Analysis
- max time kernel: 148s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 23-01-2024 18:28
Static task: static1
Behavioral task: behavioral1
- Sample: 7041a78561f46b06292ce1ed60838153.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 7041a78561f46b06292ce1ed60838153.exe
- Resource: win10v2004-20231215-en
General
- Target: 7041a78561f46b06292ce1ed60838153.exe
- Size: 376KB
- MD5: 7041a78561f46b06292ce1ed60838153
- SHA1: 7795542b63807d30f63cfb34b9023562b05daf54
- SHA256: 37b833740b53bdad1c35353238f5d0679ceb34b91a2203afde74b824404fc6bd
- SHA512: 73c42a4d5b426d055764461deb00ba0e6fe613d3decef21dad7faac8c196e2782da2a9242163d073ec0a5c42275eb317c8b6b0a117f673c3af739d2dbd403f70
- SSDEEP: 6144:KWUhwnx2y02mA1L+qnKzk7Bh+NQIuCry+vPflr91DNJ4pp:KWesP0QRozqBh2uCry+p9tG
Malware Config
Signatures
Windows security bypass 10 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 7041a78561f46b06292ce1ed60838153.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 7041a78561f46b06292ce1ed60838153.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 043A6AEB00014973000B5F50B4EB2331.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 043A6AEB00014973000B5F50B4EB2331.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 043A6AEB00014973000B5F50B4EB2331.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 043A6AEB00014973000B5F50B4EB2331.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 7041a78561f46b06292ce1ed60838153.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 7041a78561f46b06292ce1ed60838153.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 7041a78561f46b06292ce1ed60838153.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 043A6AEB00014973000B5F50B4EB2331.exe
Disables taskbar notifications via registry modification
Deletes itself 1 IoCs
- PID 2480 | 043A6AEB00014973000B5F50B4EB2331.exe
Executes dropped EXE 1 IoCs
- PID 2480 | 043A6AEB00014973000B5F50B4EB2331.exe
Loads dropped DLL 2 IoCs
- PID 2548 | 7041a78561f46b06292ce1ed60838153.exe
- PID 2548 | 7041a78561f46b06292ce1ed60838153.exe
Windows security modification 14 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 043A6AEB00014973000B5F50B4EB2331.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 043A6AEB00014973000B5F50B4EB2331.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 043A6AEB00014973000B5F50B4EB2331.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 7041a78561f46b06292ce1ed60838153.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc | 7041a78561f46b06292ce1ed60838153.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc | 7041a78561f46b06292ce1ed60838153.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 043A6AEB00014973000B5F50B4EB2331.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 7041a78561f46b06292ce1ed60838153.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 043A6AEB00014973000B5F50B4EB2331.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc | 043A6AEB00014973000B5F50B4EB2331.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc | 043A6AEB00014973000B5F50B4EB2331.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 7041a78561f46b06292ce1ed60838153.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 7041a78561f46b06292ce1ed60838153.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 7041a78561f46b06292ce1ed60838153.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\043A6AEB00014973000B5F50B4EB2331 = "C:\\ProgramData\\043A6AEB00014973000B5F50B4EB2331\\043A6AEB00014973000B5F50B4EB2331.exe" | 043A6AEB00014973000B5F50B4EB2331.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (repeated identical entries collapsed; 64 entries in total)
- PID 2548 | 7041a78561f46b06292ce1ed60838153.exe (56 entries)
- PID 2480 | 043A6AEB00014973000B5F50B4EB2331.exe (8 entries)
Suspicious use of FindShellTrayWindow 2 IoCs
- PID 2480 | 043A6AEB00014973000B5F50B4EB2331.exe
- PID 2480 | 043A6AEB00014973000B5F50B4EB2331.exe
Suspicious use of SendNotifyMessage 2 IoCs
- PID 2480 | 043A6AEB00014973000B5F50B4EB2331.exe
- PID 2480 | 043A6AEB00014973000B5F50B4EB2331.exe
Suspicious use of SetWindowsHookEx 4 IoCs
- PID 2548 | 7041a78561f46b06292ce1ed60838153.exe
- PID 2480 | 043A6AEB00014973000B5F50B4EB2331.exe
- PID 2480 | 043A6AEB00014973000B5F50B4EB2331.exe
- PID 2480 | 043A6AEB00014973000B5F50B4EB2331.exe
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
- PID 2548 wrote to memory of 2480 | 2548 | 7041a78561f46b06292ce1ed60838153.exe | 28
- PID 2548 wrote to memory of 2480 | 2548 | 7041a78561f46b06292ce1ed60838153.exe | 28
- PID 2548 wrote to memory of 2480 | 2548 | 7041a78561f46b06292ce1ed60838153.exe | 28
- PID 2548 wrote to memory of 2480 | 2548 | 7041a78561f46b06292ce1ed60838153.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\7041a78561f46b06292ce1ed60838153.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7041a78561f46b06292ce1ed60838153.exe"
   PID: 2548
   - Windows security bypass
   - Loads dropped DLL
   - Windows security modification
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\043A6AEB00014973000B5F50B4EB2331\043A6AEB00014973000B5F50B4EB2331.exe (child of PID 2548)
      Command line: "C:\ProgramData\043A6AEB00014973000B5F50B4EB2331\043A6AEB00014973000B5F50B4EB2331.exe" "C:\Users\Admin\AppData\Local\Temp\7041a78561f46b06292ce1ed60838153.exe"
      PID: 2480
      - Windows security bypass
      - Deletes itself
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 376KB
- MD5: 7041a78561f46b06292ce1ed60838153
- SHA1: 7795542b63807d30f63cfb34b9023562b05daf54
- SHA256: 37b833740b53bdad1c35353238f5d0679ceb34b91a2203afde74b824404fc6bd
- SHA512: 73c42a4d5b426d055764461deb00ba0e6fe613d3decef21dad7faac8c196e2782da2a9242163d073ec0a5c42275eb317c8b6b0a117f673c3af739d2dbd403f70