Analysis
max time kernel: 143s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/12/2023, 08:54
Behavioral task: behavioral1
Sample: 7f22451fdb349cf64713c504551fa5d8.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 7f22451fdb349cf64713c504551fa5d8.exe
Resource: win10v2004-20231215-en
General
Target: 7f22451fdb349cf64713c504551fa5d8.exe
Size: 2.1MB
MD5: 7f22451fdb349cf64713c504551fa5d8
SHA1: d554b2f29a8ab15a0b2a4b0803e9b913fb8562b0
SHA256: 4eeeb09b82ac8340354fcb7b58f1845adff3d47e4f370e612cb1de7951362aef
SHA512: ee98e077777f9892bbf11cdf04cb9a782f3e00b30a56533ae009150d830175f8b1a090b661b01567d96e53088b7d195d452ff524c3be7211f834774434629e62
SSDEEP: 49152:C4U5PfQMSJAwQF/UVic/Rg/EyMUO0zsxNhaO7hRN4vbz8Vapvtt:05PdqAwc/XYRg/ERUO0IPFRN4vXi4tt
Malware Config
Signatures
Contains code to disable Windows Defender (2 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource | yara_rule
behavioral2/files/0x0007000000023203-5.dat | disable_win_def
behavioral2/memory/4772-14-0x00000000005A0000-0x000000000081E000-memory.dmp | disable_win_def
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,\"C:\\Users\\Admin\\AppData\\Local\\Pic1fPBkmq\\LOHejsSdpL.exe\" -s" | 7f22451fdb349cf64713c504551fa5d8.exe

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 7f22451fdb349cf64713c504551fa5d8.exe
Downloads MZ/PE file
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation | 7f22451fdb349cf64713c504551fa5d8.exe
Executes dropped EXE (1 IoCs)
pid | Process
4772 | 8XDrnIyHFF.exe

resource | yara_rule
behavioral2/memory/3708-0-0x0000000000400000-0x00000000007C6000-memory.dmp | upx
behavioral2/memory/3708-25-0x0000000000400000-0x00000000007C6000-memory.dmp | upx

resource | yara_rule
behavioral2/files/0x0007000000023203-5.dat | vmprotect
behavioral2/memory/4772-14-0x00000000005A0000-0x000000000081E000-memory.dmp | vmprotect
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4772 | 8XDrnIyHFF.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 3708 wrote to memory of 4772 | 3708 | 7f22451fdb349cf64713c504551fa5d8.exe | 89
PID 3708 wrote to memory of 4772 | 3708 | 7f22451fdb349cf64713c504551fa5d8.exe | 89
PID 3708 wrote to memory of 4772 | 3708 | 7f22451fdb349cf64713c504551fa5d8.exe | 89
System policy modification (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 7f22451fdb349cf64713c504551fa5d8.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\7f22451fdb349cf64713c504551fa5d8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7f22451fdb349cf64713c504551fa5d8.exe"
   PID: 3708
   Signatures: Modifies WinLogon for persistence; UAC bypass; Checks computer location settings; Suspicious use of WriteProcessMemory; System policy modification

   2. C:\Users\Admin\AppData\Local\Temp\8XDrnIyHFF.exe (child of PID 3708)
      Command line: "C:\Users\Admin\AppData\Local\Temp\8XDrnIyHFF.exe"
      PID: 4772
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Winlogon Helper DLL (1)
Downloads
Filesize: 1.5MB
MD5: 1a3b165f0b90ea336b0a60deda37a114
SHA1: 544433f1d7279d84252ae0caa007eea90651844d
SHA256: 56c2d26dfa12fc48b0c5005b228bc8b4956c05809d55f8e5b7b3749d9538346c
SHA512: 0329b7e5ed9140cdde87abb2c2f3fca4737c703cd19124c92137bbd397b2d1a068bdd6bb2b43b6536b84cdf19760af7d5d863188f3963d1901f0a65967aeca9d