3502aa13d1f167aca89b85cdadc0f3ec10ce737f816ba9e6f3820c2893a8b4b0

Analysis

max time kernel
138s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2023, 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

g8300636.exe
Size

166KB
MD5

a277d5a22872c23a3498b7a8c446d01f
SHA1

a4a2c487d0e4906a1542a7b3061f044606c15da6
SHA256

3502aa13d1f167aca89b85cdadc0f3ec10ce737f816ba9e6f3820c2893a8b4b0
SHA512

52b2e1888dec9ab9ae35834778d8663772d95253d2307b24c560083a195c5ec96a288babb45706a8e724825a9832f136b615180cf1b339f831ee0fcda7269eb9
SSDEEP

3072:700osigCy+8tkWZ2NHIyKUe7Xt85QIXO:YJyR+kkWs2UgXerX

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1804 set thread context of 4056	1804	g8300636.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4056	AppLaunch.exe
4056	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4056	AppLaunch.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 4056	1804	g8300636.exe	83
PID 1804 wrote to memory of 4056	1804	g8300636.exe	83
PID 1804 wrote to memory of 4056	1804	g8300636.exe	83
PID 1804 wrote to memory of 4056	1804	g8300636.exe	83
PID 1804 wrote to memory of 4056	1804	g8300636.exe	83

C:\Users\Admin\AppData\Local\Temp\g8300636.exe
"C:\Users\Admin\AppData\Local\Temp\g8300636.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4056-133-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download