Analysis

max time kernel: 118s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16-03-2024 14:56
Static task: static1
Behavioral task: behavioral1
Sample: ce5706f1a1dd859a8233397c2490680b.exe
Resource: win7-20240221-en
General

Target: ce5706f1a1dd859a8233397c2490680b.exe
Size: 416KB
MD5: ce5706f1a1dd859a8233397c2490680b
SHA1: 9a3775d1c673313a4814abe25049efb03a3e674e
SHA256: ad2c6c8d68058c316b1f3c343b59c0c14526f4a7c84ed771b2d90f590fc3c535
SHA512: 35b6aec7f2821baf073cc05d0e18173961757db0d458f7ed44979abbfbd040b8ecc6418e97f6bb23006fadd368191c34be0f1f5877a87b46f3c292523be00b7a
SSDEEP: 6144:P0XIE3wQQBHn8nd2r1XGUtZXdRloUfk+S+r2I1Fyjbl66A93LnYDttxU7Uu6wB8B:P6Yn8nd2r1XXtCXtvldA93LYzxOd6L
Malware Config

Extracted: arkei
141.95.23.6/kESK2FZqwB.php
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | ce5706f1a1dd859a8233397c2490680b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | ce5706f1a1dd859a8233397c2490680b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | ce5706f1a1dd859a8233397c2490680b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | ce5706f1a1dd859a8233397c2490680b.exe
Windows security bypass
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | ce5706f1a1dd859a8233397c2490680b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ce5706f1a1dd859a8233397c2490680b.exe = "0" | ce5706f1a1dd859a8233397c2490680b.exe
Nirsoft 1 IoCs
resource | yara_rule
behavioral1/files/0x000c000000015315-7.dat | Nirsoft
Executes dropped EXE 2 IoCs
pid | Process
2516 | AdvancedRun.exe
2512 | AdvancedRun.exe
Loads dropped DLL 4 IoCs
pid | Process
2204 | ce5706f1a1dd859a8233397c2490680b.exe
2204 | ce5706f1a1dd859a8233397c2490680b.exe
2516 | AdvancedRun.exe
2516 | AdvancedRun.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | ce5706f1a1dd859a8233397c2490680b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions | ce5706f1a1dd859a8233397c2490680b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ce5706f1a1dd859a8233397c2490680b.exe = "0" | ce5706f1a1dd859a8233397c2490680b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection | ce5706f1a1dd859a8233397c2490680b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | ce5706f1a1dd859a8233397c2490680b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | ce5706f1a1dd859a8233397c2490680b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | ce5706f1a1dd859a8233397c2490680b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | ce5706f1a1dd859a8233397c2490680b.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2204 set thread context of 2432 | 2204 | ce5706f1a1dd859a8233397c2490680b.exe | 32
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2420 | 2432 | WerFault.exe | 32
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid | Process
2516 | AdvancedRun.exe
2516 | AdvancedRun.exe
2512 | AdvancedRun.exe
2512 | AdvancedRun.exe
2636 | powershell.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2516 | AdvancedRun.exe
Token: SeImpersonatePrivilege | 2516 | AdvancedRun.exe
Token: SeDebugPrivilege | 2512 | AdvancedRun.exe
Token: SeImpersonatePrivilege | 2512 | AdvancedRun.exe
Token: SeDebugPrivilege | 2204 | ce5706f1a1dd859a8233397c2490680b.exe
Token: SeDebugPrivilege | 2636 | powershell.exe
Suspicious use of WriteProcessMemory 27 IoCs
description | pid | Process | procid_target
PID 2204 wrote to memory of 2516 | 2204 | ce5706f1a1dd859a8233397c2490680b.exe | 28
PID 2204 wrote to memory of 2516 | 2204 | ce5706f1a1dd859a8233397c2490680b.exe | 28
PID 2204 wrote to memory of 2516 | 2204 | ce5706f1a1dd859a8233397c2490680b.exe | 28
PID 2204 wrote to memory of 2516 | 2204 | ce5706f1a1dd859a8233397c2490680b.exe | 28
PID 2516 wrote to memory of 2512 | 2516 | AdvancedRun.exe | 29
PID 2516 wrote to memory of 2512 | 2516 | AdvancedRun.exe | 29
PID 2516 wrote to memory of 2512 | 2516 | AdvancedRun.exe | 29
PID 2516 wrote to memory of 2512 | 2516 | AdvancedRun.exe | 29
PID 2204 wrote to memory of 2636 | 2204 | ce5706f1a1dd859a8233397c2490680b.exe | 30
PID 2204 wrote to memory of 2636 | 2204 | ce5706f1a1dd859a8233397c2490680b.exe | 30
PID 2204 wrote to memory of 2636 | 2204 | ce5706f1a1dd859a8233397c2490680b.exe | 30
PID 2204 wrote to memory of 2636 | 2204 | ce5706f1a1dd859a8233397c2490680b.exe | 30
PID 2204 wrote to memory of 2432 | 2204 | ce5706f1a1dd859a8233397c2490680b.exe | 32
PID 2204 wrote to memory of 2432 | 2204 | ce5706f1a1dd859a8233397c2490680b.exe | 32
PID 2204 wrote to memory of 2432 | 2204 | ce5706f1a1dd859a8233397c2490680b.exe | 32
PID 2204 wrote to memory of 2432 | 2204 | ce5706f1a1dd859a8233397c2490680b.exe | 32
PID 2204 wrote to memory of 2432 | 2204 | ce5706f1a1dd859a8233397c2490680b.exe | 32
PID 2204 wrote to memory of 2432 | 2204 | ce5706f1a1dd859a8233397c2490680b.exe | 32
PID 2204 wrote to memory of 2432 | 2204 | ce5706f1a1dd859a8233397c2490680b.exe | 32
PID 2204 wrote to memory of 2432 | 2204 | ce5706f1a1dd859a8233397c2490680b.exe | 32
PID 2204 wrote to memory of 2432 | 2204 | ce5706f1a1dd859a8233397c2490680b.exe | 32
PID 2204 wrote to memory of 2432 | 2204 | ce5706f1a1dd859a8233397c2490680b.exe | 32
PID 2204 wrote to memory of 2432 | 2204 | ce5706f1a1dd859a8233397c2490680b.exe | 32
PID 2432 wrote to memory of 2420 | 2432 | ce5706f1a1dd859a8233397c2490680b.exe | 33
PID 2432 wrote to memory of 2420 | 2432 | ce5706f1a1dd859a8233397c2490680b.exe | 33
PID 2432 wrote to memory of 2420 | 2432 | ce5706f1a1dd859a8233397c2490680b.exe | 33
PID 2432 wrote to memory of 2420 | 2432 | ce5706f1a1dd859a8233397c2490680b.exe | 33
Processes

C:\Users\Admin\AppData\Local\Temp\ce5706f1a1dd859a8233397c2490680b.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ce5706f1a1dd859a8233397c2490680b.exe"
  - Modifies Windows Defender Real-time Protection settings
  - Windows security bypass
  - Loads dropped DLL
  - Windows security modification
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2204

  C:\Users\Admin\AppData\Local\Temp\84870415-fc5c-41af-a856-d4ffa3dea4d9\AdvancedRun.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\84870415-fc5c-41af-a856-d4ffa3dea4d9\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\84870415-fc5c-41af-a856-d4ffa3dea4d9\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2516

    C:\Users\Admin\AppData\Local\Temp\84870415-fc5c-41af-a856-d4ffa3dea4d9\AdvancedRun.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\84870415-fc5c-41af-a856-d4ffa3dea4d9\AdvancedRun.exe" /SpecialRun 4101d8 2516
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2512

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ce5706f1a1dd859a8233397c2490680b.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2636

  C:\Users\Admin\AppData\Local\Temp\ce5706f1a1dd859a8233397c2490680b.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ce5706f1a1dd859a8233397c2490680b.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2432

    C:\Windows\SysWOW64\WerFault.exe (depth 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 44
      - Program crash
      PID: 2420
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 88KB
MD5: 17fc12902f4769af3a9271eb4e2dacce
SHA1: 9a4a1581cc3971579574f837e110f3bd6d529dab
SHA256: 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512: 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a