01573e87970134c76f65bf70be728070d9d6ef75dd66d7a448ff5d6a2e7b87eb

Analysis

max time kernel
308s
max time network
345s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2023, 23:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

01573e87970134c76f65bf70be728070d9d6ef75dd66d7a448ff5d6a2e7b87eb.exe
Size

1.2MB
MD5

dae68c45d503cc2828b3387d5f9fcb84
SHA1

59f2b17be215230d8c3624b7fddb71627c95299d
SHA256

01573e87970134c76f65bf70be728070d9d6ef75dd66d7a448ff5d6a2e7b87eb
SHA512

1b0494ebe911a3ed2f406430f723b17c52193c4c2376ce12150b3ce4c336ce5ec7b1a59aaf8f223478b85e6419a179780bdd4088199f78d96bc258bfd64ebdf6
SSDEEP

24576:xyvkEBMgF4sRJAP9Je5pjDtqRKvhkIUYKCQcrhTUALPrQm1HTt:kv/BMc49LgpHtguhkIUYKCQsL/H

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bubH88WW38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bubH88WW38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bubH88WW38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bubH88WW38.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bubH88WW38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bubH88WW38.exe

Executes dropped EXE 6 IoCs

pid	Process
4912	plGw82Aw34.exe
3364	plCm61nL98.exe
2732	pliU62pk73.exe
4972	plan58mh19.exe
1964	bubH88WW38.exe
3796	caOw14Sd37.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bubH88WW38.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	plCm61nL98.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	pliU62pk73.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	pliU62pk73.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	01573e87970134c76f65bf70be728070d9d6ef75dd66d7a448ff5d6a2e7b87eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	01573e87970134c76f65bf70be728070d9d6ef75dd66d7a448ff5d6a2e7b87eb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	plGw82Aw34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	plGw82Aw34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	plCm61nL98.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	plan58mh19.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	plan58mh19.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1964	bubH88WW38.exe
1964	bubH88WW38.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	bubH88WW38.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 4912	2308	01573e87970134c76f65bf70be728070d9d6ef75dd66d7a448ff5d6a2e7b87eb.exe	83
PID 2308 wrote to memory of 4912	2308	01573e87970134c76f65bf70be728070d9d6ef75dd66d7a448ff5d6a2e7b87eb.exe	83
PID 2308 wrote to memory of 4912	2308	01573e87970134c76f65bf70be728070d9d6ef75dd66d7a448ff5d6a2e7b87eb.exe	83
PID 4912 wrote to memory of 3364	4912	plGw82Aw34.exe	84
PID 4912 wrote to memory of 3364	4912	plGw82Aw34.exe	84
PID 4912 wrote to memory of 3364	4912	plGw82Aw34.exe	84
PID 3364 wrote to memory of 2732	3364	plCm61nL98.exe	85
PID 3364 wrote to memory of 2732	3364	plCm61nL98.exe	85
PID 3364 wrote to memory of 2732	3364	plCm61nL98.exe	85
PID 2732 wrote to memory of 4972	2732	pliU62pk73.exe	86
PID 2732 wrote to memory of 4972	2732	pliU62pk73.exe	86
PID 2732 wrote to memory of 4972	2732	pliU62pk73.exe	86
PID 4972 wrote to memory of 1964	4972	plan58mh19.exe	87
PID 4972 wrote to memory of 1964	4972	plan58mh19.exe	87
PID 4972 wrote to memory of 3796	4972	plan58mh19.exe	90
PID 4972 wrote to memory of 3796	4972	plan58mh19.exe	90
PID 4972 wrote to memory of 3796	4972	plan58mh19.exe	90

C:\Users\Admin\AppData\Local\Temp\01573e87970134c76f65bf70be728070d9d6ef75dd66d7a448ff5d6a2e7b87eb.exe
"C:\Users\Admin\AppData\Local\Temp\01573e87970134c76f65bf70be728070d9d6ef75dd66d7a448ff5d6a2e7b87eb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plGw82Aw34.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plGw82Aw34.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plCm61nL98.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plCm61nL98.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3364
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pliU62pk73.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pliU62pk73.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plan58mh19.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plan58mh19.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4972
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bubH88WW38.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bubH88WW38.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caOw14Sd37.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caOw14Sd37.exe
        6⤵
        Executes dropped EXE
        
        PID:3796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plGw82Aw34.exe

Filesize
1.0MB

MD5
6f93091543c9fffd14aa821ba2bc0923

SHA1
735aa1e024d553feb76954bf84a1d32b85e6fc24

SHA256
2f7713aedf7083ab729a33467b3f78e931fcfec9a4576671c7a572f9750006ed

SHA512
e10316240a3dbd624ed9ef3e0a39b7c4aedfa2b04609a013eb72afe930d24f6a4781da5ad5d9d39142e780f5805406628533092d07b0b2f85d76d110bf2a4249

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plGw82Aw34.exe

Filesize
1.0MB

MD5
6f93091543c9fffd14aa821ba2bc0923

SHA1
735aa1e024d553feb76954bf84a1d32b85e6fc24

SHA256
2f7713aedf7083ab729a33467b3f78e931fcfec9a4576671c7a572f9750006ed

SHA512
e10316240a3dbd624ed9ef3e0a39b7c4aedfa2b04609a013eb72afe930d24f6a4781da5ad5d9d39142e780f5805406628533092d07b0b2f85d76d110bf2a4249

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plCm61nL98.exe

Filesize
936KB

MD5
fab823b72b0be717265079a1e47b8089

SHA1
fd4ec4c240797a59eb9ccec745980956ebeadd4f

SHA256
7f7b787e354bf1e33bdb60e1cddad66ce0878ce5ef860abe952f3019fa8b9d06

SHA512
4875f04945977ee9dda09441088a6ed64c864b79b54fbec12e4ccc3b60982daf5b3607f4dd0a3f19d27c0f33b54fd7a3dfd0e332f28b45b3b3e0023778e13b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plCm61nL98.exe

Filesize
936KB

MD5
fab823b72b0be717265079a1e47b8089

SHA1
fd4ec4c240797a59eb9ccec745980956ebeadd4f

SHA256
7f7b787e354bf1e33bdb60e1cddad66ce0878ce5ef860abe952f3019fa8b9d06

SHA512
4875f04945977ee9dda09441088a6ed64c864b79b54fbec12e4ccc3b60982daf5b3607f4dd0a3f19d27c0f33b54fd7a3dfd0e332f28b45b3b3e0023778e13b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pliU62pk73.exe

Filesize
666KB

MD5
7bf9ae100ed9477a5babf2f1bf3e6cd8

SHA1
c7f2ae78a450daa21b0fc34085a77242a8626842

SHA256
71f810a56bfb949bdc3875a8e777b4345a64ad1eb8646b6f489fff00555759ea

SHA512
8b38eef7da919a5372ea268f202db98bd958d57c662fddd3ff2d782914e04973b40525d600d89ab2b0fe1419aa646fff3553fd5d28b0ae5f67f7cf5283416f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pliU62pk73.exe

Filesize
666KB

MD5
7bf9ae100ed9477a5babf2f1bf3e6cd8

SHA1
c7f2ae78a450daa21b0fc34085a77242a8626842

SHA256
71f810a56bfb949bdc3875a8e777b4345a64ad1eb8646b6f489fff00555759ea

SHA512
8b38eef7da919a5372ea268f202db98bd958d57c662fddd3ff2d782914e04973b40525d600d89ab2b0fe1419aa646fff3553fd5d28b0ae5f67f7cf5283416f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plan58mh19.exe

Filesize
391KB

MD5
188b1bf0eac3babf035ef0169ce5d678

SHA1
8b037f571782a2e09e65e2105c0ef12e8c730332

SHA256
640fdf48f3dc4d48a4229bb0d5ab80efd1c112dce84a5e6a8dfb9e5fb07a4218

SHA512
33ab680284ef44fd061fbeebfbc5cf1bc7844d71b6c9fd6f080989a08a597eaec764954138e96f2c9e14c732ea9224dd02ec068f4d7905601f8f422534fa9434

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plan58mh19.exe

Filesize
391KB

MD5
188b1bf0eac3babf035ef0169ce5d678

SHA1
8b037f571782a2e09e65e2105c0ef12e8c730332

SHA256
640fdf48f3dc4d48a4229bb0d5ab80efd1c112dce84a5e6a8dfb9e5fb07a4218

SHA512
33ab680284ef44fd061fbeebfbc5cf1bc7844d71b6c9fd6f080989a08a597eaec764954138e96f2c9e14c732ea9224dd02ec068f4d7905601f8f422534fa9434

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bubH88WW38.exe

Filesize
16KB

MD5
3cd6f1d04b817baad039db6bbe38e96c

SHA1
6b6bb9ce3f792f34c235a1f6490acf86dc3262ca

SHA256
f0973f5beb0e728a6dd7cfa487dc086f902d33fec96b417dceb8de0713936b42

SHA512
e97c83feddacf967052f73805af221f555a8fc9d65be7aea7347f02201b5cb7d0dc4a5995c35fb55e9a771baf3781b4081de54eff4674ee48e998337422c58cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bubH88WW38.exe

Filesize
16KB

MD5
3cd6f1d04b817baad039db6bbe38e96c

SHA1
6b6bb9ce3f792f34c235a1f6490acf86dc3262ca

SHA256
f0973f5beb0e728a6dd7cfa487dc086f902d33fec96b417dceb8de0713936b42

SHA512
e97c83feddacf967052f73805af221f555a8fc9d65be7aea7347f02201b5cb7d0dc4a5995c35fb55e9a771baf3781b4081de54eff4674ee48e998337422c58cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bubH88WW38.exe

Filesize
16KB

MD5
3cd6f1d04b817baad039db6bbe38e96c

SHA1
6b6bb9ce3f792f34c235a1f6490acf86dc3262ca

SHA256
f0973f5beb0e728a6dd7cfa487dc086f902d33fec96b417dceb8de0713936b42

SHA512
e97c83feddacf967052f73805af221f555a8fc9d65be7aea7347f02201b5cb7d0dc4a5995c35fb55e9a771baf3781b4081de54eff4674ee48e998337422c58cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caOw14Sd37.exe

Filesize
302KB

MD5
5b4052ee747278a02dac44898f59aaee

SHA1
6b59810f74916a6921ea2276b57b6f5f61c79654

SHA256
baddc727c186e86b475b2b6dd68a39db563c8f1b6129e7e5f88fb4060cb7ee80

SHA512
9d14b58234c4790199902771cecd0723a17e01e7fd1cc5a66d7d92e1848de7347e86429c8985ea885e345e0a80d550af5b4629c98a8e30142c8c21201d7e2c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caOw14Sd37.exe

Filesize
302KB

MD5
5b4052ee747278a02dac44898f59aaee

SHA1
6b59810f74916a6921ea2276b57b6f5f61c79654

SHA256
baddc727c186e86b475b2b6dd68a39db563c8f1b6129e7e5f88fb4060cb7ee80

SHA512
9d14b58234c4790199902771cecd0723a17e01e7fd1cc5a66d7d92e1848de7347e86429c8985ea885e345e0a80d550af5b4629c98a8e30142c8c21201d7e2c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caOw14Sd37.exe

Filesize
302KB

MD5
5b4052ee747278a02dac44898f59aaee

SHA1
6b59810f74916a6921ea2276b57b6f5f61c79654

SHA256
baddc727c186e86b475b2b6dd68a39db563c8f1b6129e7e5f88fb4060cb7ee80

SHA512
9d14b58234c4790199902771cecd0723a17e01e7fd1cc5a66d7d92e1848de7347e86429c8985ea885e345e0a80d550af5b4629c98a8e30142c8c21201d7e2c23

Download Submit
memory/1964-168-0x00000000002D0000-0x00000000002DA000-memory.dmp

Filesize
40KB

Download
memory/3796-174-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3796-175-0x0000000000840000-0x000000000088B000-memory.dmp

Filesize
300KB

Download
memory/3796-176-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3796-177-0x0000000004DF0000-0x0000000005394000-memory.dmp

Filesize
5.6MB

Download
memory/3796-178-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/3796-179-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/3796-181-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/3796-182-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/3796-183-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download