744861fe244e02e8578eca02e2feddbfb73c7fc038e5b66165c02e44bd2b08d5

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11/06/2023, 11:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

01951799.exe
Size

97KB
MD5

c3cd6ebe2cd170e37301ee3d052b2ef7
SHA1

e9f5d16972414c54738ca44fa036e6091e6151c3
SHA256

744861fe244e02e8578eca02e2feddbfb73c7fc038e5b66165c02e44bd2b08d5
SHA512

d92672ade7c2eed701651ccacc7df60ea82c5dc26cca6c2de46d54361fda9f0e002c52233afb85c1ddb9977d9de61413bbfce1bb34454e64bf245299a9c41220
SSDEEP

1536:VR1QOExy2cIHNW2mHNoIS9kCclYmiXUSu/7TPxw:SOCynSm49kCcCfUSu/fx

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	01951799.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	01951799.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	01951799.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	01951799.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	01951799.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	01951799.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	01951799.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	01951799.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2008	01951799.exe
2008	01951799.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	01951799.exe

C:\Users\Admin\AppData\Local\Temp\01951799.exe
"C:\Users\Admin\AppData\Local\Temp\01951799.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2008-54-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download