Analysis
- max time kernel: 256s
- max time network: 290s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 09-01-2024 18:20
Static task: static1
Behavioral task: behavioral1
- Sample: e763a13c24696535fed0534dca644619.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: e763a13c24696535fed0534dca644619.exe
- Resource: win10v2004-20231215-en
General
- Target: e763a13c24696535fed0534dca644619.exe
- Size: 387KB
- MD5: e763a13c24696535fed0534dca644619
- SHA1: f16c94802990e2c7c485a6834501d6c9b3b439b2
- SHA256: 4b95ea875189e95df49b9f177c67a6f82ca191fa626c6ad858660050b538717c
- SHA512: 03987f138cd2a90a9a8d6ebf10b5cfd9b22edf85d12887072f50304dc682af9fdf719af66aa0f6d40f248d3224d6544e3087add5866470904255b614000944c9
- SSDEEP: 12288:/8WrJlOoAq5YG/MKff9k4b4T2zFNUSOB:UWrJL3MKNP4UNx
Malware Config
Signatures
- UAC bypass (signature name as listed for PID 1676 in the process tree)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (043A6AEB00014973000B5F50B4EB2331.exe)
- Windows security bypass (signature name as listed for PID 1676 in the process tree)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (043A6AEB00014973000B5F50B4EB2331.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (043A6AEB00014973000B5F50B4EB2331.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (043A6AEB00014973000B5F50B4EB2331.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (043A6AEB00014973000B5F50B4EB2331.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (043A6AEB00014973000B5F50B4EB2331.exe)
- Disables taskbar notifications via registry modification
- Deletes itself 1 IoCs
  PID 1676 043A6AEB00014973000B5F50B4EB2331.exe
- Executes dropped EXE 1 IoCs
  PID 1676 043A6AEB00014973000B5F50B4EB2331.exe
- Loads dropped DLL 1 IoCs
  PID 2936 e763a13c24696535fed0534dca644619.exe
- Windows security modification (signature name as listed for PID 1676 in the process tree)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (043A6AEB00014973000B5F50B4EB2331.exe)
  Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc (043A6AEB00014973000B5F50B4EB2331.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc (043A6AEB00014973000B5F50B4EB2331.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (043A6AEB00014973000B5F50B4EB2331.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (043A6AEB00014973000B5F50B4EB2331.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (043A6AEB00014973000B5F50B4EB2331.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (043A6AEB00014973000B5F50B4EB2331.exe)
- Checks whether UAC is enabled (signature name as listed for PID 1676 in the process tree)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (043A6AEB00014973000B5F50B4EB2331.exe)
- Modifies registry class 22 IoCs (all by 043A6AEB00014973000B5F50B4EB2331.exe)
  Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\043A6\DefaultIcon
  Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\043A6\shell\open\command
  Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\043A6\shell\start\command\IsolatedCommand = "\"%1\" %*"
  Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\043A6\shell\runas
  Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\043A6\shell\runas\command\IsolatedCommand = "\"%1\" %*"
  Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\043A6\ = "Application"
  Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\043A6\shell\start\command
  Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\043A6\shell\start
  Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\043A6\shell\open\command\IsolatedCommand = "\"%1\" %*"
  Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\043A6\shell
  Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\043A6\shell\start\command\ = "\"%1\" %*"
  Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\.exe
  Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\%s
  Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\%s\ = "043A6"
  Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\043A6
  Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\043A6\Content Type = "application/x-msdownload"
  Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\043A6\DefaultIcon\ = "%1"
  Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\043A6\shell\open
  Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\043A6\shell\open\command\ = "\"C:\\ProgramData\\043A6AEB00014973000B5F50B4EB2331\\043A6AEB00014973000B5F50B4EB2331.exe\" -s \"%1\" %*"
  Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\.exe\ = "043A6"
  Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\043A6\shell\runas\command\ = "\"%1\" %*"
  Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\043A6\shell\runas\command
- Suspicious behavior: EnumeratesProcesses 32 IoCs
  PID 2936 e763a13c24696535fed0534dca644619.exe
  PID 1676 043A6AEB00014973000B5F50B4EB2331.exe (the remaining 31 entries all repeat this PID and process)
- Suspicious use of FindShellTrayWindow 2 IoCs
  PID 1676 043A6AEB00014973000B5F50B4EB2331.exe
  PID 1676 043A6AEB00014973000B5F50B4EB2331.exe
- Suspicious use of SendNotifyMessage 2 IoCs
  PID 1676 043A6AEB00014973000B5F50B4EB2331.exe
  PID 1676 043A6AEB00014973000B5F50B4EB2331.exe
- Suspicious use of SetWindowsHookEx 2 IoCs
  PID 1676 043A6AEB00014973000B5F50B4EB2331.exe
  PID 1676 043A6AEB00014973000B5F50B4EB2331.exe
- Suspicious use of WriteProcessMemory 4 IoCs
  PID 2936 wrote to memory of 1676 (pid 2936, e763a13c24696535fed0534dca644619.exe, procid_target 26)
  PID 2936 wrote to memory of 1676 (pid 2936, e763a13c24696535fed0534dca644619.exe, procid_target 26)
  PID 2936 wrote to memory of 1676 (pid 2936, e763a13c24696535fed0534dca644619.exe, procid_target 26)
  PID 2936 wrote to memory of 1676 (pid 2936, e763a13c24696535fed0534dca644619.exe, procid_target 26)
- System policy modification 1 TTPs 1 IoCs
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (043A6AEB00014973000B5F50B4EB2331.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\e763a13c24696535fed0534dca644619.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e763a13c24696535fed0534dca644619.exe"
  PID: 2936
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\ProgramData\043A6AEB00014973000B5F50B4EB2331\043A6AEB00014973000B5F50B4EB2331.exe
    Command line: "C:\ProgramData\043A6AEB00014973000B5F50B4EB2331\043A6AEB00014973000B5F50B4EB2331.exe" -d "C:\Users\Admin\AppData\Local\Temp\e763a13c24696535fed0534dca644619.exe"
    PID: 1676
    - UAC bypass
    - Windows security bypass
    - Deletes itself
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - System policy modification
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 328B
  MD5: e78b56d75673571214cf6a82ff3a566c
  SHA1: 240735b0f251bb6c659ea295264d9fdcdd4c2ccb
  SHA256: a1d0617f0b0af29a7eff246da7a4e4077f7a45a91dc2c64d678d06e935187b57
  SHA512: 3f79d344d12b4aa18cae1958de02f6fbb8a5ed7b49709a3922b782a4882299abb8494214a3978b85f8179070f8368f26aa0fe0953f3323becf2f4abb4eebfd1f
- Filesize: 387KB
  MD5: e763a13c24696535fed0534dca644619
  SHA1: f16c94802990e2c7c485a6834501d6c9b3b439b2
  SHA256: 4b95ea875189e95df49b9f177c67a6f82ca191fa626c6ad858660050b538717c
  SHA512: 03987f138cd2a90a9a8d6ebf10b5cfd9b22edf85d12887072f50304dc682af9fdf719af66aa0f6d40f248d3224d6544e3087add5866470904255b614000944c9