d535475a00f71bcf55aa10be4a00005b35f8721277b07cd4c73da5c3aaedb349

Analysis

max time kernel
151s
max time network
167s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01/05/2023, 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d535475a00f71bcf55aa10be4a00005b35f8721277b07cd4c73da5c3aaedb349.exe
Size

746KB
MD5

f5196113a822fecf2f0dfaec034700fc
SHA1

f8b869f2f6bdb056dee305c9e0b9a06f4eb9e9fd
SHA256

d535475a00f71bcf55aa10be4a00005b35f8721277b07cd4c73da5c3aaedb349
SHA512

0240a94afe8f36f0f32b27cf82bcd7dbfc9562bb0855b2afbfe6a5cfec525576def9f6b602281e51bd5fb70b792e64231ca77206237c0b0d2a28b981a48e670b
SSDEEP

12288:zy906RYszDOrW9NDA740J1CUemRbgDi3FU9mFWmaJbB4wylQxXQnzDgo:zy7zyrv740JRgDiVU9APMbBZylCXU

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	12111206.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	12111206.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	12111206.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	12111206.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	12111206.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	12111206.exe

Executes dropped EXE 3 IoCs

pid	Process
1132	un482102.exe
276	12111206.exe
1108	rk804851.exe

Loads dropped DLL 8 IoCs

pid	Process
2000	d535475a00f71bcf55aa10be4a00005b35f8721277b07cd4c73da5c3aaedb349.exe
1132	un482102.exe
1132	un482102.exe
1132	un482102.exe
276	12111206.exe
1132	un482102.exe
1132	un482102.exe
1108	rk804851.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	12111206.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	12111206.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d535475a00f71bcf55aa10be4a00005b35f8721277b07cd4c73da5c3aaedb349.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d535475a00f71bcf55aa10be4a00005b35f8721277b07cd4c73da5c3aaedb349.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un482102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un482102.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
276	12111206.exe
276	12111206.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	276	12111206.exe
Token: SeDebugPrivilege	1108	rk804851.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1132	2000	d535475a00f71bcf55aa10be4a00005b35f8721277b07cd4c73da5c3aaedb349.exe	27
PID 2000 wrote to memory of 1132	2000	d535475a00f71bcf55aa10be4a00005b35f8721277b07cd4c73da5c3aaedb349.exe	27
PID 2000 wrote to memory of 1132	2000	d535475a00f71bcf55aa10be4a00005b35f8721277b07cd4c73da5c3aaedb349.exe	27
PID 2000 wrote to memory of 1132	2000	d535475a00f71bcf55aa10be4a00005b35f8721277b07cd4c73da5c3aaedb349.exe	27
PID 2000 wrote to memory of 1132	2000	d535475a00f71bcf55aa10be4a00005b35f8721277b07cd4c73da5c3aaedb349.exe	27
PID 2000 wrote to memory of 1132	2000	d535475a00f71bcf55aa10be4a00005b35f8721277b07cd4c73da5c3aaedb349.exe	27
PID 2000 wrote to memory of 1132	2000	d535475a00f71bcf55aa10be4a00005b35f8721277b07cd4c73da5c3aaedb349.exe	27
PID 1132 wrote to memory of 276	1132	un482102.exe	28
PID 1132 wrote to memory of 276	1132	un482102.exe	28
PID 1132 wrote to memory of 276	1132	un482102.exe	28
PID 1132 wrote to memory of 276	1132	un482102.exe	28
PID 1132 wrote to memory of 276	1132	un482102.exe	28
PID 1132 wrote to memory of 276	1132	un482102.exe	28
PID 1132 wrote to memory of 276	1132	un482102.exe	28
PID 1132 wrote to memory of 1108	1132	un482102.exe	29
PID 1132 wrote to memory of 1108	1132	un482102.exe	29
PID 1132 wrote to memory of 1108	1132	un482102.exe	29
PID 1132 wrote to memory of 1108	1132	un482102.exe	29
PID 1132 wrote to memory of 1108	1132	un482102.exe	29
PID 1132 wrote to memory of 1108	1132	un482102.exe	29
PID 1132 wrote to memory of 1108	1132	un482102.exe	29

C:\Users\Admin\AppData\Local\Temp\d535475a00f71bcf55aa10be4a00005b35f8721277b07cd4c73da5c3aaedb349.exe
"C:\Users\Admin\AppData\Local\Temp\d535475a00f71bcf55aa10be4a00005b35f8721277b07cd4c73da5c3aaedb349.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un482102.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un482102.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12111206.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12111206.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:276
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk804851.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk804851.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un482102.exe

Filesize
592KB

MD5
830af7bf9007d60863ffa536f8aec7f7

SHA1
e701215cc5733f9f74565230a9ff2caf4bc73e53

SHA256
d01b1f86e587f33306fa675b14b115c8ca35a55e5c76da58415f413c468e5cb9

SHA512
f28ea5e9d26c802276a730b5cdd497c3bf17772c8a072fd64d1bed4d69783afc1c6efdd2b394473d19e2aaad45dbd75dd94b3919ecb484ca41971de07faad9a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un482102.exe

Filesize
592KB

MD5
830af7bf9007d60863ffa536f8aec7f7

SHA1
e701215cc5733f9f74565230a9ff2caf4bc73e53

SHA256
d01b1f86e587f33306fa675b14b115c8ca35a55e5c76da58415f413c468e5cb9

SHA512
f28ea5e9d26c802276a730b5cdd497c3bf17772c8a072fd64d1bed4d69783afc1c6efdd2b394473d19e2aaad45dbd75dd94b3919ecb484ca41971de07faad9a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12111206.exe

Filesize
377KB

MD5
55b0b7ab8dc08b5c680d49a5cd68e276

SHA1
a8e7063a2771962f93eb242420d8dec0baa3a92e

SHA256
6679c0e7c1d4e4aab1037d79c1e4e1b6c76fa1da348d3a1d070ca28dc729d737

SHA512
e54fc0ba0e9fa9a6a0430ca44c53d1ec8a3ea5a58115b867f4c103fc8448db05b2f05913c8f16254676f4ad99c878703a435abc7c8c65ad2604775dc2f113b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12111206.exe

Filesize
377KB

MD5
55b0b7ab8dc08b5c680d49a5cd68e276

SHA1
a8e7063a2771962f93eb242420d8dec0baa3a92e

SHA256
6679c0e7c1d4e4aab1037d79c1e4e1b6c76fa1da348d3a1d070ca28dc729d737

SHA512
e54fc0ba0e9fa9a6a0430ca44c53d1ec8a3ea5a58115b867f4c103fc8448db05b2f05913c8f16254676f4ad99c878703a435abc7c8c65ad2604775dc2f113b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12111206.exe

Filesize
377KB

MD5
55b0b7ab8dc08b5c680d49a5cd68e276

SHA1
a8e7063a2771962f93eb242420d8dec0baa3a92e

SHA256
6679c0e7c1d4e4aab1037d79c1e4e1b6c76fa1da348d3a1d070ca28dc729d737

SHA512
e54fc0ba0e9fa9a6a0430ca44c53d1ec8a3ea5a58115b867f4c103fc8448db05b2f05913c8f16254676f4ad99c878703a435abc7c8c65ad2604775dc2f113b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk804851.exe

Filesize
459KB

MD5
3a5088d5f067927d3f4b5f8f23a15d4a

SHA1
501ce588de552a238246cffc26be1eb2e94b1721

SHA256
a8e1cbef27b34c1caba1275cce8709bb940e4f880f34daa7a0cf6c597e671225

SHA512
3374eca93d951640dc2531916bd4b32dc9e18b010f5c0e6601f64f34890c64c9f95d06c87018c55262a3a4f42790ba1207c4bff380239d3a0dbad934b3ed3949

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk804851.exe

Filesize
459KB

MD5
3a5088d5f067927d3f4b5f8f23a15d4a

SHA1
501ce588de552a238246cffc26be1eb2e94b1721

SHA256
a8e1cbef27b34c1caba1275cce8709bb940e4f880f34daa7a0cf6c597e671225

SHA512
3374eca93d951640dc2531916bd4b32dc9e18b010f5c0e6601f64f34890c64c9f95d06c87018c55262a3a4f42790ba1207c4bff380239d3a0dbad934b3ed3949

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk804851.exe

Filesize
459KB

MD5
3a5088d5f067927d3f4b5f8f23a15d4a

SHA1
501ce588de552a238246cffc26be1eb2e94b1721

SHA256
a8e1cbef27b34c1caba1275cce8709bb940e4f880f34daa7a0cf6c597e671225

SHA512
3374eca93d951640dc2531916bd4b32dc9e18b010f5c0e6601f64f34890c64c9f95d06c87018c55262a3a4f42790ba1207c4bff380239d3a0dbad934b3ed3949

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un482102.exe

Filesize
592KB

MD5
830af7bf9007d60863ffa536f8aec7f7

SHA1
e701215cc5733f9f74565230a9ff2caf4bc73e53

SHA256
d01b1f86e587f33306fa675b14b115c8ca35a55e5c76da58415f413c468e5cb9

SHA512
f28ea5e9d26c802276a730b5cdd497c3bf17772c8a072fd64d1bed4d69783afc1c6efdd2b394473d19e2aaad45dbd75dd94b3919ecb484ca41971de07faad9a7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un482102.exe

Filesize
592KB

MD5
830af7bf9007d60863ffa536f8aec7f7

SHA1
e701215cc5733f9f74565230a9ff2caf4bc73e53

SHA256
d01b1f86e587f33306fa675b14b115c8ca35a55e5c76da58415f413c468e5cb9

SHA512
f28ea5e9d26c802276a730b5cdd497c3bf17772c8a072fd64d1bed4d69783afc1c6efdd2b394473d19e2aaad45dbd75dd94b3919ecb484ca41971de07faad9a7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\12111206.exe

Filesize
377KB

MD5
55b0b7ab8dc08b5c680d49a5cd68e276

SHA1
a8e7063a2771962f93eb242420d8dec0baa3a92e

SHA256
6679c0e7c1d4e4aab1037d79c1e4e1b6c76fa1da348d3a1d070ca28dc729d737

SHA512
e54fc0ba0e9fa9a6a0430ca44c53d1ec8a3ea5a58115b867f4c103fc8448db05b2f05913c8f16254676f4ad99c878703a435abc7c8c65ad2604775dc2f113b46

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\12111206.exe

Filesize
377KB

MD5
55b0b7ab8dc08b5c680d49a5cd68e276

SHA1
a8e7063a2771962f93eb242420d8dec0baa3a92e

SHA256
6679c0e7c1d4e4aab1037d79c1e4e1b6c76fa1da348d3a1d070ca28dc729d737

SHA512
e54fc0ba0e9fa9a6a0430ca44c53d1ec8a3ea5a58115b867f4c103fc8448db05b2f05913c8f16254676f4ad99c878703a435abc7c8c65ad2604775dc2f113b46

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\12111206.exe

Filesize
377KB

MD5
55b0b7ab8dc08b5c680d49a5cd68e276

SHA1
a8e7063a2771962f93eb242420d8dec0baa3a92e

SHA256
6679c0e7c1d4e4aab1037d79c1e4e1b6c76fa1da348d3a1d070ca28dc729d737

SHA512
e54fc0ba0e9fa9a6a0430ca44c53d1ec8a3ea5a58115b867f4c103fc8448db05b2f05913c8f16254676f4ad99c878703a435abc7c8c65ad2604775dc2f113b46

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk804851.exe

Filesize
459KB

MD5
3a5088d5f067927d3f4b5f8f23a15d4a

SHA1
501ce588de552a238246cffc26be1eb2e94b1721

SHA256
a8e1cbef27b34c1caba1275cce8709bb940e4f880f34daa7a0cf6c597e671225

SHA512
3374eca93d951640dc2531916bd4b32dc9e18b010f5c0e6601f64f34890c64c9f95d06c87018c55262a3a4f42790ba1207c4bff380239d3a0dbad934b3ed3949

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk804851.exe

Filesize
459KB

MD5
3a5088d5f067927d3f4b5f8f23a15d4a

SHA1
501ce588de552a238246cffc26be1eb2e94b1721

SHA256
a8e1cbef27b34c1caba1275cce8709bb940e4f880f34daa7a0cf6c597e671225

SHA512
3374eca93d951640dc2531916bd4b32dc9e18b010f5c0e6601f64f34890c64c9f95d06c87018c55262a3a4f42790ba1207c4bff380239d3a0dbad934b3ed3949

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk804851.exe

Filesize
459KB

MD5
3a5088d5f067927d3f4b5f8f23a15d4a

SHA1
501ce588de552a238246cffc26be1eb2e94b1721

SHA256
a8e1cbef27b34c1caba1275cce8709bb940e4f880f34daa7a0cf6c597e671225

SHA512
3374eca93d951640dc2531916bd4b32dc9e18b010f5c0e6601f64f34890c64c9f95d06c87018c55262a3a4f42790ba1207c4bff380239d3a0dbad934b3ed3949

Download Submit
memory/276-110-0x0000000000F80000-0x0000000000FC0000-memory.dmp

Filesize
256KB

Download
memory/276-79-0x0000000000F80000-0x0000000000FC0000-memory.dmp

Filesize
256KB

Download
memory/276-89-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/276-91-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/276-93-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/276-95-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/276-97-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/276-99-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/276-101-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/276-103-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/276-105-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/276-107-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/276-109-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/276-111-0x0000000000F80000-0x0000000000FC0000-memory.dmp

Filesize
256KB

Download
memory/276-85-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/276-112-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/276-113-0x0000000000F80000-0x0000000000FC0000-memory.dmp

Filesize
256KB

Download
memory/276-114-0x0000000000F80000-0x0000000000FC0000-memory.dmp

Filesize
256KB

Download
memory/276-117-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/276-83-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/276-82-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/276-81-0x0000000000890000-0x00000000008A8000-memory.dmp

Filesize
96KB

Download
memory/276-80-0x00000000003D0000-0x00000000003EA000-memory.dmp

Filesize
104KB

Download
memory/276-87-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/276-78-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/1108-144-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/1108-146-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/1108-130-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/1108-131-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/1108-132-0x0000000000820000-0x0000000000866000-memory.dmp

Filesize
280KB

Download
memory/1108-134-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/1108-136-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/1108-138-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/1108-140-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/1108-148-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/1108-129-0x0000000004DB0000-0x0000000004DEA000-memory.dmp

Filesize
232KB

Download
memory/1108-128-0x0000000004D70000-0x0000000004DAC000-memory.dmp

Filesize
240KB

Download
memory/1108-142-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/1108-150-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/1108-152-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/1108-154-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/1108-158-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/1108-156-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/1108-160-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/1108-162-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/1108-923-0x0000000004E50000-0x0000000004E90000-memory.dmp

Filesize
256KB

Download
memory/1108-926-0x0000000004E50000-0x0000000004E90000-memory.dmp

Filesize
256KB

Download