f57b5ca5af9ee9af3126dc7da62143bf0bc280895e4db9cbcbc85676b9081dce

Analysis

max time kernel
2s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe
Size

11KB
MD5

ff5735fd2989c4a287ab1224205aa5f8
SHA1

dce12b73ab4ce77a8208f30962190defa6e7264c
SHA256

41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5
SHA512

f6a3dddfffc0277be575131299dfd8f11b91e03d7e72899a99c60e98a7eed34767114b5b0b4c1bc788547657a2a5442705bb60bc828877de06e1a7d39d6d3f60
SSDEEP

192:BY6CytS3WGBZC3S+4TV+G99EalsDfxOCpJx3ptpJ+fl:BY6CytS3WGBg3cTE05lsDc65Q

Score

10^/10

evasion execution trojan

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" 41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3028 powershell.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
3028	powershell.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

2716 sc.exe
2668 sc.exe
2344 sc.exe
2724 sc.exe
2612 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2716	sc.exe
2668	sc.exe
2344	sc.exe
2724	sc.exe
2612	sc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.execmd.execmd.exe

description	pid	process	target process
PID 1680 wrote to memory of 3036	1680	41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe	cmd.exe
PID 1680 wrote to memory of 3036	1680	41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe	cmd.exe
PID 1680 wrote to memory of 3036	1680	41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe	cmd.exe
PID 1680 wrote to memory of 3036	1680	41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe	cmd.exe
PID 1680 wrote to memory of 2120	1680	41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe	cmd.exe
PID 1680 wrote to memory of 2120	1680	41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe	cmd.exe
PID 1680 wrote to memory of 2120	1680	41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe	cmd.exe
PID 1680 wrote to memory of 2120	1680	41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe	cmd.exe
PID 3036 wrote to memory of 3028	3036	cmd.exe	powershell.exe
PID 3036 wrote to memory of 3028	3036	cmd.exe	powershell.exe
PID 3036 wrote to memory of 3028	3036	cmd.exe	powershell.exe
PID 3036 wrote to memory of 3028	3036	cmd.exe	powershell.exe
PID 2120 wrote to memory of 2724	2120	cmd.exe	sc.exe
PID 2120 wrote to memory of 2724	2120	cmd.exe	sc.exe
PID 2120 wrote to memory of 2724	2120	cmd.exe	sc.exe
PID 2120 wrote to memory of 2724	2120	cmd.exe	sc.exe
PID 2120 wrote to memory of 2612	2120	cmd.exe	sc.exe
PID 2120 wrote to memory of 2612	2120	cmd.exe	sc.exe
PID 2120 wrote to memory of 2612	2120	cmd.exe	sc.exe
PID 2120 wrote to memory of 2612	2120	cmd.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe
"C:\Users\Admin\AppData\Local\Temp\41d652145e82ff966b3a820b490f0fe7d3850c2916c5f4d3522536fec53017e5.exe"
1⤵
- Modifies security service
- Windows security bypass
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $ENV:userprofile
2⤵
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $ENV:userprofile
3⤵
- Command and Scripting Interpreter: PowerShell
PID:3028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
2⤵
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\SysWOW64\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:2724

C:\Windows\SysWOW64\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:2612

C:\Windows\SysWOW64\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:2344

C:\Windows\SysWOW64\sc.exe
sc stop DoSvc
3⤵
- Launches sc.exe
PID:2668

C:\Windows\SysWOW64\sc.exe
sc stop BITS
3⤵
- Launches sc.exe
PID:2716

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads