d03c843490124f40cf12e9cf9ceb3435d564b4b58ad6eecc04046476dc27d29a

Analysis

max time kernel
129s
max time network
121s
platform
windows7_x64
resource
win7-en-20211014
submitted
21-10-2021 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea785ebe3cb6409d9fed610f8c21f967.exe
Size

57KB
MD5

ea785ebe3cb6409d9fed610f8c21f967
SHA1

e76264063483ead9d65cfe31ba12282b7d95edba
SHA256

d03c843490124f40cf12e9cf9ceb3435d564b4b58ad6eecc04046476dc27d29a
SHA512

1adfd2246fd3f6749cce3348a12558594ab693c1d40e6cfbf1f3f42c855a89518bc2750958d28d8d43b4df28213d6f6e8ff34638a8f2e805b9e550ce86300daf

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Nirsoft 7 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\34c5be3d-7d91-444d-9de3-e90f066856ce\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\34c5be3d-7d91-444d-9de3-e90f066856ce\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\34c5be3d-7d91-444d-9de3-e90f066856ce\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\34c5be3d-7d91-444d-9de3-e90f066856ce\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\34c5be3d-7d91-444d-9de3-e90f066856ce\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\34c5be3d-7d91-444d-9de3-e90f066856ce\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\34c5be3d-7d91-444d-9de3-e90f066856ce\AdvancedRun.exe	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe

pid process

1556 AdvancedRun.exe
1164 AdvancedRun.exe
Loads dropped DLL 4 IoCs

Processes:

ea785ebe3cb6409d9fed610f8c21f967.exeAdvancedRun.exe

pid process

1716 ea785ebe3cb6409d9fed610f8c21f967.exe
1716 ea785ebe3cb6409d9fed610f8c21f967.exe
1556 AdvancedRun.exe
1556 AdvancedRun.exe

pid	process
1716	ea785ebe3cb6409d9fed610f8c21f967.exe
1716	ea785ebe3cb6409d9fed610f8c21f967.exe
1556	AdvancedRun.exe
1556	AdvancedRun.exe

Windows security modification 2 TTPs 9 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

ea785ebe3cb6409d9fed610f8c21f967.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection	ea785ebe3cb6409d9fed610f8c21f967.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	ea785ebe3cb6409d9fed610f8c21f967.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	ea785ebe3cb6409d9fed610f8c21f967.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	ea785ebe3cb6409d9fed610f8c21f967.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	ea785ebe3cb6409d9fed610f8c21f967.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Documents\玁獹獎玃獍獨獎獽獇獈獻獎獍獛獼\svchost.exe = "0"	ea785ebe3cb6409d9fed610f8c21f967.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ea785ebe3cb6409d9fed610f8c21f967.exe = "0"	ea785ebe3cb6409d9fed610f8c21f967.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	ea785ebe3cb6409d9fed610f8c21f967.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	ea785ebe3cb6409d9fed610f8c21f967.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ea785ebe3cb6409d9fed610f8c21f967.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\㎏㎒㍖㍹㎏㎎㎙㍖㍑㎏㎈㎔㍒㎆㎆ = "C:\\Users\\Public\\Documents\\玁獹獎玃獍獨獎獽獇獈獻獎獍獛獼\\svchost.exe"	ea785ebe3cb6409d9fed610f8c21f967.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

944 1716 WerFault.exe ea785ebe3cb6409d9fed610f8c21f967.exe

pid	pid_target	process	target process
944	1716	WerFault.exe	ea785ebe3cb6409d9fed610f8c21f967.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exeWerFault.exe

pid	process
1556	AdvancedRun.exe
1556	AdvancedRun.exe
1164	AdvancedRun.exe
1164	AdvancedRun.exe
2016	powershell.exe
1380	powershell.exe
688	powershell.exe
1860	powershell.exe
944	WerFault.exe
944	WerFault.exe
944	WerFault.exe
944	WerFault.exe
944	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

944 WerFault.exe

pid	process
944	WerFault.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

ea785ebe3cb6409d9fed610f8c21f967.exeAdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	1716	ea785ebe3cb6409d9fed610f8c21f967.exe
Token: SeDebugPrivilege	1556	AdvancedRun.exe
Token: SeImpersonatePrivilege	1556	AdvancedRun.exe
Token: SeDebugPrivilege	1164	AdvancedRun.exe
Token: SeImpersonatePrivilege	1164	AdvancedRun.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	944	WerFault.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

ea785ebe3cb6409d9fed610f8c21f967.exeAdvancedRun.exe

description	pid	process	target process
PID 1716 wrote to memory of 688	1716	ea785ebe3cb6409d9fed610f8c21f967.exe	powershell.exe
PID 1716 wrote to memory of 688	1716	ea785ebe3cb6409d9fed610f8c21f967.exe	powershell.exe
PID 1716 wrote to memory of 688	1716	ea785ebe3cb6409d9fed610f8c21f967.exe	powershell.exe
PID 1716 wrote to memory of 688	1716	ea785ebe3cb6409d9fed610f8c21f967.exe	powershell.exe
PID 1716 wrote to memory of 1380	1716	ea785ebe3cb6409d9fed610f8c21f967.exe	powershell.exe
PID 1716 wrote to memory of 1380	1716	ea785ebe3cb6409d9fed610f8c21f967.exe	powershell.exe
PID 1716 wrote to memory of 1380	1716	ea785ebe3cb6409d9fed610f8c21f967.exe	powershell.exe
PID 1716 wrote to memory of 1380	1716	ea785ebe3cb6409d9fed610f8c21f967.exe	powershell.exe
PID 1716 wrote to memory of 1860	1716	ea785ebe3cb6409d9fed610f8c21f967.exe	powershell.exe
PID 1716 wrote to memory of 1860	1716	ea785ebe3cb6409d9fed610f8c21f967.exe	powershell.exe
PID 1716 wrote to memory of 1860	1716	ea785ebe3cb6409d9fed610f8c21f967.exe	powershell.exe
PID 1716 wrote to memory of 1860	1716	ea785ebe3cb6409d9fed610f8c21f967.exe	powershell.exe
PID 1716 wrote to memory of 1556	1716	ea785ebe3cb6409d9fed610f8c21f967.exe	AdvancedRun.exe
PID 1716 wrote to memory of 1556	1716	ea785ebe3cb6409d9fed610f8c21f967.exe	AdvancedRun.exe
PID 1716 wrote to memory of 1556	1716	ea785ebe3cb6409d9fed610f8c21f967.exe	AdvancedRun.exe
PID 1716 wrote to memory of 1556	1716	ea785ebe3cb6409d9fed610f8c21f967.exe	AdvancedRun.exe
PID 1556 wrote to memory of 1164	1556	AdvancedRun.exe	AdvancedRun.exe
PID 1556 wrote to memory of 1164	1556	AdvancedRun.exe	AdvancedRun.exe
PID 1556 wrote to memory of 1164	1556	AdvancedRun.exe	AdvancedRun.exe
PID 1556 wrote to memory of 1164	1556	AdvancedRun.exe	AdvancedRun.exe
PID 1716 wrote to memory of 2016	1716	ea785ebe3cb6409d9fed610f8c21f967.exe	powershell.exe
PID 1716 wrote to memory of 2016	1716	ea785ebe3cb6409d9fed610f8c21f967.exe	powershell.exe
PID 1716 wrote to memory of 2016	1716	ea785ebe3cb6409d9fed610f8c21f967.exe	powershell.exe
PID 1716 wrote to memory of 2016	1716	ea785ebe3cb6409d9fed610f8c21f967.exe	powershell.exe
PID 1716 wrote to memory of 984	1716	ea785ebe3cb6409d9fed610f8c21f967.exe	ea785ebe3cb6409d9fed610f8c21f967.exe
PID 1716 wrote to memory of 984	1716	ea785ebe3cb6409d9fed610f8c21f967.exe	ea785ebe3cb6409d9fed610f8c21f967.exe
PID 1716 wrote to memory of 984	1716	ea785ebe3cb6409d9fed610f8c21f967.exe	ea785ebe3cb6409d9fed610f8c21f967.exe
PID 1716 wrote to memory of 984	1716	ea785ebe3cb6409d9fed610f8c21f967.exe	ea785ebe3cb6409d9fed610f8c21f967.exe
PID 1716 wrote to memory of 944	1716	ea785ebe3cb6409d9fed610f8c21f967.exe	WerFault.exe
PID 1716 wrote to memory of 944	1716	ea785ebe3cb6409d9fed610f8c21f967.exe	WerFault.exe
PID 1716 wrote to memory of 944	1716	ea785ebe3cb6409d9fed610f8c21f967.exe	WerFault.exe
PID 1716 wrote to memory of 944	1716	ea785ebe3cb6409d9fed610f8c21f967.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ea785ebe3cb6409d9fed610f8c21f967.exe
"C:\Users\Admin\AppData\Local\Temp\ea785ebe3cb6409d9fed610f8c21f967.exe"
1⤵
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\玁獹獎玃獍獨獎獽獇獈獻獎獍獛獼\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ea785ebe3cb6409d9fed610f8c21f967.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\玁獹獎玃獍獨獎獽獇獈獻獎獍獛獼\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Users\Admin\AppData\Local\Temp\34c5be3d-7d91-444d-9de3-e90f066856ce\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\34c5be3d-7d91-444d-9de3-e90f066856ce\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\34c5be3d-7d91-444d-9de3-e90f066856ce\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556

C:\Users\Admin\AppData\Local\Temp\34c5be3d-7d91-444d-9de3-e90f066856ce\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\34c5be3d-7d91-444d-9de3-e90f066856ce\AdvancedRun.exe" /SpecialRun 4101d8 1556
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ea785ebe3cb6409d9fed610f8c21f967.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Users\Admin\AppData\Local\Temp\ea785ebe3cb6409d9fed610f8c21f967.exe
C:\Users\Admin\AppData\Local\Temp\ea785ebe3cb6409d9fed610f8c21f967.exe
2⤵
PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1972
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\34c5be3d-7d91-444d-9de3-e90f066856ce\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\34c5be3d-7d91-444d-9de3-e90f066856ce\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\34c5be3d-7d91-444d-9de3-e90f066856ce\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
cb8ed860997574d12c1efa811d56999e

SHA1
84dabac3b1ef7949b15d07383e75661e5f852551

SHA256
4d69a25af4bcda73cd5c5b00b1b8b60ef5f54a144aceac45bdd476c9c5adc131

SHA512
22103405b58f480e5a2d1f7c937ac25c4c747cff95977abf6ecd5f196c2a732a00dc9bb3bad5065c853c9c3a9172414a8d76c0531c34db0203885ba079b8f6a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
cb8ed860997574d12c1efa811d56999e

SHA1
84dabac3b1ef7949b15d07383e75661e5f852551

SHA256
4d69a25af4bcda73cd5c5b00b1b8b60ef5f54a144aceac45bdd476c9c5adc131

SHA512
22103405b58f480e5a2d1f7c937ac25c4c747cff95977abf6ecd5f196c2a732a00dc9bb3bad5065c853c9c3a9172414a8d76c0531c34db0203885ba079b8f6a2

Download Submit
\Users\Admin\AppData\Local\Temp\34c5be3d-7d91-444d-9de3-e90f066856ce\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\34c5be3d-7d91-444d-9de3-e90f066856ce\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\34c5be3d-7d91-444d-9de3-e90f066856ce\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\34c5be3d-7d91-444d-9de3-e90f066856ce\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
memory/688-60-0x0000000000000000-mapping.dmp

Download
memory/688-78-0x0000000002380000-0x0000000002FCA000-memory.dmp

Filesize
12.3MB

Download
memory/944-89-0x00000000006E0000-0x00000000006F4000-memory.dmp

Filesize
80KB

Download
memory/944-88-0x0000000000000000-mapping.dmp

Download
memory/1164-75-0x0000000000000000-mapping.dmp

Download
memory/1380-79-0x0000000002380000-0x0000000002FCA000-memory.dmp

Filesize
12.3MB

Download
memory/1380-62-0x0000000000000000-mapping.dmp

Download
memory/1556-69-0x0000000000000000-mapping.dmp

Download
memory/1716-57-0x0000000074F21000-0x0000000074F23000-memory.dmp

Filesize
8KB

Download
memory/1716-58-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/1716-55-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/1716-59-0x0000000005150000-0x00000000051B6000-memory.dmp

Filesize
408KB

Download
memory/1860-80-0x00000000023A0000-0x0000000002FEA000-memory.dmp

Filesize
12.3MB

Download
memory/1860-84-0x00000000023A0000-0x0000000002FEA000-memory.dmp

Filesize
12.3MB

Download
memory/1860-63-0x0000000000000000-mapping.dmp

Download
memory/2016-81-0x0000000000000000-mapping.dmp

Download
memory/2016-85-0x0000000002351000-0x0000000002352000-memory.dmp

Filesize
4KB

Download
memory/2016-86-0x0000000002352000-0x0000000002354000-memory.dmp

Filesize
8KB

Download
memory/2016-87-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download