876d5a0ef1d614da558feacb146d4418973925ede951f514538dd4ffd15cabce

Analysis

max time kernel
6s
max time network
9s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-04-2024 16:59

Sharing

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-24T16:59:50Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win7-20240221-en/instance_28-dirty.qcow2\"}"

Report Analysis Logs

General

Target

Internet Explorer 12.exe
Size

220KB
MD5

2002b30f06c2bbdf6a7905515f8d32dc
SHA1

60741e53d90b4f31f963ed81b4596c45e7d1b3af
SHA256

876d5a0ef1d614da558feacb146d4418973925ede951f514538dd4ffd15cabce
SHA512

c7859f59b3b3b51da67794afc064371fc9f60818d5b8363b61061cb5a1e64fb04b2e2e8050cd6a7d67a4bb396bc12fa2a278579b1814e696d990735da384fafe
SSDEEP

1536:N7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfVwgjSZkKvnoHfhb:Z7DhdC6kzWypvaQ0FxyNTBfV3j7b

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

shutdown.exe

description pid process

Token: SeShutdownPrivilege 2556 shutdown.exe
Token: SeRemoteShutdownPrivilege 2556 shutdown.exe

description	pid	process
Token: SeShutdownPrivilege	2556	shutdown.exe
Token: SeRemoteShutdownPrivilege	2556	shutdown.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Internet Explorer 12.execmd.exe

description	pid	process	target process
PID 2036 wrote to memory of 3060	2036	Internet Explorer 12.exe	cmd.exe
PID 2036 wrote to memory of 3060	2036	Internet Explorer 12.exe	cmd.exe
PID 2036 wrote to memory of 3060	2036	Internet Explorer 12.exe	cmd.exe
PID 2036 wrote to memory of 3060	2036	Internet Explorer 12.exe	cmd.exe
PID 3060 wrote to memory of 2992	3060	cmd.exe	reg.exe
PID 3060 wrote to memory of 2992	3060	cmd.exe	reg.exe
PID 3060 wrote to memory of 2992	3060	cmd.exe	reg.exe
PID 3060 wrote to memory of 3024	3060	cmd.exe	reg.exe
PID 3060 wrote to memory of 3024	3060	cmd.exe	reg.exe
PID 3060 wrote to memory of 3024	3060	cmd.exe	reg.exe
PID 3060 wrote to memory of 2556	3060	cmd.exe	shutdown.exe
PID 3060 wrote to memory of 2556	3060	cmd.exe	shutdown.exe
PID 3060 wrote to memory of 2556	3060	cmd.exe	shutdown.exe

C:\Users\Admin\AppData\Local\Temp\Internet Explorer 12.exe
"C:\Users\Admin\AppData\Local\Temp\Internet Explorer 12.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\14D8.tmp\14D9.tmp\14DA.bat "C:\Users\Admin\AppData\Local\Temp\Internet Explorer 12.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
3⤵
PID:2992

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
3⤵
- Modifies Windows Defender Real-time Protection settings
PID:3024

C:\Windows\system32\shutdown.exe
shutdown /r /f /t 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2640

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\14D8.tmp\14D9.tmp\14DA.bat

Filesize
487B

MD5
54a5c8660d3fea6134e80c2a24588dbb

SHA1
348ab739f3ace57a0b2cc083827027d7d4980670

SHA256
bc9e2f77ec56979805d62d66692c8b6719fdf7c25dc891838d8c29e56303f667

SHA512
56223fbea25c6e16a715b9299966be4bc9a744910b9ae37c9b4dd17b230f51e1ab8a88711a66458d9663cc7a5c8f5e92eea25bc52d3b946f108949defaeb9b70

Download Submit
memory/2584-3-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/2640-2-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads