Analysis
-
max time kernel
103s -
max time network
113s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
22/03/2025, 06:10
General
-
Target
4809a98c25f0a7be709206691dd2a0ee.exe
-
Size
54KB
-
MD5
4809a98c25f0a7be709206691dd2a0ee
-
SHA1
83d5c6c56b101dbbff6c7e6a9abdc77270e460a1
-
SHA256
92d6bd28467aeb15829e676d32c09f5981baf3845ebaf7f69da9741c372b1cda
-
SHA512
85147c8b32df54d542f9e510226f8874f1aa5bc03e4bdc9a195a156fd92630a7ee10b15c18068244817ed5251a5bcbe5c8b52368753a389fcda7af1deacac75b
-
SSDEEP
1536:FOpwLVcvsG+yiZodvTlhJX3eye5IybOCoDGbfY:F4wLyvky6opTTt33MSN6rY
Malware Config
Signatures
-
Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 9 IoCs
-
Modifies Windows Defender notification settings 3 TTPs 2 IoCs
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Modifies security service 2 TTPs 2 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Identifies Xen via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Modifies Security services 2 TTPs 1 IoCs
Modifies the startup behavior of a security service.
-
Drops file in Windows directory 1 IoCs
-
Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 1 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4809a98c25f0a7be709206691dd2a0ee.exe"C:\Users\Admin\AppData\Local\Temp\4809a98c25f0a7be709206691dd2a0ee.exe"1⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender notification settings
- Modifies firewall policy service
- Modifies security service
- UAC bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Xen via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Drops startup file
- Checks whether UAC is enabled
- Modifies Security services
- Drops file in Windows directory
- Event Triggered Execution: Netsh Helper DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\4809a98c25f0a7be709206691dd2a0ee.exe' -Force -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\4809a98c25f0a7be709206691dd2a0ee.exe' -Force -ErrorAction SilentlyContinue"2⤵
- Deletes itself
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
5Windows Service
5Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
5Windows Service
5Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
1Ignore Process Interrupts
1Impair Defenses
7Disable or Modify System Firewall
1Disable or Modify Tools
5Indicator Removal
1File Deletion
1Modify Registry
9Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
64B
MD569820ea3c8e40491e92a3656ff30e4c6
SHA18a7e740802735521a5173b1e1c0a246d5fb7a23b
SHA25620e44ef4a9d6b5422281f4102efb0f1c00c3da9f34d14409a507d35a7da542e8
SHA5126b654ae234995197d00f096896732739f00503b33464c931a8f1697aa99708dd07a035b2a1eb33d55cb339fe61496fccedaec7b1062cb1be1ad9c87753762ae6
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
80KB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB