Analysis
max time kernel: 141s
max time network: 123s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted: 22/12/2023, 08:54
Behavioral task: behavioral1
Sample: 7f22451fdb349cf64713c504551fa5d8.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: 7f22451fdb349cf64713c504551fa5d8.exe
Resource: win10v2004-20231215-en
General
Target: 7f22451fdb349cf64713c504551fa5d8.exe
Size: 2.1MB
MD5: 7f22451fdb349cf64713c504551fa5d8
SHA1: d554b2f29a8ab15a0b2a4b0803e9b913fb8562b0
SHA256: 4eeeb09b82ac8340354fcb7b58f1845adff3d47e4f370e612cb1de7951362aef
SHA512: ee98e077777f9892bbf11cdf04cb9a782f3e00b30a56533ae009150d830175f8b1a090b661b01567d96e53088b7d195d452ff524c3be7211f834774434629e62
SSDEEP: 49152:C4U5PfQMSJAwQF/UVic/Rg/EyMUO0zsxNhaO7hRN4vbz8Vapvtt:05PdqAwc/XYRg/ERUO0IPFRN4vXi4tt
Malware Config
Signatures
Contains code to disable Windows Defender (4 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource / yara_rule:
- behavioral1/files/0x000c000000011fde-7.dat: disable_win_def
- behavioral1/files/0x000c000000011fde-3.dat: disable_win_def
- behavioral1/files/0x000c000000011fde-10.dat: disable_win_def
- behavioral1/memory/856-11-0x0000000000D00000-0x0000000000F7E000-memory.dmp: disable_win_def
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
description / ioc / Process:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,\"C:\\Users\\Admin\\AppData\\Local\\Pic1fPBkmq\\LOHejsSdpL.exe\" -s" (7f22451fdb349cf64713c504551fa5d8.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (7f22451fdb349cf64713c504551fa5d8.exe)
Executes dropped EXE (1 IoCs)
pid / Process:
- 856: BGtEXjsyJ0.exe
Loads dropped DLL (1 IoCs)
pid / Process:
- 2544: 7f22451fdb349cf64713c504551fa5d8.exe
resource / yara_rule:
- behavioral1/memory/2544-0-0x0000000000400000-0x00000000007C6000-memory.dmp: upx
- behavioral1/memory/2544-18-0x0000000000400000-0x00000000007C6000-memory.dmp: upx
resource / yara_rule:
- behavioral1/files/0x000c000000011fde-7.dat: vmprotect
- behavioral1/files/0x000c000000011fde-3.dat: vmprotect
- behavioral1/files/0x000c000000011fde-10.dat: vmprotect
- behavioral1/memory/856-11-0x0000000000D00000-0x0000000000F7E000-memory.dmp: vmprotect
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege, 856, BGtEXjsyJ0.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description / pid / Process / procid_target:
- PID 2544 wrote to memory of 856: 2544, 7f22451fdb349cf64713c504551fa5d8.exe, 25
- PID 2544 wrote to memory of 856: 2544, 7f22451fdb349cf64713c504551fa5d8.exe, 25
- PID 2544 wrote to memory of 856: 2544, 7f22451fdb349cf64713c504551fa5d8.exe, 25
- PID 2544 wrote to memory of 856: 2544, 7f22451fdb349cf64713c504551fa5d8.exe, 25
System policy modification (1 TTPs, 1 IoCs)
description / ioc / Process:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (7f22451fdb349cf64713c504551fa5d8.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\7f22451fdb349cf64713c504551fa5d8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7f22451fdb349cf64713c504551fa5d8.exe"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 2544
  C:\Users\Admin\AppData\Local\Temp\BGtEXjsyJ0.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\BGtEXjsyJ0.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 856
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Boot or Logon Autostart Execution: 1
  - Winlogon Helper DLL: 1
Downloads
Filesize: 276KB
MD5: 7065d6cee16f88c07edba65d0646c78e
SHA1: bdf4a1b44bfa8cbd77a2817440a67a40dcf41b56
SHA256: 5817d61c0f6cf854c010f1db4a61683373605a8addc11f96d65bad891978855f
SHA512: 50cb8dfb85a5ab19e6596036df1cf367bad92ecc56e5fbea07f87b11a153c9a058d2ffef84a5e70c149de8b0d11078cfdb0244acc7c3a5ccd5c0224fd89794b6

Filesize: 273KB
MD5: 6878e18d54ad7599d01e56514c3452c5
SHA1: 29e01d6cb27882f7c241fe853847280065a4d74e
SHA256: e547c04028ff938664acaaab0569d6ffc13546a88d5070a58c0c11b656f213b2
SHA512: 1e9f1060373c869009f381430dca752147303e394df0318e9a5ccd66bd8ab94d9afd1d6dc3280cb01629476b9148f36d2e11e65ce54ee9433db103d3e83f07a8

Filesize: 317KB
MD5: 39de4b16741b8121cd4ab43867d41365
SHA1: ab9bb8b961c7a2944857c18daeef3bc38929975f
SHA256: 955866bdf0f77778e5b1179dee9a0332c1989dc6c461b53ac90c23990b45efc7
SHA512: 517be18595081f4354e8fc77122af0acd264577ac3ec7c269ab62aa7952ff55565501d08873971cd9ee9baf56131152c6a17e5282931920dc26d928c21b6af5d