7d4625fb4967ad1cee8e77f6399e8d7e5d6aa59ab53eb4962e5d1c5e2146536c

General

Target

454499b625f272d351c7981f7dd5006e.exe
Size

365KB
MD5

454499b625f272d351c7981f7dd5006e
SHA1

26d0318265fbec929494abe069649b9c770a4738
SHA256

7d4625fb4967ad1cee8e77f6399e8d7e5d6aa59ab53eb4962e5d1c5e2146536c
SHA512

e9f766a537d8664acc6e4baed7efdeb05aca0d44ab260b2577085d2d4a408cba7cfae2744276a07d3c5186fb8d4b04cab127a04e74e69bf7b58de59b1580a495
SSDEEP

6144:Gnq+bIZrZL+TnqRTMdDVJJ8pnXunpWH3rF2dWVOfis9yMdnWFJ0htBuNhRI:x+IZQrqRAdD+pXunQ7F2djdIJ0ht6k

Score

10^/10

evasion trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	454499b625f272d351c7981f7dd5006e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	454499b625f272d351c7981f7dd5006e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	454499b625f272d351c7981f7dd5006e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	454499b625f272d351c7981f7dd5006e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	454499b625f272d351c7981f7dd5006e.exe

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
2312	043A6AEB00014973000C4779B4EB2331.exe

Loads dropped DLL 2 IoCs

pid	Process
2644	454499b625f272d351c7981f7dd5006e.exe
2644	454499b625f272d351c7981f7dd5006e.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc	454499b625f272d351c7981f7dd5006e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	454499b625f272d351c7981f7dd5006e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	454499b625f272d351c7981f7dd5006e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	454499b625f272d351c7981f7dd5006e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	454499b625f272d351c7981f7dd5006e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	454499b625f272d351c7981f7dd5006e.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc	454499b625f272d351c7981f7dd5006e.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2644	454499b625f272d351c7981f7dd5006e.exe
2644	454499b625f272d351c7981f7dd5006e.exe
2644	454499b625f272d351c7981f7dd5006e.exe
2644	454499b625f272d351c7981f7dd5006e.exe
2644	454499b625f272d351c7981f7dd5006e.exe
2644	454499b625f272d351c7981f7dd5006e.exe
2644	454499b625f272d351c7981f7dd5006e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2312	2644	454499b625f272d351c7981f7dd5006e.exe	28
PID 2644 wrote to memory of 2312	2644	454499b625f272d351c7981f7dd5006e.exe	28
PID 2644 wrote to memory of 2312	2644	454499b625f272d351c7981f7dd5006e.exe	28
PID 2644 wrote to memory of 2312	2644	454499b625f272d351c7981f7dd5006e.exe	28

C:\Users\Admin\AppData\Local\Temp\454499b625f272d351c7981f7dd5006e.exe
"C:\Users\Admin\AppData\Local\Temp\454499b625f272d351c7981f7dd5006e.exe"
1⤵
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2644
- C:\ProgramData\043A6AEB00014973000C4779B4EB2331\043A6AEB00014973000C4779B4EB2331.exe
  "C:\ProgramData\043A6AEB00014973000C4779B4EB2331\043A6AEB00014973000C4779B4EB2331.exe" "C:\Users\Admin\AppData\Local\Temp\454499b625f272d351c7981f7dd5006e.exe"
  2⤵
  - Executes dropped EXE
  PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\043A6AEB00014973000C4779B4EB2331\043A6AEB00014973000C4779B4EB2331.exe

Filesize
365KB

MD5
454499b625f272d351c7981f7dd5006e

SHA1
26d0318265fbec929494abe069649b9c770a4738

SHA256
7d4625fb4967ad1cee8e77f6399e8d7e5d6aa59ab53eb4962e5d1c5e2146536c

SHA512
e9f766a537d8664acc6e4baed7efdeb05aca0d44ab260b2577085d2d4a408cba7cfae2744276a07d3c5186fb8d4b04cab127a04e74e69bf7b58de59b1580a495

Download Submit
memory/2312-23-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2312-18-0x0000000000410000-0x000000000052D000-memory.dmp

Filesize
1.1MB

Download
memory/2312-16-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2644-4-0x0000000000410000-0x000000000052D000-memory.dmp

Filesize
1.1MB

Download
memory/2644-6-0x0000000000410000-0x000000000052D000-memory.dmp

Filesize
1.1MB

Download
memory/2644-7-0x0000000000350000-0x0000000000352000-memory.dmp

Filesize
8KB

Download
memory/2644-5-0x0000000000410000-0x000000000052D000-memory.dmp

Filesize
1.1MB

Download
memory/2644-0-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/2644-2-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2644-21-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/2644-22-0x0000000000410000-0x000000000052D000-memory.dmp

Filesize
1.1MB

Download
memory/2644-1-0x0000000000410000-0x000000000052D000-memory.dmp

Filesize
1.1MB

Download
memory/2644-31-0x0000000000410000-0x000000000052D000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads