e7274f4220f2cca3a7bcd45922399189562a53da67d7f7ee8cd651dd101627f7

Analysis

max time kernel
142s
max time network
175s
platform
windows10-1703_x64
resource
win10-20230621-en
resource tags

arch:x64arch:x86image:win10-20230621-enlocale:en-usos:windows10-1703-x64system
submitted
30/06/2023, 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

k4727021.exe
Size

134KB
MD5

d8b1999ebfa1dd1f9ee854380a2173c7
SHA1

0f41e50eaa96cfc1bfb3de09bb43f853328aff27
SHA256

e7274f4220f2cca3a7bcd45922399189562a53da67d7f7ee8cd651dd101627f7
SHA512

dc4506a9a6b30001ae9f9af59df81af4bc27ee4e0344898ecd34a0e5cfd0076af3d3daccfceddc0a30034eb66d0639783e357ebb9b8574222c6f1635d8c6ed54
SSDEEP

3072:ivxeGH7tJxmpnDtkL+euaMbPeEri/qBwcriVgGTEQJgH0nHaaHkP5oWRQx2WR3xj:ivxe/bPe1CWHgHg4PyQdQB

Score

10^/10

evasion trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/2700-117-0x0000000000540000-0x000000000054A000-memory.dmp	healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k4727021.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k4727021.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k4727021.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k4727021.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k4727021.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k4727021.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k4727021.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2700	k4727021.exe
2700	k4727021.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	k4727021.exe

C:\Users\Admin\AppData\Local\Temp\k4727021.exe
"C:\Users\Admin\AppData\Local\Temp\k4727021.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2700-117-0x0000000000540000-0x000000000054A000-memory.dmp

Filesize
40KB

Download