d3b3437d6ea7a02c992585b5cf2b2c34fb7c4b93b81e4407ae7d7d3ee5def890

Analysis

max time kernel
146s
max time network
168s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01/05/2023, 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3b3437d6ea7a02c992585b5cf2b2c34fb7c4b93b81e4407ae7d7d3ee5def890.exe
Size

690KB
MD5

c739646777bfd5d1ae7da944ad269ac3
SHA1

d98aca4ac920187c5332a85100ced78017feed0c
SHA256

d3b3437d6ea7a02c992585b5cf2b2c34fb7c4b93b81e4407ae7d7d3ee5def890
SHA512

f34e727e6126821eeb8c8d7ddbf65f0f7fa972718c24cbc2b6fd2e1134378c8ee5a438ef7c5650ca4db405a2dcee6cb20fde687719177b93fa41b10144a3acc7
SSDEEP

12288:Jy90NVXamCIhcVExQBlYGPDqbH7/mAbrLari36NaT3Hc8/oXHyy:Jy8VXcVEW74H7+Ab3ari360T3c85y

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	66824932.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	66824932.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	66824932.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	66824932.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	66824932.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	66824932.exe

Executes dropped EXE 3 IoCs

pid	Process
900	un924195.exe
1308	66824932.exe
2040	rk810407.exe

Loads dropped DLL 8 IoCs

pid	Process
832	d3b3437d6ea7a02c992585b5cf2b2c34fb7c4b93b81e4407ae7d7d3ee5def890.exe
900	un924195.exe
900	un924195.exe
900	un924195.exe
1308	66824932.exe
900	un924195.exe
900	un924195.exe
2040	rk810407.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	66824932.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	66824932.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d3b3437d6ea7a02c992585b5cf2b2c34fb7c4b93b81e4407ae7d7d3ee5def890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d3b3437d6ea7a02c992585b5cf2b2c34fb7c4b93b81e4407ae7d7d3ee5def890.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un924195.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un924195.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1308	66824932.exe
1308	66824932.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1308	66824932.exe
Token: SeDebugPrivilege	2040	rk810407.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 900	832	d3b3437d6ea7a02c992585b5cf2b2c34fb7c4b93b81e4407ae7d7d3ee5def890.exe	27
PID 832 wrote to memory of 900	832	d3b3437d6ea7a02c992585b5cf2b2c34fb7c4b93b81e4407ae7d7d3ee5def890.exe	27
PID 832 wrote to memory of 900	832	d3b3437d6ea7a02c992585b5cf2b2c34fb7c4b93b81e4407ae7d7d3ee5def890.exe	27
PID 832 wrote to memory of 900	832	d3b3437d6ea7a02c992585b5cf2b2c34fb7c4b93b81e4407ae7d7d3ee5def890.exe	27
PID 832 wrote to memory of 900	832	d3b3437d6ea7a02c992585b5cf2b2c34fb7c4b93b81e4407ae7d7d3ee5def890.exe	27
PID 832 wrote to memory of 900	832	d3b3437d6ea7a02c992585b5cf2b2c34fb7c4b93b81e4407ae7d7d3ee5def890.exe	27
PID 832 wrote to memory of 900	832	d3b3437d6ea7a02c992585b5cf2b2c34fb7c4b93b81e4407ae7d7d3ee5def890.exe	27
PID 900 wrote to memory of 1308	900	un924195.exe	28
PID 900 wrote to memory of 1308	900	un924195.exe	28
PID 900 wrote to memory of 1308	900	un924195.exe	28
PID 900 wrote to memory of 1308	900	un924195.exe	28
PID 900 wrote to memory of 1308	900	un924195.exe	28
PID 900 wrote to memory of 1308	900	un924195.exe	28
PID 900 wrote to memory of 1308	900	un924195.exe	28
PID 900 wrote to memory of 2040	900	un924195.exe	29
PID 900 wrote to memory of 2040	900	un924195.exe	29
PID 900 wrote to memory of 2040	900	un924195.exe	29
PID 900 wrote to memory of 2040	900	un924195.exe	29
PID 900 wrote to memory of 2040	900	un924195.exe	29
PID 900 wrote to memory of 2040	900	un924195.exe	29
PID 900 wrote to memory of 2040	900	un924195.exe	29

C:\Users\Admin\AppData\Local\Temp\d3b3437d6ea7a02c992585b5cf2b2c34fb7c4b93b81e4407ae7d7d3ee5def890.exe
"C:\Users\Admin\AppData\Local\Temp\d3b3437d6ea7a02c992585b5cf2b2c34fb7c4b93b81e4407ae7d7d3ee5def890.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:832
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un924195.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un924195.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\66824932.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\66824932.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1308
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk810407.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk810407.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un924195.exe

Filesize
536KB

MD5
2ad672d5abbebef235a4972809593839

SHA1
c655da2f1fd47c1a5b604536fbc59cd878f343f5

SHA256
12a282aa9dcca2ee23d956e73455e7a4f4608184286f108fadb2d63ebd2edd86

SHA512
0741dd229369b9b6120f04e58e3b11a54faea91857ccc1c43bf051b22297b8783ffd25f435e4272922c4c3c82ce800da5577c2fe1552ac46974588f8cacb0c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un924195.exe

Filesize
536KB

MD5
2ad672d5abbebef235a4972809593839

SHA1
c655da2f1fd47c1a5b604536fbc59cd878f343f5

SHA256
12a282aa9dcca2ee23d956e73455e7a4f4608184286f108fadb2d63ebd2edd86

SHA512
0741dd229369b9b6120f04e58e3b11a54faea91857ccc1c43bf051b22297b8783ffd25f435e4272922c4c3c82ce800da5577c2fe1552ac46974588f8cacb0c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\66824932.exe

Filesize
259KB

MD5
a72b294115d9456f54c5cbc18387d1dd

SHA1
6b6c2578b326321591f4b629a43ba1178c5d1453

SHA256
514293c4815fab741a85209b5d1210deb252d05d9eded2c76021c4870730f773

SHA512
8b49e50a9877f411e0aaa2e41456a58cd1aec4bf60ab0cd973567d33612b4b6d3e650bdea69284a54a8fa556aa4b13a78e0aef91b96091f0c2d1a667bfc29dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\66824932.exe

Filesize
259KB

MD5
a72b294115d9456f54c5cbc18387d1dd

SHA1
6b6c2578b326321591f4b629a43ba1178c5d1453

SHA256
514293c4815fab741a85209b5d1210deb252d05d9eded2c76021c4870730f773

SHA512
8b49e50a9877f411e0aaa2e41456a58cd1aec4bf60ab0cd973567d33612b4b6d3e650bdea69284a54a8fa556aa4b13a78e0aef91b96091f0c2d1a667bfc29dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\66824932.exe

Filesize
259KB

MD5
a72b294115d9456f54c5cbc18387d1dd

SHA1
6b6c2578b326321591f4b629a43ba1178c5d1453

SHA256
514293c4815fab741a85209b5d1210deb252d05d9eded2c76021c4870730f773

SHA512
8b49e50a9877f411e0aaa2e41456a58cd1aec4bf60ab0cd973567d33612b4b6d3e650bdea69284a54a8fa556aa4b13a78e0aef91b96091f0c2d1a667bfc29dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk810407.exe

Filesize
341KB

MD5
ff7d8e449dfe37d4a83b77708dbb714e

SHA1
3fdceec5f99e42ff0c5fec12ee497cbf215527dc

SHA256
9f8167c60e0d4899ef4d3ec9aa855d2181523c4546f3f7140461b8c798b5c5c8

SHA512
479d6244e99b00acb27826bfb6c6215d070fd899c66b36a51b875be0d00bfd44c07f75ec1fa883cf960bd21cd45715463ded8a564ee2dba22cafaec5b1510a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk810407.exe

Filesize
341KB

MD5
ff7d8e449dfe37d4a83b77708dbb714e

SHA1
3fdceec5f99e42ff0c5fec12ee497cbf215527dc

SHA256
9f8167c60e0d4899ef4d3ec9aa855d2181523c4546f3f7140461b8c798b5c5c8

SHA512
479d6244e99b00acb27826bfb6c6215d070fd899c66b36a51b875be0d00bfd44c07f75ec1fa883cf960bd21cd45715463ded8a564ee2dba22cafaec5b1510a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk810407.exe

Filesize
341KB

MD5
ff7d8e449dfe37d4a83b77708dbb714e

SHA1
3fdceec5f99e42ff0c5fec12ee497cbf215527dc

SHA256
9f8167c60e0d4899ef4d3ec9aa855d2181523c4546f3f7140461b8c798b5c5c8

SHA512
479d6244e99b00acb27826bfb6c6215d070fd899c66b36a51b875be0d00bfd44c07f75ec1fa883cf960bd21cd45715463ded8a564ee2dba22cafaec5b1510a19

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un924195.exe

Filesize
536KB

MD5
2ad672d5abbebef235a4972809593839

SHA1
c655da2f1fd47c1a5b604536fbc59cd878f343f5

SHA256
12a282aa9dcca2ee23d956e73455e7a4f4608184286f108fadb2d63ebd2edd86

SHA512
0741dd229369b9b6120f04e58e3b11a54faea91857ccc1c43bf051b22297b8783ffd25f435e4272922c4c3c82ce800da5577c2fe1552ac46974588f8cacb0c8f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un924195.exe

Filesize
536KB

MD5
2ad672d5abbebef235a4972809593839

SHA1
c655da2f1fd47c1a5b604536fbc59cd878f343f5

SHA256
12a282aa9dcca2ee23d956e73455e7a4f4608184286f108fadb2d63ebd2edd86

SHA512
0741dd229369b9b6120f04e58e3b11a54faea91857ccc1c43bf051b22297b8783ffd25f435e4272922c4c3c82ce800da5577c2fe1552ac46974588f8cacb0c8f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\66824932.exe

Filesize
259KB

MD5
a72b294115d9456f54c5cbc18387d1dd

SHA1
6b6c2578b326321591f4b629a43ba1178c5d1453

SHA256
514293c4815fab741a85209b5d1210deb252d05d9eded2c76021c4870730f773

SHA512
8b49e50a9877f411e0aaa2e41456a58cd1aec4bf60ab0cd973567d33612b4b6d3e650bdea69284a54a8fa556aa4b13a78e0aef91b96091f0c2d1a667bfc29dad

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\66824932.exe

Filesize
259KB

MD5
a72b294115d9456f54c5cbc18387d1dd

SHA1
6b6c2578b326321591f4b629a43ba1178c5d1453

SHA256
514293c4815fab741a85209b5d1210deb252d05d9eded2c76021c4870730f773

SHA512
8b49e50a9877f411e0aaa2e41456a58cd1aec4bf60ab0cd973567d33612b4b6d3e650bdea69284a54a8fa556aa4b13a78e0aef91b96091f0c2d1a667bfc29dad

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\66824932.exe

Filesize
259KB

MD5
a72b294115d9456f54c5cbc18387d1dd

SHA1
6b6c2578b326321591f4b629a43ba1178c5d1453

SHA256
514293c4815fab741a85209b5d1210deb252d05d9eded2c76021c4870730f773

SHA512
8b49e50a9877f411e0aaa2e41456a58cd1aec4bf60ab0cd973567d33612b4b6d3e650bdea69284a54a8fa556aa4b13a78e0aef91b96091f0c2d1a667bfc29dad

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk810407.exe

Filesize
341KB

MD5
ff7d8e449dfe37d4a83b77708dbb714e

SHA1
3fdceec5f99e42ff0c5fec12ee497cbf215527dc

SHA256
9f8167c60e0d4899ef4d3ec9aa855d2181523c4546f3f7140461b8c798b5c5c8

SHA512
479d6244e99b00acb27826bfb6c6215d070fd899c66b36a51b875be0d00bfd44c07f75ec1fa883cf960bd21cd45715463ded8a564ee2dba22cafaec5b1510a19

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk810407.exe

Filesize
341KB

MD5
ff7d8e449dfe37d4a83b77708dbb714e

SHA1
3fdceec5f99e42ff0c5fec12ee497cbf215527dc

SHA256
9f8167c60e0d4899ef4d3ec9aa855d2181523c4546f3f7140461b8c798b5c5c8

SHA512
479d6244e99b00acb27826bfb6c6215d070fd899c66b36a51b875be0d00bfd44c07f75ec1fa883cf960bd21cd45715463ded8a564ee2dba22cafaec5b1510a19

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk810407.exe

Filesize
341KB

MD5
ff7d8e449dfe37d4a83b77708dbb714e

SHA1
3fdceec5f99e42ff0c5fec12ee497cbf215527dc

SHA256
9f8167c60e0d4899ef4d3ec9aa855d2181523c4546f3f7140461b8c798b5c5c8

SHA512
479d6244e99b00acb27826bfb6c6215d070fd899c66b36a51b875be0d00bfd44c07f75ec1fa883cf960bd21cd45715463ded8a564ee2dba22cafaec5b1510a19

Download Submit
memory/1308-113-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/1308-88-0x0000000000A90000-0x0000000000AA3000-memory.dmp

Filesize
76KB

Download
memory/1308-90-0x0000000000A90000-0x0000000000AA3000-memory.dmp

Filesize
76KB

Download
memory/1308-92-0x0000000000A90000-0x0000000000AA3000-memory.dmp

Filesize
76KB

Download
memory/1308-94-0x0000000000A90000-0x0000000000AA3000-memory.dmp

Filesize
76KB

Download
memory/1308-98-0x0000000000A90000-0x0000000000AA3000-memory.dmp

Filesize
76KB

Download
memory/1308-96-0x0000000000A90000-0x0000000000AA3000-memory.dmp

Filesize
76KB

Download
memory/1308-102-0x0000000000A90000-0x0000000000AA3000-memory.dmp

Filesize
76KB

Download
memory/1308-100-0x0000000000A90000-0x0000000000AA3000-memory.dmp

Filesize
76KB

Download
memory/1308-106-0x0000000000A90000-0x0000000000AA3000-memory.dmp

Filesize
76KB

Download
memory/1308-104-0x0000000000A90000-0x0000000000AA3000-memory.dmp

Filesize
76KB

Download
memory/1308-108-0x0000000000A90000-0x0000000000AA3000-memory.dmp

Filesize
76KB

Download
memory/1308-109-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/1308-110-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/1308-111-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1308-86-0x0000000000A90000-0x0000000000AA3000-memory.dmp

Filesize
76KB

Download
memory/1308-115-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1308-84-0x0000000000A90000-0x0000000000AA3000-memory.dmp

Filesize
76KB

Download
memory/1308-82-0x0000000000A90000-0x0000000000AA3000-memory.dmp

Filesize
76KB

Download
memory/1308-81-0x0000000000A90000-0x0000000000AA3000-memory.dmp

Filesize
76KB

Download
memory/1308-80-0x0000000000A90000-0x0000000000AA8000-memory.dmp

Filesize
96KB

Download
memory/1308-79-0x0000000000880000-0x000000000089A000-memory.dmp

Filesize
104KB

Download
memory/1308-78-0x00000000005F0000-0x000000000061D000-memory.dmp

Filesize
180KB

Download
memory/2040-128-0x0000000000270000-0x00000000002B6000-memory.dmp

Filesize
280KB

Download
memory/2040-145-0x0000000002050000-0x0000000002085000-memory.dmp

Filesize
212KB

Download
memory/2040-126-0x0000000000AD0000-0x0000000000B0C000-memory.dmp

Filesize
240KB

Download
memory/2040-129-0x0000000004AF0000-0x0000000004B30000-memory.dmp

Filesize
256KB

Download
memory/2040-130-0x0000000004AF0000-0x0000000004B30000-memory.dmp

Filesize
256KB

Download
memory/2040-131-0x0000000004AF0000-0x0000000004B30000-memory.dmp

Filesize
256KB

Download
memory/2040-132-0x0000000002050000-0x0000000002085000-memory.dmp

Filesize
212KB

Download
memory/2040-133-0x0000000002050000-0x0000000002085000-memory.dmp

Filesize
212KB

Download
memory/2040-135-0x0000000002050000-0x0000000002085000-memory.dmp

Filesize
212KB

Download
memory/2040-137-0x0000000002050000-0x0000000002085000-memory.dmp

Filesize
212KB

Download
memory/2040-139-0x0000000002050000-0x0000000002085000-memory.dmp

Filesize
212KB

Download
memory/2040-141-0x0000000002050000-0x0000000002085000-memory.dmp

Filesize
212KB

Download
memory/2040-143-0x0000000002050000-0x0000000002085000-memory.dmp

Filesize
212KB

Download
memory/2040-127-0x0000000002050000-0x000000000208A000-memory.dmp

Filesize
232KB

Download
memory/2040-147-0x0000000002050000-0x0000000002085000-memory.dmp

Filesize
212KB

Download
memory/2040-149-0x0000000002050000-0x0000000002085000-memory.dmp

Filesize
212KB

Download
memory/2040-151-0x0000000002050000-0x0000000002085000-memory.dmp

Filesize
212KB

Download
memory/2040-153-0x0000000002050000-0x0000000002085000-memory.dmp

Filesize
212KB

Download
memory/2040-155-0x0000000002050000-0x0000000002085000-memory.dmp

Filesize
212KB

Download
memory/2040-157-0x0000000002050000-0x0000000002085000-memory.dmp

Filesize
212KB

Download
memory/2040-159-0x0000000002050000-0x0000000002085000-memory.dmp

Filesize
212KB

Download
memory/2040-161-0x0000000002050000-0x0000000002085000-memory.dmp

Filesize
212KB

Download
memory/2040-163-0x0000000002050000-0x0000000002085000-memory.dmp

Filesize
212KB

Download
memory/2040-925-0x0000000004AF0000-0x0000000004B30000-memory.dmp

Filesize
256KB

Download
memory/2040-926-0x0000000004AF0000-0x0000000004B30000-memory.dmp

Filesize
256KB

Download
memory/2040-929-0x0000000004AF0000-0x0000000004B30000-memory.dmp

Filesize
256KB

Download