Analysis

  • max time kernel
    141s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    22/12/2023, 08:54

General

  • Target

    7f22451fdb349cf64713c504551fa5d8.exe

  • Size

    2.1MB

  • MD5

    7f22451fdb349cf64713c504551fa5d8

  • SHA1

    d554b2f29a8ab15a0b2a4b0803e9b913fb8562b0

  • SHA256

    4eeeb09b82ac8340354fcb7b58f1845adff3d47e4f370e612cb1de7951362aef

  • SHA512

    ee98e077777f9892bbf11cdf04cb9a782f3e00b30a56533ae009150d830175f8b1a090b661b01567d96e53088b7d195d452ff524c3be7211f834774434629e62

  • SSDEEP

    49152:C4U5PfQMSJAwQF/UVic/Rg/EyMUO0zsxNhaO7hRN4vbz8Vapvtt:05PdqAwc/XYRg/ERUO0IPFRN4vXi4tt

Malware Config

Signatures

  • Contains code to disable Windows Defender 4 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f22451fdb349cf64713c504551fa5d8.exe
    "C:\Users\Admin\AppData\Local\Temp\7f22451fdb349cf64713c504551fa5d8.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2544
    • C:\Users\Admin\AppData\Local\Temp\BGtEXjsyJ0.exe
      "C:\Users\Admin\AppData\Local\Temp\BGtEXjsyJ0.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:856

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\BGtEXjsyJ0.exe

          Filesize

          276KB

          MD5

          7065d6cee16f88c07edba65d0646c78e

          SHA1

          bdf4a1b44bfa8cbd77a2817440a67a40dcf41b56

          SHA256

          5817d61c0f6cf854c010f1db4a61683373605a8addc11f96d65bad891978855f

          SHA512

          50cb8dfb85a5ab19e6596036df1cf367bad92ecc56e5fbea07f87b11a153c9a058d2ffef84a5e70c149de8b0d11078cfdb0244acc7c3a5ccd5c0224fd89794b6

        • C:\Users\Admin\AppData\Local\Temp\BGtEXjsyJ0.exe

          Filesize

          273KB

          MD5

          6878e18d54ad7599d01e56514c3452c5

          SHA1

          29e01d6cb27882f7c241fe853847280065a4d74e

          SHA256

          e547c04028ff938664acaaab0569d6ffc13546a88d5070a58c0c11b656f213b2

          SHA512

          1e9f1060373c869009f381430dca752147303e394df0318e9a5ccd66bd8ab94d9afd1d6dc3280cb01629476b9148f36d2e11e65ce54ee9433db103d3e83f07a8

        • \Users\Admin\AppData\Local\Temp\BGtEXjsyJ0.exe

          Filesize

          317KB

          MD5

          39de4b16741b8121cd4ab43867d41365

          SHA1

          ab9bb8b961c7a2944857c18daeef3bc38929975f

          SHA256

          955866bdf0f77778e5b1179dee9a0332c1989dc6c461b53ac90c23990b45efc7

          SHA512

          517be18595081f4354e8fc77122af0acd264577ac3ec7c269ab62aa7952ff55565501d08873971cd9ee9baf56131152c6a17e5282931920dc26d928c21b6af5d

        • memory/856-13-0x0000000004A30000-0x0000000004A70000-memory.dmp

          Filesize

          256KB

        • memory/856-12-0x0000000073F40000-0x000000007462E000-memory.dmp

          Filesize

          6.9MB

        • memory/856-11-0x0000000000D00000-0x0000000000F7E000-memory.dmp

          Filesize

          2.5MB

        • memory/856-14-0x0000000000A80000-0x0000000000ADC000-memory.dmp

          Filesize

          368KB

        • memory/856-15-0x0000000004DB0000-0x0000000004E5A000-memory.dmp

          Filesize

          680KB

        • memory/856-16-0x0000000004A30000-0x0000000004A70000-memory.dmp

          Filesize

          256KB

        • memory/856-20-0x0000000073F40000-0x000000007462E000-memory.dmp

          Filesize

          6.9MB

        • memory/856-22-0x0000000004A30000-0x0000000004A70000-memory.dmp

          Filesize

          256KB

        • memory/856-23-0x0000000004A30000-0x0000000004A70000-memory.dmp

          Filesize

          256KB

        • memory/2544-5-0x0000000000900000-0x0000000000910000-memory.dmp

          Filesize

          64KB

        • memory/2544-0-0x0000000000400000-0x00000000007C6000-memory.dmp

          Filesize

          3.8MB

        • memory/2544-18-0x0000000000400000-0x00000000007C6000-memory.dmp

          Filesize

          3.8MB

        • memory/2544-19-0x0000000000900000-0x0000000000910000-memory.dmp

          Filesize

          64KB