4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3

Analysis

max time kernel
29s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28/03/2023, 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe
Size

360KB
MD5

3a9fbd43fea6701ab3111db334660d38
SHA1

98855962827d60522eb91f11be00d2969471f147
SHA256

4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3
SHA512

8f4e4ebff99f79358b43337eda9fa0e8f27daffa965691a738a4e421fcda382210df82939205f6e5218483e1ae04f93511df0136b5299c8bcd7e349ca54bef52
SSDEEP

6144:KSy+bnr+Fp0yN90QEdGayzdq9+slMoebwSdLdQsJM9i7yT48gAaXh:2Mrty90Gah98lt/Qs6zc5x

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	knTi12GV54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	knTi12GV54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	knTi12GV54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	knTi12GV54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	knTi12GV54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ljdH59li82.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ljdH59li82.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	ljdH59li82.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	knTi12GV54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	ljdH59li82.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ljdH59li82.exe

Executes dropped EXE 2 IoCs

pid	Process
928	knTi12GV54.exe
1744	ljdH59li82.exe

Loads dropped DLL 4 IoCs

pid	Process
748	4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe
748	4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe
928	knTi12GV54.exe
748	4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	knTi12GV54.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	ljdH59li82.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	ljdH59li82.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	knTi12GV54.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
928	knTi12GV54.exe
928	knTi12GV54.exe
1744	ljdH59li82.exe
1744	ljdH59li82.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	928	knTi12GV54.exe
Token: SeDebugPrivilege	1744	ljdH59li82.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 928	748	4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe	26
PID 748 wrote to memory of 928	748	4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe	26
PID 748 wrote to memory of 928	748	4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe	26
PID 748 wrote to memory of 928	748	4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe	26
PID 748 wrote to memory of 928	748	4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe	26
PID 748 wrote to memory of 928	748	4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe	26
PID 748 wrote to memory of 928	748	4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe	26
PID 748 wrote to memory of 1744	748	4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe	27
PID 748 wrote to memory of 1744	748	4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe	27
PID 748 wrote to memory of 1744	748	4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe	27
PID 748 wrote to memory of 1744	748	4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe	27
PID 748 wrote to memory of 1744	748	4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe	27
PID 748 wrote to memory of 1744	748	4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe	27
PID 748 wrote to memory of 1744	748	4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe	27

C:\Users\Admin\AppData\Local\Temp\4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe
"C:\Users\Admin\AppData\Local\Temp\4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:748
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\knTi12GV54.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\knTi12GV54.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:928
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ljdH59li82.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ljdH59li82.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\knTi12GV54.exe

Filesize
362KB

MD5
5d81e061f10a4717c5280a205a96b146

SHA1
f576d4064f994a265b98a3b504a0e128699b0ee2

SHA256
4f5e241ccb185ff012b1867db8220ab0dc50e72f7a59c4eb58dbe9292f120f9e

SHA512
a6dd3707251edca7f42acad1e643e35ef6786302bc2e530905bf854473b2c1548acecddba8f7430e6ed41d7839e10d0ef4db0a19b2b9e0e00b7bd1d2ffa657dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\knTi12GV54.exe

Filesize
362KB

MD5
5d81e061f10a4717c5280a205a96b146

SHA1
f576d4064f994a265b98a3b504a0e128699b0ee2

SHA256
4f5e241ccb185ff012b1867db8220ab0dc50e72f7a59c4eb58dbe9292f120f9e

SHA512
a6dd3707251edca7f42acad1e643e35ef6786302bc2e530905bf854473b2c1548acecddba8f7430e6ed41d7839e10d0ef4db0a19b2b9e0e00b7bd1d2ffa657dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\knTi12GV54.exe

Filesize
362KB

MD5
5d81e061f10a4717c5280a205a96b146

SHA1
f576d4064f994a265b98a3b504a0e128699b0ee2

SHA256
4f5e241ccb185ff012b1867db8220ab0dc50e72f7a59c4eb58dbe9292f120f9e

SHA512
a6dd3707251edca7f42acad1e643e35ef6786302bc2e530905bf854473b2c1548acecddba8f7430e6ed41d7839e10d0ef4db0a19b2b9e0e00b7bd1d2ffa657dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ljdH59li82.exe

Filesize
12KB

MD5
2ec4640232b1848ae68845f48a57f912

SHA1
f104382796c69ca74f3c3305774819a738fc672f

SHA256
a73dee9964005b1f37bf42680cb70acad7355ca2d481e0f4dd39036b870dd22e

SHA512
db88d8f58550872a2a57bd2ae09900661ca92805f209652dc039f659a696da2b38e57f56fdf5922f50d968f4eada29361ef34fdf5b656c92867058f053a5be26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ljdH59li82.exe

Filesize
12KB

MD5
2ec4640232b1848ae68845f48a57f912

SHA1
f104382796c69ca74f3c3305774819a738fc672f

SHA256
a73dee9964005b1f37bf42680cb70acad7355ca2d481e0f4dd39036b870dd22e

SHA512
db88d8f58550872a2a57bd2ae09900661ca92805f209652dc039f659a696da2b38e57f56fdf5922f50d968f4eada29361ef34fdf5b656c92867058f053a5be26

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\knTi12GV54.exe

Filesize
362KB

MD5
5d81e061f10a4717c5280a205a96b146

SHA1
f576d4064f994a265b98a3b504a0e128699b0ee2

SHA256
4f5e241ccb185ff012b1867db8220ab0dc50e72f7a59c4eb58dbe9292f120f9e

SHA512
a6dd3707251edca7f42acad1e643e35ef6786302bc2e530905bf854473b2c1548acecddba8f7430e6ed41d7839e10d0ef4db0a19b2b9e0e00b7bd1d2ffa657dd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\knTi12GV54.exe

Filesize
362KB

MD5
5d81e061f10a4717c5280a205a96b146

SHA1
f576d4064f994a265b98a3b504a0e128699b0ee2

SHA256
4f5e241ccb185ff012b1867db8220ab0dc50e72f7a59c4eb58dbe9292f120f9e

SHA512
a6dd3707251edca7f42acad1e643e35ef6786302bc2e530905bf854473b2c1548acecddba8f7430e6ed41d7839e10d0ef4db0a19b2b9e0e00b7bd1d2ffa657dd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\knTi12GV54.exe

Filesize
362KB

MD5
5d81e061f10a4717c5280a205a96b146

SHA1
f576d4064f994a265b98a3b504a0e128699b0ee2

SHA256
4f5e241ccb185ff012b1867db8220ab0dc50e72f7a59c4eb58dbe9292f120f9e

SHA512
a6dd3707251edca7f42acad1e643e35ef6786302bc2e530905bf854473b2c1548acecddba8f7430e6ed41d7839e10d0ef4db0a19b2b9e0e00b7bd1d2ffa657dd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ljdH59li82.exe

Filesize
12KB

MD5
2ec4640232b1848ae68845f48a57f912

SHA1
f104382796c69ca74f3c3305774819a738fc672f

SHA256
a73dee9964005b1f37bf42680cb70acad7355ca2d481e0f4dd39036b870dd22e

SHA512
db88d8f58550872a2a57bd2ae09900661ca92805f209652dc039f659a696da2b38e57f56fdf5922f50d968f4eada29361ef34fdf5b656c92867058f053a5be26

Download Submit
memory/928-82-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/928-90-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/928-73-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/928-74-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/928-76-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/928-78-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/928-80-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/928-72-0x0000000007370000-0x00000000073B0000-memory.dmp

Filesize
256KB

Download
memory/928-84-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/928-86-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/928-88-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/928-71-0x0000000007370000-0x00000000073B0000-memory.dmp

Filesize
256KB

Download
memory/928-92-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/928-94-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/928-96-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/928-98-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/928-100-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/928-101-0x0000000000400000-0x0000000002BC8000-memory.dmp

Filesize
39.8MB

Download
memory/928-102-0x0000000000400000-0x0000000002BC8000-memory.dmp

Filesize
39.8MB

Download
memory/928-70-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/928-69-0x00000000048F0000-0x0000000004908000-memory.dmp

Filesize
96KB

Download
memory/928-68-0x0000000002CD0000-0x0000000002CEA000-memory.dmp

Filesize
104KB

Download
memory/1744-107-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download