8fefa215a64ff37c9a5ef602de472b12f7d7cbbe48edf3bed071f19d84e03f51

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2023, 17:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8fefa215a64ff37c9a5ef602de472b12f7d7cbbe48edf3bed071f19d84e03f51.exe
Size

235KB
MD5

c2029dc778813262158edc1d45355023
SHA1

ef89cca7db326570c6342d665d57076da8686989
SHA256

8fefa215a64ff37c9a5ef602de472b12f7d7cbbe48edf3bed071f19d84e03f51
SHA512

40c0dded4f1ea106522a41a1151d55543cf3b36c53f99dfb9d7da0b54697b982cf6c919526fbb60c574a0e1771f53a0fc63c858db346c3c8a11df70e2a3c9fe2
SSDEEP

3072:0oiGOaT/J7Btb5TrbHLXBpniAhPv/2nirbfCsudelNGV4fbRrP7C6:0lGHzdBtbVHLxhLhP2GCsAelg4TtG

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	8fefa215a64ff37c9a5ef602de472b12f7d7cbbe48edf3bed071f19d84e03f51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	8fefa215a64ff37c9a5ef602de472b12f7d7cbbe48edf3bed071f19d84e03f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	8fefa215a64ff37c9a5ef602de472b12f7d7cbbe48edf3bed071f19d84e03f51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	8fefa215a64ff37c9a5ef602de472b12f7d7cbbe48edf3bed071f19d84e03f51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	8fefa215a64ff37c9a5ef602de472b12f7d7cbbe48edf3bed071f19d84e03f51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	8fefa215a64ff37c9a5ef602de472b12f7d7cbbe48edf3bed071f19d84e03f51.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	8fefa215a64ff37c9a5ef602de472b12f7d7cbbe48edf3bed071f19d84e03f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	8fefa215a64ff37c9a5ef602de472b12f7d7cbbe48edf3bed071f19d84e03f51.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5076	1048	WerFault.exe	77

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1048	8fefa215a64ff37c9a5ef602de472b12f7d7cbbe48edf3bed071f19d84e03f51.exe
1048	8fefa215a64ff37c9a5ef602de472b12f7d7cbbe48edf3bed071f19d84e03f51.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1048	8fefa215a64ff37c9a5ef602de472b12f7d7cbbe48edf3bed071f19d84e03f51.exe

C:\Users\Admin\AppData\Local\Temp\8fefa215a64ff37c9a5ef602de472b12f7d7cbbe48edf3bed071f19d84e03f51.exe
"C:\Users\Admin\AppData\Local\Temp\8fefa215a64ff37c9a5ef602de472b12f7d7cbbe48edf3bed071f19d84e03f51.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1048
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 880
  2⤵
  - Program crash
  PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1048 -ip 1048
1⤵
PID:4864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1048-132-0x0000000000898000-0x00000000008B8000-memory.dmp

Filesize
128KB

Download
memory/1048-133-0x0000000000800000-0x000000000082D000-memory.dmp

Filesize
180KB

Download
memory/1048-134-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/1048-135-0x0000000004E20000-0x00000000053C4000-memory.dmp

Filesize
5.6MB

Download
memory/1048-136-0x0000000000898000-0x00000000008B8000-memory.dmp

Filesize
128KB

Download
memory/1048-137-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download