cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d

General

Target

cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe
Size

3.2MB
MD5

6f2b9a4c2e69d96b0f275d22060fb904
SHA1

d79b1a0b9deec643eb821a38702c8a5d605e0b6d
SHA256

cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d
SHA512

4d7cf4153152856a08bfd73fdc5e964ee57383b9e7d58169c576ed216b3adca0d85c650235e6f955817f9c0de21bd61f232c2e2b019d4b84d726687e406771b9
SSDEEP

98304:5Y8WV9nEF+oi9oYGVo7SROk/BznpU6jcja4Q2B:5YRVu9i9oYGvOkV+wc

Score

10^/10

evasion execution trojan

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3564	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1460	cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe
1460	cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe
1460	cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe
1460	cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 4496	1460	cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe	81
PID 1460 wrote to memory of 4496	1460	cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe	81
PID 1460 wrote to memory of 4928	1460	cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe	85
PID 1460 wrote to memory of 4928	1460	cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe	85
PID 1460 wrote to memory of 4928	1460	cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe	85
PID 1460 wrote to memory of 3564	1460	cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe	86
PID 1460 wrote to memory of 3564	1460	cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe	86
PID 1460 wrote to memory of 3564	1460	cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe	86
PID 4928 wrote to memory of 4880	4928	net.exe	89
PID 4928 wrote to memory of 4880	4928	net.exe	89
PID 4928 wrote to memory of 4880	4928	net.exe	89

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe

C:\Users\Admin\AppData\Local\Temp\cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe
"C:\Users\Admin\AppData\Local\Temp\cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1460
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4496
- C:\Windows\SysWOW64\net.exe
  net stop WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop WinDefend
    3⤵
    PID:4880
- C:\Windows\SysWOW64\sc.exe
  sc delete WinDefend
  2⤵
  - Launches sc.exe
  PID:3564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1460-0-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1460-1-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/1460-3-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1460-4-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/1460-5-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/1460-7-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads