Analysis
max time kernel: 2s
max time network: 119s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64 arch:x86 image:win7-20240419-en locale:en-us os:windows7-x64 system
submitted: 01-07-2024 04:18
Static task: static1
Behavioral task: behavioral1
Sample: 41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe
Resource: win7-20240419-en
General
Target: 41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe
Size: 11KB
MD5: ff5735fd2989c4a287ab1224205aa5f8
SHA1: dce12b73ab4ce77a8208f30962190defa6e7264c
SHA256: 41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5
SHA512: f6a3dddfffc0277be575131299dfd8f11b91e03d7e72899a99c60e98a7eed34767114b5b0b4c1bc788547657a2a5442705bb60bc828877de06e1a7d39d6d3f60
SSDEEP: 192:BY6CytS3WGBZC3S+4TV+G99EalsDfxOCpJx3ptpJ+fl:BY6CytS3WGBg3cTE05lsDc65Q
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
Processes: 41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe
description      ioc
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"   (Start = 4 is SERVICE_DISABLED, so Windows Update stays disabled across reboots, unlike a plain "sc stop")
Processes: 41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe
description      ioc
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Processes: 41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe
description      ioc
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Launches sc.exe 5 IoCs
sc.exe is a Windows utility to control services on the system.
Processes:
pid   process
2716  sc.exe
2668  sc.exe
2344  sc.exe
2724  sc.exe
2612  sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 20 IoCs
Every target below is a direct child the writing process had just created, so these writes are consistent with ordinary process creation (the parent populating the new process before it starts) rather than injection into an already running process.
Processes:
description                       pid   process                                                                  target process   events
PID 1680 wrote to memory of 3036  1680  41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe  cmd.exe          4
PID 1680 wrote to memory of 2120  1680  41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe  cmd.exe          4
PID 3036 wrote to memory of 3028  3036  cmd.exe                                                                  powershell.exe   4
PID 2120 wrote to memory of 2724  2120  cmd.exe                                                                  sc.exe           4
PID 2120 wrote to memory of 2612  2120  cmd.exe                                                                  sc.exe           4
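The registry IoCs in the signature tables above are the part of this sample that persists: the Security Center override flags and the wuauserv start type survive a reboot, whereas the "sc stop" calls do not. The following audit script is an added example written for this page, not code from the sandbox report or from the sample; it assumes an elevated PowerShell on the host being triaged, and the key and value names are copied from the IoC columns above. Because the sample is a 32-bit image (arch:x86, SysWOW64 paths in the process tree), its writes landed under Wow6432Node on the x64 sandbox; the script checks the native view as well, since a 64-bit build of the same logic would write there instead.

```powershell
# Added example (not part of the sandbox report): audit a host for the
# registry changes listed in the signature tables. Run elevated.

# Security Center override/DisableNotify flags from the report. Both registry
# views are checked: the 32-bit sample wrote under Wow6432Node, a 64-bit
# variant would write to the native key.
$SecurityCenterKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Security Center',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Security Center'
)
$OverrideValueNames = @(
    'FirewallOverride',    'FirewallDisableNotify',
    'AntiVirusOverride',   'AntiVirusDisableNotify',
    'AntiSpywareOverride',
    'UpdatesOverride',     'UpdatesDisableNotify'
)

function Get-SecurityCenterTampering {
    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($key in $SecurityCenterKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $OverrideValueNames) {
            $prop = $props.PSObject.Properties[$name]
            # Only a value of 1 matches the report; an absent value is the clean state.
            if ($null -ne $prop -and $prop.Value -eq 1) {
                $findings.Add([pscustomobject]@{ Key = $key; Name = $name; Value = $prop.Value })
            }
        }
    }

    # The report shows wuauserv\Start = 4 (SERVICE_DISABLED). Read the live
    # CurrentControlSet rather than the literal ControlSet001 from the report,
    # since the active control set differs between hosts.
    $wuauKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv'
    $start = (Get-ItemProperty -Path $wuauKey -Name Start -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) {
        $findings.Add([pscustomobject]@{ Key = $wuauKey; Name = 'Start'; Value = $start })
    }
    return $findings
}

function Repair-SecurityCenterTampering {
    # Reverts only what Get-SecurityCenterTampering reported: override flags
    # back to 0, wuauserv start type back to Manual (its default on Windows
    # 10/11; Windows 7 shipped it as Automatic (Delayed Start)).
    foreach ($f in Get-SecurityCenterTampering) {
        if ($f.Name -eq 'Start') {
            Set-Service -Name wuauserv -StartupType Manual
        } else {
            Set-ItemProperty -Path $f.Key -Name $f.Name -Value 0 -Type DWord
        }
        Write-Host "reverted $($f.Key)\$($f.Name)"
    }
}

# Usage: list findings first, then repair once they have been reviewed.
Get-SecurityCenterTampering | Format-Table -AutoSize
# Repair-SecurityCenterTampering
```

The audit returns objects rather than printing text so it can be run across a fleet and the results collected. Treat a hit on any Override or DisableNotify flag as a signal on its own: legitimate software has no reason to set these.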
Processes
Image paths are shown as recorded by the sandbox: the 32-bit sample and the children it spawns resolve "C:\Windows\System32" to C:\Windows\SysWOW64 through WoW64 file system redirection, which is why the command lines name System32 while the executed images sit in SysWOW64.

C:\Users\Admin\AppData\Local\Temp\41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe"
  - Modifies security service
  - Windows security bypass
  - Windows security modification
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $ENV:userprofile
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $ENV:userprofile
      - Command and Scripting Interpreter: PowerShell

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\sc.exe
      command line: sc stop UsoSvc
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe
      command line: sc stop WaaSMedicSvc
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe
      command line: sc stop wuauserv
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe
      command line: sc stop DoSvc
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe
      command line: sc stop BITS
      - Launches sc.exe
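The process tree shows two non-registry actions: five "sc stop" calls against the Windows Update service chain (UsoSvc, WaaSMedicSvc, wuauserv, DoSvc, BITS) and a Defender exclusion for the whole user profile via Add-MpPreference. One caveat matters when reading this report: the sandbox image is Windows 7, where UsoSvc, WaaSMedicSvc and DoSvc do not exist and the Defender PowerShell module (Get-MpPreference, Add-MpPreference) is not available, so most of these commands failed there and the report understates what the sample does on a Windows 10 or 11 host. The script below is an added example written for this page, not code from the report or the sample; it assumes an elevated PowerShell on Windows 10/11, and the service list and exclusion pattern are taken from the command lines above.

```powershell
# Added example (not part of the sandbox report): check a Windows 10/11 host
# for the service stops and the profile-wide Defender exclusion seen in the
# process tree, and optionally undo them. Run elevated.

$TargetedServices = 'UsoSvc', 'WaaSMedicSvc', 'wuauserv', 'DoSvc', 'BITS'

function Get-UpdateServiceState {
    foreach ($name in $TargetedServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            # Expected on Windows 7 for UsoSvc, WaaSMedicSvc and DoSvc.
            [pscustomobject]@{ Name = $name; Status = 'NotPresent'; StartType = $null }
            continue
        }
        [pscustomobject]@{ Name = $name; Status = $svc.Status; StartType = $svc.StartType }
    }
}

function Get-BroadDefenderExclusion {
    # "Add-MpPreference -ExclusionPath $ENV:userprofile" excludes the entire
    # profile from scanning. Flag path exclusions that cover a drive root, the
    # Users folder, or a whole profile; narrower exclusions are left for review.
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if ($null -eq $pref) { return }   # Defender module absent (e.g. Windows 7)
    foreach ($path in @($pref.ExclusionPath)) {
        if ([string]::IsNullOrWhiteSpace($path)) { continue }
        $trimmed = $path.TrimEnd('\')
        $isBroad = $trimmed -match '^[A-Za-z]:$' -or
                   $trimmed -match '^[A-Za-z]:\\Users$' -or
                   $trimmed -match '^[A-Za-z]:\\Users\\[^\\]+$'
        if ($isBroad) {
            [pscustomobject]@{ Exclusion = $path }
        }
    }
}

function Repair-UpdateServiceTampering {
    foreach ($svc in Get-UpdateServiceState) {
        if ($svc.Status -eq 'NotPresent') { continue }
        # WaaSMedicSvc is protected by its service DACL and may refuse changes
        # even from an administrator; an error there is expected, not a finding.
        try {
            if ($svc.StartType -eq 'Disabled') {
                Set-Service -Name $svc.Name -StartupType Manual -ErrorAction Stop
            }
            if ($svc.Status -ne 'Running') {
                Start-Service -Name $svc.Name -ErrorAction Stop
            }
        } catch {
            Write-Warning "$($svc.Name): $($_.Exception.Message)"
        }
    }
    foreach ($ex in Get-BroadDefenderExclusion) {
        Remove-MpPreference -ExclusionPath $ex.Exclusion
        Write-Host "removed Defender exclusion $($ex.Exclusion)"
    }
}

# Usage: inspect first, repair after review.
Get-UpdateServiceState | Format-Table -AutoSize
Get-BroadDefenderExclusion | Format-Table -AutoSize
# Repair-UpdateServiceTampering
```

A stopped wuauserv or BITS on its own is normal (both are trigger-started and idle most of the time), so the service check is meaningful mainly in combination with a Disabled start type or with the registry findings; the exclusion check, by contrast, is a strong signal by itself, since no legitimate installer excludes an entire user profile from scanning.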