Analysis
- max time kernel: 146s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 09/09/2024, 15:45
Static task: static1
Behavioral task: behavioral1
- Sample: f61762b9fd51f8dbd09fd7bc96d7295ceaf49954ddb84b7c53aad2ff90fbb0c5.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: f61762b9fd51f8dbd09fd7bc96d7295ceaf49954ddb84b7c53aad2ff90fbb0c5.exe
- Resource: win10v2004-20240802-en
General
- Target: f61762b9fd51f8dbd09fd7bc96d7295ceaf49954ddb84b7c53aad2ff90fbb0c5.exe
- Size: 720KB
- MD5: cbca8b6ae0f8353c73ee5dd8cbb907fe
- SHA1: 8e49f89c46c95dbc7690e28015d9369ebfc39953
- SHA256: f61762b9fd51f8dbd09fd7bc96d7295ceaf49954ddb84b7c53aad2ff90fbb0c5
- SHA512: 5c3ec6ac35b83ffa77de61d82756fb673aa6c8c0211ec678afd8ad65f8cc2c88829bcbc28ee73a96b636f3dfa9d27f9c85da1a25a8ff96b194d59baee6005d0b
- SSDEEP: 6144:rCvboHsx8WG8JANsdrNGaCMwexm7I5DuoRKZ+pd2Lrf3vdqjNEYeWoTG:2vbp1Os9NGaCJexmE3pYfFWNEY6i
Malware Config
Signatures
Windows security bypass
Disables taskbar notifications via registry modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 043A6A5B00014973000C902AB4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 043A6A5B00014973000C902AB4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 043A6A5B00014973000C902AB4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 043A6A5B00014973000C902AB4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f61762b9fd51f8dbd09fd7bc96d7295ceaf49954ddb84b7c53aad2ff90fbb0c5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f61762b9fd51f8dbd09fd7bc96d7295ceaf49954ddb84b7c53aad2ff90fbb0c5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f61762b9fd51f8dbd09fd7bc96d7295ceaf49954ddb84b7c53aad2ff90fbb0c5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 043A6A5B00014973000C902AB4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f61762b9fd51f8dbd09fd7bc96d7295ceaf49954ddb84b7c53aad2ff90fbb0c5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f61762b9fd51f8dbd09fd7bc96d7295ceaf49954ddb84b7c53aad2ff90fbb0c5.exe
Deletes itself (1 IoC)
pid | Process
2840 | 043A6A5B00014973000C902AB4EB2331.exe
Executes dropped EXE (1 IoC)
pid | Process
2840 | 043A6A5B00014973000C902AB4EB2331.exe
Loads dropped DLL (2 IoCs)
pid | Process
2308 | f61762b9fd51f8dbd09fd7bc96d7295ceaf49954ddb84b7c53aad2ff90fbb0c5.exe
2308 | f61762b9fd51f8dbd09fd7bc96d7295ceaf49954ddb84b7c53aad2ff90fbb0c5.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc | 043A6A5B00014973000C902AB4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f61762b9fd51f8dbd09fd7bc96d7295ceaf49954ddb84b7c53aad2ff90fbb0c5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f61762b9fd51f8dbd09fd7bc96d7295ceaf49954ddb84b7c53aad2ff90fbb0c5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 043A6A5B00014973000C902AB4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 043A6A5B00014973000C902AB4EB2331.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc | 043A6A5B00014973000C902AB4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f61762b9fd51f8dbd09fd7bc96d7295ceaf49954ddb84b7c53aad2ff90fbb0c5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f61762b9fd51f8dbd09fd7bc96d7295ceaf49954ddb84b7c53aad2ff90fbb0c5.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc | f61762b9fd51f8dbd09fd7bc96d7295ceaf49954ddb84b7c53aad2ff90fbb0c5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 043A6A5B00014973000C902AB4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f61762b9fd51f8dbd09fd7bc96d7295ceaf49954ddb84b7c53aad2ff90fbb0c5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc | f61762b9fd51f8dbd09fd7bc96d7295ceaf49954ddb84b7c53aad2ff90fbb0c5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 043A6A5B00014973000C902AB4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 043A6A5B00014973000C902AB4EB2331.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\043A6A5B00014973000C902AB4EB2331 = "C:\\ProgramData\\043A6A5B00014973000C902AB4EB2331\\043A6A5B00014973000C902AB4EB2331.exe" | 043A6A5B00014973000C902AB4EB2331.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f61762b9fd51f8dbd09fd7bc96d7295ceaf49954ddb84b7c53aad2ff90fbb0c5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 043A6A5B00014973000C902AB4EB2331.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2308 | f61762b9fd51f8dbd09fd7bc96d7295ceaf49954ddb84b7c53aad2ff90fbb0c5.exe (7 entries)
2840 | 043A6A5B00014973000C902AB4EB2331.exe (the remaining 57 of the 64 entries)
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
2840 | 043A6A5B00014973000C902AB4EB2331.exe
2840 | 043A6A5B00014973000C902AB4EB2331.exe
Suspicious use of SendNotifyMessage (2 IoCs)
pid | Process
2840 | 043A6A5B00014973000C902AB4EB2331.exe
2840 | 043A6A5B00014973000C902AB4EB2331.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2840 | 043A6A5B00014973000C902AB4EB2331.exe
2840 | 043A6A5B00014973000C902AB4EB2331.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2308 wrote to memory of 2840 | 2308 | f61762b9fd51f8dbd09fd7bc96d7295ceaf49954ddb84b7c53aad2ff90fbb0c5.exe | 31
PID 2308 wrote to memory of 2840 | 2308 | f61762b9fd51f8dbd09fd7bc96d7295ceaf49954ddb84b7c53aad2ff90fbb0c5.exe | 31
PID 2308 wrote to memory of 2840 | 2308 | f61762b9fd51f8dbd09fd7bc96d7295ceaf49954ddb84b7c53aad2ff90fbb0c5.exe | 31
PID 2308 wrote to memory of 2840 | 2308 | f61762b9fd51f8dbd09fd7bc96d7295ceaf49954ddb84b7c53aad2ff90fbb0c5.exe | 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\f61762b9fd51f8dbd09fd7bc96d7295ceaf49954ddb84b7c53aad2ff90fbb0c5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f61762b9fd51f8dbd09fd7bc96d7295ceaf49954ddb84b7c53aad2ff90fbb0c5.exe"
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2308
2. C:\ProgramData\043A6A5B00014973000C902AB4EB2331\043A6A5B00014973000C902AB4EB2331.exe (child of process 1)
Command line: "C:\ProgramData\043A6A5B00014973000C902AB4EB2331\043A6A5B00014973000C902AB4EB2331.exe" "C:\Users\Admin\AppData\Local\Temp\f61762b9fd51f8dbd09fd7bc96d7295ceaf49954ddb84b7c53aad2ff90fbb0c5.exe"
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID: 2840
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 720KB
- MD5: cbca8b6ae0f8353c73ee5dd8cbb907fe
- SHA1: 8e49f89c46c95dbc7690e28015d9369ebfc39953
- SHA256: f61762b9fd51f8dbd09fd7bc96d7295ceaf49954ddb84b7c53aad2ff90fbb0c5
- SHA512: 5c3ec6ac35b83ffa77de61d82756fb673aa6c8c0211ec678afd8ad65f8cc2c88829bcbc28ee73a96b636f3dfa9d27f9c85da1a25a8ff96b194d59baee6005d0b