7088f7009cb64b9a282b722e44bd227a191c8baf619e65175282b0c70da10a9b

Analysis

max time kernel
24s
max time network
23s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13-04-2023 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.4MB
MD5

586bdc06c16af999dfa745c1eedb132e
SHA1

dfbecccc20ba647ff1a050a289ee0b001f4be9fb
SHA256

7088f7009cb64b9a282b722e44bd227a191c8baf619e65175282b0c70da10a9b
SHA512

e301d5abf5e49f285715ae0f8fe2b09166c2615b82b4bedd6e95b02a3ea6285efac792989164c973ece3dcb9564d03fc6409823423b155c8794101d80509e7ea
SSDEEP

24576:nyYcdOBZ6Z8+dskIFXp1nxJJTIZWCC2px/12MiUmkcBIiYUUEuJ61J1fvUK2xume:yYovdskcp3DQzhpxInekIiNBuJ6b1fMR

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	bu329507.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bu329507.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bu329507.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	az777052.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	az777052.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	az777052.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	az777052.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	az777052.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	az777052.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bu329507.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bu329507.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bu329507.exe

Executes dropped EXE 6 IoCs

pid	Process
956	ki164814.exe
1488	ki832080.exe
1408	ki497859.exe
4416	ki265594.exe
3352	az777052.exe
4320	bu329507.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	az777052.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	bu329507.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	bu329507.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ki164814.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ki497859.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ki497859.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	file.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ki164814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ki832080.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ki265594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	ki265594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ki832080.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3352	az777052.exe
3352	az777052.exe
4320	bu329507.exe
4320	bu329507.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3352	az777052.exe
Token: SeDebugPrivilege	4320	bu329507.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 956	4896	file.exe	85
PID 4896 wrote to memory of 956	4896	file.exe	85
PID 4896 wrote to memory of 956	4896	file.exe	85
PID 956 wrote to memory of 1488	956	ki164814.exe	86
PID 956 wrote to memory of 1488	956	ki164814.exe	86
PID 956 wrote to memory of 1488	956	ki164814.exe	86
PID 1488 wrote to memory of 1408	1488	ki832080.exe	87
PID 1488 wrote to memory of 1408	1488	ki832080.exe	87
PID 1488 wrote to memory of 1408	1488	ki832080.exe	87
PID 1408 wrote to memory of 4416	1408	ki497859.exe	88
PID 1408 wrote to memory of 4416	1408	ki497859.exe	88
PID 1408 wrote to memory of 4416	1408	ki497859.exe	88
PID 4416 wrote to memory of 3352	4416	ki265594.exe	89
PID 4416 wrote to memory of 3352	4416	ki265594.exe	89
PID 4416 wrote to memory of 4320	4416	ki265594.exe	93
PID 4416 wrote to memory of 4320	4416	ki265594.exe	93
PID 4416 wrote to memory of 4320	4416	ki265594.exe	93

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki164814.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki164814.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki832080.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki832080.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki497859.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki497859.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1408
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki265594.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki265594.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4416
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az777052.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az777052.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3352
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu329507.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu329507.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki164814.exe

Filesize
1.1MB

MD5
5b0c1ec327fc3d0bf2dd62d19f377042

SHA1
3ed64ad038b50e0bf52728044ead1f8bc79c4dba

SHA256
f453c51187b6a677f38f015344a2e3b176b76207e9d7982dad604629bc3507e5

SHA512
2f67e8eba809838f20c2879421055ef84f65c8cc11defe3900065dc27e2236987f5a70d4c847ec157f6b3d1a2ccb44f533f1050d389fbdd1e7242f9face1d518

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki164814.exe

Filesize
1.1MB

MD5
5b0c1ec327fc3d0bf2dd62d19f377042

SHA1
3ed64ad038b50e0bf52728044ead1f8bc79c4dba

SHA256
f453c51187b6a677f38f015344a2e3b176b76207e9d7982dad604629bc3507e5

SHA512
2f67e8eba809838f20c2879421055ef84f65c8cc11defe3900065dc27e2236987f5a70d4c847ec157f6b3d1a2ccb44f533f1050d389fbdd1e7242f9face1d518

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki832080.exe

Filesize
998KB

MD5
1016a4c0f03729a7e9f5019c9bfa2a5d

SHA1
219b413550b30a5db399af16a60d388822b33d64

SHA256
b9025dc3afb5edd6885ac6b608dcec77da98aabc450e9eb50029725f86e243d1

SHA512
2d97c4dd00a147ed0a5d0979dbf8db4f43846ac8c9e3da09669ec264dc623668344f3e52e0d87ccea433518b2a428abd1170294e9ec8f79f7f1b09517464d1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki832080.exe

Filesize
998KB

MD5
1016a4c0f03729a7e9f5019c9bfa2a5d

SHA1
219b413550b30a5db399af16a60d388822b33d64

SHA256
b9025dc3afb5edd6885ac6b608dcec77da98aabc450e9eb50029725f86e243d1

SHA512
2d97c4dd00a147ed0a5d0979dbf8db4f43846ac8c9e3da09669ec264dc623668344f3e52e0d87ccea433518b2a428abd1170294e9ec8f79f7f1b09517464d1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki497859.exe

Filesize
815KB

MD5
ace33d3be66a46ccaa5d89512f9e6d1e

SHA1
800951d393806db5c80d6fda0daea7018b9dc0a0

SHA256
967a26876a2d460577aef01984d1109969df5f04ec0671c8e373b923b43cf520

SHA512
641310445b557afe88e37d1724079ac377428efabbbe209a4b7e3b08f3e4299ef214d7a589aa6537f9dff466f1d0f1a85995784a69f176e4158e6033ae78d5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki497859.exe

Filesize
815KB

MD5
ace33d3be66a46ccaa5d89512f9e6d1e

SHA1
800951d393806db5c80d6fda0daea7018b9dc0a0

SHA256
967a26876a2d460577aef01984d1109969df5f04ec0671c8e373b923b43cf520

SHA512
641310445b557afe88e37d1724079ac377428efabbbe209a4b7e3b08f3e4299ef214d7a589aa6537f9dff466f1d0f1a85995784a69f176e4158e6033ae78d5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki265594.exe

Filesize
341KB

MD5
cb9e6fcddbac3ce73b63cae8584d26c1

SHA1
b75d2bf8940a1e08739cf3e7e0044cce1a108a29

SHA256
8ba191b0bc384bc38c76b8d58aec9b0680767e6f5f9f4cfedfc007518bd2d32d

SHA512
ec6cc36f3d9ecb1b9c18d6ea175778f59ffa996025a0db274df1a8074a26f539a70a58918ffb60eb5489d56bc88244362be576fba69958252a790281a19f2b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki265594.exe

Filesize
341KB

MD5
cb9e6fcddbac3ce73b63cae8584d26c1

SHA1
b75d2bf8940a1e08739cf3e7e0044cce1a108a29

SHA256
8ba191b0bc384bc38c76b8d58aec9b0680767e6f5f9f4cfedfc007518bd2d32d

SHA512
ec6cc36f3d9ecb1b9c18d6ea175778f59ffa996025a0db274df1a8074a26f539a70a58918ffb60eb5489d56bc88244362be576fba69958252a790281a19f2b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az777052.exe

Filesize
11KB

MD5
3980b618ff21d8baeeadddebb90911c3

SHA1
6d8715ba96900b25420b079bee6dad97c05b655c

SHA256
e56621e7053a7d7ae74116a68fd38f6577c86f9dd1e74933c05c47d70ac802a8

SHA512
e4a2b6aa79a1a856bbe0b87707e1cae03a23c3a8b389fa58a4e28a7af889a776cfe52e34db5aac33dc81160c66bae9296ecdb66d30aa885200c3c5768fe36d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az777052.exe

Filesize
11KB

MD5
3980b618ff21d8baeeadddebb90911c3

SHA1
6d8715ba96900b25420b079bee6dad97c05b655c

SHA256
e56621e7053a7d7ae74116a68fd38f6577c86f9dd1e74933c05c47d70ac802a8

SHA512
e4a2b6aa79a1a856bbe0b87707e1cae03a23c3a8b389fa58a4e28a7af889a776cfe52e34db5aac33dc81160c66bae9296ecdb66d30aa885200c3c5768fe36d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu329507.exe

Filesize
317KB

MD5
b962db67b6d2fb8fa03ddd0e4a8afd63

SHA1
1c47f6137fea6aa6cf5c8381d75a45fb25f8fe3c

SHA256
590b2c1c165851186823c1f753eb0b55b08f4a095b8265cb6334ee9835ad8f87

SHA512
c2e692c6abcf046f3d245750db068fedcc68b5bba48206f732ef9f1eeb212b247587d47ca8577388ec437bb218438881bfb461d53397e3f325da2993e31093e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu329507.exe

Filesize
317KB

MD5
b962db67b6d2fb8fa03ddd0e4a8afd63

SHA1
1c47f6137fea6aa6cf5c8381d75a45fb25f8fe3c

SHA256
590b2c1c165851186823c1f753eb0b55b08f4a095b8265cb6334ee9835ad8f87

SHA512
c2e692c6abcf046f3d245750db068fedcc68b5bba48206f732ef9f1eeb212b247587d47ca8577388ec437bb218438881bfb461d53397e3f325da2993e31093e3

Download Submit
memory/3352-168-0x0000000000840000-0x000000000084A000-memory.dmp

Filesize
40KB

Download
memory/4320-177-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4320-193-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4320-176-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4320-174-0x0000000000630000-0x000000000065D000-memory.dmp

Filesize
180KB

Download
memory/4320-179-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4320-181-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4320-183-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4320-185-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4320-187-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4320-189-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4320-191-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4320-175-0x0000000004AE0000-0x0000000005084000-memory.dmp

Filesize
5.6MB

Download
memory/4320-195-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4320-197-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4320-199-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4320-201-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4320-203-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4320-204-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download
memory/4320-205-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download
memory/4320-206-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download
memory/4320-207-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download