2ce4f81d27d7546777e15fbc9aa43fccfb11e7999c117da3c2473d38609db563

General

Target

1e1525ffd32483cfc0f5e28d97ee9c7b19315acea9aa9380fd8f40002c232788.exe
Size

176KB
MD5

2a02442fd8f21c08686be998a7399412
SHA1

aa19bce0ae14dd95847421aaed4db0e50f134b28
SHA256

1e1525ffd32483cfc0f5e28d97ee9c7b19315acea9aa9380fd8f40002c232788
SHA512

713ab1b145ce6fa3a0313aa776bc50565c9a4ffaf2976023aefd99614a6b7e3e4c6b3abf89187c3377f4dea0efcde5402118b8e9b87dd0af61f2973bf073beb1
SSDEEP

3072:pDKW1LgppLRHMY0TBfJvjcTp5XZpa8nqeo7Qbeues6Y:pDKW1Lgbdl0TBBvjc/S81Sues

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1e1525ffd32483cfc0f5e28d97ee9c7b19315acea9aa9380fd8f40002c232788.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1e1525ffd32483cfc0f5e28d97ee9c7b19315acea9aa9380fd8f40002c232788.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1e1525ffd32483cfc0f5e28d97ee9c7b19315acea9aa9380fd8f40002c232788.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1e1525ffd32483cfc0f5e28d97ee9c7b19315acea9aa9380fd8f40002c232788.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1e1525ffd32483cfc0f5e28d97ee9c7b19315acea9aa9380fd8f40002c232788.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1e1525ffd32483cfc0f5e28d97ee9c7b19315acea9aa9380fd8f40002c232788.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	1e1525ffd32483cfc0f5e28d97ee9c7b19315acea9aa9380fd8f40002c232788.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1e1525ffd32483cfc0f5e28d97ee9c7b19315acea9aa9380fd8f40002c232788.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1560	1e1525ffd32483cfc0f5e28d97ee9c7b19315acea9aa9380fd8f40002c232788.exe
1560	1e1525ffd32483cfc0f5e28d97ee9c7b19315acea9aa9380fd8f40002c232788.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1560	1e1525ffd32483cfc0f5e28d97ee9c7b19315acea9aa9380fd8f40002c232788.exe

C:\Users\Admin\AppData\Local\Temp\1e1525ffd32483cfc0f5e28d97ee9c7b19315acea9aa9380fd8f40002c232788.exe
"C:\Users\Admin\AppData\Local\Temp\1e1525ffd32483cfc0f5e28d97ee9c7b19315acea9aa9380fd8f40002c232788.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1560-54-0x00000000005C0000-0x00000000005DA000-memory.dmp

Filesize
104KB

Download
memory/1560-55-0x00000000008B0000-0x00000000008C8000-memory.dmp

Filesize
96KB

Download
memory/1560-56-0x00000000008B0000-0x00000000008C2000-memory.dmp

Filesize
72KB

Download
memory/1560-57-0x00000000008B0000-0x00000000008C2000-memory.dmp

Filesize
72KB

Download
memory/1560-59-0x00000000008B0000-0x00000000008C2000-memory.dmp

Filesize
72KB

Download
memory/1560-61-0x00000000008B0000-0x00000000008C2000-memory.dmp

Filesize
72KB

Download
memory/1560-65-0x00000000008B0000-0x00000000008C2000-memory.dmp

Filesize
72KB

Download
memory/1560-63-0x00000000008B0000-0x00000000008C2000-memory.dmp

Filesize
72KB

Download
memory/1560-69-0x00000000008B0000-0x00000000008C2000-memory.dmp

Filesize
72KB

Download
memory/1560-67-0x00000000008B0000-0x00000000008C2000-memory.dmp

Filesize
72KB

Download
memory/1560-73-0x00000000008B0000-0x00000000008C2000-memory.dmp

Filesize
72KB

Download
memory/1560-71-0x00000000008B0000-0x00000000008C2000-memory.dmp

Filesize
72KB

Download
memory/1560-77-0x00000000008B0000-0x00000000008C2000-memory.dmp

Filesize
72KB

Download
memory/1560-75-0x00000000008B0000-0x00000000008C2000-memory.dmp

Filesize
72KB

Download
memory/1560-81-0x00000000008B0000-0x00000000008C2000-memory.dmp

Filesize
72KB

Download
memory/1560-79-0x00000000008B0000-0x00000000008C2000-memory.dmp

Filesize
72KB

Download
memory/1560-83-0x00000000008B0000-0x00000000008C2000-memory.dmp

Filesize
72KB

Download
memory/1560-84-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/1560-85-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads