Analysis
max time kernel: 147s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-03-2024 14:56
Static task: static1
Behavioral task: behavioral1
Sample: ce5706f1a1dd859a8233397c2490680b.exe
Resource: win7-20240221-en
General
Target: ce5706f1a1dd859a8233397c2490680b.exe
Size: 416KB
MD5: ce5706f1a1dd859a8233397c2490680b
SHA1: 9a3775d1c673313a4814abe25049efb03a3e674e
SHA256: ad2c6c8d68058c316b1f3c343b59c0c14526f4a7c84ed771b2d90f590fc3c535
SHA512: 35b6aec7f2821baf073cc05d0e18173961757db0d458f7ed44979abbfbd040b8ecc6418e97f6bb23006fadd368191c34be0f1f5877a87b46f3c292523be00b7a
SSDEEP: 6144:P0XIE3wQQBHn8nd2r1XGUtZXdRloUfk+S+r2I1Fyjbl66A93LnYDttxU7Uu6wB8B:P6Yn8nd2r1XXtCXtvldA93LYzxOd6L
Malware Config
Extracted
arkei
141.95.23.6/kESK2FZqwB.php
Signatures
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | ce5706f1a1dd859a8233397c2490680b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | ce5706f1a1dd859a8233397c2490680b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | ce5706f1a1dd859a8233397c2490680b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | ce5706f1a1dd859a8233397c2490680b.exe
Turns off Windows Defender SpyNet reporting (2 TTPs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | ce5706f1a1dd859a8233397c2490680b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ce5706f1a1dd859a8233397c2490680b.exe = "0" | ce5706f1a1dd859a8233397c2490680b.exe
Nirsoft (1 IoC)
resource | yara_rule
behavioral2/files/0x000200000002289b-15.dat | Nirsoft
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | ce5706f1a1dd859a8233397c2490680b.exe
Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | AdvancedRun.exe
Executes dropped EXE (2 IoCs)
pid | Process
1552 | AdvancedRun.exe
1764 | AdvancedRun.exe

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | ce5706f1a1dd859a8233397c2490680b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | ce5706f1a1dd859a8233397c2490680b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | ce5706f1a1dd859a8233397c2490680b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | ce5706f1a1dd859a8233397c2490680b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | ce5706f1a1dd859a8233397c2490680b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | ce5706f1a1dd859a8233397c2490680b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | ce5706f1a1dd859a8233397c2490680b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ce5706f1a1dd859a8233397c2490680b.exe = "0" | ce5706f1a1dd859a8233397c2490680b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | ce5706f1a1dd859a8233397c2490680b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | ce5706f1a1dd859a8233397c2490680b.exe
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 3768 set thread context of 2632 | 3768 | ce5706f1a1dd859a8233397c2490680b.exe | 97
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | Process
1552 | AdvancedRun.exe
1552 | AdvancedRun.exe
1552 | AdvancedRun.exe
1552 | AdvancedRun.exe
1764 | AdvancedRun.exe
1764 | AdvancedRun.exe
1764 | AdvancedRun.exe
1764 | AdvancedRun.exe
1728 | powershell.exe
1728 | powershell.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1552 | AdvancedRun.exe
Token: SeImpersonatePrivilege | 1552 | AdvancedRun.exe
Token: SeDebugPrivilege | 1764 | AdvancedRun.exe
Token: SeImpersonatePrivilege | 1764 | AdvancedRun.exe
Token: SeDebugPrivilege | 3768 | ce5706f1a1dd859a8233397c2490680b.exe
Token: SeDebugPrivilege | 1728 | powershell.exe
Suspicious use of WriteProcessMemory (19 IoCs)
description | pid | Process | procid_target
PID 3768 wrote to memory of 1552 | 3768 | ce5706f1a1dd859a8233397c2490680b.exe | 91
PID 3768 wrote to memory of 1552 | 3768 | ce5706f1a1dd859a8233397c2490680b.exe | 91
PID 3768 wrote to memory of 1552 | 3768 | ce5706f1a1dd859a8233397c2490680b.exe | 91
PID 1552 wrote to memory of 1764 | 1552 | AdvancedRun.exe | 93
PID 1552 wrote to memory of 1764 | 1552 | AdvancedRun.exe | 93
PID 1552 wrote to memory of 1764 | 1552 | AdvancedRun.exe | 93
PID 3768 wrote to memory of 1728 | 3768 | ce5706f1a1dd859a8233397c2490680b.exe | 95
PID 3768 wrote to memory of 1728 | 3768 | ce5706f1a1dd859a8233397c2490680b.exe | 95
PID 3768 wrote to memory of 1728 | 3768 | ce5706f1a1dd859a8233397c2490680b.exe | 95
PID 3768 wrote to memory of 2632 | 3768 | ce5706f1a1dd859a8233397c2490680b.exe | 97
PID 3768 wrote to memory of 2632 | 3768 | ce5706f1a1dd859a8233397c2490680b.exe | 97
PID 3768 wrote to memory of 2632 | 3768 | ce5706f1a1dd859a8233397c2490680b.exe | 97
PID 3768 wrote to memory of 2632 | 3768 | ce5706f1a1dd859a8233397c2490680b.exe | 97
PID 3768 wrote to memory of 2632 | 3768 | ce5706f1a1dd859a8233397c2490680b.exe | 97
PID 3768 wrote to memory of 2632 | 3768 | ce5706f1a1dd859a8233397c2490680b.exe | 97
PID 3768 wrote to memory of 2632 | 3768 | ce5706f1a1dd859a8233397c2490680b.exe | 97
PID 3768 wrote to memory of 2632 | 3768 | ce5706f1a1dd859a8233397c2490680b.exe | 97
PID 3768 wrote to memory of 2632 | 3768 | ce5706f1a1dd859a8233397c2490680b.exe | 97
PID 3768 wrote to memory of 2632 | 3768 | ce5706f1a1dd859a8233397c2490680b.exe | 97
Processes
C:\Users\Admin\AppData\Local\Temp\ce5706f1a1dd859a8233397c2490680b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ce5706f1a1dd859a8233397c2490680b.exe"
  - Modifies Windows Defender Real-time Protection settings
  - Windows security bypass
  - Checks computer location settings
  - Windows security modification
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3768
    C:\Users\Admin\AppData\Local\Temp\c9a7e1db-9850-44ae-b4b3-1d0bcd5ddfe3\AdvancedRun.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\c9a7e1db-9850-44ae-b4b3-1d0bcd5ddfe3\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\c9a7e1db-9850-44ae-b4b3-1d0bcd5ddfe3\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1552
        C:\Users\Admin\AppData\Local\Temp\c9a7e1db-9850-44ae-b4b3-1d0bcd5ddfe3\AdvancedRun.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\c9a7e1db-9850-44ae-b4b3-1d0bcd5ddfe3\AdvancedRun.exe" /SpecialRun 4101d8 1552
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1764
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ce5706f1a1dd859a8233397c2490680b.exe" -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1728
    C:\Users\Admin\AppData\Local\Temp\ce5706f1a1dd859a8233397c2490680b.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ce5706f1a1dd859a8233397c2490680b.exe"
      PID: 2632
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 88KB
MD5: 17fc12902f4769af3a9271eb4e2dacce
SHA1: 9a4a1581cc3971579574f837e110f3bd6d529dab
SHA256: 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512: 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a