014973000C7881B4EB2331.exe

Filesize
408KB

MD5
b31ae713fab9b8b9fef577054ec2d971

SHA1
acb8aa1fd120962af8ab3845ce88f356d2493658

SHA256
bcfe6ac0557eb21352e8355d8ec1126249b46a112df39e5c4eaaa8c3ca69aa4c

SHA512
230cf86ed693060ef06987d58b7a4beacfddc46e0da572ed284eb1f1442ed7693191f3b1f2389e1b103ef4626829db5e63c615509b0700a9c3644edfd93c923c

Download Submit
\ProgramData\F4D55F6500014973000C7881B4EB2331\F4D55F6500014973000C7881B4EB2331.exe

Filesize
408KB

MD5
b31ae713fab9b8b9fef577054ec2d971

SHA1
acb8aa1fd120962af8ab3845ce88f356d2493658

SHA256
bcfe6ac0557eb21352e8355d8ec1126249b46a112df39e5c4eaaa8c3ca69aa4c

SHA512
230cf86ed693060ef06987d58b7a4beacfddc46e0da572ed284eb1f1442ed7693191f3b1f2389e1b103ef4626829db5e63c615509b0700a9c3644edfd93c923c

Download Submit
memory/1252-62-0x0000000000410000-0x0000000000502000-memory.dmp

Filesize
968KB

Download
memory/1732-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/1732-59-0x0000000000410000-0x0000000000502000-memory.dmp

Filesize
968KB

Download
memory/1732-63-0x0000000000410000-0x0000000000502000-memory.dmp

Filesize
968KB

Download