00c212bb268aaba39fbc72ad2f3061ac95c7cf8c5e02b172fdc760edd4b2586c

General

Target

42ed7b17997cb858525501a9770badbc.exe
Size

395KB
MD5

42ed7b17997cb858525501a9770badbc
SHA1

6242cf373dea4388d41c045b7ce9de476ccb693f
SHA256

00c212bb268aaba39fbc72ad2f3061ac95c7cf8c5e02b172fdc760edd4b2586c
SHA512

cc642750824f3d3e7911c1e4404b15ea1bde4a1ce429d51d584a1d73dc5dd8b84442766eba1844cef183d72152df32b992da1cc0175f749d688d5db29e7cf4eb
SSDEEP

6144:L/RJG8KMBU+xo2e+5bYwCOMeruVipEMS1BWKak/wGY4mswgIxhX8784glfs:LJU+xa8bAe6V1RUKakIGEz8Tsfs

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 10 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	42ed7b17997cb858525501a9770badbc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	42ed7b17997cb858525501a9770badbc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	043A6AEB00014973000CA85AB4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	043A6AEB00014973000CA85AB4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	043A6AEB00014973000CA85AB4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	043A6AEB00014973000CA85AB4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	42ed7b17997cb858525501a9770badbc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	42ed7b17997cb858525501a9770badbc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	42ed7b17997cb858525501a9770badbc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	043A6AEB00014973000CA85AB4EB2331.exe

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
2716	043A6AEB00014973000CA85AB4EB2331.exe

Loads dropped DLL 2 IoCs

pid	Process
536	42ed7b17997cb858525501a9770badbc.exe
536	42ed7b17997cb858525501a9770badbc.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	42ed7b17997cb858525501a9770badbc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	42ed7b17997cb858525501a9770badbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc	42ed7b17997cb858525501a9770badbc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	043A6AEB00014973000CA85AB4EB2331.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc	043A6AEB00014973000CA85AB4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	42ed7b17997cb858525501a9770badbc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	42ed7b17997cb858525501a9770badbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc	42ed7b17997cb858525501a9770badbc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	42ed7b17997cb858525501a9770badbc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	043A6AEB00014973000CA85AB4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	043A6AEB00014973000CA85AB4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	043A6AEB00014973000CA85AB4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	043A6AEB00014973000CA85AB4EB2331.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc	043A6AEB00014973000CA85AB4EB2331.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\043A6AEB00014973000CA85AB4EB2331 = "C:\\ProgramData\\043A6AEB00014973000CA85AB4EB2331\\043A6AEB00014973000CA85AB4EB2331.exe"	043A6AEB00014973000CA85AB4EB2331.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
536	42ed7b17997cb858525501a9770badbc.exe
536	42ed7b17997cb858525501a9770badbc.exe
536	42ed7b17997cb858525501a9770badbc.exe
536	42ed7b17997cb858525501a9770badbc.exe
536	42ed7b17997cb858525501a9770badbc.exe
536	42ed7b17997cb858525501a9770badbc.exe
536	42ed7b17997cb858525501a9770badbc.exe
2716	043A6AEB00014973000CA85AB4EB2331.exe
2716	043A6AEB00014973000CA85AB4EB2331.exe
2716	043A6AEB00014973000CA85AB4EB2331.exe
2716	043A6AEB00014973000CA85AB4EB2331.exe
2716	043A6AEB00014973000CA85AB4EB2331.exe
2716	043A6AEB00014973000CA85AB4EB2331.exe
2716	043A6AEB00014973000CA85AB4EB2331.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 2716	536	42ed7b17997cb858525501a9770badbc.exe	25
PID 536 wrote to memory of 2716	536	42ed7b17997cb858525501a9770badbc.exe	25
PID 536 wrote to memory of 2716	536	42ed7b17997cb858525501a9770badbc.exe	25
PID 536 wrote to memory of 2716	536	42ed7b17997cb858525501a9770badbc.exe	25

C:\Users\Admin\AppData\Local\Temp\42ed7b17997cb858525501a9770badbc.exe
"C:\Users\Admin\AppData\Local\Temp\42ed7b17997cb858525501a9770badbc.exe"
1⤵
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:536
- C:\ProgramData\043A6AEB00014973000CA85AB4EB2331\043A6AEB00014973000CA85AB4EB2331.exe
  "C:\ProgramData\043A6AEB00014973000CA85AB4EB2331\043A6AEB00014973000CA85AB4EB2331.exe" "C:\Users\Admin\AppData\Local\Temp\42ed7b17997cb858525501a9770badbc.exe"
  2⤵
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\043A6AEB00014973000CA85AB4EB2331\043A6AEB00014973000CA85AB4EB2331.exe

Filesize
107KB

MD5
2b21a1135ca88e7da2cc54d613b54cfa

SHA1
9cd120ac41e4b5c2a9250343c918796e30c8f39d

SHA256
f58b230859fb4f5f4e05f742617bfda67b7bf8b4f71e4f0388ce7dbe4c9c4abc

SHA512
41e7a0b97906b5dcda2439c0a2661d082568b7ffe5d078abf082480bc5e1cb01fa868483ac0b2a7e33e9e415091b527f53b2126382959776bdf8549839dcc830

Download Submit
C:\ProgramData\043A6AEB00014973000CA85AB4EB2331\043A6AEB00014973000CA85AB4EB2331.exe

Filesize
31KB

MD5
813c55d0fdbb1e5fdd9f7aceba04277a

SHA1
a37764b747e48ad405cfcf292e42cc46700acdbc

SHA256
36fa731580c3368f33fe0adca693a8819eed3c0591b91907c27b484d8d48cfeb

SHA512
b9227f6a9628a66f8a38f8335d6667da37ceb9b841b0c50b5365d3030eb075fb20e692432547a8250062b3e361339953794c36e5c86b15bbd5850f402fbb1472

Download Submit
C:\ProgramData\043A6AEB00014973000CA85AB4EB2331\043A6AEB00014973000CA85AB4EB2331.exe

Filesize
44KB

MD5
133d8066a7ffe88efac52d43e516a1eb

SHA1
a196341b6d7583c71a296895845cb627ff06c204

SHA256
72eca9ae45f03c35ca2098c185611fdbdf1a4325856646ee44b64bbe8bc28d19

SHA512
2c874566d27e79c6e7c49e1038956a7f2b1c6d9fa0bb9ae7007580e42b029304fc3b1a2f38a51333b69a4fc4d358d217ee214dc9465634d70b850b06c5e57fa5

Download Submit
\ProgramData\043A6AEB00014973000CA85AB4EB2331\043A6AEB00014973000CA85AB4EB2331.exe

Filesize
9KB

MD5
c9c635bfbe1a964de1531882b30fbb2d

SHA1
48168779c146a4d8cda46c092cc505c23f846740

SHA256
c1bcc17ce4095d935d33f6ef28c14ae838aeff125524329de5e538097e6d1003

SHA512
c14985b9e43e1e551eaaeafbca4b333dd85480f4eddda289b09484aa07cbb5f3fb25ba7a3d17ebe324cb9f68865344eee567f7411d08248ca069f07db9ff12ce

Download Submit
memory/536-5-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/536-0-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/536-1-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/536-4-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/536-6-0x0000000000310000-0x0000000000312000-memory.dmp

Filesize
8KB

Download
memory/536-35-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/536-27-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/536-3-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/536-25-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/536-2-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/2716-19-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/2716-15-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/2716-20-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/2716-26-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/2716-28-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/2716-21-0x0000000000380000-0x0000000000382000-memory.dmp

Filesize
8KB

Download
memory/2716-38-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/2716-39-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/2716-44-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads