Analysis
max time kernel: 144s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/01/2024, 08:43
Static task: static1
Behavioral task: behavioral1
  Sample: 501b91f7b30ebfb7eca2b667782a9190.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 501b91f7b30ebfb7eca2b667782a9190.exe
  Resource: win10v2004-20231222-en
General
Target: 501b91f7b30ebfb7eca2b667782a9190.exe
Size: 683KB
MD5: 501b91f7b30ebfb7eca2b667782a9190
SHA1: f2375556030d6e25131649656987a2597bf2f46b
SHA256: aca843d8c6254ba5489ba287518c32aaa5e15fa09f6ed4743b9ff95a23cd89ca
SHA512: e9dc0e746776b03db33770faf8fc32c161b65bbcac0cb91b2cc50ac937b640146062b6070f582f938a334d0dce296895a0a34fc173603403d3f0c209deecc2bb
SSDEEP: 12288:A7NFMjqZfMcER1rmuRW3yYW8SW0ZD3nOBi:ApFMjqXER1rmuRW31W8SWoO
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\Userinit.exe, C:\\Windows\\death.exe" | 501b91f7b30ebfb7eca2b667782a9190.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\Userinit.exe, C:\\Windows\\death.exe" | 501b91f7b30ebfb7eca2b667782a9190.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\Userinit.exe, C:\\Windows\\death.exe" | 501b91f7b30ebfb7eca2b667782a9190.exe
UAC bypass 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 501b91f7b30ebfb7eca2b667782a9190.exe
Blocks application from running via registry modification 3 IoCs
Adds application to list of disallowed applications.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | 501b91f7b30ebfb7eca2b667782a9190.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "p2settings.exe" | 501b91f7b30ebfb7eca2b667782a9190.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | 501b91f7b30ebfb7eca2b667782a9190.exe
Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 501b91f7b30ebfb7eca2b667782a9190.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 501b91f7b30ebfb7eca2b667782a9190.exe
Disables Task Manager via registry modification
Disables use of System Restore points 1 TTPs
Sets file execution options in registry 2 TTPs 18 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp64a.exe\Debugger = "C:\\Windows\\death.exe" | 501b91f7b30ebfb7eca2b667782a9190.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Windows\\death.exe" | 501b91f7b30ebfb7eca2b667782a9190.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\death.exe" | 501b91f7b30ebfb7eca2b667782a9190.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\processhacker.exe\Debugger = "C:\\Windows\\death.exe" | 501b91f7b30ebfb7eca2b667782a9190.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe | 501b91f7b30ebfb7eca2b667782a9190.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | 501b91f7b30ebfb7eca2b667782a9190.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "C:\\Windows\\death.exe" | 501b91f7b30ebfb7eca2b667782a9190.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp64.exe\Debugger = "C:\\Windows\\death.exe" | 501b91f7b30ebfb7eca2b667782a9190.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\processhacker.exe | 501b91f7b30ebfb7eca2b667782a9190.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell_ise.exe | 501b91f7b30ebfb7eca2b667782a9190.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell_ise.exe\Debugger = "C:\\Windows\\death.exe" | 501b91f7b30ebfb7eca2b667782a9190.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe | 501b91f7b30ebfb7eca2b667782a9190.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | 501b91f7b30ebfb7eca2b667782a9190.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\death.exe" | 501b91f7b30ebfb7eca2b667782a9190.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp64a.exe | 501b91f7b30ebfb7eca2b667782a9190.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | 501b91f7b30ebfb7eca2b667782a9190.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp64.exe | 501b91f7b30ebfb7eca2b667782a9190.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\death.exe" | 501b91f7b30ebfb7eca2b667782a9190.exe
Modifies system executable filetype association 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 501b91f7b30ebfb7eca2b667782a9190.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\501b91f7b30ebfb7eca2b667782a9190.exe" | 501b91f7b30ebfb7eca2b667782a9190.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | 501b91f7b30ebfb7eca2b667782a9190.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\501b91f7b30ebfb7eca2b667782a9190.exe" | 501b91f7b30ebfb7eca2b667782a9190.exe
Checks whether UAC is enabled 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 501b91f7b30ebfb7eca2b667782a9190.exe
Modifies WinLogon 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon = "0" | 501b91f7b30ebfb7eca2b667782a9190.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop\WallPaper = "C:\\Windows\\666.bmp" | 501b91f7b30ebfb7eca2b667782a9190.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\666.bmp | 501b91f7b30ebfb7eca2b667782a9190.exe
Modifies Control Panel 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop | 501b91f7b30ebfb7eca2b667782a9190.exe
Modifies registry class 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 501b91f7b30ebfb7eca2b667782a9190.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\501b91f7b30ebfb7eca2b667782a9190.exe" | 501b91f7b30ebfb7eca2b667782a9190.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | 501b91f7b30ebfb7eca2b667782a9190.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\501b91f7b30ebfb7eca2b667782a9190.exe" | 501b91f7b30ebfb7eca2b667782a9190.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4040 | 501b91f7b30ebfb7eca2b667782a9190.exe
System policy modification 1 TTPs 13 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" | 501b91f7b30ebfb7eca2b667782a9190.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "~\x7f{‡‰ˆ" | 501b91f7b30ebfb7eca2b667782a9190.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | 501b91f7b30ebfb7eca2b667782a9190.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" | 501b91f7b30ebfb7eca2b667782a9190.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper = "1" | 501b91f7b30ebfb7eca2b667782a9190.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 501b91f7b30ebfb7eca2b667782a9190.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 501b91f7b30ebfb7eca2b667782a9190.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 501b91f7b30ebfb7eca2b667782a9190.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "~\x7f{‡‰ˆ" | 501b91f7b30ebfb7eca2b667782a9190.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 501b91f7b30ebfb7eca2b667782a9190.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | 501b91f7b30ebfb7eca2b667782a9190.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon = "0" | 501b91f7b30ebfb7eca2b667782a9190.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\AutoAdminLogon = "0" | 501b91f7b30ebfb7eca2b667782a9190.exe
Processes
C:\Users\Admin\AppData\Local\Temp\501b91f7b30ebfb7eca2b667782a9190.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\501b91f7b30ebfb7eca2b667782a9190.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies WinLogon
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 4040
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (2)
  Event Triggered Execution (1)
    Change Default File Association (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (2)
  Event Triggered Execution (1)
    Change Default File Association (1)