2e155d551f945a325b395310423db34c3c380e6abf557abab1a1413f5e1157db

Analysis

max time kernel
167s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2023, 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e155d551f945a325b395310423db34c3c380e6abf557abab1a1413f5e1157db.exe
Size

1.2MB
MD5

d6d1a7d6a86dd5e399575d2ceec99a3f
SHA1

c9a5306ff28543b37d714932bd8261c3dcf57f3a
SHA256

2e155d551f945a325b395310423db34c3c380e6abf557abab1a1413f5e1157db
SHA512

ef26d76f88f5999f6832179d23b6439cca2b5f2e97650f8fa134b137996b777ce2a3fb643716e88883bde5193ae9b5617b5bc856d0ea08e3182b69b435fe3d35
SSDEEP

24576:cycXb+Wo+Kj2Rnb1cfUP/Yddi3BKzUJ1dWKrLcqy5+Bvw9h8tebbk:LcXfZnb1cVddmBK4bYhqI+I8Ebb

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr554084.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr554084.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr554084.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr554084.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr554084.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr554084.exe

Executes dropped EXE 4 IoCs

pid	Process
956	un729406.exe
2848	un419098.exe
4136	pr554084.exe
4556	qu534591.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr554084.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr554084.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un419098.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2e155d551f945a325b395310423db34c3c380e6abf557abab1a1413f5e1157db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2e155d551f945a325b395310423db34c3c380e6abf557abab1a1413f5e1157db.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un729406.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un729406.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un419098.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1260	4136	WerFault.exe	80

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4136	pr554084.exe
4136	pr554084.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4136	pr554084.exe
Token: SeDebugPrivilege	4556	qu534591.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 956	2244	2e155d551f945a325b395310423db34c3c380e6abf557abab1a1413f5e1157db.exe	77
PID 2244 wrote to memory of 956	2244	2e155d551f945a325b395310423db34c3c380e6abf557abab1a1413f5e1157db.exe	77
PID 2244 wrote to memory of 956	2244	2e155d551f945a325b395310423db34c3c380e6abf557abab1a1413f5e1157db.exe	77
PID 956 wrote to memory of 2848	956	un729406.exe	79
PID 956 wrote to memory of 2848	956	un729406.exe	79
PID 956 wrote to memory of 2848	956	un729406.exe	79
PID 2848 wrote to memory of 4136	2848	un419098.exe	80
PID 2848 wrote to memory of 4136	2848	un419098.exe	80
PID 2848 wrote to memory of 4136	2848	un419098.exe	80
PID 2848 wrote to memory of 4556	2848	un419098.exe	92
PID 2848 wrote to memory of 4556	2848	un419098.exe	92
PID 2848 wrote to memory of 4556	2848	un419098.exe	92

C:\Users\Admin\AppData\Local\Temp\2e155d551f945a325b395310423db34c3c380e6abf557abab1a1413f5e1157db.exe
"C:\Users\Admin\AppData\Local\Temp\2e155d551f945a325b395310423db34c3c380e6abf557abab1a1413f5e1157db.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729406.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729406.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un419098.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un419098.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr554084.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr554084.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4136
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1088
        5⤵
        Program crash
        
        PID:1260
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu534591.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu534591.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4136 -ip 4136
1⤵
PID:3968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729406.exe

Filesize
862KB

MD5
73fb3c777341453d84b4e775c9e37d5e

SHA1
977f88fdf6e687c95d9279d8a48b3f79ca10e335

SHA256
d16eaeddc1ac0bcef16eb53a657da5c17e644ce649ac3f510c3ce827f333a6f6

SHA512
a13ace2a11288c223008d124e08ae658f640a03ae7e2011b3ac01c99a5b2b3fc9f085b97689fc5c0070a302a09155250a9ab325b506d94a9124b663ed26fb9f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un729406.exe

Filesize
862KB

MD5
73fb3c777341453d84b4e775c9e37d5e

SHA1
977f88fdf6e687c95d9279d8a48b3f79ca10e335

SHA256
d16eaeddc1ac0bcef16eb53a657da5c17e644ce649ac3f510c3ce827f333a6f6

SHA512
a13ace2a11288c223008d124e08ae658f640a03ae7e2011b3ac01c99a5b2b3fc9f085b97689fc5c0070a302a09155250a9ab325b506d94a9124b663ed26fb9f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un419098.exe

Filesize
708KB

MD5
6877da25752f313ad2beb84c062ff769

SHA1
66528b0d7983fcef7a073eadc9bf0e7ba03c98a8

SHA256
12453563a845f27ef9e1c668510a0f229b3261fcd424c411e53db9305b01244f

SHA512
8cb610cbf27db10180069c25f06caef43bbe42fe910288e7f93bb152a04d6b12bb341b05e99914b9e22cc24596284c31c25b2bf9b630e11a964cde317c5e2da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un419098.exe

Filesize
708KB

MD5
6877da25752f313ad2beb84c062ff769

SHA1
66528b0d7983fcef7a073eadc9bf0e7ba03c98a8

SHA256
12453563a845f27ef9e1c668510a0f229b3261fcd424c411e53db9305b01244f

SHA512
8cb610cbf27db10180069c25f06caef43bbe42fe910288e7f93bb152a04d6b12bb341b05e99914b9e22cc24596284c31c25b2bf9b630e11a964cde317c5e2da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr554084.exe

Filesize
403KB

MD5
2a5bb4c4ca88b4b5d00cfc15e9a273fd

SHA1
e3b19dcce8762f948cdaa61d95d98b4c881bb712

SHA256
590b09438bdedbe703950b85399d2cc1dd2ed206f2285afac02afdcaf2489da4

SHA512
3ba8784977834baa066b3ff8f8cc6c765f9c10c635f0c0cf21ebb1edd1a30ced49cd84d7b71a70afa6cdba8f3e714f7eac44647ecfbc6c8915248bd62a42f5c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr554084.exe

Filesize
403KB

MD5
2a5bb4c4ca88b4b5d00cfc15e9a273fd

SHA1
e3b19dcce8762f948cdaa61d95d98b4c881bb712

SHA256
590b09438bdedbe703950b85399d2cc1dd2ed206f2285afac02afdcaf2489da4

SHA512
3ba8784977834baa066b3ff8f8cc6c765f9c10c635f0c0cf21ebb1edd1a30ced49cd84d7b71a70afa6cdba8f3e714f7eac44647ecfbc6c8915248bd62a42f5c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu534591.exe

Filesize
588KB

MD5
ef169a6696c0be2b53bb26de9585e886

SHA1
47ffe8232a62d73cc21641d0fc86039b27bb8e40

SHA256
420a963ac7850c5af64a7d5e0e1da9e30fc929719adf4b7e527451b8ed8232f7

SHA512
d9c4b517bcf94cb86021a9d9297eaaa57fe9c104d4c8487b5b8604cbd49ad5f90953d2182e6b60cb0cf4234d3d33012861f3e93a1d50f5215bd3f1771dd6b07b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu534591.exe

Filesize
588KB

MD5
ef169a6696c0be2b53bb26de9585e886

SHA1
47ffe8232a62d73cc21641d0fc86039b27bb8e40

SHA256
420a963ac7850c5af64a7d5e0e1da9e30fc929719adf4b7e527451b8ed8232f7

SHA512
d9c4b517bcf94cb86021a9d9297eaaa57fe9c104d4c8487b5b8604cbd49ad5f90953d2182e6b60cb0cf4234d3d33012861f3e93a1d50f5215bd3f1771dd6b07b

Download Submit
memory/4136-155-0x0000000005030000-0x00000000055D4000-memory.dmp

Filesize
5.6MB

Download
memory/4136-156-0x0000000000990000-0x00000000009BD000-memory.dmp

Filesize
180KB

Download
memory/4136-157-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/4136-158-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/4136-159-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/4136-161-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4136-160-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4136-163-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4136-165-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4136-167-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4136-169-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4136-171-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4136-175-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4136-173-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4136-177-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4136-179-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4136-183-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4136-181-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4136-185-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4136-187-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4136-188-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/4136-189-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/4136-190-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/4136-191-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/4136-194-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/4556-206-0x0000000002350000-0x00000000023AB000-memory.dmp

Filesize
364KB

Download
memory/4556-207-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/4556-208-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/4556-209-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/4556-210-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4556-211-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4556-213-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4556-215-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4556-217-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4556-219-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4556-221-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4556-223-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4556-225-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4556-227-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4556-229-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4556-231-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4556-233-0x00000000028D0000-0x0000000002930000-memory.dmp

Filesize
384KB

Download
memory/4556-234-0x0000000000400000-0x0000000000837000-memory.dmp

Filesize
4.2MB

Download
memory/4556-1569-0x0000000002350000-0x00000000023AB000-memory.dmp

Filesize
364KB

Download
memory/4556-2340-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/4556-2341-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/4556-2342-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/4556-2344-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download