20e147535055fd3352d9b132302af7fd0602f0a9ab101a980b40bd91fc167e8a

Analysis

max time kernel
118s
max time network
130s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 15:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

prueba.exe
Size

32KB
MD5

12405a80873fd3356816a2d119092b20
SHA1

1a197f7072ac437b045e5c09a0367f28fa057e03
SHA256

35cde2f922dbf21b04ecd279f03a7059fc5ad36271e7fd2d2d8c24b11c3b40c4
SHA512

561fab62d9ae72356e6ac141dc3469ff428e8e18b38003a6b041029fe96c8f0282d2ef279b191f25af084e61ddcef44863465fa52011eef81e4e41269500a6f6
SSDEEP

384:r74YGqTn5LmaXL9Pv+Z2F4za5bngoHkXLvuY+eVypYDJ0sNCn:RGMcaX75cDKYQpiLU

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2236	reg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1984	prueba.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2524	1984	prueba.exe	28
PID 1984 wrote to memory of 2524	1984	prueba.exe	28
PID 1984 wrote to memory of 2524	1984	prueba.exe	28
PID 1984 wrote to memory of 2524	1984	prueba.exe	28
PID 2524 wrote to memory of 2236	2524	cmd.exe	30
PID 2524 wrote to memory of 2236	2524	cmd.exe	30
PID 2524 wrote to memory of 2236	2524	cmd.exe	30
PID 2524 wrote to memory of 2236	2524	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\prueba.exe
"C:\Users\Admin\AppData\Local\Temp\prueba.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads