Analysis
-
max time kernel
174s -
max time network
178s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
07-10-2023 08:33
General
-
Target
ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
-
Size
3.9MB
-
MD5
2746cf67ced0c91f1cefd3d137bd6a5c
-
SHA1
c42e2e0080ec2f357c7306754ea82b976bdc220c
-
SHA256
ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff
-
SHA512
2cad5e01ff55204ec0c30361a9db29a38ed4bc4eb20ae76c5984aa2cfac9d5fede4aee1981168be47b0f60e1c2f0e7f7b79adce62663f9ab3706ea3a05fb6238
-
SSDEEP
98304:s7ZyplW12iRY7CWkdntsrBRAxQyvIYA+7THD:duLaCv0BeOyvIYA+Hj
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 3 IoCs
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 10 IoCs
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe"C:\Users\Admin\AppData\Local\Temp\ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable2⤵
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable2⤵
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable2⤵
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable2⤵
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable2⤵
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable2⤵
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable2⤵
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable2⤵
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "Services and Controller app" /sc MINUTE /mo 3 /tr "C:\Users\Admin\AppData\Local\11D7E630\services.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\11D7E630\services.exe"C:\Users\Admin\AppData\Local\11D7E630\services.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\11D7E630\tor\services.exe"C:\Users\Admin\AppData\Local\11D7E630\tor\services.exe" -f "C:\Users\Admin\AppData\Local\11D7E630\tor\torrc"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall set rule group="Network Discovery" new enable=Yes4⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes4⤵
- Modifies Windows Firewall
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & del /Q /S "C:\Users\Admin\AppData\Local\Temp\ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 33⤵
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.9MB
MD52746cf67ced0c91f1cefd3d137bd6a5c
SHA1c42e2e0080ec2f357c7306754ea82b976bdc220c
SHA256ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff
SHA5122cad5e01ff55204ec0c30361a9db29a38ed4bc4eb20ae76c5984aa2cfac9d5fede4aee1981168be47b0f60e1c2f0e7f7b79adce62663f9ab3706ea3a05fb6238
-
Filesize
3.9MB
MD52746cf67ced0c91f1cefd3d137bd6a5c
SHA1c42e2e0080ec2f357c7306754ea82b976bdc220c
SHA256ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff
SHA5122cad5e01ff55204ec0c30361a9db29a38ed4bc4eb20ae76c5984aa2cfac9d5fede4aee1981168be47b0f60e1c2f0e7f7b79adce62663f9ab3706ea3a05fb6238
-
Filesize
3.9MB
MD52746cf67ced0c91f1cefd3d137bd6a5c
SHA1c42e2e0080ec2f357c7306754ea82b976bdc220c
SHA256ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff
SHA5122cad5e01ff55204ec0c30361a9db29a38ed4bc4eb20ae76c5984aa2cfac9d5fede4aee1981168be47b0f60e1c2f0e7f7b79adce62663f9ab3706ea3a05fb6238
-
Filesize
3.1MB
MD53c20802fa7f36c8839c4f942b8d86f0d
SHA1ab351fb48b1e3bded12836d8ccdb661a426ce8d8
SHA2568a85673f24ae7a5cfe6faa03f786268b730326d95a254e86a7e84d3bf4d902bf
SHA5121cb9bc2749ac496f13e77e11a9c134a445b287d1ad6f42eec9662d7873f771bedf0b60ea7607b735a0a21046a43b71ce9d6433d9889e7449f413418bc6498661
-
Filesize
696KB
MD58ed681b5e737350b48b151968ce186ce
SHA116916adbd765b95676f5fdd98f39d24a9015f424
SHA2561bafbdf42dc31d3cc336bb39c47631dde9a5af5a6465cc45bb7ae2d0065526af
SHA5122493b5277890e34a903ac5eac064cdb500c6acbdf467429984d79ddc2ffe3f9b7cfb9daa349931749ad5103b9d5ed2f16466108def7ab492adf11af02bf40580
-
Filesize
700KB
MD5ae522c45a309dfa8f51513724a0e92ae
SHA1aa8091b4261b8a478d11e851679f42044146dee8
SHA2561bfc7a5ec4deccad431e611cd91f561e6db1937a1261f1ba47f657b79ae062ab
SHA512ae2fff4e287bca9ca42fe05807fccc2c3e357fc9420c4a5f380ccc9ba249ffdeea13a75373882d8ee393723242942c1cac814b92523bf995a7cc56b1bda861c2
-
Filesize
510KB
MD51c67fdd5b95084be91bf6f17229c01aa
SHA1966810b47480695146cb1095227538dc3c2b16b8
SHA256cc7293ab50e2b1d267d0dff676bbf8e54395ec199c76b03d6d14624cfb33004f
SHA5125806868778953222dbacd22800155d64619ed8ff0cf6eb24113e3d56eb658a2b5245ade71f53103b65ea1eca24fb3a84814c658967fac34b414ceb77577c2f71
-
Filesize
90KB
MD5762dd637e8cc3f5a36306ed48e88088a
SHA1feb85588dbafac9b455bab51ff319fc47e1543f9
SHA2568e09c794b8611e07a9a61b7d72d20947c42623e20838b02dce6edd8a0df85481
SHA5125abe8c729889bab9c9c925d7e7e1989ea72d461bdf6eae31d60b195c346c54a84339787c67be1e9411873db10cd7cee5a2382a1406842a72069a6e8fe81656d4
-
Filesize
3.5MB
MD5833cb6a4a90e7b3a1caaedfa6d26a04f
SHA141dc9078c6cf2c5e49f507f64876b414d7318348
SHA256fae586e75bf3c71b70a5770550823765e0a595ab64ce572743a2e3e00031c891
SHA51260c139af6ffa46c7aef082d307639838c7baa4dbbd6bdf49635563e4867ccc0175e118b0bde783785063832755ccbbb01a433000fac1af70fd754befcf179eeb
-
Filesize
3.5MB
MD5833cb6a4a90e7b3a1caaedfa6d26a04f
SHA141dc9078c6cf2c5e49f507f64876b414d7318348
SHA256fae586e75bf3c71b70a5770550823765e0a595ab64ce572743a2e3e00031c891
SHA51260c139af6ffa46c7aef082d307639838c7baa4dbbd6bdf49635563e4867ccc0175e118b0bde783785063832755ccbbb01a433000fac1af70fd754befcf179eeb
-
Filesize
97B
MD59517feb026f109b6c8f4c50e7eb5db54
SHA14faf2880c781715a38031d82ac6bc5ddb0851108
SHA256fe2b0871dd60ddabc3384bd1d8eac47f6887831d88aa290dadf020730b37a2f2
SHA512dba30df7a3dfa4062115b2d78cf509b0b0b612f617a9b3bd95126569fe092737a550992dcf611a594a918ac29c0e9ea3c6e1920c1947da11e30d2ef44ac7df83
-
Filesize
105KB
MD576615cf23161037c359407127b3ea95f
SHA1feb5945d87db52423bfa413fe2696c076c544ef0
SHA256daf91e9b6190b88c39fbc92d46cac32d05eba28d0a5d1fd38f2c66f1fce96be9
SHA5126586ceca60d661dbc4e983e6271a3d06ab9ad55a9fb24b234f1ebab22af5678f583b3b7b5d42e2808bdcfa341c472e71783e04e5ea3da26bb1738c2153e64469
-
Filesize
9.3MB
MD559cb912b91932788528773f040d96332
SHA150228105513e7f6fbc9b26c1830e0f8c4e9f0f0b
SHA256c7a76071db21f050ec7b497123b93651504c81483d9e925922c359cb9d62a698
SHA51253e5f2bbe417313b8b14b309a72c2f6309ae40ddc9b1a5d0482c22972b72263e7a331fdebaeb4f8f35f9abab62e6e67a1e25022e198de01112320faa5de81f8a
-
Filesize
3.9MB
MD52746cf67ced0c91f1cefd3d137bd6a5c
SHA1c42e2e0080ec2f357c7306754ea82b976bdc220c
SHA256ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff
SHA5122cad5e01ff55204ec0c30361a9db29a38ed4bc4eb20ae76c5984aa2cfac9d5fede4aee1981168be47b0f60e1c2f0e7f7b79adce62663f9ab3706ea3a05fb6238
-
Filesize
3.9MB
MD52746cf67ced0c91f1cefd3d137bd6a5c
SHA1c42e2e0080ec2f357c7306754ea82b976bdc220c
SHA256ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff
SHA5122cad5e01ff55204ec0c30361a9db29a38ed4bc4eb20ae76c5984aa2cfac9d5fede4aee1981168be47b0f60e1c2f0e7f7b79adce62663f9ab3706ea3a05fb6238
-
Filesize
3.1MB
MD53c20802fa7f36c8839c4f942b8d86f0d
SHA1ab351fb48b1e3bded12836d8ccdb661a426ce8d8
SHA2568a85673f24ae7a5cfe6faa03f786268b730326d95a254e86a7e84d3bf4d902bf
SHA5121cb9bc2749ac496f13e77e11a9c134a445b287d1ad6f42eec9662d7873f771bedf0b60ea7607b735a0a21046a43b71ce9d6433d9889e7449f413418bc6498661
-
Filesize
700KB
MD5ae522c45a309dfa8f51513724a0e92ae
SHA1aa8091b4261b8a478d11e851679f42044146dee8
SHA2561bfc7a5ec4deccad431e611cd91f561e6db1937a1261f1ba47f657b79ae062ab
SHA512ae2fff4e287bca9ca42fe05807fccc2c3e357fc9420c4a5f380ccc9ba249ffdeea13a75373882d8ee393723242942c1cac814b92523bf995a7cc56b1bda861c2
-
Filesize
510KB
MD51c67fdd5b95084be91bf6f17229c01aa
SHA1966810b47480695146cb1095227538dc3c2b16b8
SHA256cc7293ab50e2b1d267d0dff676bbf8e54395ec199c76b03d6d14624cfb33004f
SHA5125806868778953222dbacd22800155d64619ed8ff0cf6eb24113e3d56eb658a2b5245ade71f53103b65ea1eca24fb3a84814c658967fac34b414ceb77577c2f71
-
Filesize
90KB
MD5762dd637e8cc3f5a36306ed48e88088a
SHA1feb85588dbafac9b455bab51ff319fc47e1543f9
SHA2568e09c794b8611e07a9a61b7d72d20947c42623e20838b02dce6edd8a0df85481
SHA5125abe8c729889bab9c9c925d7e7e1989ea72d461bdf6eae31d60b195c346c54a84339787c67be1e9411873db10cd7cee5a2382a1406842a72069a6e8fe81656d4
-
Filesize
3.5MB
MD5833cb6a4a90e7b3a1caaedfa6d26a04f
SHA141dc9078c6cf2c5e49f507f64876b414d7318348
SHA256fae586e75bf3c71b70a5770550823765e0a595ab64ce572743a2e3e00031c891
SHA51260c139af6ffa46c7aef082d307639838c7baa4dbbd6bdf49635563e4867ccc0175e118b0bde783785063832755ccbbb01a433000fac1af70fd754befcf179eeb
-
Filesize
3.5MB
MD5833cb6a4a90e7b3a1caaedfa6d26a04f
SHA141dc9078c6cf2c5e49f507f64876b414d7318348
SHA256fae586e75bf3c71b70a5770550823765e0a595ab64ce572743a2e3e00031c891
SHA51260c139af6ffa46c7aef082d307639838c7baa4dbbd6bdf49635563e4867ccc0175e118b0bde783785063832755ccbbb01a433000fac1af70fd754befcf179eeb
-
Filesize
696KB
MD58ed681b5e737350b48b151968ce186ce
SHA116916adbd765b95676f5fdd98f39d24a9015f424
SHA2561bafbdf42dc31d3cc336bb39c47631dde9a5af5a6465cc45bb7ae2d0065526af
SHA5122493b5277890e34a903ac5eac064cdb500c6acbdf467429984d79ddc2ffe3f9b7cfb9daa349931749ad5103b9d5ed2f16466108def7ab492adf11af02bf40580
-
Filesize
105KB
MD576615cf23161037c359407127b3ea95f
SHA1feb5945d87db52423bfa413fe2696c076c544ef0
SHA256daf91e9b6190b88c39fbc92d46cac32d05eba28d0a5d1fd38f2c66f1fce96be9
SHA5126586ceca60d661dbc4e983e6271a3d06ab9ad55a9fb24b234f1ebab22af5678f583b3b7b5d42e2808bdcfa341c472e71783e04e5ea3da26bb1738c2153e64469
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
9.1MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
3.9MB
-
Filesize
520KB
-
Filesize
112KB
-
Filesize
520KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
3.6MB
-
Filesize
2.1MB
-
Filesize
3.6MB
-
Filesize
2.1MB
-
Filesize
520KB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
2.1MB
-
Filesize
520KB
-
Filesize
3.6MB
-
Filesize
520KB
-
Filesize
2.1MB
-
Filesize
520KB
-
Filesize
3.6MB
-
Filesize
2.1MB
-
Filesize
472KB
-
Filesize
3.6MB
-
Filesize
2.1MB
-
Filesize
3.6MB
-
Filesize
2.1MB
-
Filesize
3.6MB
-
Filesize
2.1MB
-
Filesize
3.6MB
-
Filesize
2.1MB
-
Filesize
3.6MB
-
Filesize
2.1MB
-
Filesize
3.6MB
-
Filesize
3.9MB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
6.9MB