Analysis
- max time kernel: 146s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 24-03-2023 15:26
Static task: static1
Behavioral task: behavioral1
- Sample: 84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe
- Resource: win10v2004-20230220-en
General
- Target: 84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe
- Size: 86KB
- MD5: ad9e6ee16b3abd3f757c8b5357de6042
- SHA1: f324263dc0b46991bb0ed664577910c4f4de8009
- SHA256: 84298e0b46665ad3825b9344fbda6ac8d75a6e9ccc44eab5b40a70555e4718f4
- SHA512: 428453f17a3c7829e8d6719fb605439ac26368be25113c179af2fa03e2b064e523eae1043998d54dd5ce07626012c43ffede666dec431013183eef990e0d8235
- SSDEEP: 1536:zW27RutYPWEBQlIGOO1g4W6j6hMbv4UFZLrkjj1RZ:5g1g49jcMbvLFxrkjF
Malware Config
Signatures
- Contains code to disable Windows Defender (4 IoCs)
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  Processes (resource | yara_rule):
  - behavioral1/memory/1972-54-0x00000000000F0000-0x000000000010A000-memory.dmp | disable_win_def
  - behavioral1/files/0x000700000001268d-61.dat | disable_win_def
  - behavioral1/files/0x000700000001268d-62.dat | disable_win_def
  - behavioral1/memory/968-63-0x0000000000810000-0x000000000082A000-memory.dmp | disable_win_def
- Modifies Windows Defender Real-time Protection settings (4 IoCs)
  Processes (description | ioc | Process):
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | 84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe
- Executes dropped EXE (1 IoCs)
  Processes (pid | Process):
  - 968 | WindowsUpdate.exe
- Windows security modification (1 IoCs)
  Processes (description | ioc | Process):
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | 84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | Process):
  - Set value (str) | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\edd3d42a2f83b252a9c7c412bfbb2d3c = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe" | 84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid | Process):
  - 1972 | 84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe
  - 968 | WindowsUpdate.exe
  - 1892 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | Process):
  - Token: SeDebugPrivilege | 1972 | 84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe
  - Token: SeDebugPrivilege | 968 | WindowsUpdate.exe
  - Token: SeDebugPrivilege | 1892 | powershell.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid | Process):
  - 1972 | 84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe
  - 1972 | 84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe
  - 968 | WindowsUpdate.exe
  - 968 | WindowsUpdate.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | Process | procid_target):
  - PID 1972 wrote to memory of 1892 | 1972 | 84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe | 29
  - PID 1972 wrote to memory of 1892 | 1972 | 84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe | 29
  - PID 1972 wrote to memory of 1892 | 1972 | 84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe | 29
  - PID 1972 wrote to memory of 968 | 1972 | 84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe | 31
  - PID 1972 wrote to memory of 968 | 1972 | 84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe | 31
  - PID 1972 wrote to memory of 968 | 1972 | 84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe"
  PID: 1972
  - Modifies Windows Defender Real-time Protection settings
  - Windows security modification
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, child of PID 1972)
    Command line: "powershell" Get-MpPreference -verbose
    PID: 1892
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe (level 2, child of PID 1972)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"
    PID: 968
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 86KB
  MD5: ad9e6ee16b3abd3f757c8b5357de6042
  SHA1: f324263dc0b46991bb0ed664577910c4f4de8009
  SHA256: 84298e0b46665ad3825b9344fbda6ac8d75a6e9ccc44eab5b40a70555e4718f4
  SHA512: 428453f17a3c7829e8d6719fb605439ac26368be25113c179af2fa03e2b064e523eae1043998d54dd5ce07626012c43ffede666dec431013183eef990e0d8235
- Filesize: 86KB
  MD5: ad9e6ee16b3abd3f757c8b5357de6042
  SHA1: f324263dc0b46991bb0ed664577910c4f4de8009
  SHA256: 84298e0b46665ad3825b9344fbda6ac8d75a6e9ccc44eab5b40a70555e4718f4
  SHA512: 428453f17a3c7829e8d6719fb605439ac26368be25113c179af2fa03e2b064e523eae1043998d54dd5ce07626012c43ffede666dec431013183eef990e0d8235