Analysis
max time kernel: 150s
max time network: 130s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26/12/2023, 08:19
Static task: static1
Behavioral task: behavioral1
  Sample: 5f4dc5388fd0035a21e3ea45d8c6177b.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 5f4dc5388fd0035a21e3ea45d8c6177b.exe
  Resource: win10v2004-20231215-en
General
Target: 5f4dc5388fd0035a21e3ea45d8c6177b.exe
Size: 344KB
MD5: 5f4dc5388fd0035a21e3ea45d8c6177b
SHA1: 378829e231c21279b991936ef0fbcbac1717286e
SHA256: 05ece3bd687b8afa7bf5520c1f4fc3596afac4f6e28ff4c543de43cfc0dd5491
SHA512: 53a5ac5c3e5bacd64b171c5873025c6adb77beb72f3cf4de746fb10cfcbd6bc18e26d3aba7062677872c7e83f1b34bbdf31023d1d953c9647bc01c18414beafb
SSDEEP: 6144:DkN64D98eXK6uAQ8E5L5j+2RqrXBzRMx6xFQJTH:DkN6if8iXBtMx6nG
Malware Config
Signatures
UAC bypass
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 043A6AEB00014973000A814AB4EB2331.exe

Windows security bypass
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 043A6AEB00014973000A814AB4EB2331.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 043A6AEB00014973000A814AB4EB2331.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 043A6AEB00014973000A814AB4EB2331.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 043A6AEB00014973000A814AB4EB2331.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 043A6AEB00014973000A814AB4EB2331.exe
Disables taskbar notifications via registry modification

Deletes itself 1 IoCs
pid | Process
- 2416 | 043A6AEB00014973000A814AB4EB2331.exe

Executes dropped EXE 1 IoCs
pid | Process
- 2416 | 043A6AEB00014973000A814AB4EB2331.exe

Loads dropped DLL 2 IoCs
pid | Process
- 2160 | 5f4dc5388fd0035a21e3ea45d8c6177b.exe
- 2160 | 5f4dc5388fd0035a21e3ea45d8c6177b.exe
Windows security modification
description | ioc | Process
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc | 043A6AEB00014973000A814AB4EB2331.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc | 043A6AEB00014973000A814AB4EB2331.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 043A6AEB00014973000A814AB4EB2331.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 043A6AEB00014973000A814AB4EB2331.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 043A6AEB00014973000A814AB4EB2331.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 043A6AEB00014973000A814AB4EB2331.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 043A6AEB00014973000A814AB4EB2331.exe

Checks whether UAC is enabled
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 043A6AEB00014973000A814AB4EB2331.exe
Modifies registry class 22 IoCs
description | ioc | Process
- Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\043A6 | 043A6AEB00014973000A814AB4EB2331.exe
- Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\043A6\shell\open\command | 043A6AEB00014973000A814AB4EB2331.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\043A6\shell\open\command\IsolatedCommand = "\"%1\" %*" | 043A6AEB00014973000A814AB4EB2331.exe
- Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\043A6\shell\start\command | 043A6AEB00014973000A814AB4EB2331.exe
- Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\043A6\shell\runas | 043A6AEB00014973000A814AB4EB2331.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\043A6\shell\runas\command\ = "\"%1\" %*" | 043A6AEB00014973000A814AB4EB2331.exe
- Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\043A6\shell\runas\command | 043A6AEB00014973000A814AB4EB2331.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\043A6\shell\runas\command\IsolatedCommand = "\"%1\" %*" | 043A6AEB00014973000A814AB4EB2331.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\043A6\ = "Application" | 043A6AEB00014973000A814AB4EB2331.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\043A6\Content Type = "application/x-msdownload" | 043A6AEB00014973000A814AB4EB2331.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\043A6\DefaultIcon\ = "%1" | 043A6AEB00014973000A814AB4EB2331.exe
- Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\043A6\shell | 043A6AEB00014973000A814AB4EB2331.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\043A6\shell\start\command\ = "\"%1\" %*" | 043A6AEB00014973000A814AB4EB2331.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\043A6\shell\start\command\IsolatedCommand = "\"%1\" %*" | 043A6AEB00014973000A814AB4EB2331.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.exe\ = "043A6" | 043A6AEB00014973000A814AB4EB2331.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\%s\ = "043A6" | 043A6AEB00014973000A814AB4EB2331.exe
- Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\043A6\DefaultIcon | 043A6AEB00014973000A814AB4EB2331.exe
- Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\043A6\shell\open | 043A6AEB00014973000A814AB4EB2331.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\043A6\shell\open\command\ = "\"C:\\ProgramData\\043A6AEB00014973000A814AB4EB2331\\043A6AEB00014973000A814AB4EB2331.exe\" -s \"%1\" %*" | 043A6AEB00014973000A814AB4EB2331.exe
- Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\043A6\shell\start | 043A6AEB00014973000A814AB4EB2331.exe
- Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.exe | 043A6AEB00014973000A814AB4EB2331.exe
- Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\%s | 043A6AEB00014973000A814AB4EB2331.exe
Modifies system certificate store
description | ioc | Process
- Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\DSL\CTLs | 5f4dc5388fd0035a21e3ea45d8c6177b.exe
- Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\DSL | 043A6AEB00014973000A814AB4EB2331.exe
- Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\DSL\Certificates | 043A6AEB00014973000A814AB4EB2331.exe
- Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\DSL\CRLs | 043A6AEB00014973000A814AB4EB2331.exe
- Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\DSL\CTLs | 043A6AEB00014973000A814AB4EB2331.exe
- Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\DSL | 5f4dc5388fd0035a21e3ea45d8c6177b.exe
- Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\DSL\Certificates | 5f4dc5388fd0035a21e3ea45d8c6177b.exe
- Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\SystemCertificates\DSL\CRLs | 5f4dc5388fd0035a21e3ea45d8c6177b.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
- 2160 | 5f4dc5388fd0035a21e3ea45d8c6177b.exe (1 entry)
- 2416 | 043A6AEB00014973000A814AB4EB2331.exe (repeated for the remaining 63 entries, per the 64-IoC count)
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
- 2416 | 043A6AEB00014973000A814AB4EB2331.exe
- 2416 | 043A6AEB00014973000A814AB4EB2331.exe

Suspicious use of SendNotifyMessage 2 IoCs
pid | Process
- 2416 | 043A6AEB00014973000A814AB4EB2331.exe
- 2416 | 043A6AEB00014973000A814AB4EB2331.exe

Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
- 2416 | 043A6AEB00014973000A814AB4EB2331.exe
- 2416 | 043A6AEB00014973000A814AB4EB2331.exe

Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
- PID 2160 wrote to memory of 2416 | 2160 | 5f4dc5388fd0035a21e3ea45d8c6177b.exe | 28
- PID 2160 wrote to memory of 2416 | 2160 | 5f4dc5388fd0035a21e3ea45d8c6177b.exe | 28
- PID 2160 wrote to memory of 2416 | 2160 | 5f4dc5388fd0035a21e3ea45d8c6177b.exe | 28
- PID 2160 wrote to memory of 2416 | 2160 | 5f4dc5388fd0035a21e3ea45d8c6177b.exe | 28

System policy modification 1 TTPs 1 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 043A6AEB00014973000A814AB4EB2331.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\5f4dc5388fd0035a21e3ea45d8c6177b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5f4dc5388fd0035a21e3ea45d8c6177b.exe"
   PID: 2160
   - Loads dropped DLL
   - Modifies system certificate store
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\ProgramData\043A6AEB00014973000A814AB4EB2331\043A6AEB00014973000A814AB4EB2331.exe (child of PID 2160)
      Command line: "C:\ProgramData\043A6AEB00014973000A814AB4EB2331\043A6AEB00014973000A814AB4EB2331.exe" -d "C:\Users\Admin\AppData\Local\Temp\5f4dc5388fd0035a21e3ea45d8c6177b.exe"
      PID: 2416
      - UAC bypass
      - Windows security bypass
      - Deletes itself
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Modifies registry class
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - System policy modification
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
Downloads
Filesize: 328B
MD5: 3d783d097e2204b6f42e941968c59d03
SHA1: e8322654d786397860fca1e07bc7bb900ee15301
SHA256: ba1fe581032433f3c62f498e3107a5826771f1b848945d79259968ac324feb0b
SHA512: fe53a4cb932378c4cc6ce11241eeafc715b113d459d8218851cdaa13e6ed104024dc85d50e4097bd73ddb335ad52e8a11e184f52ec3e7a47ef34619523629f4e

Filesize: 344KB
MD5: 5f4dc5388fd0035a21e3ea45d8c6177b
SHA1: 378829e231c21279b991936ef0fbcbac1717286e
SHA256: 05ece3bd687b8afa7bf5520c1f4fc3596afac4f6e28ff4c543de43cfc0dd5491
SHA512: 53a5ac5c3e5bacd64b171c5873025c6adb77beb72f3cf4de746fb10cfcbd6bc18e26d3aba7062677872c7e83f1b34bbdf31023d1d953c9647bc01c18414beafb