1a49a3a597a3c3d237c278568049762a450594f9700f1305430ba603a814dca2

Analysis

max time kernel
135s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a49a3a597a3c3d237c278568049762a450594f9700f1305430ba603a814dca2.exe
Size

121KB
MD5

576d630fd98dd1a5dbf2836458601cd2
SHA1

8f89ef2bc33f1adcaa4f45c2ac2e618ed4be80db
SHA256

1a49a3a597a3c3d237c278568049762a450594f9700f1305430ba603a814dca2
SHA512

598c704c773b1b0130cda6c8309087c4a86bc91a307afb0cbca73a0b5a11c6f99a269b7331d1a7ce9dc8278c8375e2a386dce8f9b40e8ff42b0d857442878cd8
SSDEEP

3072:I9QLdsON8xxwaTq29LlFZtGLfWvG8oyhuWVFrag1shbnrtvx:CQLvN8VTXZt+WVFmZhrrt

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4176 set thread context of 3272	4176	1a49a3a597a3c3d237c278568049762a450594f9700f1305430ba603a814dca2.exe	85

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1804	4176	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3272	AppLaunch.exe
3272	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3272	AppLaunch.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4176 wrote to memory of 3272	4176	1a49a3a597a3c3d237c278568049762a450594f9700f1305430ba603a814dca2.exe	85
PID 4176 wrote to memory of 3272	4176	1a49a3a597a3c3d237c278568049762a450594f9700f1305430ba603a814dca2.exe	85
PID 4176 wrote to memory of 3272	4176	1a49a3a597a3c3d237c278568049762a450594f9700f1305430ba603a814dca2.exe	85
PID 4176 wrote to memory of 3272	4176	1a49a3a597a3c3d237c278568049762a450594f9700f1305430ba603a814dca2.exe	85
PID 4176 wrote to memory of 3272	4176	1a49a3a597a3c3d237c278568049762a450594f9700f1305430ba603a814dca2.exe	85

C:\Users\Admin\AppData\Local\Temp\1a49a3a597a3c3d237c278568049762a450594f9700f1305430ba603a814dca2.exe
"C:\Users\Admin\AppData\Local\Temp\1a49a3a597a3c3d237c278568049762a450594f9700f1305430ba603a814dca2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3272
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 492
  2⤵
  - Program crash
  PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4176 -ip 4176
1⤵
PID:2656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3272-133-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download