761814353b34311adb1a097533ebfa96c1e865dc0843dcf7fac0d8b4b67cdd8b

Analysis

max time kernel
145s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78204685676d9376988e4facf7ce8cfa.exe
Size

392KB
MD5

78204685676d9376988e4facf7ce8cfa
SHA1

d632e8209cda6bae0867567a1f4a68550202ae06
SHA256

761814353b34311adb1a097533ebfa96c1e865dc0843dcf7fac0d8b4b67cdd8b
SHA512

005db8116a218600b024f8f5dfd5a5f989e361fe5b8f3bfc23f158abf465432012aa4041b11462725569e3161a235c748e83c6c295057e86aada3f44a4ad2121
SSDEEP

6144:3h1wG0fljKQIZhzc7HVHtf5vuyh+ajZCsuAMXMzFHCD/yr07oAH4DPq:x/ApUvsfRh+ajZCBAMXoUK0VHMq

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 10 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	043A6AEB00014973000A4136B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	043A6AEB00014973000A4136B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	043A6AEB00014973000A4136B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	043A6AEB00014973000A4136B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	78204685676d9376988e4facf7ce8cfa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	78204685676d9376988e4facf7ce8cfa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	043A6AEB00014973000A4136B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	78204685676d9376988e4facf7ce8cfa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	78204685676d9376988e4facf7ce8cfa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	78204685676d9376988e4facf7ce8cfa.exe

Disables taskbar notifications via registry modification
evasion

Deletes itself 1 IoCs

pid	Process
2264	043A6AEB00014973000A4136B4EB2331.exe

Executes dropped EXE 1 IoCs

pid	Process
2264	043A6AEB00014973000A4136B4EB2331.exe

Loads dropped DLL 2 IoCs

pid	Process
1220	78204685676d9376988e4facf7ce8cfa.exe
1220	78204685676d9376988e4facf7ce8cfa.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc	78204685676d9376988e4facf7ce8cfa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	043A6AEB00014973000A4136B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	043A6AEB00014973000A4136B4EB2331.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc	043A6AEB00014973000A4136B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	78204685676d9376988e4facf7ce8cfa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc	043A6AEB00014973000A4136B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	043A6AEB00014973000A4136B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	043A6AEB00014973000A4136B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	78204685676d9376988e4facf7ce8cfa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	78204685676d9376988e4facf7ce8cfa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	78204685676d9376988e4facf7ce8cfa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc	78204685676d9376988e4facf7ce8cfa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	78204685676d9376988e4facf7ce8cfa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	043A6AEB00014973000A4136B4EB2331.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\043A6AEB00014973000A4136B4EB2331 = "C:\\ProgramData\\043A6AEB00014973000A4136B4EB2331\\043A6AEB00014973000A4136B4EB2331.exe"	043A6AEB00014973000A4136B4EB2331.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1220	78204685676d9376988e4facf7ce8cfa.exe
1220	78204685676d9376988e4facf7ce8cfa.exe
1220	78204685676d9376988e4facf7ce8cfa.exe
1220	78204685676d9376988e4facf7ce8cfa.exe
1220	78204685676d9376988e4facf7ce8cfa.exe
1220	78204685676d9376988e4facf7ce8cfa.exe
1220	78204685676d9376988e4facf7ce8cfa.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2264	043A6AEB00014973000A4136B4EB2331.exe
2264	043A6AEB00014973000A4136B4EB2331.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2264	1220	78204685676d9376988e4facf7ce8cfa.exe	28
PID 1220 wrote to memory of 2264	1220	78204685676d9376988e4facf7ce8cfa.exe	28
PID 1220 wrote to memory of 2264	1220	78204685676d9376988e4facf7ce8cfa.exe	28
PID 1220 wrote to memory of 2264	1220	78204685676d9376988e4facf7ce8cfa.exe	28

C:\Users\Admin\AppData\Local\Temp\78204685676d9376988e4facf7ce8cfa.exe
"C:\Users\Admin\AppData\Local\Temp\78204685676d9376988e4facf7ce8cfa.exe"
1⤵
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1220
- C:\ProgramData\043A6AEB00014973000A4136B4EB2331\043A6AEB00014973000A4136B4EB2331.exe
  "C:\ProgramData\043A6AEB00014973000A4136B4EB2331\043A6AEB00014973000A4136B4EB2331.exe" "C:\Users\Admin\AppData\Local\Temp\78204685676d9376988e4facf7ce8cfa.exe"
  2⤵
  - Windows security bypass
  - Deletes itself
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\043A6AEB00014973000A4136B4EB2331\043A6AEB00014973000A4136B4EB2331.exe

Filesize
128KB

MD5
de67ed3f7d555f4fd01fd9d60ae05e4c

SHA1
9c4d4a88ab2ab9c5c8af00c19277e7c4ff1256d0

SHA256
d36f4878d76880e2f6c7f792a8df18f4598b3843d37e2d07cd68ca6cab1428a6

SHA512
0f722bf4ab7a1d583aee86bb56bbdc627744cc0708cf51af5d0edbaf02819dd2da5028ef31e697d593df4392c6dfb0b7e200f9286ee9ea9b8ccfb6d442a4a920

Download Submit
C:\ProgramData\043A6AEB00014973000A4136B4EB2331\043A6AEB00014973000A4136B4EB2331.exe

Filesize
64KB

MD5
90fbd17bb753130269b4ed62b3042bd7

SHA1
ef36aa7f4af5a3d9dc135b0083671a90d020ad7d

SHA256
5a9b3a655126f517f9bc116dd9c2ab6ced4f2893732544e47b6b741016629853

SHA512
4254e68db89a6ec6d7a03daf076b936737075bcc50ebd9eb1a01f30c27923b216b49ba80078ab0a19caedd303d678ee530e7c2cf920a55bca256735f81c94a58

Download Submit
\ProgramData\043A6AEB00014973000A4136B4EB2331\043A6AEB00014973000A4136B4EB2331.exe

Filesize
392KB

MD5
78204685676d9376988e4facf7ce8cfa

SHA1
d632e8209cda6bae0867567a1f4a68550202ae06

SHA256
761814353b34311adb1a097533ebfa96c1e865dc0843dcf7fac0d8b4b67cdd8b

SHA512
005db8116a218600b024f8f5dfd5a5f989e361fe5b8f3bfc23f158abf465432012aa4041b11462725569e3161a235c748e83c6c295057e86aada3f44a4ad2121

Download Submit
\ProgramData\043A6AEB00014973000A4136B4EB2331\043A6AEB00014973000A4136B4EB2331.exe

Filesize
192KB

MD5
d4d3cc23aaacf7287d55633eed05fb64

SHA1
759d13e21c66f3296876d8eb280709ab53ad0e8e

SHA256
76db3b364bcf977538fa84d6c87a8a0b82aa1b5750000bea1aa5d5742d224dbd

SHA512
4ce1a575fc309a41c8777418a71bd28f35873688b757a0ac1bc55ecd62337d8a00c60117c81b37602a3acfaee0ecc6544b799a5324c734ab088a6356b7cd6323

Download Submit
memory/1220-6-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/1220-27-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/1220-7-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download
memory/1220-5-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/1220-2-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1220-4-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/1220-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1220-35-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/1220-29-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1220-1-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/2264-21-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/2264-23-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download
memory/2264-22-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/2264-28-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/2264-18-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/2264-17-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/2264-38-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/2264-39-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download
memory/2264-44-0x0000000000410000-0x00000000004D8000-memory.dmp

Filesize
800KB

Download