Analysis

max time kernel: 95s
max time network: 149s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25-12-2023 03:05

Static task: static1

Behavioral task: behavioral1
  Sample: 01c7ca4ab70995792e43cb4f20d4ddf4.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 01c7ca4ab70995792e43cb4f20d4ddf4.exe
  Resource: win10v2004-20231215-en
General

Target: 01c7ca4ab70995792e43cb4f20d4ddf4.exe
Size: 548KB
MD5: 01c7ca4ab70995792e43cb4f20d4ddf4
SHA1: 89037d85f04758ebedb74359328d4c8a0ad5d2fa
SHA256: 37ce29c2466a9917cab2ff19e73924f82f312fc384b5c30dc625962c05ef654b
SHA512: a12d3648730c0a0f10d10e2f5b410cb08b4d3f48f15de8d38e669f86c5cc0963f8322e730558e02b62c093789456cf226f633ffb159821ffa701e99d33ab679d
SSDEEP: 12288:lR7y2rbrqKkrkfstjLBGoWvfoz17x3XkCn:f9W3ustBGo6foz17Rzn
Malware Config
Signatures

All registry IoCs below were written by 01c7ca4ab70995792e43cb4f20d4ddf4.exe (PID 2188). Each row is description, IoC, process.

UAC bypass (1 IoC)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [01c7ca4ab70995792e43cb4f20d4ddf4.exe]

Windows security bypass (5 IoCs)
Disables taskbar notifications via registry modification.
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" [01c7ca4ab70995792e43cb4f20d4ddf4.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" [01c7ca4ab70995792e43cb4f20d4ddf4.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" [01c7ca4ab70995792e43cb4f20d4ddf4.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" [01c7ca4ab70995792e43cb4f20d4ddf4.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" [01c7ca4ab70995792e43cb4f20d4ddf4.exe]

Windows security modification (8 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" [01c7ca4ab70995792e43cb4f20d4ddf4.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" [01c7ca4ab70995792e43cb4f20d4ddf4.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" [01c7ca4ab70995792e43cb4f20d4ddf4.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" [01c7ca4ab70995792e43cb4f20d4ddf4.exe]
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc [01c7ca4ab70995792e43cb4f20d4ddf4.exe]
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc [01c7ca4ab70995792e43cb4f20d4ddf4.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1" [01c7ca4ab70995792e43cb4f20d4ddf4.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" [01c7ca4ab70995792e43cb4f20d4ddf4.exe]

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\0114605E404E9D3F000001145F4EA200 = "C:\\ProgramData\\0114605E404E9D3F000001145F4EA200\\0114605E404E9D3F000001145F4EA200.exe" [01c7ca4ab70995792e43cb4f20d4ddf4.exe]

Checks whether UAC is enabled (1 IoC)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [01c7ca4ab70995792e43cb4f20d4ddf4.exe]

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid 2188, 01c7ca4ab70995792e43cb4f20d4ddf4.exe (all 64 IoCs are from this one process)

Suspicious use of FindShellTrayWindow (2 IoCs)
- pid 2188, 01c7ca4ab70995792e43cb4f20d4ddf4.exe (both IoCs)

Suspicious use of SendNotifyMessage (2 IoCs)
- pid 2188, 01c7ca4ab70995792e43cb4f20d4ddf4.exe (both IoCs)

Suspicious use of SetWindowsHookEx (2 IoCs)
- pid 2188, 01c7ca4ab70995792e43cb4f20d4ddf4.exe (both IoCs)

System policy modification (1 TTP, 2 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [01c7ca4ab70995792e43cb4f20d4ddf4.exe]
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System [01c7ca4ab70995792e43cb4f20d4ddf4.exe]
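As an added example (not part of the sandbox report and not the sandbox's own code), the script below parses the flattened registry IoC lines from the Signatures section into structured events, normalises the native NT paths (dropping the per-user SID and the Wow6432Node redirection so 32-bit and 64-bit writes to the same key compare equal), and matches them against a watchlist built from the keys this sample touches. The watchlist, the rule labels (which reuse the report's signature names, with the report's two overlapping Security Center signatures collapsed onto one rule per key), and the user-writable-directory heuristic are the example's own; ATT&CK IDs appear only for the two techniques the report itself maps. The sample input is the report's IoC lines with duplicates removed.

```python
import re

SET_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<path>.+) (?P<proc>\S+)$')
SID_RE = re.compile(r'^HKU\\S-1-5-\d+(?:-\d+)+\\')

# Constructed sample: the distinct registry IoC lines from the report above, in the flattened
# 'Set value (type) <path> = "<data>" <process>' / 'Key created <path> <process>' form.
SAMPLE_IOCS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 01c7ca4ab70995792e43cb4f20d4ddf4.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 01c7ca4ab70995792e43cb4f20d4ddf4.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 01c7ca4ab70995792e43cb4f20d4ddf4.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 01c7ca4ab70995792e43cb4f20d4ddf4.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 01c7ca4ab70995792e43cb4f20d4ddf4.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 01c7ca4ab70995792e43cb4f20d4ddf4.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc 01c7ca4ab70995792e43cb4f20d4ddf4.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1" 01c7ca4ab70995792e43cb4f20d4ddf4.exe
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\0114605E404E9D3F000001145F4EA200 = "C:\\ProgramData\\0114605E404E9D3F000001145F4EA200\\0114605E404E9D3F000001145F4EA200.exe" 01c7ca4ab70995792e43cb4f20d4ddf4.exe
'''

# Watchlist (example's own). Labels follow the report's signature names; ATT&CK IDs are given
# only where the report maps the technique. 'values' maps a value name to the data that indicates
# tampering; None means any value written under the key counts (Run/RunOnce).
WATCHLIST = [
    {'key': r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
     'values': {'EnableLUA': '0'},
     'signature': 'UAC bypass', 'attack': 'T1548.002 Bypass User Account Control'},
    {'key': r'HKLM\SOFTWARE\Microsoft\Security Center',
     'values': {n: '1' for n in ('AntiVirusDisableNotify', 'AntiVirusOverride',
                                 'FirewallDisableNotify', 'FirewallOverride',
                                 'UpdatesDisableNotify')},
     'signature': 'Windows security bypass', 'attack': None},
    {'key': r'HKLM\SOFTWARE\Microsoft\Windows Defender',
     'values': {'DisableAntiSpyware': '1'},
     'signature': 'Windows security modification', 'attack': None},
] + [
    {'key': '{}\\Software\\Microsoft\\Windows\\CurrentVersion\\{}'.format(hive, sub),
     'values': None, 'signature': 'Adds Run key to start application',
     'attack': 'T1547.001 Registry Run Keys / Startup Folder'}
    for hive in ('HKLM', 'HKU') for sub in ('Run', 'RunOnce')
]

USER_WRITABLE = ('c:\\programdata\\', '\\appdata\\', 'c:\\users\\public\\')


def canonical(path):
    """Map the sandbox's native NT path onto HKLM/HKU form, dropping the per-user SID and the
    Wow6432Node redirection so 32-bit and 64-bit writes to the same key compare equal."""
    p = path.replace('\\REGISTRY\\MACHINE\\', 'HKLM\\', 1).replace('\\REGISTRY\\USER\\', 'HKU\\', 1)
    p = SID_RE.sub(lambda m: 'HKU\\', p)
    return re.sub(r'Wow6432Node\\', '', p, flags=re.IGNORECASE)


def parse_ioc(line):
    """One flattened report line -> event dict, or None for lines that are not registry IoCs."""
    m = SET_RE.match(line)
    if m:
        # The report escapes backslashes inside string data ("C:\\ProgramData\\..."); undo that.
        return {'op': 'set', 'type': m['type'], 'path': canonical(m['path']),
                'data': m['data'].replace('\\\\', '\\'), 'proc': m['proc']}
    m = KEY_RE.match(line)
    if m:
        return {'op': 'create', 'path': canonical(m['path']), 'proc': m['proc']}
    return None


def classify(event):
    """Return the watchlist rule an event matches, or None."""
    key, _, name = event['path'].rpartition('\\')   # parent key and value (or subkey) name
    for rule in WATCHLIST:
        if key.lower() != rule['key'].lower():
            continue
        if event['op'] == 'create' or rule['values'] is None:
            return rule                                # new subkey, or any write under Run/RunOnce
        expected = next((v for k, v in rule['values'].items() if k.lower() == name.lower()), None)
        if expected is not None and event['data'] == expected:
            return rule
    return None


def analyze(report_text):
    """Parse every IoC line in the text and return the list of watchlist hits."""
    findings = []
    for line in report_text.splitlines():
        event = parse_ioc(line.strip())
        rule = classify(event) if event else None
        if rule is None:
            continue
        hit = {'signature': rule['signature'], 'attack': rule['attack'],
               'path': event['path'], 'proc': event['proc']}
        if event['op'] == 'set':
            hit['data'] = event['data']
            # Added heuristic: an autostart entry pointing into a user-writable directory is a
            # stronger persistence indicator than the Run/RunOnce write alone.
            if rule['values'] is None and any(t in event['data'].lower() for t in USER_WRITABLE):
                hit['note'] = 'autostart target in user-writable directory'
        findings.append(hit)
    return findings


def summarize(findings):
    """Count hits per signature name."""
    counts = {}
    for hit in findings:
        counts[hit['signature']] = counts.get(hit['signature'], 0) + 1
    return counts


if __name__ == '__main__':
    hits = analyze(SAMPLE_IOCS)
    for h in hits:
        print(f"{h['signature']:<34} {h['path']} = {h.get('data', '<key created>')} {h.get('note', '')}")
    print(summarize(hits))
```

Because the watchlist keys are expressed without Wow6432Node and without a SID, the same rules fire whether the sample is a 32-bit binary on x64 (as here, where the Security Center writes land under Wow6432Node) or a native 64-bit one, and whether the Run key is written under the user hive or HKLM.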
Processes

C:\Users\Admin\AppData\Local\Temp\01c7ca4ab70995792e43cb4f20d4ddf4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\01c7ca4ab70995792e43cb4f20d4ddf4.exe"
  PID: 2188
  Signatures:
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - System policy modification
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)