Analysis
-
max time kernel
119s -
max time network
29s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
15-07-2024 13:00
Static task
static1
Behavioral task
behavioral1
Sample
df122e354805f285fd22e12b164a4da0N.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
df122e354805f285fd22e12b164a4da0N.exe
Resource
win10v2004-20240709-en
General
-
Target
df122e354805f285fd22e12b164a4da0N.exe
-
Size
266KB
-
MD5
df122e354805f285fd22e12b164a4da0
-
SHA1
ee3d63367b20698b0aff5c51abacf67c9cc6b2f8
-
SHA256
8a3690702482665cca5b9dfe9ad57fb5809942007425cd1b1e0cd8edf977f225
-
SHA512
a403ef15dc400097373755738a8ed2d9f3971b5babfebadf0dd6c4055a3b943f1b769f0f2e7c324c42606b3236d3d668f0facc6f894ba888940310f1305d9b87
-
SSDEEP
3072:WdvzDqxs8ORikgogWfiuRXd3YmSffdTKXNXANewGBvskX1pWA/sr:WFzDqa86hV6uRRqX1evPlwAEr
Malware Config
Signatures
-
Contains code to disable Windows Defender 5 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral1/memory/2688-36-0x0000000000400000-0x0000000000430000-memory.dmp disable_win_def behavioral1/memory/2688-34-0x0000000000400000-0x0000000000430000-memory.dmp disable_win_def behavioral1/memory/2688-29-0x0000000000400000-0x0000000000430000-memory.dmp disable_win_def behavioral1/memory/2688-35-0x0000000000400000-0x0000000000430000-memory.dmp disable_win_def behavioral1/memory/2688-31-0x0000000000400000-0x0000000000430000-memory.dmp disable_win_def -
Executes dropped EXE 1 IoCs
pid Process 2848 HiPatchService.exe -
Loads dropped DLL 1 IoCs
pid Process 2304 df122e354805f285fd22e12b164a4da0N.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\HiPatch = "C:\\Users\\Admin\\AppData\\Roaming\\HiPatch\\HiPatchService.exe" df122e354805f285fd22e12b164a4da0N.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2848 set thread context of 2688 2848 HiPatchService.exe 32 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 2688 RegAsm.exe 2688 RegAsm.exe 2688 RegAsm.exe 2688 RegAsm.exe 2688 RegAsm.exe 2688 RegAsm.exe 2688 RegAsm.exe 2688 RegAsm.exe 2688 RegAsm.exe 2688 RegAsm.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 2304 wrote to memory of 2848 2304 df122e354805f285fd22e12b164a4da0N.exe 29 PID 2304 wrote to memory of 2848 2304 df122e354805f285fd22e12b164a4da0N.exe 29 PID 2304 wrote to memory of 2848 2304 df122e354805f285fd22e12b164a4da0N.exe 29 PID 2304 wrote to memory of 2848 2304 df122e354805f285fd22e12b164a4da0N.exe 29 PID 2304 wrote to memory of 2848 2304 df122e354805f285fd22e12b164a4da0N.exe 29 PID 2304 wrote to memory of 2848 2304 df122e354805f285fd22e12b164a4da0N.exe 29 PID 2304 wrote to memory of 2848 2304 df122e354805f285fd22e12b164a4da0N.exe 29 PID 2304 wrote to memory of 3044 2304 df122e354805f285fd22e12b164a4da0N.exe 30 PID 2304 wrote to memory of 3044 2304 df122e354805f285fd22e12b164a4da0N.exe 30 PID 2304 wrote to memory of 3044 2304 df122e354805f285fd22e12b164a4da0N.exe 30 PID 2304 wrote to memory of 3044 2304 df122e354805f285fd22e12b164a4da0N.exe 30 PID 2304 wrote to memory of 3044 2304 df122e354805f285fd22e12b164a4da0N.exe 30 PID 2304 wrote to memory of 3044 2304 df122e354805f285fd22e12b164a4da0N.exe 30 PID 2304 wrote to memory of 3044 2304 df122e354805f285fd22e12b164a4da0N.exe 30 PID 2848 wrote to memory of 2688 2848 HiPatchService.exe 32 PID 2848 wrote to memory of 2688 2848 HiPatchService.exe 32 PID 2848 wrote to memory of 2688 2848 HiPatchService.exe 32 PID 2848 wrote to memory of 2688 2848 HiPatchService.exe 32 PID 2848 wrote to memory of 2688 2848 HiPatchService.exe 32 PID 2848 wrote to memory of 2688 2848 HiPatchService.exe 32 PID 2848 wrote to memory of 2688 2848 HiPatchService.exe 32 PID 2848 wrote to memory of 2688 2848 HiPatchService.exe 32 PID 2848 wrote to memory of 2688 2848 HiPatchService.exe 32 PID 2848 wrote to memory of 2688 2848 HiPatchService.exe 32 PID 2848 wrote to memory of 2688 2848 HiPatchService.exe 32 PID 2848 wrote to memory of 2688 2848 HiPatchService.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\df122e354805f285fd22e12b164a4da0N.exe"C:\Users\Admin\AppData\Local\Temp\df122e354805f285fd22e12b164a4da0N.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe"C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2688
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.bat""2⤵PID:3044
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:1052
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
213B
MD50955cb4b691d44b37f8b6fad48a33b8e
SHA19dae759ae014cc124ab6eed7c8035788c124ae4a
SHA2569092dbb1ca1767d1966b7f79349dd95a802a68248251bf070c0f1d74d5681d71
SHA51208b868a028c1e8d29ed643416850df16f58d44668f9193b46bd3934965e5617a0a4015fc52815c5456023dbde01023450d295b76d936a936f26b602e764b0235
-
Filesize
266KB
MD5991bbcde78b1e356baccd0ab8f6a8996
SHA1050a8672d666c1fb942c95efd95c06dbaf25aa86
SHA256012caa3545c570ec9796315c025e95d2cfdf4c236fb12009ead88effce01f436
SHA512e5b78ee6568998d78abf52551f80d4d7d55dd8a6199c2cc5a7c8e2fbaf9af1fb011641ab28272300aee6f7b6b3672381da65b8387f59e5210d80d67811a36723