011643b1c54acf6b5d5a36f169427e1370454739feb6ad6fb48a1396790bf1bb

General

Target

011643b1c54acf6b5d5a36f169427e1370454739feb6ad6fb48a1396790bf1bb.exe
Size

981KB
MD5

1b586fe9c664523feefcef9adca2187d
SHA1

8e91d77ee96acae62daf5bef3c5e34af1518507b
SHA256

011643b1c54acf6b5d5a36f169427e1370454739feb6ad6fb48a1396790bf1bb
SHA512

7f9ec1131a836d3f34807cf48a7bdc01f16ec297cfc2a40c626c374452b26aaee761897e7b518fc0611aea90c7db6aebc31e92891fb34848012b4f2614acdbf9
SSDEEP

24576:iyqZSnVwD/vW0xi02/hwPUB5Wnqc6+7dDjtrHPR:JtqLifw8B5Wnqc5NP

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	knWP77mh99.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	knWP77mh99.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	knWP77mh99.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	knWP77mh99.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	knWP77mh99.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	knWP77mh99.exe

Executes dropped EXE 4 IoCs

pid	Process
2760	zkCy6650EJ.exe
3024	zkQt0262aB.exe
1692	zkDQ7432Rx.exe
4816	knWP77mh99.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	knWP77mh99.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	knWP77mh99.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zkDQ7432Rx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zkDQ7432Rx.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	011643b1c54acf6b5d5a36f169427e1370454739feb6ad6fb48a1396790bf1bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	011643b1c54acf6b5d5a36f169427e1370454739feb6ad6fb48a1396790bf1bb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zkCy6650EJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zkCy6650EJ.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zkQt0262aB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zkQt0262aB.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5032	4816	WerFault.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4816	knWP77mh99.exe
4816	knWP77mh99.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4816	knWP77mh99.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 2760	1272	011643b1c54acf6b5d5a36f169427e1370454739feb6ad6fb48a1396790bf1bb.exe	87
PID 1272 wrote to memory of 2760	1272	011643b1c54acf6b5d5a36f169427e1370454739feb6ad6fb48a1396790bf1bb.exe	87
PID 1272 wrote to memory of 2760	1272	011643b1c54acf6b5d5a36f169427e1370454739feb6ad6fb48a1396790bf1bb.exe	87
PID 2760 wrote to memory of 3024	2760	zkCy6650EJ.exe	88
PID 2760 wrote to memory of 3024	2760	zkCy6650EJ.exe	88
PID 2760 wrote to memory of 3024	2760	zkCy6650EJ.exe	88
PID 3024 wrote to memory of 1692	3024	zkQt0262aB.exe	89
PID 3024 wrote to memory of 1692	3024	zkQt0262aB.exe	89
PID 3024 wrote to memory of 1692	3024	zkQt0262aB.exe	89
PID 1692 wrote to memory of 4816	1692	zkDQ7432Rx.exe	90
PID 1692 wrote to memory of 4816	1692	zkDQ7432Rx.exe	90
PID 1692 wrote to memory of 4816	1692	zkDQ7432Rx.exe	90

C:\Users\Admin\AppData\Local\Temp\011643b1c54acf6b5d5a36f169427e1370454739feb6ad6fb48a1396790bf1bb.exe
"C:\Users\Admin\AppData\Local\Temp\011643b1c54acf6b5d5a36f169427e1370454739feb6ad6fb48a1396790bf1bb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zkCy6650EJ.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zkCy6650EJ.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zkQt0262aB.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zkQt0262aB.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zkDQ7432Rx.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zkDQ7432Rx.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\knWP77mh99.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\knWP77mh99.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4816
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 1036
        6⤵
        Program crash
        
        PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4816 -ip 4816
1⤵
PID:3208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zkCy6650EJ.exe

Filesize
840KB

MD5
aeb0de2d15cfc9311c492bf182189b81

SHA1
a1fce227e51ad532c0447455da6ec861d119d687

SHA256
de8631f9cbdddea1f78080d0e19b7e79d94f017111608083e4cdb93345ecc7a5

SHA512
1b369fba863766541f48bcd4fa9e203bbef9528b4e118236f1c19c0151de897b4ccf0a781611b9568d744381aa485dffc1a0bc73dbd4cf2c2d6e9ac7dacfa9fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zkCy6650EJ.exe

Filesize
840KB

MD5
aeb0de2d15cfc9311c492bf182189b81

SHA1
a1fce227e51ad532c0447455da6ec861d119d687

SHA256
de8631f9cbdddea1f78080d0e19b7e79d94f017111608083e4cdb93345ecc7a5

SHA512
1b369fba863766541f48bcd4fa9e203bbef9528b4e118236f1c19c0151de897b4ccf0a781611b9568d744381aa485dffc1a0bc73dbd4cf2c2d6e9ac7dacfa9fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zkQt0262aB.exe

Filesize
654KB

MD5
bfe33ee418aa19a1f77008c2d240dcfc

SHA1
630296529a2b16d66cdf9ca29cfa53f99288e07a

SHA256
1f4fa0a5aa71d7cd45f0d627d02f085358f15711fd44e3df4bde0c1e3fda5c45

SHA512
7683095055e6e084081e1f0160e8617fbe27c1f5bcb5a3b2d4f2d6e3051296c2629200a71b350ce869536ef1da7fb9c51e5a4621a1731a3334a1a88a62afcc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zkQt0262aB.exe

Filesize
654KB

MD5
bfe33ee418aa19a1f77008c2d240dcfc

SHA1
630296529a2b16d66cdf9ca29cfa53f99288e07a

SHA256
1f4fa0a5aa71d7cd45f0d627d02f085358f15711fd44e3df4bde0c1e3fda5c45

SHA512
7683095055e6e084081e1f0160e8617fbe27c1f5bcb5a3b2d4f2d6e3051296c2629200a71b350ce869536ef1da7fb9c51e5a4621a1731a3334a1a88a62afcc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zkDQ7432Rx.exe

Filesize
327KB

MD5
7afd17748af44b4fbbdbe85fa95da8d4

SHA1
020b5d4282d339ff196a26d437f53de3aba64daa

SHA256
b85cb113c9893f4d8a1eb7040a5102042d74e5cdd8f0b55d2944d1e332566b10

SHA512
d2763cc92a05805528c7c0e72f4dd52ca5b83d9f6a75c75afe7234c9351bd24c801f6d3623bafc951ba9a613b22da43bfb1ef58832c5dd6a5e84f5d392fea07a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zkDQ7432Rx.exe

Filesize
327KB

MD5
7afd17748af44b4fbbdbe85fa95da8d4

SHA1
020b5d4282d339ff196a26d437f53de3aba64daa

SHA256
b85cb113c9893f4d8a1eb7040a5102042d74e5cdd8f0b55d2944d1e332566b10

SHA512
d2763cc92a05805528c7c0e72f4dd52ca5b83d9f6a75c75afe7234c9351bd24c801f6d3623bafc951ba9a613b22da43bfb1ef58832c5dd6a5e84f5d392fea07a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\knWP77mh99.exe

Filesize
231KB

MD5
166ead72c26011f43539a3074ae0aa1a

SHA1
4ab138026346a528705dbff8b1fe0ba74c194cc4

SHA256
38301a81a7d93f34f95210494d2b244d8f9f769d7f19422a5dc98163a8c82a08

SHA512
3bfbf1dc10f8480fbf672ed0132739710d3428a9667bd7dd7a393360c47b1e2706859c5e61f74ca1d44f5db1007799cb8374b97784db1c0008e4ae6c05248915

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\knWP77mh99.exe

Filesize
231KB

MD5
166ead72c26011f43539a3074ae0aa1a

SHA1
4ab138026346a528705dbff8b1fe0ba74c194cc4

SHA256
38301a81a7d93f34f95210494d2b244d8f9f769d7f19422a5dc98163a8c82a08

SHA512
3bfbf1dc10f8480fbf672ed0132739710d3428a9667bd7dd7a393360c47b1e2706859c5e61f74ca1d44f5db1007799cb8374b97784db1c0008e4ae6c05248915

Download Submit
memory/4816-172-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/4816-182-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/4816-165-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4816-164-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4816-166-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4816-167-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/4816-168-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/4816-170-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/4816-162-0x0000000004E10000-0x00000000053B4000-memory.dmp

Filesize
5.6MB

Download
memory/4816-174-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/4816-176-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/4816-178-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/4816-180-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/4816-163-0x0000000000580000-0x00000000005AD000-memory.dmp

Filesize
180KB

Download
memory/4816-184-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/4816-186-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/4816-188-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/4816-190-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/4816-192-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/4816-194-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/4816-195-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/4816-198-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4816-199-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4816-200-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4816-204-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads