99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
30-04-2024 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe
Size

84KB
MD5

36010b83bccfcd1032971df9fc5082a1
SHA1

9967b83065e3ad82cd6c0c3b02cf08ab707fde3e
SHA256

99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98
SHA512

c8008923315d86c06b57e47d9bf81cec47cda0dec6d9f8aa57d7b4c57c7138997486a6f60eb0015bc99755afeb3d943bc8d9ba83dbb8c9219fa4990296de1def
SSDEEP

1536:gEKh/S0Fmav8242worjs0nGxMvrEl3/AEHK:bKlWOpsG8MviYEHK

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	35939275.exe

Windows security bypass 2 TTPs 18 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	2267118592.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	2267118592.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	35939275.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	2267118592.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	35939275.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	35939275.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	35939275.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	35939275.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	35939275.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	2267118592.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	2267118592.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	2267118592.exe

Executes dropped EXE 8 IoCs

pid	Process
1500	3255827022.exe
2820	2267118592.exe
2732	1221527581.exe
3432	3494219103.exe
1400	1947110164.exe
1252	35939275.exe
4120	2886016357.exe
3252	134527826.exe

Windows security modification 2 TTPs 21 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	2267118592.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	35939275.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	35939275.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	35939275.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	2267118592.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	2267118592.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	35939275.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	35939275.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	2267118592.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	2267118592.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	2267118592.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	35939275.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	35939275.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	2267118592.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1856190483-1022094809-400023910-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Users\\Admin\\winploravr.exe"	2267118592.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysvratrel.exe"	99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1856190483-1022094809-400023910-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysvratrel.exe"	99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Windows\\winploravr.exe"	2267118592.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winploravr.exe	2267118592.exe
File created	C:\Windows\sysvratrel.exe	35939275.exe
File created	C:\Windows\sysvratrel.exe	99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe
File opened for modification	C:\Windows\sysvratrel.exe	99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe
File created	C:\Windows\winploravr.exe	2267118592.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 1500	4624	99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe	80
PID 4624 wrote to memory of 1500	4624	99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe	80
PID 4624 wrote to memory of 1500	4624	99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe	80
PID 4624 wrote to memory of 2820	4624	99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe	81
PID 4624 wrote to memory of 2820	4624	99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe	81
PID 4624 wrote to memory of 2820	4624	99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe	81
PID 2820 wrote to memory of 2732	2820	2267118592.exe	82
PID 2820 wrote to memory of 2732	2820	2267118592.exe	82
PID 2820 wrote to memory of 2732	2820	2267118592.exe	82
PID 2820 wrote to memory of 3432	2820	2267118592.exe	83
PID 2820 wrote to memory of 3432	2820	2267118592.exe	83
PID 2820 wrote to memory of 3432	2820	2267118592.exe	83
PID 2820 wrote to memory of 1400	2820	2267118592.exe	84
PID 2820 wrote to memory of 1400	2820	2267118592.exe	84
PID 2820 wrote to memory of 1400	2820	2267118592.exe	84
PID 4624 wrote to memory of 1252	4624	99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe	85
PID 4624 wrote to memory of 1252	4624	99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe	85
PID 4624 wrote to memory of 1252	4624	99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe	85
PID 1252 wrote to memory of 4120	1252	35939275.exe	86
PID 1252 wrote to memory of 4120	1252	35939275.exe	86
PID 1252 wrote to memory of 4120	1252	35939275.exe	86
PID 1252 wrote to memory of 3252	1252	35939275.exe	87
PID 1252 wrote to memory of 3252	1252	35939275.exe	87
PID 1252 wrote to memory of 3252	1252	35939275.exe	87

C:\Users\Admin\AppData\Local\Temp\99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe
"C:\Users\Admin\AppData\Local\Temp\99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98.exe"
1⤵
- Modifies security service
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Users\Admin\AppData\Local\Temp\3255827022.exe
  C:\Users\Admin\AppData\Local\Temp\3255827022.exe
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Users\Admin\AppData\Local\Temp\2267118592.exe
  C:\Users\Admin\AppData\Local\Temp\2267118592.exe
  2⤵
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\1221527581.exe
    C:\Users\Admin\AppData\Local\Temp\1221527581.exe
    3⤵
    - Executes dropped EXE
    PID:2732
- - C:\Users\Admin\AppData\Local\Temp\3494219103.exe
    C:\Users\Admin\AppData\Local\Temp\3494219103.exe
    3⤵
    - Executes dropped EXE
    PID:3432
- - C:\Users\Admin\AppData\Local\Temp\1947110164.exe
    C:\Users\Admin\AppData\Local\Temp\1947110164.exe
    3⤵
    - Executes dropped EXE
    PID:1400
- C:\Users\Admin\AppData\Local\Temp\35939275.exe
  C:\Users\Admin\AppData\Local\Temp\35939275.exe
  2⤵
  - Modifies security service
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Users\Admin\AppData\Local\Temp\2886016357.exe
    C:\Users\Admin\AppData\Local\Temp\2886016357.exe
    3⤵
    - Executes dropped EXE
    PID:4120
- - C:\Users\Admin\AppData\Local\Temp\134527826.exe
    C:\Users\Admin\AppData\Local\Temp\134527826.exe
    3⤵
    - Executes dropped EXE
    PID:3252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BL9RX89A\1[1]

Filesize
84KB

MD5
89c0c137e9eee59dc9291038eee50b4f

SHA1
7247e7c45b16eb1289857208de596b4854385077

SHA256
3c692532b72c68c1cd92374fc28b54afd0b27db1eabd7785c6a0e5b1e92b59c9

SHA512
58333e58f1e1f360fdb6d3e7dc96fa2b2fff705cf5d7f0c51a732f83904d39c09dca0b2eba94cf752bb8fad2b1750baca3554af6d022d6cc2b51ebca11e05af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1163731809.exe

Filesize
80KB

MD5
2ff2bb06682812eeb76628bfbe817fbb

SHA1
18e86614d0f4904e1fe97198ccda34b25aab7dae

SHA256
985da56fb594bf65d8bb993e8e37cd6e78535da6c834945068040faf67e91e7d

SHA512
5cd3b5a1e16202893b08c0ae70d3bcd9e7a49197ebf1ded08e01395202022b3b6c2d8837196ef0415fea6497d928b44e03544b934f8e062ddbb6c6f79fb6f440

Download Submit
C:\Users\Admin\AppData\Local\Temp\1221527581.exe

Filesize
84KB

MD5
36010b83bccfcd1032971df9fc5082a1

SHA1
9967b83065e3ad82cd6c0c3b02cf08ab707fde3e

SHA256
99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98

SHA512
c8008923315d86c06b57e47d9bf81cec47cda0dec6d9f8aa57d7b4c57c7138997486a6f60eb0015bc99755afeb3d943bc8d9ba83dbb8c9219fa4990296de1def

Download Submit
C:\Users\Admin\AppData\Local\Temp\134527826.exe

Filesize
14KB

MD5
a3e6eeac83cb1fe25e107176b20cfac3

SHA1
944177d2faf1d8082b61d04aa9892d4390d4e515

SHA256
bda7446502602c2ad20d9f0ca1d1031b993c2adcb12773d0ad85611354ea8964

SHA512
d0777594941613f7a26708250d4bad6ae4e9335a8c159c6f1b629c6e29a6ae812cfc6fed014182b081961c0c8c59fc55a15d03a939c97cb7c4c1ecdf57555461

Download Submit
C:\Users\Admin\AppData\Local\Temp\2267118592.exe

Filesize
14KB

MD5
d085f41fe497a63dc2a4882b485a2caf

SHA1
9dc111412129833495f19d7b8a5500cf7284ad68

SHA256
fb11b4e2d26812e26ea7428f3b0b9bb8a16814188250fa60697c7aec40a49bd0

SHA512
ed4d8e297094248fb536154ed0427f4cc1832f339ce29d0f782971ede42fa2b9e5f953f73e71d0cfc026e5fd2ec0f7062410af359fd940a14f277adca37fc106

Download Submit
C:\Users\Admin\AppData\Local\Temp\3255827022.exe

Filesize
84KB

MD5
cd1d9c0ed8763e6bb3ee7efb133dc60e

SHA1
f6f3bea085ba7c13a2956fc0810c2034792f2ddf

SHA256
19ee79b7852c54de5883404f049f9e85cb0085bae8132ada3e46d6f75b24b100

SHA512
77b675fdbfc11bff45e2438cb1bd73b7fbfa03771c600e37171f684141c82f356e392ba2694285390aedbb3ecd3306a3c0f8687d0a1940d8d44cae3a7fc41591

Download Submit
C:\Users\Admin\AppData\Local\Temp\3494219103.exe

Filesize
7KB

MD5
2ab59125912f1b9c7372f91b731c8078

SHA1
9bc6425022f0a76c83a1d8209892dfbdaf8e8036

SHA256
f9683cc6906a3b454dd3f334a86fa9afadc49ce58d823c5374bee8f0cf00b1a8

SHA512
69c418aca3b75c5d79948188c93495557f57d41e424c701a7ae702e37f1f5f77f6c5880b52ea8292ee73b5693a9aaab3cd5a520af0d3ba1067c6fe81d54e0863

Download Submit
C:\Users\Admin\tbtcmds.dat

Filesize
287B

MD5
93a7c76792159d8a669e4c69d72a1128

SHA1
17d9aa3af86de27ee4885e9eb4199c15e2729d42

SHA256
b73c6373500c17b27b0fb0e52c81d44010bc00aecfcf39235d72a7ca3e035806

SHA512
45e18936e7118178bacf73008a81841034b2efe4b75185468f1c624d1f996a2477e2ea891d5aba39497b71b575e20c183787a00730995992c22bc208026fe6ab

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
f8b3d71af9f22e631e513d4b60c7c42c

SHA1
e608f3d1544448531b428c5c97f77f0e7c83946b

SHA256
b4fc027b8fbf1e94632339d64cbf1e19a13923187ebf2ddeb61e4cdf494560fc

SHA512
a5d296f41402ba7afc46890eb3132e2164b70e75cc86c331a462725b8f26ad1fca7763f23453bb3446436761ea739b39ce8a2b5e0c133fcf5b22dce56af1d9ab

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads