f147c417bbf4f8fd3bd5745710bbc3bebde61af81323443fe918673830389bc3

General

Target

f147c417bbf4f8fd3bd5745710bbc3bebde61af81323443fe918673830389bc3.exe
Size

62KB
MD5

b21ab710ce4e60b33dcd3bdb128c8818
SHA1

3b7ba2407fa8b0f6efe28b1f94862a19395433bf
SHA256

f147c417bbf4f8fd3bd5745710bbc3bebde61af81323443fe918673830389bc3
SHA512

694c5216fb5f590cd5544fcbba6c3374b97254ce68c51316ac2eebd32192228222be52018fb6b51c20d1c20dbf20e5bf65a92955436940e61de68ee1a45f5547
SSDEEP

768:iaG6Z0e6xt0HFeDTmAE1paSfU4Z+Klg51FlJK1VY3iIrJlKxVo4ttWLAZn:iaG6Ct0iER9+KiDJAY3iIF8ro47WLy

Score

10^/10

evasion execution trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f147c417bbf4f8fd3bd5745710bbc3bebde61af81323443fe918673830389bc3.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2148	powershell.exe
2844	powershell.exe
2268	powershell.exe
2300	powershell.exe
2800	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2300	powershell.exe
2800	powershell.exe
2148	powershell.exe
2844	powershell.exe
2268	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2464	f147c417bbf4f8fd3bd5745710bbc3bebde61af81323443fe918673830389bc3.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2300	2464	f147c417bbf4f8fd3bd5745710bbc3bebde61af81323443fe918673830389bc3.exe	32
PID 2464 wrote to memory of 2300	2464	f147c417bbf4f8fd3bd5745710bbc3bebde61af81323443fe918673830389bc3.exe	32
PID 2464 wrote to memory of 2300	2464	f147c417bbf4f8fd3bd5745710bbc3bebde61af81323443fe918673830389bc3.exe	32
PID 2464 wrote to memory of 2800	2464	f147c417bbf4f8fd3bd5745710bbc3bebde61af81323443fe918673830389bc3.exe	34
PID 2464 wrote to memory of 2800	2464	f147c417bbf4f8fd3bd5745710bbc3bebde61af81323443fe918673830389bc3.exe	34
PID 2464 wrote to memory of 2800	2464	f147c417bbf4f8fd3bd5745710bbc3bebde61af81323443fe918673830389bc3.exe	34
PID 2464 wrote to memory of 2148	2464	f147c417bbf4f8fd3bd5745710bbc3bebde61af81323443fe918673830389bc3.exe	36
PID 2464 wrote to memory of 2148	2464	f147c417bbf4f8fd3bd5745710bbc3bebde61af81323443fe918673830389bc3.exe	36
PID 2464 wrote to memory of 2148	2464	f147c417bbf4f8fd3bd5745710bbc3bebde61af81323443fe918673830389bc3.exe	36
PID 2464 wrote to memory of 2844	2464	f147c417bbf4f8fd3bd5745710bbc3bebde61af81323443fe918673830389bc3.exe	38
PID 2464 wrote to memory of 2844	2464	f147c417bbf4f8fd3bd5745710bbc3bebde61af81323443fe918673830389bc3.exe	38
PID 2464 wrote to memory of 2844	2464	f147c417bbf4f8fd3bd5745710bbc3bebde61af81323443fe918673830389bc3.exe	38
PID 2464 wrote to memory of 2268	2464	f147c417bbf4f8fd3bd5745710bbc3bebde61af81323443fe918673830389bc3.exe	40
PID 2464 wrote to memory of 2268	2464	f147c417bbf4f8fd3bd5745710bbc3bebde61af81323443fe918673830389bc3.exe	40
PID 2464 wrote to memory of 2268	2464	f147c417bbf4f8fd3bd5745710bbc3bebde61af81323443fe918673830389bc3.exe	40

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f147c417bbf4f8fd3bd5745710bbc3bebde61af81323443fe918673830389bc3.exe

C:\Users\Admin\AppData\Local\Temp\f147c417bbf4f8fd3bd5745710bbc3bebde61af81323443fe918673830389bc3.exe
"C:\Users\Admin\AppData\Local\Temp\f147c417bbf4f8fd3bd5745710bbc3bebde61af81323443fe918673830389bc3.exe"
1⤵
- UAC bypass
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionExtension ".tmp""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionProcess "svchost.exe""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "D:\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionProcess "RuntimeBroker.exe""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
763a4c483e90f2c8564a0415f77ecb4b

SHA1
d8a6784b51b358d305b3ca6172e7de8eab8312d6

SHA256
77fe24cfa698a4119aea60062a400fdb9e89243768b80539182899df2169d41f

SHA512
d3fd3898c36e5ee27abde787c088dc7273aba60b0cb3c28b56984d41d39dff4ac089e86c49b18f143dba4eab9b5c30555e57e50a4faa12135aa83a53cc9d0b1d

Download Submit
memory/2300-13-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2300-12-0x000007FEEE0B0000-0x000007FEEEA4D000-memory.dmp

Filesize
9.6MB

Download
memory/2300-17-0x000007FEEE0B0000-0x000007FEEEA4D000-memory.dmp

Filesize
9.6MB

Download
memory/2300-9-0x000007FEEE36E000-0x000007FEEE36F000-memory.dmp

Filesize
4KB

Download
memory/2300-11-0x000007FEEE0B0000-0x000007FEEEA4D000-memory.dmp

Filesize
9.6MB

Download
memory/2300-10-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2300-14-0x000007FEEE0B0000-0x000007FEEEA4D000-memory.dmp

Filesize
9.6MB

Download
memory/2300-15-0x000007FEEE0B0000-0x000007FEEEA4D000-memory.dmp

Filesize
9.6MB

Download
memory/2300-16-0x000007FEEE0B0000-0x000007FEEEA4D000-memory.dmp

Filesize
9.6MB

Download
memory/2464-3-0x0000000000880000-0x0000000000886000-memory.dmp

Filesize
24KB

Download
memory/2464-0-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp

Filesize
4KB

Download
memory/2464-4-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/2464-2-0x0000000000850000-0x0000000000868000-memory.dmp

Filesize
96KB

Download
memory/2464-1-0x000000013F240000-0x000000013F254000-memory.dmp

Filesize
80KB

Download
memory/2464-41-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/2464-42-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp

Filesize
4KB

Download
memory/2464-43-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/2800-23-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2800-24-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads