f6efa6beb48f15626a65f0c40d8de9500a569d10f6955ed9f15afc9a604a3138

Analysis

max time kernel
164s
max time network
140s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/01/2024, 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4154ab977f4ffdbc41047e20d3eff94f.exe
Size

375KB
MD5

4154ab977f4ffdbc41047e20d3eff94f
SHA1

81ed0997e7b2d598c4a86b26544d9fe6e3f11678
SHA256

f6efa6beb48f15626a65f0c40d8de9500a569d10f6955ed9f15afc9a604a3138
SHA512

986c447d30efd64e90b0ff63cec8ef855989410ec6b1c76a56ac1a674c894b1e1f215709587b88a1b754106abe23e11a700909293f1e8e9bc529538237d46680
SSDEEP

6144:dVXGYtc7MowT2eFdOywz7HUIAo92MG5uSa9kMFgjKZCyLgNwP91fCkUOxKrNLLAJ:1OAowRFd/wP08AMG5uPzFgjm9LgK9KVG

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 10 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	4154ab977f4ffdbc41047e20d3eff94f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	4154ab977f4ffdbc41047e20d3eff94f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	4154ab977f4ffdbc41047e20d3eff94f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	043A6AEB00014973000A814AB4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	043A6AEB00014973000A814AB4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	043A6AEB00014973000A814AB4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	043A6AEB00014973000A814AB4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	4154ab977f4ffdbc41047e20d3eff94f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	4154ab977f4ffdbc41047e20d3eff94f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	043A6AEB00014973000A814AB4EB2331.exe

Disables taskbar notifications via registry modification
evasion

Deletes itself 1 IoCs

pid	Process
2644	043A6AEB00014973000A814AB4EB2331.exe

Executes dropped EXE 1 IoCs

pid	Process
2644	043A6AEB00014973000A814AB4EB2331.exe

Loads dropped DLL 2 IoCs

pid	Process
1744	4154ab977f4ffdbc41047e20d3eff94f.exe
1744	4154ab977f4ffdbc41047e20d3eff94f.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	4154ab977f4ffdbc41047e20d3eff94f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	4154ab977f4ffdbc41047e20d3eff94f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	4154ab977f4ffdbc41047e20d3eff94f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	043A6AEB00014973000A814AB4EB2331.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc	4154ab977f4ffdbc41047e20d3eff94f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	043A6AEB00014973000A814AB4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	043A6AEB00014973000A814AB4EB2331.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc	043A6AEB00014973000A814AB4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	4154ab977f4ffdbc41047e20d3eff94f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	4154ab977f4ffdbc41047e20d3eff94f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc	4154ab977f4ffdbc41047e20d3eff94f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	043A6AEB00014973000A814AB4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	043A6AEB00014973000A814AB4EB2331.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc	043A6AEB00014973000A814AB4EB2331.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\043A6AEB00014973000A814AB4EB2331 = "C:\\ProgramData\\043A6AEB00014973000A814AB4EB2331\\043A6AEB00014973000A814AB4EB2331.exe"	043A6AEB00014973000A814AB4EB2331.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1744	4154ab977f4ffdbc41047e20d3eff94f.exe
1744	4154ab977f4ffdbc41047e20d3eff94f.exe
1744	4154ab977f4ffdbc41047e20d3eff94f.exe
1744	4154ab977f4ffdbc41047e20d3eff94f.exe
1744	4154ab977f4ffdbc41047e20d3eff94f.exe
1744	4154ab977f4ffdbc41047e20d3eff94f.exe
1744	4154ab977f4ffdbc41047e20d3eff94f.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2644	043A6AEB00014973000A814AB4EB2331.exe
2644	043A6AEB00014973000A814AB4EB2331.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 2644	1744	4154ab977f4ffdbc41047e20d3eff94f.exe	28
PID 1744 wrote to memory of 2644	1744	4154ab977f4ffdbc41047e20d3eff94f.exe	28
PID 1744 wrote to memory of 2644	1744	4154ab977f4ffdbc41047e20d3eff94f.exe	28
PID 1744 wrote to memory of 2644	1744	4154ab977f4ffdbc41047e20d3eff94f.exe	28

C:\Users\Admin\AppData\Local\Temp\4154ab977f4ffdbc41047e20d3eff94f.exe
"C:\Users\Admin\AppData\Local\Temp\4154ab977f4ffdbc41047e20d3eff94f.exe"
1⤵
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1744
- C:\ProgramData\043A6AEB00014973000A814AB4EB2331\043A6AEB00014973000A814AB4EB2331.exe
  "C:\ProgramData\043A6AEB00014973000A814AB4EB2331\043A6AEB00014973000A814AB4EB2331.exe" "C:\Users\Admin\AppData\Local\Temp\4154ab977f4ffdbc41047e20d3eff94f.exe"
  2⤵
  - Windows security bypass
  - Deletes itself
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\043A6AEB00014973000A814AB4EB2331\043A6AEB00014973000A814AB4EB2331.exe

Filesize
31KB

MD5
8ff397f5b3da491c6db2c50a4a24f8ff

SHA1
f7719d19636368f55e72c1105e050c2831818ab3

SHA256
2ea1b052b44afb0b12cf596e8826467e91a6c51d2ff88030eeca64583032cdd1

SHA512
e661bbe1ee8d71909ea28e389b8d91e7519a55d157a8054e4200d2cf87d1b1433bed966a6ddd01d49260f2affb9b0e8ca8af4e2d09b4b31af11c4132cac5e357

Download Submit
C:\ProgramData\043A6AEB00014973000A814AB4EB2331\043A6AEB00014973000A814AB4EB2331.exe

Filesize
31KB

MD5
212e920b1b34e53dd0ff24dc17df3750

SHA1
2aa7434ff30edcdec4516468488be721796f08e7

SHA256
b257f0d0fef47d6c48e8272e2f2ed85fc007b6755394392ed887df56c4d6ebd5

SHA512
4b7c23d05417799e8879c583e9b8554fce606c6cef2e4bd9c90ada65a42a0b18a2850c5b9720fd8b9c7e1d756614f7de79f2e021f88e1cbaec8b0b48d6625cd7

Download Submit
C:\ProgramData\043A6AEB00014973000A814AB4EB2331\043A6AEB00014973000A814AB4EB2331.exe

Filesize
183KB

MD5
adfc3710360e060e3ea7e36f6dd93509

SHA1
599d74779b38e18afe2cc54616de0ca0f9a6c93f

SHA256
0542eb81d647710733a61f83a4f8b2eebe0ccb323b6f0efa328e20112ce0dfe8

SHA512
8354820ce10bf4f5eb74332efe963adaca622eb7b271db6ebf6273d3d11b27e439cc20369088b30ae1e72484bcaa19abe7ce7b7e39907dd76f7861aca0f8114f

Download Submit
\ProgramData\043A6AEB00014973000A814AB4EB2331\043A6AEB00014973000A814AB4EB2331.exe

Filesize
375KB

MD5
4154ab977f4ffdbc41047e20d3eff94f

SHA1
81ed0997e7b2d598c4a86b26544d9fe6e3f11678

SHA256
f6efa6beb48f15626a65f0c40d8de9500a569d10f6955ed9f15afc9a604a3138

SHA512
986c447d30efd64e90b0ff63cec8ef855989410ec6b1c76a56ac1a674c894b1e1f215709587b88a1b754106abe23e11a700909293f1e8e9bc529538237d46680

Download Submit
\ProgramData\043A6AEB00014973000A814AB4EB2331\043A6AEB00014973000A814AB4EB2331.exe

Filesize
67KB

MD5
6b3bd2d41939dfb5040bca7fdd66b2fb

SHA1
a7dfd374cc157bc631cc368af38e18a1ce2b82d8

SHA256
81ce850dd4e18efbffa4fe3b9feeae35cc86773945261c525d6fa64c978cabf7

SHA512
6dc0fba9b597840e7aaf5c918f7d69aac9e3ad77f4ed0399acab9cffd4a457419aca67ee191d2d411ef3c92293b61c042cd8869124d5ba8e32cb756c0029ae15

Download Submit
memory/1744-7-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/1744-37-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/1744-6-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/1744-5-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/1744-4-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/1744-0-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/1744-28-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/1744-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1744-27-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/1744-1-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/2644-22-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/2644-23-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2644-21-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/2644-18-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/2644-29-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/2644-30-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2644-16-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2644-39-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/2644-40-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/2644-42-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/2644-43-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/2644-48-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download