cb78435a59bce4ce95b469d2647e3b9c4bc4e0cf4edc80919fcd0271640979f5

General

Target

cb78435a59bce4ce95b469d2647e3b9c4bc4e0cf4edc80919fcd0271640979f5.exe
Size

987KB
MD5

1dfce6672c0842f5fcbec852f9c9f929
SHA1

def7e59a83f59456675eea71e253f634ca26057d
SHA256

cb78435a59bce4ce95b469d2647e3b9c4bc4e0cf4edc80919fcd0271640979f5
SHA512

89ac826b168b030d3634f882b6c93401094035e5c41fbe439f696b142eb8566f7d742649f0f4994fd60c512d7dd827ccc2b5911de79d03c5f27e5bd14164b5ad
SSDEEP

24576:fyQEZIVcTW+TV0y5vbjDq4akbGh/gtKy+XNgfuu/v:qXICTnaeHD2k5tKyqNgfR/

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	knVN92SD09.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	knVN92SD09.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	knVN92SD09.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	knVN92SD09.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	knVN92SD09.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	knVN92SD09.exe

Executes dropped EXE 4 IoCs

pid	Process
4748	zkxR3732lk.exe
2924	zkGE0089qJ.exe
2576	zkly9690zG.exe
3560	knVN92SD09.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	knVN92SD09.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	knVN92SD09.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zkly9690zG.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cb78435a59bce4ce95b469d2647e3b9c4bc4e0cf4edc80919fcd0271640979f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cb78435a59bce4ce95b469d2647e3b9c4bc4e0cf4edc80919fcd0271640979f5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zkxR3732lk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zkxR3732lk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zkGE0089qJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zkGE0089qJ.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zkly9690zG.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3560	knVN92SD09.exe
3560	knVN92SD09.exe
3560	knVN92SD09.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3560	knVN92SD09.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 4748	4192	cb78435a59bce4ce95b469d2647e3b9c4bc4e0cf4edc80919fcd0271640979f5.exe	86
PID 4192 wrote to memory of 4748	4192	cb78435a59bce4ce95b469d2647e3b9c4bc4e0cf4edc80919fcd0271640979f5.exe	86
PID 4192 wrote to memory of 4748	4192	cb78435a59bce4ce95b469d2647e3b9c4bc4e0cf4edc80919fcd0271640979f5.exe	86
PID 4748 wrote to memory of 2924	4748	zkxR3732lk.exe	87
PID 4748 wrote to memory of 2924	4748	zkxR3732lk.exe	87
PID 4748 wrote to memory of 2924	4748	zkxR3732lk.exe	87
PID 2924 wrote to memory of 2576	2924	zkGE0089qJ.exe	88
PID 2924 wrote to memory of 2576	2924	zkGE0089qJ.exe	88
PID 2924 wrote to memory of 2576	2924	zkGE0089qJ.exe	88
PID 2576 wrote to memory of 3560	2576	zkly9690zG.exe	89
PID 2576 wrote to memory of 3560	2576	zkly9690zG.exe	89
PID 2576 wrote to memory of 3560	2576	zkly9690zG.exe	89

C:\Users\Admin\AppData\Local\Temp\cb78435a59bce4ce95b469d2647e3b9c4bc4e0cf4edc80919fcd0271640979f5.exe
"C:\Users\Admin\AppData\Local\Temp\cb78435a59bce4ce95b469d2647e3b9c4bc4e0cf4edc80919fcd0271640979f5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zkxR3732lk.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zkxR3732lk.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zkGE0089qJ.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zkGE0089qJ.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zkly9690zG.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zkly9690zG.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\knVN92SD09.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\knVN92SD09.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zkxR3732lk.exe

Filesize
842KB

MD5
7d8d024e0e40de4eb7218fd8e5181ae1

SHA1
ac2745bd025c1dd0ec40c8ff76b611b355ebf88b

SHA256
bbb3cb4c6bb006c843e118f399f7de559b378a19f0b1d32cb21317a5e836b7cd

SHA512
0f04f8566ac9be8fbb8f36bd9918cb0a6f08f2db34601373c248df536f690764dec0a178325047e5e6a91b99cc6506572a66eddd30aef87b426e367e36b646ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zkxR3732lk.exe

Filesize
842KB

MD5
7d8d024e0e40de4eb7218fd8e5181ae1

SHA1
ac2745bd025c1dd0ec40c8ff76b611b355ebf88b

SHA256
bbb3cb4c6bb006c843e118f399f7de559b378a19f0b1d32cb21317a5e836b7cd

SHA512
0f04f8566ac9be8fbb8f36bd9918cb0a6f08f2db34601373c248df536f690764dec0a178325047e5e6a91b99cc6506572a66eddd30aef87b426e367e36b646ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zkGE0089qJ.exe

Filesize
656KB

MD5
fe200be92fa00d33d66834003e8bd660

SHA1
795fa9c0c009dacf350d4342d8e97254223c7606

SHA256
1258f55eb7579395e6298bdb524c4bd59437d0f3690f619ea882c0e7d98c7c17

SHA512
9740ef2f92eda3ec2230920a6d5034fee62c1c0d4e5b85efe1c6c29e5e6098d6e2957b8541f950ba8507e72d6181d4d9a1c032dfcb37a8dee5c11b5dd65bef88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zkGE0089qJ.exe

Filesize
656KB

MD5
fe200be92fa00d33d66834003e8bd660

SHA1
795fa9c0c009dacf350d4342d8e97254223c7606

SHA256
1258f55eb7579395e6298bdb524c4bd59437d0f3690f619ea882c0e7d98c7c17

SHA512
9740ef2f92eda3ec2230920a6d5034fee62c1c0d4e5b85efe1c6c29e5e6098d6e2957b8541f950ba8507e72d6181d4d9a1c032dfcb37a8dee5c11b5dd65bef88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zkly9690zG.exe

Filesize
328KB

MD5
104086ee5dad675c192f92e5e2070f89

SHA1
bbc6b7ed8cbbab3e672757ca0f5a2d605f6b90ae

SHA256
085055b2001406909031a50bd352af995e6ba2441782fdace4044176cb29f858

SHA512
acbf0b9b7a448576810e182b205c0f4b6cdce091de12e1d852d3d997b981b4375ff6f45e05fadae45476f527f50f5e0e2a7583b5b2efeaa1acc30f09849e8e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zkly9690zG.exe

Filesize
328KB

MD5
104086ee5dad675c192f92e5e2070f89

SHA1
bbc6b7ed8cbbab3e672757ca0f5a2d605f6b90ae

SHA256
085055b2001406909031a50bd352af995e6ba2441782fdace4044176cb29f858

SHA512
acbf0b9b7a448576810e182b205c0f4b6cdce091de12e1d852d3d997b981b4375ff6f45e05fadae45476f527f50f5e0e2a7583b5b2efeaa1acc30f09849e8e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\knVN92SD09.exe

Filesize
232KB

MD5
2120c6c2708aefaf06e59fce16a9e5ec

SHA1
e953b0507cac25f46d483dd2a82c2770fbc2c5f4

SHA256
8f9056673376ae658ed532e38040ae0dddf07d8a11aacc7ee92efc7d93f4e18b

SHA512
8d3301488cd24d93bdcb808439d2c84b6e0d7e1a416e8058f812cae16c1d5c1ca40fb628ca3e91fd4020e79c0cff89b1ffe29f53890004f22154a90ffc3f9ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\knVN92SD09.exe

Filesize
232KB

MD5
2120c6c2708aefaf06e59fce16a9e5ec

SHA1
e953b0507cac25f46d483dd2a82c2770fbc2c5f4

SHA256
8f9056673376ae658ed532e38040ae0dddf07d8a11aacc7ee92efc7d93f4e18b

SHA512
8d3301488cd24d93bdcb808439d2c84b6e0d7e1a416e8058f812cae16c1d5c1ca40fb628ca3e91fd4020e79c0cff89b1ffe29f53890004f22154a90ffc3f9ebe

Download Submit
memory/3560-162-0x0000000004D70000-0x0000000005314000-memory.dmp

Filesize
5.6MB

Download
memory/3560-163-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3560-164-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3560-165-0x0000000000580000-0x00000000005AD000-memory.dmp

Filesize
180KB

Download
memory/3560-170-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/3560-168-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3560-172-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3560-171-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/3560-167-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/3560-174-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3560-176-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3560-178-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3560-180-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3560-182-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3560-184-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3560-186-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3560-188-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3560-190-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3560-192-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3560-194-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3560-195-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/3560-196-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/3560-197-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/3560-198-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads