5c7f39b3b3fc0498fea756be9de7877b76f70041b6dd66c0e3c569f47416fb18

Analysis

max time kernel
143s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

178ff7c97850f00c82c91bc31f6942da.exe
Size

444KB
MD5

178ff7c97850f00c82c91bc31f6942da
SHA1

332b9dd836a785b3693499c7a33de27c8f12325f
SHA256

5c7f39b3b3fc0498fea756be9de7877b76f70041b6dd66c0e3c569f47416fb18
SHA512

e339f5ddd16f62fe745961f82569848d917ee385c09c148fb946171e7f2fbb7a6d184a6b863cc1bd2293531685058300f545c52b8c4fe8ddc1d33b1de40a314a
SSDEEP

6144:n0i03+mnZ2+7lr9J+l19gxoEDV/G36iCaf770yKsah2mmyMsXsIKcrnFjxXC:nwOOjp+5g1DVI1/70yLoMKKSn7

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 10 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	043A6A5B00014973000C0C69B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	043A6A5B00014973000C0C69B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	043A6A5B00014973000C0C69B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	043A6A5B00014973000C0C69B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	178ff7c97850f00c82c91bc31f6942da.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	178ff7c97850f00c82c91bc31f6942da.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	043A6A5B00014973000C0C69B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	178ff7c97850f00c82c91bc31f6942da.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	178ff7c97850f00c82c91bc31f6942da.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	178ff7c97850f00c82c91bc31f6942da.exe

Disables taskbar notifications via registry modification
evasion

Deletes itself 1 IoCs

pid	Process
2360	043A6A5B00014973000C0C69B4EB2331.exe

Executes dropped EXE 1 IoCs

pid	Process
2360	043A6A5B00014973000C0C69B4EB2331.exe

Loads dropped DLL 2 IoCs

pid	Process
2204	178ff7c97850f00c82c91bc31f6942da.exe
2204	178ff7c97850f00c82c91bc31f6942da.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	043A6A5B00014973000C0C69B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	043A6A5B00014973000C0C69B4EB2331.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc	178ff7c97850f00c82c91bc31f6942da.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	178ff7c97850f00c82c91bc31f6942da.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	178ff7c97850f00c82c91bc31f6942da.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	178ff7c97850f00c82c91bc31f6942da.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc	043A6A5B00014973000C0C69B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	178ff7c97850f00c82c91bc31f6942da.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	043A6A5B00014973000C0C69B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	043A6A5B00014973000C0C69B4EB2331.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc	178ff7c97850f00c82c91bc31f6942da.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	043A6A5B00014973000C0C69B4EB2331.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc	043A6A5B00014973000C0C69B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	178ff7c97850f00c82c91bc31f6942da.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\043A6A5B00014973000C0C69B4EB2331 = "C:\\ProgramData\\043A6A5B00014973000C0C69B4EB2331\\043A6A5B00014973000C0C69B4EB2331.exe"	043A6A5B00014973000C0C69B4EB2331.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2204	178ff7c97850f00c82c91bc31f6942da.exe
2204	178ff7c97850f00c82c91bc31f6942da.exe
2204	178ff7c97850f00c82c91bc31f6942da.exe
2204	178ff7c97850f00c82c91bc31f6942da.exe
2204	178ff7c97850f00c82c91bc31f6942da.exe
2204	178ff7c97850f00c82c91bc31f6942da.exe
2204	178ff7c97850f00c82c91bc31f6942da.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2360	043A6A5B00014973000C0C69B4EB2331.exe
2360	043A6A5B00014973000C0C69B4EB2331.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2360	2204	178ff7c97850f00c82c91bc31f6942da.exe	28
PID 2204 wrote to memory of 2360	2204	178ff7c97850f00c82c91bc31f6942da.exe	28
PID 2204 wrote to memory of 2360	2204	178ff7c97850f00c82c91bc31f6942da.exe	28
PID 2204 wrote to memory of 2360	2204	178ff7c97850f00c82c91bc31f6942da.exe	28

C:\Users\Admin\AppData\Local\Temp\178ff7c97850f00c82c91bc31f6942da.exe
"C:\Users\Admin\AppData\Local\Temp\178ff7c97850f00c82c91bc31f6942da.exe"
1⤵
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2204
- C:\ProgramData\043A6A5B00014973000C0C69B4EB2331\043A6A5B00014973000C0C69B4EB2331.exe
  "C:\ProgramData\043A6A5B00014973000C0C69B4EB2331\043A6A5B00014973000C0C69B4EB2331.exe" "C:\Users\Admin\AppData\Local\Temp\178ff7c97850f00c82c91bc31f6942da.exe"
  2⤵
  - Windows security bypass
  - Deletes itself
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\043A6A5B00014973000C0C69B4EB2331\043A6A5B00014973000C0C69B4EB2331.exe

Filesize
381KB

MD5
0b3bed3e614e07082ed1096a673f6dc1

SHA1
c5df06811b53772a202932387f8df3ba7ab35abd

SHA256
4c5142c8711c9bc9c9c1e622ef6f9d2acf295ed3960fce6ab8c0e1e4f6f09a58

SHA512
df139aed4572499435b9ce55825ed83696499bdd02cf865c3f164c39ded00bb96b0e6fe622c3b3ba97abf05122c58086d8998bcb6ec0d9159ec0f7a2476913ca

Download Submit
\ProgramData\043A6A5B00014973000C0C69B4EB2331\043A6A5B00014973000C0C69B4EB2331.exe

Filesize
92KB

MD5
366c9974a776ff7f4140f330d9c5791d

SHA1
115f9b2e82136260a2465051e7952669c590792b

SHA256
be08bfd72e5dba4164c57ab30e08fd986b77624702097b278475f48ce84d9cae

SHA512
8133ada07a371fb8281994872813fd72c8f165353d4e32debb1d6dccc61cef53de38f9ea6629da378aaef7575fd561f1736a86e73cf782b0231a1acb9b57328b

Download Submit
memory/2204-17-0x0000000000410000-0x0000000000501000-memory.dmp

Filesize
964KB

Download
memory/2204-2-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2204-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2204-25-0x0000000000410000-0x0000000000501000-memory.dmp

Filesize
964KB

Download
memory/2204-1-0x0000000000410000-0x0000000000501000-memory.dmp

Filesize
964KB

Download
memory/2360-12-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/2360-18-0x0000000000410000-0x0000000000501000-memory.dmp

Filesize
964KB

Download
memory/2360-11-0x0000000000410000-0x0000000000501000-memory.dmp

Filesize
964KB

Download
memory/2360-28-0x0000000000410000-0x0000000000501000-memory.dmp

Filesize
964KB

Download
memory/2360-29-0x0000000000410000-0x0000000000501000-memory.dmp

Filesize
964KB

Download
memory/2360-34-0x0000000000410000-0x0000000000501000-memory.dmp

Filesize
964KB

Download