165a8064798a5537d554410c13911f5bfab2378386da7e1d3791c56195cb8c54

Resubmissions

19/04/2023, 00:03

230419-aceyjsfb34 10

18/04/2023, 23:54

230418-3xxcjsfa84 10

Analysis

max time kernel
13s
max time network
15s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2023, 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

165a8064798a5537d554410c13911f5bfab2378386da7e1d3791c56195cb8c54.exe
Size

1.3MB
MD5

56bcf63a381be768573ed0e866a2613d
SHA1

2974f5b7b0c3279b1d4496b60694fa0348671269
SHA256

165a8064798a5537d554410c13911f5bfab2378386da7e1d3791c56195cb8c54
SHA512

1422448df87a822d365403aedea49bbabe8239907cab99e34a2d23aef5924629afff152a9eab97f7933dfe44998ee65e2be5284346f13a6e52d515ceb3a66615
SSDEEP

24576:7yytWeQJhSQinRRP3bxGlgOjIVbwYQWVp+Y+Xz2RQkqc8k/I:uyt34SQqRRvbxGlgUBJo3OKRJ8k

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz8749.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz8749.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz8749.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz8749.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz8749.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz8749.exe

Executes dropped EXE 5 IoCs

pid	Process
5084	za279568.exe
792	za923340.exe
1484	za759027.exe
1560	tz8749.exe
3676	v5293Qr.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz8749.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	za759027.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	165a8064798a5537d554410c13911f5bfab2378386da7e1d3791c56195cb8c54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	165a8064798a5537d554410c13911f5bfab2378386da7e1d3791c56195cb8c54.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za279568.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za279568.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za923340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za923340.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za759027.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1560	tz8749.exe
1560	tz8749.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1560	tz8749.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 5084	4112	165a8064798a5537d554410c13911f5bfab2378386da7e1d3791c56195cb8c54.exe	86
PID 4112 wrote to memory of 5084	4112	165a8064798a5537d554410c13911f5bfab2378386da7e1d3791c56195cb8c54.exe	86
PID 4112 wrote to memory of 5084	4112	165a8064798a5537d554410c13911f5bfab2378386da7e1d3791c56195cb8c54.exe	86
PID 5084 wrote to memory of 792	5084	za279568.exe	88
PID 5084 wrote to memory of 792	5084	za279568.exe	88
PID 5084 wrote to memory of 792	5084	za279568.exe	88
PID 792 wrote to memory of 1484	792	za923340.exe	89
PID 792 wrote to memory of 1484	792	za923340.exe	89
PID 792 wrote to memory of 1484	792	za923340.exe	89
PID 1484 wrote to memory of 1560	1484	za759027.exe	90
PID 1484 wrote to memory of 1560	1484	za759027.exe	90
PID 1484 wrote to memory of 3676	1484	za759027.exe	97
PID 1484 wrote to memory of 3676	1484	za759027.exe	97
PID 1484 wrote to memory of 3676	1484	za759027.exe	97

C:\Users\Admin\AppData\Local\Temp\165a8064798a5537d554410c13911f5bfab2378386da7e1d3791c56195cb8c54.exe
"C:\Users\Admin\AppData\Local\Temp\165a8064798a5537d554410c13911f5bfab2378386da7e1d3791c56195cb8c54.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za279568.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za279568.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za923340.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za923340.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:792
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za759027.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za759027.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1484
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8749.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8749.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5293Qr.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5293Qr.exe
        5⤵
        Executes dropped EXE
        
        PID:3676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za279568.exe

Filesize
1.1MB

MD5
d11c2f306dd684ae957ec2fa6749da49

SHA1
cb6fbf2353cd54a47b1b0737f08450b1c23184fc

SHA256
32f57a3532d2a34568419c5eed74e50b620fcd4fc96d950cd18dd13492e73c56

SHA512
d668c746fabd629871ad7bab318bf9dab3aa32933db183cdda757058d01175b44b2f9d2dc2fdc89dce18d8c102f4a09ff2014ec9362a54098aa97d3490b63919

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za279568.exe

Filesize
1.1MB

MD5
d11c2f306dd684ae957ec2fa6749da49

SHA1
cb6fbf2353cd54a47b1b0737f08450b1c23184fc

SHA256
32f57a3532d2a34568419c5eed74e50b620fcd4fc96d950cd18dd13492e73c56

SHA512
d668c746fabd629871ad7bab318bf9dab3aa32933db183cdda757058d01175b44b2f9d2dc2fdc89dce18d8c102f4a09ff2014ec9362a54098aa97d3490b63919

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za923340.exe

Filesize
807KB

MD5
8703ab8befc43b86ebaf57ef318368ce

SHA1
3f47f9ea8f9e4937d1aeac8fde54c1c0f11b20cb

SHA256
59f1fba64a91c525af95b4eec9c3a487616b1ebebf23d74876c7bff0345121a4

SHA512
67ac3cb2f07ac6ac4f36ed109fbf74430de8eb39198cce554ad42259564ad3034453249641ecc8ca68dcb167a2a1c0c09087e73e936dbe8fc9c6d28402215728

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za923340.exe

Filesize
807KB

MD5
8703ab8befc43b86ebaf57ef318368ce

SHA1
3f47f9ea8f9e4937d1aeac8fde54c1c0f11b20cb

SHA256
59f1fba64a91c525af95b4eec9c3a487616b1ebebf23d74876c7bff0345121a4

SHA512
67ac3cb2f07ac6ac4f36ed109fbf74430de8eb39198cce554ad42259564ad3034453249641ecc8ca68dcb167a2a1c0c09087e73e936dbe8fc9c6d28402215728

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za759027.exe

Filesize
471KB

MD5
037a42d65068866135ebae23c43faf49

SHA1
abdedc455c39331296e63cb1b13cd787d40b952f

SHA256
7584068cb288c5da926e5eac2857c0a67ae88f16ca85d4fa3f69ae0affa9362a

SHA512
33c27e26a94ead5e83797eec38f34095bf108c934dcf713c83d842cc40413bc59549be8adfe67a10f0c5c1541018da54bd810cf2de960a41d730d217c8f79946

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za759027.exe

Filesize
471KB

MD5
037a42d65068866135ebae23c43faf49

SHA1
abdedc455c39331296e63cb1b13cd787d40b952f

SHA256
7584068cb288c5da926e5eac2857c0a67ae88f16ca85d4fa3f69ae0affa9362a

SHA512
33c27e26a94ead5e83797eec38f34095bf108c934dcf713c83d842cc40413bc59549be8adfe67a10f0c5c1541018da54bd810cf2de960a41d730d217c8f79946

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8749.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8749.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5293Qr.exe

Filesize
486KB

MD5
706d7be7c6e46e26efdc449109d7cda7

SHA1
2ab912d4183a6420abd096bc3745200a97cd1479

SHA256
030a6900e386016c01a5afef383c0857f11916fc26af0be94ec1fd3c99e27e4b

SHA512
099d47bab98854a9047ce5f4408d0f01fe831753cea23f36095461eb793845ac17a92364c9682f5a58ddf915a2a722ed9ebaea5aa84842a8da848310a0b88fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5293Qr.exe

Filesize
486KB

MD5
706d7be7c6e46e26efdc449109d7cda7

SHA1
2ab912d4183a6420abd096bc3745200a97cd1479

SHA256
030a6900e386016c01a5afef383c0857f11916fc26af0be94ec1fd3c99e27e4b

SHA512
099d47bab98854a9047ce5f4408d0f01fe831753cea23f36095461eb793845ac17a92364c9682f5a58ddf915a2a722ed9ebaea5aa84842a8da848310a0b88fec

Download Submit
memory/1560-161-0x0000000000660000-0x000000000066A000-memory.dmp

Filesize
40KB

Download