Analysis
max time kernel: 145s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26-12-2023 14:48
Static task: static1
Behavioral task: behavioral1
  Sample: 76c6da251ff5517901c3543871c8502e.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 76c6da251ff5517901c3543871c8502e.exe
  Resource: win10v2004-20231215-en
General
Target: 76c6da251ff5517901c3543871c8502e.exe
Size: 396KB
MD5: 76c6da251ff5517901c3543871c8502e
SHA1: 5de99cf850716fad4072bfecd15a0de0f17deff1
SHA256: 5579ebe855d9b02826592a82d4ec627b41af3e6d43caada442b240424c4c0804
SHA512: d63cf288a2e62cb726e7c7202d0d2e2262ff9440669a0421f43e100826e69c55bc758349e23f9ddaa0efeb3d9b7f4f7fff3ca490e2286d16832037221a57fc59
SSDEEP: 6144:v4yp6NVyX7Mq28roVnDtdI1o3hwz9yD38HseQtR29Q/vCRJN:vG0rN28rohs1o3hy9sgZ
Malware Config
Signatures
Windows security bypass (10 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 76c6da251ff5517901c3543871c8502e.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 76c6da251ff5517901c3543871c8502e.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 043A6A5B00014973000C0C69B4EB2331.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 043A6A5B00014973000C0C69B4EB2331.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 76c6da251ff5517901c3543871c8502e.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 76c6da251ff5517901c3543871c8502e.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 76c6da251ff5517901c3543871c8502e.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 043A6A5B00014973000C0C69B4EB2331.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 043A6A5B00014973000C0C69B4EB2331.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 043A6A5B00014973000C0C69B4EB2331.exe
Disables taskbar notifications via registry modification
Deletes itself (1 IoC)
  pid | Process
  2324 | 043A6A5B00014973000C0C69B4EB2331.exe
Executes dropped EXE (1 IoC)
  pid | Process
  2324 | 043A6A5B00014973000C0C69B4EB2331.exe
Loads dropped DLL (2 IoCs)
  pid | Process
  2228 | 76c6da251ff5517901c3543871c8502e.exe
  2228 | 76c6da251ff5517901c3543871c8502e.exe
Windows security modification (14 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 043A6A5B00014973000C0C69B4EB2331.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 043A6A5B00014973000C0C69B4EB2331.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 76c6da251ff5517901c3543871c8502e.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 76c6da251ff5517901c3543871c8502e.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc | 76c6da251ff5517901c3543871c8502e.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc | 76c6da251ff5517901c3543871c8502e.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 76c6da251ff5517901c3543871c8502e.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 76c6da251ff5517901c3543871c8502e.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 043A6A5B00014973000C0C69B4EB2331.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc | 043A6A5B00014973000C0C69B4EB2331.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 76c6da251ff5517901c3543871c8502e.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 043A6A5B00014973000C0C69B4EB2331.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 043A6A5B00014973000C0C69B4EB2331.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc | 043A6A5B00014973000C0C69B4EB2331.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\043A6A5B00014973000C0C69B4EB2331 = "C:\\ProgramData\\043A6A5B00014973000C0C69B4EB2331\\043A6A5B00014973000C0C69B4EB2331.exe" | 043A6A5B00014973000C0C69B4EB2331.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of FindShellTrayWindow (5 IoCs)
  pid | Process
  2324 | 043A6A5B00014973000C0C69B4EB2331.exe
  2324 | 043A6A5B00014973000C0C69B4EB2331.exe
  2324 | 043A6A5B00014973000C0C69B4EB2331.exe
  2324 | 043A6A5B00014973000C0C69B4EB2331.exe
  2324 | 043A6A5B00014973000C0C69B4EB2331.exe
Suspicious use of SendNotifyMessage (5 IoCs)
  pid | Process
  2324 | 043A6A5B00014973000C0C69B4EB2331.exe
  2324 | 043A6A5B00014973000C0C69B4EB2331.exe
  2324 | 043A6A5B00014973000C0C69B4EB2331.exe
  2324 | 043A6A5B00014973000C0C69B4EB2331.exe
  2324 | 043A6A5B00014973000C0C69B4EB2331.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2324 | 043A6A5B00014973000C0C69B4EB2331.exe
  2324 | 043A6A5B00014973000C0C69B4EB2331.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2228 wrote to memory of 2324 | 2228 | 76c6da251ff5517901c3543871c8502e.exe | 14
  PID 2228 wrote to memory of 2324 | 2228 | 76c6da251ff5517901c3543871c8502e.exe | 14
  PID 2228 wrote to memory of 2324 | 2228 | 76c6da251ff5517901c3543871c8502e.exe | 14
  PID 2228 wrote to memory of 2324 | 2228 | 76c6da251ff5517901c3543871c8502e.exe | 14
Processes
- C:\ProgramData\043A6A5B00014973000C0C69B4EB2331\043A6A5B00014973000C0C69B4EB2331.exe
  Command line: "C:\ProgramData\043A6A5B00014973000C0C69B4EB2331\043A6A5B00014973000C0C69B4EB2331.exe" "C:\Users\Admin\AppData\Local\Temp\76c6da251ff5517901c3543871c8502e.exe"
  PID: 2324
  Signatures:
  - Windows security bypass
  - Deletes itself
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
- C:\Users\Admin\AppData\Local\Temp\76c6da251ff5517901c3543871c8502e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\76c6da251ff5517901c3543871c8502e.exe"
  PID: 2228
  Signatures:
  - Windows security bypass
  - Loads dropped DLL
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 96KB
  MD5: 78bf1a00e9bae3556be0dd5fb6371e62
  SHA1: d7b55f6637d68d7711d45ad859d8238a37638d84
  SHA256: d3a6f3632d00af6713bb01e93df798c7f786d77aec4e031811f787d8bbbc69c3
  SHA512: b05e1e7f8a1332f72ec322e23fa1b6d3bdfa8038e4b46fd67d82cb4db8d81d5e108c0e82b98459ca26b68f7a42db8685cfe5b8fd620298abb6be3613b0d2cd5a
- Filesize: 348KB
  MD5: e4ad5789ac15fb58841a90550f7d550a
  SHA1: a399b170d389b34329e575403c8e5397c03aeb3c
  SHA256: 07d00c799ecf0fcdeecf682fd444f347b2fb2f34afec87d6ab38f65f347d881a
  SHA512: 60e9498666c0122a3d938ee63deb7c6bab1b584eebaacf99591078fbd4a467b977a1f74e2a0ede71912cf12746c062405d2ce929938f9740e171a61b1c1fdc47
- Filesize: 396KB
  MD5: 76c6da251ff5517901c3543871c8502e
  SHA1: 5de99cf850716fad4072bfecd15a0de0f17deff1
  SHA256: 5579ebe855d9b02826592a82d4ec627b41af3e6d43caada442b240424c4c0804
  SHA512: d63cf288a2e62cb726e7c7202d0d2e2262ff9440669a0421f43e100826e69c55bc758349e23f9ddaa0efeb3d9b7f4f7fff3ca490e2286d16832037221a57fc59