Analysis
-
max time kernel
118s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
05-08-2024 22:38
Static task
static1
Behavioral task
behavioral1
Sample
19603fe7829efa24905b5926cdc82c60N.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
19603fe7829efa24905b5926cdc82c60N.exe
Resource
win10v2004-20240802-en
General
-
Target
19603fe7829efa24905b5926cdc82c60N.exe
-
Size
266KB
-
MD5
19603fe7829efa24905b5926cdc82c60
-
SHA1
d06f14588249f71ba6c2ffc91f6c936080c4d7e4
-
SHA256
7618ba68a3427461f3df54bfcbaf7d23b45827ee59bccf9c6ca7f3f4f6881079
-
SHA512
94f3d1e424d7e539e13b4ee12263b3d2a56a9221e9b6b81328585758d4581fcde995c6d7df07f409d8f627ee92c9eda343c5d95999f173fc5d2974d800f12e32
-
SSDEEP
3072:WdvzDqxs8ORikgogWfiuRXd3YmSffdTKXNXANewGBvskX1pWA/e:WFzDqa86hV6uRRqX1evPlwAm
Malware Config
Signatures
-
Contains code to disable Windows Defender 5 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral1/memory/2464-34-0x0000000000400000-0x0000000000430000-memory.dmp disable_win_def behavioral1/memory/2464-35-0x0000000000400000-0x0000000000430000-memory.dmp disable_win_def behavioral1/memory/2464-31-0x0000000000400000-0x0000000000430000-memory.dmp disable_win_def behavioral1/memory/2464-29-0x0000000000400000-0x0000000000430000-memory.dmp disable_win_def behavioral1/memory/2464-36-0x0000000000400000-0x0000000000430000-memory.dmp disable_win_def -
Executes dropped EXE 1 IoCs
pid Process 2472 HiPatchService.exe -
Loads dropped DLL 1 IoCs
pid Process 1916 19603fe7829efa24905b5926cdc82c60N.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HiPatch = "C:\\Users\\Admin\\AppData\\Roaming\\HiPatch\\HiPatchService.exe" 19603fe7829efa24905b5926cdc82c60N.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2472 set thread context of 2464 2472 HiPatchService.exe 34 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 19603fe7829efa24905b5926cdc82c60N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HiPatchService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 2464 RegAsm.exe 2464 RegAsm.exe 2464 RegAsm.exe 2464 RegAsm.exe 2464 RegAsm.exe 2464 RegAsm.exe 2464 RegAsm.exe 2464 RegAsm.exe 2464 RegAsm.exe 2464 RegAsm.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 1916 wrote to memory of 2472 1916 19603fe7829efa24905b5926cdc82c60N.exe 31 PID 1916 wrote to memory of 2472 1916 19603fe7829efa24905b5926cdc82c60N.exe 31 PID 1916 wrote to memory of 2472 1916 19603fe7829efa24905b5926cdc82c60N.exe 31 PID 1916 wrote to memory of 2472 1916 19603fe7829efa24905b5926cdc82c60N.exe 31 PID 1916 wrote to memory of 2472 1916 19603fe7829efa24905b5926cdc82c60N.exe 31 PID 1916 wrote to memory of 2472 1916 19603fe7829efa24905b5926cdc82c60N.exe 31 PID 1916 wrote to memory of 2472 1916 19603fe7829efa24905b5926cdc82c60N.exe 31 PID 1916 wrote to memory of 2860 1916 19603fe7829efa24905b5926cdc82c60N.exe 32 PID 1916 wrote to memory of 2860 1916 19603fe7829efa24905b5926cdc82c60N.exe 32 PID 1916 wrote to memory of 2860 1916 19603fe7829efa24905b5926cdc82c60N.exe 32 PID 1916 wrote to memory of 2860 1916 19603fe7829efa24905b5926cdc82c60N.exe 32 PID 1916 wrote to memory of 2860 1916 19603fe7829efa24905b5926cdc82c60N.exe 32 PID 1916 wrote to memory of 2860 1916 19603fe7829efa24905b5926cdc82c60N.exe 32 PID 1916 wrote to memory of 2860 1916 19603fe7829efa24905b5926cdc82c60N.exe 32 PID 2472 wrote to memory of 2464 2472 HiPatchService.exe 34 PID 2472 wrote to memory of 2464 2472 HiPatchService.exe 34 PID 2472 wrote to memory of 2464 2472 HiPatchService.exe 34 PID 2472 wrote to memory of 2464 2472 HiPatchService.exe 34 PID 2472 wrote to memory of 2464 2472 HiPatchService.exe 34 PID 2472 wrote to memory of 2464 2472 HiPatchService.exe 34 PID 2472 wrote to memory of 2464 2472 HiPatchService.exe 34 PID 2472 wrote to memory of 2464 2472 HiPatchService.exe 34 PID 2472 wrote to memory of 2464 2472 HiPatchService.exe 34 PID 2472 wrote to memory of 2464 2472 HiPatchService.exe 34 PID 2472 wrote to memory of 2464 2472 HiPatchService.exe 34 PID 2472 wrote to memory of 2464 2472 HiPatchService.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\19603fe7829efa24905b5926cdc82c60N.exe"C:\Users\Admin\AppData\Local\Temp\19603fe7829efa24905b5926cdc82c60N.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe"C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2464
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.bat""2⤵
- System Location Discovery: System Language Discovery
PID:2860
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:3016
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
213B
MD50955cb4b691d44b37f8b6fad48a33b8e
SHA19dae759ae014cc124ab6eed7c8035788c124ae4a
SHA2569092dbb1ca1767d1966b7f79349dd95a802a68248251bf070c0f1d74d5681d71
SHA51208b868a028c1e8d29ed643416850df16f58d44668f9193b46bd3934965e5617a0a4015fc52815c5456023dbde01023450d295b76d936a936f26b602e764b0235
-
Filesize
266KB
MD5105fd56a595e06da62cded9ba58af747
SHA12248dea53fee4b5f1fcb32a73095d0cd42d606a2
SHA2568e4018f22eacc5e5912f537230d7fac4df1c942936ffeb5bd5ff15b73e38e7df
SHA5123d8b95bc1d8585a94dec383fb5353f0439c393f33ef6a0d8943f6744a4ff7a83d4edd3c75be37e57284b05959652e877b7958a560b97066d98ac1027b546cd18