d168994bd0d06490b3ab69ab74830ae16e89a0798efc5cc21f6bf377feac1208

Analysis

max time kernel
148s
max time network
156s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01-05-2023 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d168994bd0d06490b3ab69ab74830ae16e89a0798efc5cc21f6bf377feac1208.exe
Size

612KB
MD5

90e1dad4cf477bdce051bd598257b1fb
SHA1

3214a5ccfa673e9fc7afc7e25b43902337658921
SHA256

d168994bd0d06490b3ab69ab74830ae16e89a0798efc5cc21f6bf377feac1208
SHA512

ea082666c64c89e13903f9fcf84e64b3bfc4ddef0986f88a0b5fabaf6b0203081915d4d0153181ee938ad452e1404fe8438e8d4467a29c64651c14e08ff99911
SSDEEP

6144:Fmp0yN90QEZN3kkgK3wk3b+q4F7LwUIVDZg0wnaXIorUf6BU7kWYFj7zwB17PCK6:Ny90d5J37L+NmaCri6WwxHwBBVZxH5E

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	15502081.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	15502081.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	15502081.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	15502081.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	15502081.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	15502081.exe

Executes dropped EXE 3 IoCs

pid	Process
1184	st129965.exe
284	15502081.exe
1816	kp950400.exe

Loads dropped DLL 6 IoCs

pid	Process
1228	d168994bd0d06490b3ab69ab74830ae16e89a0798efc5cc21f6bf377feac1208.exe
1184	st129965.exe
1184	st129965.exe
1184	st129965.exe
1184	st129965.exe
1816	kp950400.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	15502081.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	15502081.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st129965.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d168994bd0d06490b3ab69ab74830ae16e89a0798efc5cc21f6bf377feac1208.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d168994bd0d06490b3ab69ab74830ae16e89a0798efc5cc21f6bf377feac1208.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	st129965.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
284	15502081.exe
284	15502081.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	284	15502081.exe
Token: SeDebugPrivilege	1816	kp950400.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 1184	1228	d168994bd0d06490b3ab69ab74830ae16e89a0798efc5cc21f6bf377feac1208.exe	28
PID 1228 wrote to memory of 1184	1228	d168994bd0d06490b3ab69ab74830ae16e89a0798efc5cc21f6bf377feac1208.exe	28
PID 1228 wrote to memory of 1184	1228	d168994bd0d06490b3ab69ab74830ae16e89a0798efc5cc21f6bf377feac1208.exe	28
PID 1228 wrote to memory of 1184	1228	d168994bd0d06490b3ab69ab74830ae16e89a0798efc5cc21f6bf377feac1208.exe	28
PID 1228 wrote to memory of 1184	1228	d168994bd0d06490b3ab69ab74830ae16e89a0798efc5cc21f6bf377feac1208.exe	28
PID 1228 wrote to memory of 1184	1228	d168994bd0d06490b3ab69ab74830ae16e89a0798efc5cc21f6bf377feac1208.exe	28
PID 1228 wrote to memory of 1184	1228	d168994bd0d06490b3ab69ab74830ae16e89a0798efc5cc21f6bf377feac1208.exe	28
PID 1184 wrote to memory of 284	1184	st129965.exe	29
PID 1184 wrote to memory of 284	1184	st129965.exe	29
PID 1184 wrote to memory of 284	1184	st129965.exe	29
PID 1184 wrote to memory of 284	1184	st129965.exe	29
PID 1184 wrote to memory of 284	1184	st129965.exe	29
PID 1184 wrote to memory of 284	1184	st129965.exe	29
PID 1184 wrote to memory of 284	1184	st129965.exe	29
PID 1184 wrote to memory of 1816	1184	st129965.exe	30
PID 1184 wrote to memory of 1816	1184	st129965.exe	30
PID 1184 wrote to memory of 1816	1184	st129965.exe	30
PID 1184 wrote to memory of 1816	1184	st129965.exe	30
PID 1184 wrote to memory of 1816	1184	st129965.exe	30
PID 1184 wrote to memory of 1816	1184	st129965.exe	30
PID 1184 wrote to memory of 1816	1184	st129965.exe	30

C:\Users\Admin\AppData\Local\Temp\d168994bd0d06490b3ab69ab74830ae16e89a0798efc5cc21f6bf377feac1208.exe
"C:\Users\Admin\AppData\Local\Temp\d168994bd0d06490b3ab69ab74830ae16e89a0798efc5cc21f6bf377feac1208.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st129965.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st129965.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\15502081.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\15502081.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:284
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp950400.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp950400.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st129965.exe

Filesize
458KB

MD5
88464faf1afa0a66af20b277f0ab828a

SHA1
cc92daabf8ce52a6bf2b6a93b97c9a9a729fd9c6

SHA256
90c67167bf2f138a3ac20881439299896bf5281b2e67f0183f9a588f1d0b90cf

SHA512
844ae7af20e4cb7d401f07f50bfbacb63f0e6b7f749d655ad38b0edc9c7d85402fb213da46d49a49a0abfd50350e8fcd69be7d59d4f6a0a14369be9eaeffafbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st129965.exe

Filesize
458KB

MD5
88464faf1afa0a66af20b277f0ab828a

SHA1
cc92daabf8ce52a6bf2b6a93b97c9a9a729fd9c6

SHA256
90c67167bf2f138a3ac20881439299896bf5281b2e67f0183f9a588f1d0b90cf

SHA512
844ae7af20e4cb7d401f07f50bfbacb63f0e6b7f749d655ad38b0edc9c7d85402fb213da46d49a49a0abfd50350e8fcd69be7d59d4f6a0a14369be9eaeffafbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\15502081.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\15502081.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp950400.exe

Filesize
460KB

MD5
fc5c2455975858ef2197d04286c52be1

SHA1
25385938e8027bf67d0c2d303a8acae793a9478b

SHA256
a3de15700ec22fe9d646017630447a3deaafc209b0af43297eea9f6b9ae73b70

SHA512
c9d51385b0d6bdb4338f9043dfb48f40056a94201204c3ff6988542f3f275c404652a2cedac40c9ab77702b604c65581069cec8d2eac47736e6c18b7b419ef33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp950400.exe

Filesize
460KB

MD5
fc5c2455975858ef2197d04286c52be1

SHA1
25385938e8027bf67d0c2d303a8acae793a9478b

SHA256
a3de15700ec22fe9d646017630447a3deaafc209b0af43297eea9f6b9ae73b70

SHA512
c9d51385b0d6bdb4338f9043dfb48f40056a94201204c3ff6988542f3f275c404652a2cedac40c9ab77702b604c65581069cec8d2eac47736e6c18b7b419ef33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp950400.exe

Filesize
460KB

MD5
fc5c2455975858ef2197d04286c52be1

SHA1
25385938e8027bf67d0c2d303a8acae793a9478b

SHA256
a3de15700ec22fe9d646017630447a3deaafc209b0af43297eea9f6b9ae73b70

SHA512
c9d51385b0d6bdb4338f9043dfb48f40056a94201204c3ff6988542f3f275c404652a2cedac40c9ab77702b604c65581069cec8d2eac47736e6c18b7b419ef33

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st129965.exe

Filesize
458KB

MD5
88464faf1afa0a66af20b277f0ab828a

SHA1
cc92daabf8ce52a6bf2b6a93b97c9a9a729fd9c6

SHA256
90c67167bf2f138a3ac20881439299896bf5281b2e67f0183f9a588f1d0b90cf

SHA512
844ae7af20e4cb7d401f07f50bfbacb63f0e6b7f749d655ad38b0edc9c7d85402fb213da46d49a49a0abfd50350e8fcd69be7d59d4f6a0a14369be9eaeffafbd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st129965.exe

Filesize
458KB

MD5
88464faf1afa0a66af20b277f0ab828a

SHA1
cc92daabf8ce52a6bf2b6a93b97c9a9a729fd9c6

SHA256
90c67167bf2f138a3ac20881439299896bf5281b2e67f0183f9a588f1d0b90cf

SHA512
844ae7af20e4cb7d401f07f50bfbacb63f0e6b7f749d655ad38b0edc9c7d85402fb213da46d49a49a0abfd50350e8fcd69be7d59d4f6a0a14369be9eaeffafbd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\15502081.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp950400.exe

Filesize
460KB

MD5
fc5c2455975858ef2197d04286c52be1

SHA1
25385938e8027bf67d0c2d303a8acae793a9478b

SHA256
a3de15700ec22fe9d646017630447a3deaafc209b0af43297eea9f6b9ae73b70

SHA512
c9d51385b0d6bdb4338f9043dfb48f40056a94201204c3ff6988542f3f275c404652a2cedac40c9ab77702b604c65581069cec8d2eac47736e6c18b7b419ef33

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp950400.exe

Filesize
460KB

MD5
fc5c2455975858ef2197d04286c52be1

SHA1
25385938e8027bf67d0c2d303a8acae793a9478b

SHA256
a3de15700ec22fe9d646017630447a3deaafc209b0af43297eea9f6b9ae73b70

SHA512
c9d51385b0d6bdb4338f9043dfb48f40056a94201204c3ff6988542f3f275c404652a2cedac40c9ab77702b604c65581069cec8d2eac47736e6c18b7b419ef33

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp950400.exe

Filesize
460KB

MD5
fc5c2455975858ef2197d04286c52be1

SHA1
25385938e8027bf67d0c2d303a8acae793a9478b

SHA256
a3de15700ec22fe9d646017630447a3deaafc209b0af43297eea9f6b9ae73b70

SHA512
c9d51385b0d6bdb4338f9043dfb48f40056a94201204c3ff6988542f3f275c404652a2cedac40c9ab77702b604c65581069cec8d2eac47736e6c18b7b419ef33

Download Submit
memory/284-72-0x00000000010A0000-0x00000000010AA000-memory.dmp

Filesize
40KB

Download
memory/1816-106-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-120-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-85-0x0000000001070000-0x00000000010AC000-memory.dmp

Filesize
240KB

Download
memory/1816-86-0x00000000010B0000-0x00000000010EA000-memory.dmp

Filesize
232KB

Download
memory/1816-87-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-88-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-90-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-92-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-94-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-96-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-98-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-100-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-102-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-104-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-83-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/1816-108-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-110-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-112-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-114-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-116-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-118-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-84-0x0000000000400000-0x0000000000818000-memory.dmp

Filesize
4.1MB

Download
memory/1816-122-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-124-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-126-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-128-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-130-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-132-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-134-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-136-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-138-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-140-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-142-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-144-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-146-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-148-0x00000000010B0000-0x00000000010E5000-memory.dmp

Filesize
212KB

Download
memory/1816-199-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1816-201-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1816-882-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1816-884-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1816-885-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1816-886-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1816-887-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download