Analysis

- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/02/2024, 06:34

Behavioral task

- behavioral1
- Sample: a31eb81d21c6dcc0a03de89b6b43fc68.exe
- Resource: win7-20240220-en
- 16 signatures
- 150 seconds
General

- Target: a31eb81d21c6dcc0a03de89b6b43fc68.exe
- Size: 339KB
- MD5: a31eb81d21c6dcc0a03de89b6b43fc68
- SHA1: 60f928956ac652b151be85de46369f22bde0f506
- SHA256: 01a5dd39fb485319940f0ebdfd0209a560641a6da385a074bbc0337a6bc3d3a8
- SHA512: b0e5d13b4acb3bf0e9d2c07e07cdcafc70e0596b735c89c08b140570be8e978371bfd9d8ff160748bf5a2b61dbb6349efc348a290b2eead7f89e4345b3ecf1c1
- SSDEEP: 6144:PCSlrcTxfNKm9mCfjEOZhpfLTuKAOm6esFE70HkWnpQZh9h:PZcV79mGjZhBjm/Ck0QZh9
Malware Config

Signatures
Modifies firewall policy service (2 TTPs, 6 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | explorer.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | a31eb81d21c6dcc0a03de89b6b43fc68.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | a31eb81d21c6dcc0a03de89b6b43fc68.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | a31eb81d21c6dcc0a03de89b6b43fc68.exe |
Modifies security service (2 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | a31eb81d21c6dcc0a03de89b6b43fc68.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | explorer.exe |

Windows security bypass

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | a31eb81d21c6dcc0a03de89b6b43fc68.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | a31eb81d21c6dcc0a03de89b6b43fc68.exe |
Disables RegEdit via registry modification (2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | a31eb81d21c6dcc0a03de89b6b43fc68.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | explorer.exe |

Disables Task Manager via registry modification
Checks BIOS information in registry (2 TTPs, 2 IoCs)

BIOS information is often read in order to detect sandboxing environments.

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | a31eb81d21c6dcc0a03de89b6b43fc68.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | explorer.exe |

| resource | yara_rule |
|---|---|
| behavioral2/memory/1040-0-0x0000000013140000-0x000000001322E000-memory.dmp | upx |
| behavioral2/memory/232-2-0x0000000013140000-0x000000001322E000-memory.dmp | upx |
| behavioral2/memory/232-4-0x0000000013140000-0x000000001322E000-memory.dmp | upx |
| behavioral2/memory/1040-5-0x0000000013140000-0x000000001322E000-memory.dmp | upx |
| behavioral2/memory/232-7-0x0000000013140000-0x000000001322E000-memory.dmp | upx |
| behavioral2/memory/232-8-0x0000000013140000-0x000000001322E000-memory.dmp | upx |
| behavioral2/memory/232-10-0x0000000013140000-0x000000001322E000-memory.dmp | upx |
| behavioral2/memory/232-11-0x0000000013140000-0x000000001322E000-memory.dmp | upx |
| behavioral2/memory/232-12-0x0000000013140000-0x000000001322E000-memory.dmp | upx |

Windows security modification

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | a31eb81d21c6dcc0a03de89b6b43fc68.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | a31eb81d21c6dcc0a03de89b6b43fc68.exe |
Suspicious use of SetThreadContext (1 IoC)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1040 set thread context of 232 | 1040 | a31eb81d21c6dcc0a03de89b6b43fc68.exe | 86 |
Checks processor information in registry (2 TTPs, 8 IoCs)

Processor information is often read in order to detect sandboxing environments.

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | a31eb81d21c6dcc0a03de89b6b43fc68.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | a31eb81d21c6dcc0a03de89b6b43fc68.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | a31eb81d21c6dcc0a03de89b6b43fc68.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | explorer.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | a31eb81d21c6dcc0a03de89b6b43fc68.exe |
Enumerates system info in registry (2 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | a31eb81d21c6dcc0a03de89b6b43fc68.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe |
Suspicious behavior: GetForegroundWindowSpam (1 IoC)

| pid | Process |
|---|---|
| 232 | explorer.exe |
Suspicious use of AdjustPrivilegeToken (48 IoCs)

Both processes adjusted the same 24 token privileges (24 IoCs each):

| pid | Process | Token |
|---|---|---|
| 1040 | a31eb81d21c6dcc0a03de89b6b43fc68.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 |
| 232 | explorer.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 |
Suspicious use of WriteProcessMemory (5 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1040 wrote to memory of 232 | 1040 | a31eb81d21c6dcc0a03de89b6b43fc68.exe | 86 |
| PID 1040 wrote to memory of 232 | 1040 | a31eb81d21c6dcc0a03de89b6b43fc68.exe | 86 |
| PID 1040 wrote to memory of 232 | 1040 | a31eb81d21c6dcc0a03de89b6b43fc68.exe | 86 |
| PID 1040 wrote to memory of 232 | 1040 | a31eb81d21c6dcc0a03de89b6b43fc68.exe | 86 |
| PID 1040 wrote to memory of 232 | 1040 | a31eb81d21c6dcc0a03de89b6b43fc68.exe | 86 |
System policy modification (1 TTP, 3 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | a31eb81d21c6dcc0a03de89b6b43fc68.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | a31eb81d21c6dcc0a03de89b6b43fc68.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | a31eb81d21c6dcc0a03de89b6b43fc68.exe |
Processes

1. C:\Users\Admin\AppData\Local\Temp\a31eb81d21c6dcc0a03de89b6b43fc68.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a31eb81d21c6dcc0a03de89b6b43fc68.exe"
   PID: 1040
   - Modifies firewall policy service
   - Modifies security service
   - Windows security bypass
   - Disables RegEdit via registry modification
   - Checks BIOS information in registry
   - Windows security modification
   - Suspicious use of SetThreadContext
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   - System policy modification

   2. C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\SysWOW64\explorer.exe"
      PID: 232
      - Modifies firewall policy service
      - Modifies security service
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Checks BIOS information in registry
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken