Analysis
- max time kernel: 9s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 02:09
Static task: static1
Behavioral task: behavioral1
- Sample: becf832ddc730f55b034b135640ba2149334c29eca1291509d64c35bcf2a6ce9.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: becf832ddc730f55b034b135640ba2149334c29eca1291509d64c35bcf2a6ce9.exe
- Resource: win10v2004-20240508-en
General
- Target: becf832ddc730f55b034b135640ba2149334c29eca1291509d64c35bcf2a6ce9.exe
- Size: 266KB
- MD5: d65b5445fa5e3736626098ef689331c5
- SHA1: b62313172586337872dd25b1ecb968c9c5a9010e
- SHA256: becf832ddc730f55b034b135640ba2149334c29eca1291509d64c35bcf2a6ce9
- SHA512: 769adc82278c4dbce0a42769119d7ca7fca17712d4ae6a7669ae95d54060e0fa89d142479d080b7c569142d6471f25697324277c3619d0fb3ede78ce8a8e0337
- SSDEEP: 3072:WdvzDqxs8ORikgogWfiuRXd3YmSffdTKXNXANewGBvskX1pWA/s8w:WFzDqa86hV6uRRqX1evPlwAEJ
Malware Config
Signatures
All five YARA matches below are reported against the same behavioral2 memory region, memory/2632-28-0x0000000000400000-0x0000000000430000-memory.dmp (192KB in the Downloads list); the report lists no YARA match against the file as submitted.
- Contains code to disable Windows Defender (1 IoC)
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  resource: behavioral2/memory/2632-28-0x0000000000400000-0x0000000000430000-memory.dmp
  yara_rule: disable_win_def
- Detects Windows executables referencing non-Windows User-Agents (1 IoC)
  resource: behavioral2/memory/2632-28-0x0000000000400000-0x0000000000430000-memory.dmp
  yara_rule: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
- Detects executables containing artifacts associated with disabling Windows Defender (1 IoC)
  resource: behavioral2/memory/2632-28-0x0000000000400000-0x0000000000430000-memory.dmp
  yara_rule: INDICATOR_SUSPICIOUS_DisableWinDefender
- Detects executables embedding registry key / value combination indicative of disabling Windows Defender features (1 IoC)
  resource: behavioral2/memory/2632-28-0x0000000000400000-0x0000000000430000-memory.dmp
  yara_rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
- Detects file containing reversed ASEP Autorun registry keys (1 IoC)
  resource: behavioral2/memory/2632-28-0x0000000000400000-0x0000000000430000-memory.dmp
  yara_rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
- Adds Run key to start application (2 TTPs, 1 IoC)
  process: becf832ddc730f55b034b135640ba2149334c29eca1291509d64c35bcf2a6ce9.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HiPatch = "C:\\Users\\Admin\\AppData\\Roaming\\HiPatch\\HiPatchService.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  pid: 3056
  process: timeout.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\becf832ddc730f55b034b135640ba2149334c29eca1291509d64c35bcf2a6ce9.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\becf832ddc730f55b034b135640ba2149334c29eca1291509d64c35bcf2a6ce9.exe"
  - Adds Run key to start application
  - C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe"
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (depth 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.bat""
    - C:\Windows\SysWOW64\timeout.exe (depth 3)
      Command line: timeout /t 180
      - Delays execution with timeout.exe
- C:\Windows\system32\wbem\WmiApSrv.exe (depth 1)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
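Three things in the process tree above are what a triage analyst keys on: the submitted file and its HiPatchService.exe copy both run from user-writable directories, RegAsm.exe is started beneath HiPatchService.exe with no arguments (RegAsm needs an assembly path to do anything legitimate, so an argument-less launch of it is a well-known host for injected code), and the dropped .bat exists only to run timeout /t 180 before anything else happens. The Python below is an added example, not part of this report or of the sandbox's own tooling. It rebuilds parent links from the depth column, applies those three checks, and parses the Run-key IoC from the Signatures section to confirm it points into %APPDATA%. The input rows are transcribed from this report; the 60-second delay threshold, the list of .NET host binaries, and the set of user-writable directories are the example's own assumptions.

```python
"""Triage of the behaviours in the report above: a dropper running from a
user-writable directory, an argument-less .NET utility started beneath it,
a cmd.exe -> timeout.exe delay, and a Run value pointing into %APPDATA%.
Added example, not the sandbox's own code."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: (depth, image path, command line), transcribed from the
# report's process tree.  Depth 1 is a root; depth n+1 is a child of the
# nearest preceding depth-n entry.
SAMPLE_TREE = [
    (1, r"C:\Users\Admin\AppData\Local\Temp\becf832ddc730f55b034b135640ba2149334c29eca1291509d64c35bcf2a6ce9.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\becf832ddc730f55b034b135640ba2149334c29eca1291509d64c35bcf2a6ce9.exe"'),
    (2, r"C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe",
     r'"C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe"'),
    (3, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    (2, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.bat""'),
    (3, r"C:\Windows\SysWOW64\timeout.exe", r"timeout /t 180"),
    (1, r"C:\Windows\system32\wbem\WmiApSrv.exe", r"C:\Windows\system32\wbem\WmiApSrv.exe"),
]
# The Run-key IoC as the report prints it (backslashes in the data are doubled).
SAMPLE_RUN_IOC = (r"\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000"
                  r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HiPatch = "
                  r'"C:\\Users\\Admin\\AppData\\Roaming\\HiPatch\\HiPatchService.exe"')

# Per-user directories a standard user can write to (assumed list for this example).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local\\Temp)\\", re.I)
# .NET framework tools that need an assembly path to do anything useful; started
# with no arguments they are a common host for injected code (assumed list).
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe"}
TIMEOUT_RE = re.compile(r"/t\s+(\d+)", re.I)
MIN_DELAY_SECONDS = 60          # assumption: shorter waits are too common to flag


@dataclass
class Proc:
    depth: int
    image: str
    cmdline: str
    parent: Optional["Proc"] = None

    @property
    def name(self) -> str:
        return ntpath.basename(self.image).lower()


def link_parents(rows) -> List[Proc]:
    """Resolve each entry's parent from the depth column (rows are in pre-order)."""
    procs: List[Proc] = []
    stack: List[Proc] = []      # stack[i] is the latest process seen at depth i+1
    for depth, image, cmdline in rows:
        del stack[depth - 1:]   # entries at this depth or deeper are no longer ancestors
        p = Proc(depth, image, cmdline, stack[-1] if stack else None)
        procs.append(p)
        stack.append(p)
    return procs


def arguments(cmdline: str) -> str:
    """Command line minus its leading program token (quoted or bare).  The image
    path is deliberately not compared with the command line: under WoW64 the
    report shows the SysWOW64 cmd.exe launched through a system32 path."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return m.group(1).strip() if m else ""


def delay_seconds(p: Proc) -> int:
    """Seconds requested via 'timeout /t N'; 0 for anything else."""
    m = TIMEOUT_RE.search(p.cmdline) if p.name == "timeout.exe" else None
    return int(m.group(1)) if m else 0


def triage(rows) -> List[str]:
    """Apply the three process-tree checks; one string per finding, in tree order."""
    findings: List[str] = []
    for p in link_parents(rows):
        parent_name = p.parent.name if p.parent else "<root>"
        if USER_WRITABLE.search(p.image):
            findings.append(f"runs from user-writable path: {p.image}")
        if p.name in DOTNET_HOSTS and not arguments(p.cmdline):
            findings.append(f"argument-less {p.name} spawned by {parent_name}")
        if parent_name == "cmd.exe" and delay_seconds(p) >= MIN_DELAY_SECONDS:
            findings.append(f"execution delay of {delay_seconds(p)}s via timeout.exe under cmd.exe")
    return findings


def run_key_target(ioc: str):
    """Parse a 'Set value' IoC ending in Run\\<name> = "<path>" into
    (value name, program path, path-is-user-writable); None if it does not match."""
    m = re.search(r'\\Run\\([^=\s]+)\s*=\s*"(.*)"\s*$', ioc)
    if not m:
        return None
    name, path = m.group(1), m.group(2).replace("\\\\", "\\")
    return name, path, bool(USER_WRITABLE.search(path))


if __name__ == "__main__":
    for finding in triage(SAMPLE_TREE):
        print(finding)
    print(run_key_target(SAMPLE_RUN_IOC))
```

Run as a script it prints four findings for this tree (both user-writable images, the argument-less RegAsm.exe under HiPatchService.exe, and the 180-second delay) followed by the parsed Run value, which resolves to HiPatchService.exe under AppData\Roaming. To reuse it on another report, replace the rows in SAMPLE_TREE and the IoC string; the same parent-linking logic applies to any pre-order tree that carries a depth column.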
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.bat
  Filesize: 213B
  MD5: 0955cb4b691d44b37f8b6fad48a33b8e
  SHA1: 9dae759ae014cc124ab6eed7c8035788c124ae4a
  SHA256: 9092dbb1ca1767d1966b7f79349dd95a802a68248251bf070c0f1d74d5681d71
  SHA512: 08b868a028c1e8d29ed643416850df16f58d44668f9193b46bd3934965e5617a0a4015fc52815c5456023dbde01023450d295b76d936a936f26b602e764b0235
- C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe
  Filesize: 266KB (the same size as the submitted sample, but with different hashes, so not a byte-for-byte copy)
  MD5: 6ed457a82b15b029699a7a1c5ba22075
  SHA1: 0fa960ced0f1bf43626af0a498110a0e7e79cdd7
  SHA256: ccca07eff828a77609521ec7c02ab135d2657db4f3ae883d125b6c977d6bd5da
  SHA512: 85cd1fab41494c66be4888376d215dd4c57ae206db12d1cfbff9b5ffe7a101a6645c38277c41bda0fe25f6cb93ed13ccf652b1a5e15ec0f50bb88d5b8e6208ac
- memory/60-27-0x0000000075010000-0x00000000757C0000-memory.dmp (Filesize: 7.7MB)
- memory/60-30-0x0000000075010000-0x00000000757C0000-memory.dmp (Filesize: 7.7MB)
- memory/60-24-0x0000000075010000-0x00000000757C0000-memory.dmp (Filesize: 7.7MB)
- memory/1352-3-0x0000000005250000-0x00000000052E2000-memory.dmp (Filesize: 584KB)
- memory/1352-4-0x0000000005300000-0x000000000530A000-memory.dmp (Filesize: 40KB)
- memory/1352-25-0x0000000075010000-0x00000000757C0000-memory.dmp (Filesize: 7.7MB)
- memory/1352-6-0x00000000052F0000-0x00000000052FA000-memory.dmp (Filesize: 40KB)
- memory/1352-5-0x0000000075010000-0x00000000757C0000-memory.dmp (Filesize: 7.7MB)
- memory/1352-0-0x000000007501E000-0x000000007501F000-memory.dmp (Filesize: 4KB)
- memory/1352-2-0x0000000005800000-0x0000000005DA4000-memory.dmp (Filesize: 5.6MB)
- memory/1352-1-0x0000000000800000-0x0000000000846000-memory.dmp (Filesize: 280KB)
- memory/2632-28-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize: 192KB; the region all five YARA signatures above matched)