e8ab06fa0861d51b6a7c58708955a9c776f1f047916bf73328122cd41a48bdce

Analysis

max time kernel
104s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2023, 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8ab06fa0861d51b6a7c58708955a9c776f1f047916bf73328122cd41a48bdce.exe
Size

147KB
MD5

cfbf3f73fb0ce4af1914f1c8f8478475
SHA1

097ab1e8e97a7877c95a7ebc8133844e1c55b194
SHA256

e8ab06fa0861d51b6a7c58708955a9c776f1f047916bf73328122cd41a48bdce
SHA512

336d20b441ab25b6c77a7bd9217e3de8a5e5f943634318ab5d8039fd7b4c9c819c5804d84f91454dabb8e53627875039a4241648402c2ed39b8ba6b3a4a8b98c
SSDEEP

3072:NJJIe5KvcG7P6gnuG+WHgP8lru/BAyhuWVFrag1btJPsx6:NJie8ZP9nw3diWVFmKtJP1

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4364 set thread context of 560	4364	e8ab06fa0861d51b6a7c58708955a9c776f1f047916bf73328122cd41a48bdce.exe	87

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1652	4364	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
560	AppLaunch.exe
560	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	560	AppLaunch.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 560	4364	e8ab06fa0861d51b6a7c58708955a9c776f1f047916bf73328122cd41a48bdce.exe	87
PID 4364 wrote to memory of 560	4364	e8ab06fa0861d51b6a7c58708955a9c776f1f047916bf73328122cd41a48bdce.exe	87
PID 4364 wrote to memory of 560	4364	e8ab06fa0861d51b6a7c58708955a9c776f1f047916bf73328122cd41a48bdce.exe	87
PID 4364 wrote to memory of 560	4364	e8ab06fa0861d51b6a7c58708955a9c776f1f047916bf73328122cd41a48bdce.exe	87
PID 4364 wrote to memory of 560	4364	e8ab06fa0861d51b6a7c58708955a9c776f1f047916bf73328122cd41a48bdce.exe	87

C:\Users\Admin\AppData\Local\Temp\e8ab06fa0861d51b6a7c58708955a9c776f1f047916bf73328122cd41a48bdce.exe
"C:\Users\Admin\AppData\Local\Temp\e8ab06fa0861d51b6a7c58708955a9c776f1f047916bf73328122cd41a48bdce.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 496
  2⤵
  - Program crash
  PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4364 -ip 4364
1⤵
PID:4492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/560-133-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download