Analysis
- max time kernel: 150s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25/12/2023, 16:04
Static task: static1
Behavioral task: behavioral1
- Sample: 2ba5dac82373e08ca0a91d328cdd0a30.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 2ba5dac82373e08ca0a91d328cdd0a30.exe
- Resource: win10v2004-20231215-en
General
- Target: 2ba5dac82373e08ca0a91d328cdd0a30.exe
- Size: 456KB
- MD5: 2ba5dac82373e08ca0a91d328cdd0a30
- SHA1: 9d294241f0ef398f454262d07037591e4fb871d9
- SHA256: 00727d631a6474c7051cf5ddc13a8c7c079a0d547c0af99c40e117bc4e277987
- SHA512: 816a0feac3649d8cef29814cfeb7663a7bed631cb2ffcdad4f0b86cde89d05d2e7e8650b9a95b0e288958c402e9e0755f1850c8abd4cb44ef2c5e0ad0d26c8c6
- SSDEEP: 12288:sst3P2j5+5ZeObQWgxeT0uaSa8QZ7p5y:Jt3PE5gZebWfYujE7p
Malware Config
Signatures
UAC bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (2ba5dac82373e08ca0a91d328cdd0a30.exe)

Windows security bypass
Disables taskbar notifications via registry modification
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (2ba5dac82373e08ca0a91d328cdd0a30.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (2ba5dac82373e08ca0a91d328cdd0a30.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (2ba5dac82373e08ca0a91d328cdd0a30.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (2ba5dac82373e08ca0a91d328cdd0a30.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (2ba5dac82373e08ca0a91d328cdd0a30.exe)

Windows security modification
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (2ba5dac82373e08ca0a91d328cdd0a30.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (2ba5dac82373e08ca0a91d328cdd0a30.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (2ba5dac82373e08ca0a91d328cdd0a30.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (2ba5dac82373e08ca0a91d328cdd0a30.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (2ba5dac82373e08ca0a91d328cdd0a30.exe)
- Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc (2ba5dac82373e08ca0a91d328cdd0a30.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc (2ba5dac82373e08ca0a91d328cdd0a30.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1" (2ba5dac82373e08ca0a91d328cdd0a30.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\A2DBCF470045EF491525E26CF875EF60 = "C:\\ProgramData\\A2DBCF470045EF491525E26CF875EF60\\A2DBCF470045EF491525E26CF875EF60.exe" (2ba5dac82373e08ca0a91d328cdd0a30.exe)

Checks whether UAC is enabled
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (2ba5dac82373e08ca0a91d328cdd0a30.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid 2096, 2ba5dac82373e08ca0a91d328cdd0a30.exe (all 64 entries name the same pid and process)

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, pid 2096, 2ba5dac82373e08ca0a91d328cdd0a30.exe

Suspicious use of FindShellTrayWindow (5 IoCs)
- pid 2096, 2ba5dac82373e08ca0a91d328cdd0a30.exe (5 entries, same pid and process)

Suspicious use of SendNotifyMessage (5 IoCs)
- pid 2096, 2ba5dac82373e08ca0a91d328cdd0a30.exe (5 entries, same pid and process)

Suspicious use of SetWindowsHookEx (2 IoCs)
- pid 2096, 2ba5dac82373e08ca0a91d328cdd0a30.exe (2 entries, same pid and process)

System policy modification (1 TTP, 2 IoCs)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (2ba5dac82373e08ca0a91d328cdd0a30.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (2ba5dac82373e08ca0a91d328cdd0a30.exe)

The four signature names that the extraction dropped above (UAC bypass, Windows security bypass, Windows security modification, Checks whether UAC is enabled) are taken from the signature list attached to PID 2096 in the Processes section below, which lists them in the same order.
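Every signature above boils down to a single registry write, so the report maps directly onto host detection logic. The Python below is an added example, not code from the tria.ge report or from the sample: it takes Sysmon Event ID 13 (registry value set) records, constructed here from the IOCs listed above plus two events that must not fire, normalises the native \REGISTRY\MACHINE and Wow6432Node spellings so one rule covers the 32-bit and 64-bit registry views, and tags each event with the signature name the report uses. The RegEvent type, the rule set and the sample events are assumptions made for the example; the Run-key rule is intentionally as narrow as this report (a per-user Run/RunOnce value pointing under ProgramData) and would need widening for real triage.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class RegEvent:
    """One Sysmon Event ID 13 (RegistryEvent: value set) record, reduced to the
    fields the rules need. Hypothetical type for this example, not a Sysmon API."""
    pid: int
    image: str
    target: str   # TargetObject: full key path ending in the value name
    details: str  # Details: value data as Sysmon renders it, e.g. "DWORD (0x00000000)"


def normalize(path: str) -> str:
    """Map the native \\REGISTRY\\MACHINE / \\REGISTRY\\USER prefixes (as tria.ge
    prints them) onto Sysmon's HKLM / HKU form and drop the WOW64 redirection
    node, so one rule matches both the 32-bit and the 64-bit registry view."""
    p = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", path, flags=re.I)
    p = re.sub(r"^\\REGISTRY\\USER", "HKU", p, flags=re.I)
    return re.sub(r"\\Wow6432Node(?=\\)", "", p, flags=re.I)


def dword(details: str):
    """Parse Sysmon's DWORD rendering; None for strings and other types."""
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details)
    return int(m.group(1), 16) if m else None


# (signature name as in the report, value-path pattern, predicate on the data).
# Checking the data matters: EnableLUA = 1 or *Override = 0 is remediation, not attack.
RULES = [
    ("UAC bypass",
     re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$", re.I),
     lambda d: dword(d) == 0),
    ("Windows security bypass",
     re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Security Center\\"
                r"((AntiVirus|Firewall)(DisableNotify|Override)|UpdatesDisableNotify)$", re.I),
     lambda d: dword(d) == 1),
    ("Windows security modification",
     re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\DisableAntiSpyware$", re.I),
     lambda d: dword(d) == 1),
    # Deliberately narrow, mirroring this report: a per-user Run/RunOnce value whose
    # target lives under ProgramData. Real triage would also cover AppData, Temp, etc.
    ("Adds Run key to start application",
     re.compile(r"^HKU\\S-1-5-21-[\d-]+\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I),
     lambda d: re.search(r"\\ProgramData\\", d, re.I) is not None),
]


def match(events):
    """Return (signature, pid, image, normalized target) for every rule hit."""
    hits = []
    for ev in events:
        target = normalize(ev.target)
        for name, pattern, data_ok in RULES:
            if pattern.search(target) and data_ok(ev.details):
                hits.append((name, ev.pid, ev.image, target))
    return hits


def summarize(events):
    """Signature name -> number of matching events, like the IoC counts in the report."""
    return Counter(name for name, *_ in match(events))


# Constructed sample events: the writes from this report (PID 2096) plus two that must
# not fire (an installer re-enabling UAC; an ordinary per-user Run entry under AppData).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2ba5dac82373e08ca0a91d328cdd0a30.exe"
SID = "S-1-5-21-1603059206-2004189698-4139800220-1000"
SC = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center"
RUNONCE = "\\REGISTRY\\USER\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce"
SAMPLE_EVENTS = [
    RegEvent(2096, SAMPLE, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
             "DWORD (0x00000000)"),
    *[RegEvent(2096, SAMPLE, SC + "\\" + v, "DWORD (0x00000001)") for v in
      ("FirewallDisableNotify", "FirewallOverride", "UpdatesDisableNotify",
       "AntiVirusDisableNotify", "AntiVirusOverride")],
    RegEvent(2096, SAMPLE, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\DisableAntiSpyware",
             "DWORD (0x00000001)"),
    RegEvent(2096, SAMPLE, RUNONCE + r"\A2DBCF470045EF491525E26CF875EF60",
             r"C:\ProgramData\A2DBCF470045EF491525E26CF875EF60\A2DBCF470045EF491525E26CF875EF60.exe"),
    RegEvent(4120, r"C:\Windows\System32\msiexec.exe",
             r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "DWORD (0x00000001)"),
    RegEvent(5512, r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
             "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
             r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]

if __name__ == "__main__":
    for sig, pid, image, target in match(SAMPLE_EVENTS):
        print(f"{sig:36} pid={pid} {target}")
    print(dict(summarize(SAMPLE_EVENTS)))
```

Two caveats when reading these hits. Writing EnableLUA under HKLM already requires an elevated token (the sandbox runs the sample as the Admin user), so the "UAC bypass" signature records the sample switching UAC off for future elevations, effective from the next logon, rather than evading a prompt for itself. The Security Center *DisableNotify and *Override values only silence the Action Center warnings and leave the firewall and AV engines running; DisableAntiSpyware is the one value here aimed at an engine, and Microsoft has since deprecated it, so current Defender builds on Windows 10 ignore it.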
Processes
- C:\Users\Admin\AppData\Local\Temp\2ba5dac82373e08ca0a91d328cdd0a30.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2ba5dac82373e08ca0a91d328cdd0a30.exe"
  PID: 2096
  Signatures:
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - System policy modification
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (T1548), 1: Bypass User Account Control (T1548.002), 1
- Boot or Logon Autostart Execution (T1547), 1: Registry Run Keys / Startup Folder (T1547.001), 1