Analysis
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 25/02/2024, 06:34
Behavioral task: behavioral1
Sample: a31eb81d21c6dcc0a03de89b6b43fc68.exe
Resource: win7-20240220-en
16 signatures
150 seconds
General
Target: a31eb81d21c6dcc0a03de89b6b43fc68.exe
Size: 339KB
MD5: a31eb81d21c6dcc0a03de89b6b43fc68
SHA1: 60f928956ac652b151be85de46369f22bde0f506
SHA256: 01a5dd39fb485319940f0ebdfd0209a560641a6da385a074bbc0337a6bc3d3a8
SHA512: b0e5d13b4acb3bf0e9d2c07e07cdcafc70e0596b735c89c08b140570be8e978371bfd9d8ff160748bf5a2b61dbb6349efc348a290b2eead7f89e4345b3ecf1c1
SSDEEP: 6144:PCSlrcTxfNKm9mCfjEOZhpfLTuKAOm6esFE70HkWnpQZh9h:PZcV79mGjZhBjm/Ck0QZh9
Malware Config
Signatures
Modifies firewall policy service 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Modifies security service 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Windows security bypass 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe
Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | explorer.exe
Disables Task Manager via registry modification
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | explorer.exe
resource | yara_rule
behavioral1/memory/2208-0-0x0000000013140000-0x000000001322E000-memory.dmp | upx
behavioral1/memory/1848-6-0x0000000013140000-0x000000001322E000-memory.dmp | upx
behavioral1/memory/2208-8-0x0000000013140000-0x000000001322E000-memory.dmp | upx
behavioral1/memory/1848-9-0x0000000013140000-0x000000001322E000-memory.dmp | upx
behavioral1/memory/1848-10-0x0000000013140000-0x000000001322E000-memory.dmp | upx
behavioral1/memory/1848-11-0x0000000013140000-0x000000001322E000-memory.dmp | upx
behavioral1/memory/1848-13-0x0000000013140000-0x000000001322E000-memory.dmp | upx
behavioral1/memory/1848-14-0x0000000013140000-0x000000001322E000-memory.dmp | upx
behavioral1/memory/1848-15-0x0000000013140000-0x000000001322E000-memory.dmp | upx
behavioral1/memory/1848-16-0x0000000013140000-0x000000001322E000-memory.dmp | upx
Windows security modification 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2208 set thread context of 1848 | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe | 28
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Enumerates system info in registry 2 TTPs 2 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
1848 | explorer.exe
Suspicious use of AdjustPrivilegeToken 46 IoCs
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Token: SeSecurityPrivilege | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Token: SeTakeOwnershipPrivilege | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Token: SeLoadDriverPrivilege | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Token: SeSystemProfilePrivilege | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Token: SeSystemtimePrivilege | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Token: SeProfSingleProcessPrivilege | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Token: SeIncBasePriorityPrivilege | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Token: SeCreatePagefilePrivilege | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Token: SeBackupPrivilege | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Token: SeRestorePrivilege | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Token: SeShutdownPrivilege | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Token: SeDebugPrivilege | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Token: SeSystemEnvironmentPrivilege | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Token: SeChangeNotifyPrivilege | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Token: SeRemoteShutdownPrivilege | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Token: SeUndockPrivilege | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Token: SeManageVolumePrivilege | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Token: SeImpersonatePrivilege | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Token: SeCreateGlobalPrivilege | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Token: 33 | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Token: 34 | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Token: 35 | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Token: SeIncreaseQuotaPrivilege | 1848 | explorer.exe
Token: SeSecurityPrivilege | 1848 | explorer.exe
Token: SeTakeOwnershipPrivilege | 1848 | explorer.exe
Token: SeLoadDriverPrivilege | 1848 | explorer.exe
Token: SeSystemProfilePrivilege | 1848 | explorer.exe
Token: SeSystemtimePrivilege | 1848 | explorer.exe
Token: SeProfSingleProcessPrivilege | 1848 | explorer.exe
Token: SeIncBasePriorityPrivilege | 1848 | explorer.exe
Token: SeCreatePagefilePrivilege | 1848 | explorer.exe
Token: SeBackupPrivilege | 1848 | explorer.exe
Token: SeRestorePrivilege | 1848 | explorer.exe
Token: SeShutdownPrivilege | 1848 | explorer.exe
Token: SeDebugPrivilege | 1848 | explorer.exe
Token: SeSystemEnvironmentPrivilege | 1848 | explorer.exe
Token: SeChangeNotifyPrivilege | 1848 | explorer.exe
Token: SeRemoteShutdownPrivilege | 1848 | explorer.exe
Token: SeUndockPrivilege | 1848 | explorer.exe
Token: SeManageVolumePrivilege | 1848 | explorer.exe
Token: SeImpersonatePrivilege | 1848 | explorer.exe
Token: SeCreateGlobalPrivilege | 1848 | explorer.exe
Token: 33 | 1848 | explorer.exe
Token: 34 | 1848 | explorer.exe
Token: 35 | 1848 | explorer.exe
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 2208 wrote to memory of 1848 | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe | 28
PID 2208 wrote to memory of 1848 | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe | 28
PID 2208 wrote to memory of 1848 | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe | 28
PID 2208 wrote to memory of 1848 | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe | 28
PID 2208 wrote to memory of 1848 | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe | 28
PID 2208 wrote to memory of 1848 | 2208 | a31eb81d21c6dcc0a03de89b6b43fc68.exe | 28
System policy modification 1 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | a31eb81d21c6dcc0a03de89b6b43fc68.exe
Processes
C:\Users\Admin\AppData\Local\Temp\a31eb81d21c6dcc0a03de89b6b43fc68.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a31eb81d21c6dcc0a03de89b6b43fc68.exe"
PID: 2208
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- Windows security modification
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
  C:\Windows\SysWOW64\explorer.exe (child of the process above)
  Command line: "C:\Windows\SysWOW64\explorer.exe"
  PID: 1848
  - Modifies firewall policy service
  - Modifies security service
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Checks BIOS information in registry
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken