97399d4a530ea277cb9502555ee3d85100e1e9a1c56a173fa6c570df0c5f88a4

Analysis

max time kernel
27s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
29/05/2023, 04:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

k8704938.exe
Size

184KB
MD5

58dba47f9c7d53ae734da0f314af09b1
SHA1

85146261b71e0bfdbb5854b77d72f4cd3b461d89
SHA256

97399d4a530ea277cb9502555ee3d85100e1e9a1c56a173fa6c570df0c5f88a4
SHA512

f1a0f7802130e119979afe60f254e659e0eaf141c5a8618a143d3eecff4d038681f9cfccf9af190fed269018cd8897d59e432a545aaac5af8c3e724d21a19e64
SSDEEP

3072:mDKW1LgppLRHMY0TBfJvjcTp5XNSolP1DF3HECsxU6f:mDKW1Lgbdl0TBBvjc/NS61DF3EJU

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k8704938.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k8704938.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k8704938.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k8704938.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k8704938.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k8704938.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k8704938.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	k8704938.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
324	k8704938.exe
324	k8704938.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	324	k8704938.exe

C:\Users\Admin\AppData\Local\Temp\k8704938.exe
"C:\Users\Admin\AppData\Local\Temp\k8704938.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/324-54-0x0000000001F00000-0x0000000001F1E000-memory.dmp

Filesize
120KB

Download
memory/324-55-0x0000000001F70000-0x0000000001F8C000-memory.dmp

Filesize
112KB

Download
memory/324-56-0x0000000001F70000-0x0000000001F86000-memory.dmp

Filesize
88KB

Download
memory/324-57-0x0000000001F70000-0x0000000001F86000-memory.dmp

Filesize
88KB

Download
memory/324-59-0x0000000001F70000-0x0000000001F86000-memory.dmp

Filesize
88KB

Download
memory/324-61-0x0000000001F70000-0x0000000001F86000-memory.dmp

Filesize
88KB

Download
memory/324-63-0x0000000001F70000-0x0000000001F86000-memory.dmp

Filesize
88KB

Download
memory/324-65-0x0000000001F70000-0x0000000001F86000-memory.dmp

Filesize
88KB

Download
memory/324-67-0x0000000001F70000-0x0000000001F86000-memory.dmp

Filesize
88KB

Download
memory/324-71-0x0000000001F70000-0x0000000001F86000-memory.dmp

Filesize
88KB

Download
memory/324-69-0x0000000001F70000-0x0000000001F86000-memory.dmp

Filesize
88KB

Download
memory/324-77-0x0000000001F70000-0x0000000001F86000-memory.dmp

Filesize
88KB

Download
memory/324-75-0x0000000001F70000-0x0000000001F86000-memory.dmp

Filesize
88KB

Download
memory/324-73-0x0000000001F70000-0x0000000001F86000-memory.dmp

Filesize
88KB

Download
memory/324-81-0x0000000001F70000-0x0000000001F86000-memory.dmp

Filesize
88KB

Download
memory/324-79-0x0000000001F70000-0x0000000001F86000-memory.dmp

Filesize
88KB

Download
memory/324-83-0x0000000001F70000-0x0000000001F86000-memory.dmp

Filesize
88KB

Download
memory/324-84-0x0000000004800000-0x0000000004840000-memory.dmp

Filesize
256KB

Download
memory/324-85-0x0000000004800000-0x0000000004840000-memory.dmp

Filesize
256KB

Download