d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01/05/2023, 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe
Size

747KB
MD5

441f88bcf41639caed3a648d098442cf
SHA1

a589bdbb510d62a7083f84df582499274735d2cb
SHA256

d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e
SHA512

752b3ff61f2a8bd4af18c4f60b6f84f8c5be66f993d1dfcda9a24888c1a96d63f8f80810902a39b85ca32e5656454098210749fadf3de153513669fc24eeeeac
SSDEEP

12288:3y90LHeU5MUvfTisw5KEIjD6/BM92tmoB+8bIgWWv5RY5vGcILMbp:3y8h7isoPs6/OaZdbIgpMnILmp

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	62372485.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	62372485.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	62372485.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	62372485.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	62372485.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	62372485.exe

Executes dropped EXE 3 IoCs

pid	Process
2020	un940277.exe
1296	62372485.exe
340	rk649223.exe

Loads dropped DLL 8 IoCs

pid	Process
1148	d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe
2020	un940277.exe
2020	un940277.exe
2020	un940277.exe
1296	62372485.exe
2020	un940277.exe
2020	un940277.exe
340	rk649223.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	62372485.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	62372485.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un940277.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un940277.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1296	62372485.exe
1296	62372485.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1296	62372485.exe
Token: SeDebugPrivilege	340	rk649223.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 2020	1148	d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe	28
PID 1148 wrote to memory of 2020	1148	d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe	28
PID 1148 wrote to memory of 2020	1148	d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe	28
PID 1148 wrote to memory of 2020	1148	d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe	28
PID 1148 wrote to memory of 2020	1148	d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe	28
PID 1148 wrote to memory of 2020	1148	d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe	28
PID 1148 wrote to memory of 2020	1148	d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe	28
PID 2020 wrote to memory of 1296	2020	un940277.exe	29
PID 2020 wrote to memory of 1296	2020	un940277.exe	29
PID 2020 wrote to memory of 1296	2020	un940277.exe	29
PID 2020 wrote to memory of 1296	2020	un940277.exe	29
PID 2020 wrote to memory of 1296	2020	un940277.exe	29
PID 2020 wrote to memory of 1296	2020	un940277.exe	29
PID 2020 wrote to memory of 1296	2020	un940277.exe	29
PID 2020 wrote to memory of 340	2020	un940277.exe	30
PID 2020 wrote to memory of 340	2020	un940277.exe	30
PID 2020 wrote to memory of 340	2020	un940277.exe	30
PID 2020 wrote to memory of 340	2020	un940277.exe	30
PID 2020 wrote to memory of 340	2020	un940277.exe	30
PID 2020 wrote to memory of 340	2020	un940277.exe	30
PID 2020 wrote to memory of 340	2020	un940277.exe	30

C:\Users\Admin\AppData\Local\Temp\d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe
"C:\Users\Admin\AppData\Local\Temp\d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un940277.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un940277.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\62372485.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\62372485.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1296
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk649223.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk649223.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un940277.exe

Filesize
593KB

MD5
4c7a2a0b89157829e1e7718117963697

SHA1
d339aac1286cb16e099829a3614ae5bacb0590fa

SHA256
f68f229f32dccdf5a0bf40f4a3690c566f7af0b97cfea652f3356c76fe72e46c

SHA512
2fb9c77702d0daacf6fef9cb7003d0c0ed37f6dc92fb7aa0f775d90aecec2856ebb3d2cc1c5e322136d8a5d109438f0311cb3c259f71e2bab54ce42996a013c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un940277.exe

Filesize
593KB

MD5
4c7a2a0b89157829e1e7718117963697

SHA1
d339aac1286cb16e099829a3614ae5bacb0590fa

SHA256
f68f229f32dccdf5a0bf40f4a3690c566f7af0b97cfea652f3356c76fe72e46c

SHA512
2fb9c77702d0daacf6fef9cb7003d0c0ed37f6dc92fb7aa0f775d90aecec2856ebb3d2cc1c5e322136d8a5d109438f0311cb3c259f71e2bab54ce42996a013c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\62372485.exe

Filesize
377KB

MD5
15b74b3251aaf9ea9f9c978c0ec29958

SHA1
0cf18286e9df7e851eb5ee85b983a7cd5440ab7a

SHA256
16a148829a6a2abb7669d41480b8158576c64c49b8ba2faa8580b28cfeef9bc0

SHA512
0bd4d49babf267f96342924fc5466f9858bfcdbb7f21772cfc96be03ca811c119b06abe0c2ae472f9927fb368d1ff1f0ea69967a72b2ea0ad17a6a36ef73de38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\62372485.exe

Filesize
377KB

MD5
15b74b3251aaf9ea9f9c978c0ec29958

SHA1
0cf18286e9df7e851eb5ee85b983a7cd5440ab7a

SHA256
16a148829a6a2abb7669d41480b8158576c64c49b8ba2faa8580b28cfeef9bc0

SHA512
0bd4d49babf267f96342924fc5466f9858bfcdbb7f21772cfc96be03ca811c119b06abe0c2ae472f9927fb368d1ff1f0ea69967a72b2ea0ad17a6a36ef73de38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\62372485.exe

Filesize
377KB

MD5
15b74b3251aaf9ea9f9c978c0ec29958

SHA1
0cf18286e9df7e851eb5ee85b983a7cd5440ab7a

SHA256
16a148829a6a2abb7669d41480b8158576c64c49b8ba2faa8580b28cfeef9bc0

SHA512
0bd4d49babf267f96342924fc5466f9858bfcdbb7f21772cfc96be03ca811c119b06abe0c2ae472f9927fb368d1ff1f0ea69967a72b2ea0ad17a6a36ef73de38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk649223.exe

Filesize
460KB

MD5
2a024d07dfcdfc911a8fa88fb299da8c

SHA1
519b886a02163e6490239909e7a1b7039865a8f9

SHA256
034637c4f21cbc749088af6db27715698d5f7bb241a5504982d17ab0c3356bd9

SHA512
d69a2477a30b4251371dc6a32ef16d71a88df3f11b1ea214724f35a92b1a0ec673da2919ace085f097cf828cb9dd316fe041abbc3d184905c68bbb20af1c39ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk649223.exe

Filesize
460KB

MD5
2a024d07dfcdfc911a8fa88fb299da8c

SHA1
519b886a02163e6490239909e7a1b7039865a8f9

SHA256
034637c4f21cbc749088af6db27715698d5f7bb241a5504982d17ab0c3356bd9

SHA512
d69a2477a30b4251371dc6a32ef16d71a88df3f11b1ea214724f35a92b1a0ec673da2919ace085f097cf828cb9dd316fe041abbc3d184905c68bbb20af1c39ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk649223.exe

Filesize
460KB

MD5
2a024d07dfcdfc911a8fa88fb299da8c

SHA1
519b886a02163e6490239909e7a1b7039865a8f9

SHA256
034637c4f21cbc749088af6db27715698d5f7bb241a5504982d17ab0c3356bd9

SHA512
d69a2477a30b4251371dc6a32ef16d71a88df3f11b1ea214724f35a92b1a0ec673da2919ace085f097cf828cb9dd316fe041abbc3d184905c68bbb20af1c39ef

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un940277.exe

Filesize
593KB

MD5
4c7a2a0b89157829e1e7718117963697

SHA1
d339aac1286cb16e099829a3614ae5bacb0590fa

SHA256
f68f229f32dccdf5a0bf40f4a3690c566f7af0b97cfea652f3356c76fe72e46c

SHA512
2fb9c77702d0daacf6fef9cb7003d0c0ed37f6dc92fb7aa0f775d90aecec2856ebb3d2cc1c5e322136d8a5d109438f0311cb3c259f71e2bab54ce42996a013c0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un940277.exe

Filesize
593KB

MD5
4c7a2a0b89157829e1e7718117963697

SHA1
d339aac1286cb16e099829a3614ae5bacb0590fa

SHA256
f68f229f32dccdf5a0bf40f4a3690c566f7af0b97cfea652f3356c76fe72e46c

SHA512
2fb9c77702d0daacf6fef9cb7003d0c0ed37f6dc92fb7aa0f775d90aecec2856ebb3d2cc1c5e322136d8a5d109438f0311cb3c259f71e2bab54ce42996a013c0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\62372485.exe

Filesize
377KB

MD5
15b74b3251aaf9ea9f9c978c0ec29958

SHA1
0cf18286e9df7e851eb5ee85b983a7cd5440ab7a

SHA256
16a148829a6a2abb7669d41480b8158576c64c49b8ba2faa8580b28cfeef9bc0

SHA512
0bd4d49babf267f96342924fc5466f9858bfcdbb7f21772cfc96be03ca811c119b06abe0c2ae472f9927fb368d1ff1f0ea69967a72b2ea0ad17a6a36ef73de38

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\62372485.exe

Filesize
377KB

MD5
15b74b3251aaf9ea9f9c978c0ec29958

SHA1
0cf18286e9df7e851eb5ee85b983a7cd5440ab7a

SHA256
16a148829a6a2abb7669d41480b8158576c64c49b8ba2faa8580b28cfeef9bc0

SHA512
0bd4d49babf267f96342924fc5466f9858bfcdbb7f21772cfc96be03ca811c119b06abe0c2ae472f9927fb368d1ff1f0ea69967a72b2ea0ad17a6a36ef73de38

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\62372485.exe

Filesize
377KB

MD5
15b74b3251aaf9ea9f9c978c0ec29958

SHA1
0cf18286e9df7e851eb5ee85b983a7cd5440ab7a

SHA256
16a148829a6a2abb7669d41480b8158576c64c49b8ba2faa8580b28cfeef9bc0

SHA512
0bd4d49babf267f96342924fc5466f9858bfcdbb7f21772cfc96be03ca811c119b06abe0c2ae472f9927fb368d1ff1f0ea69967a72b2ea0ad17a6a36ef73de38

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk649223.exe

Filesize
460KB

MD5
2a024d07dfcdfc911a8fa88fb299da8c

SHA1
519b886a02163e6490239909e7a1b7039865a8f9

SHA256
034637c4f21cbc749088af6db27715698d5f7bb241a5504982d17ab0c3356bd9

SHA512
d69a2477a30b4251371dc6a32ef16d71a88df3f11b1ea214724f35a92b1a0ec673da2919ace085f097cf828cb9dd316fe041abbc3d184905c68bbb20af1c39ef

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk649223.exe

Filesize
460KB

MD5
2a024d07dfcdfc911a8fa88fb299da8c

SHA1
519b886a02163e6490239909e7a1b7039865a8f9

SHA256
034637c4f21cbc749088af6db27715698d5f7bb241a5504982d17ab0c3356bd9

SHA512
d69a2477a30b4251371dc6a32ef16d71a88df3f11b1ea214724f35a92b1a0ec673da2919ace085f097cf828cb9dd316fe041abbc3d184905c68bbb20af1c39ef

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk649223.exe

Filesize
460KB

MD5
2a024d07dfcdfc911a8fa88fb299da8c

SHA1
519b886a02163e6490239909e7a1b7039865a8f9

SHA256
034637c4f21cbc749088af6db27715698d5f7bb241a5504982d17ab0c3356bd9

SHA512
d69a2477a30b4251371dc6a32ef16d71a88df3f11b1ea214724f35a92b1a0ec673da2919ace085f097cf828cb9dd316fe041abbc3d184905c68bbb20af1c39ef

Download Submit
memory/340-136-0x0000000002590000-0x00000000025C5000-memory.dmp

Filesize
212KB

Download
memory/340-146-0x0000000002590000-0x00000000025C5000-memory.dmp

Filesize
212KB

Download
memory/340-925-0x0000000004E50000-0x0000000004E90000-memory.dmp

Filesize
256KB

Download
memory/340-923-0x0000000004E50000-0x0000000004E90000-memory.dmp

Filesize
256KB

Download
memory/340-922-0x0000000004E50000-0x0000000004E90000-memory.dmp

Filesize
256KB

Download
memory/340-162-0x0000000002590000-0x00000000025C5000-memory.dmp

Filesize
212KB

Download
memory/340-160-0x0000000002590000-0x00000000025C5000-memory.dmp

Filesize
212KB

Download
memory/340-158-0x0000000002590000-0x00000000025C5000-memory.dmp

Filesize
212KB

Download
memory/340-156-0x0000000002590000-0x00000000025C5000-memory.dmp

Filesize
212KB

Download
memory/340-154-0x0000000002590000-0x00000000025C5000-memory.dmp

Filesize
212KB

Download
memory/340-152-0x0000000002590000-0x00000000025C5000-memory.dmp

Filesize
212KB

Download
memory/340-150-0x0000000002590000-0x00000000025C5000-memory.dmp

Filesize
212KB

Download
memory/340-148-0x0000000002590000-0x00000000025C5000-memory.dmp

Filesize
212KB

Download
memory/340-144-0x0000000002590000-0x00000000025C5000-memory.dmp

Filesize
212KB

Download
memory/340-142-0x0000000002590000-0x00000000025C5000-memory.dmp

Filesize
212KB

Download
memory/340-140-0x0000000002590000-0x00000000025C5000-memory.dmp

Filesize
212KB

Download
memory/340-138-0x0000000002590000-0x00000000025C5000-memory.dmp

Filesize
212KB

Download
memory/340-134-0x0000000002590000-0x00000000025C5000-memory.dmp

Filesize
212KB

Download
memory/340-132-0x0000000002590000-0x00000000025C5000-memory.dmp

Filesize
212KB

Download
memory/340-130-0x0000000002590000-0x00000000025C5000-memory.dmp

Filesize
212KB

Download
memory/340-129-0x0000000002590000-0x00000000025C5000-memory.dmp

Filesize
212KB

Download
memory/340-128-0x0000000004E50000-0x0000000004E90000-memory.dmp

Filesize
256KB

Download
memory/340-123-0x0000000002550000-0x000000000258C000-memory.dmp

Filesize
240KB

Download
memory/340-124-0x0000000002590000-0x00000000025CA000-memory.dmp

Filesize
232KB

Download
memory/340-125-0x0000000000260000-0x00000000002A6000-memory.dmp

Filesize
280KB

Download
memory/340-126-0x0000000004E50000-0x0000000004E90000-memory.dmp

Filesize
256KB

Download
memory/340-127-0x0000000004E50000-0x0000000004E90000-memory.dmp

Filesize
256KB

Download
memory/1296-89-0x0000000002310000-0x0000000002322000-memory.dmp

Filesize
72KB

Download
memory/1296-110-0x00000000025C0000-0x0000000002600000-memory.dmp

Filesize
256KB

Download
memory/1296-81-0x0000000002310000-0x0000000002322000-memory.dmp

Filesize
72KB

Download
memory/1296-83-0x0000000002310000-0x0000000002322000-memory.dmp

Filesize
72KB

Download
memory/1296-85-0x0000000002310000-0x0000000002322000-memory.dmp

Filesize
72KB

Download
memory/1296-78-0x0000000000910000-0x000000000092A000-memory.dmp

Filesize
104KB

Download
memory/1296-87-0x0000000002310000-0x0000000002322000-memory.dmp

Filesize
72KB

Download
memory/1296-112-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1296-111-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1296-109-0x00000000025C0000-0x0000000002600000-memory.dmp

Filesize
256KB

Download
memory/1296-80-0x0000000002310000-0x0000000002322000-memory.dmp

Filesize
72KB

Download
memory/1296-79-0x0000000002310000-0x0000000002328000-memory.dmp

Filesize
96KB

Download
memory/1296-108-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/1296-107-0x0000000002310000-0x0000000002322000-memory.dmp

Filesize
72KB

Download
memory/1296-103-0x0000000002310000-0x0000000002322000-memory.dmp

Filesize
72KB

Download
memory/1296-105-0x0000000002310000-0x0000000002322000-memory.dmp

Filesize
72KB

Download
memory/1296-101-0x0000000002310000-0x0000000002322000-memory.dmp

Filesize
72KB

Download
memory/1296-99-0x0000000002310000-0x0000000002322000-memory.dmp

Filesize
72KB

Download
memory/1296-97-0x0000000002310000-0x0000000002322000-memory.dmp

Filesize
72KB

Download
memory/1296-95-0x0000000002310000-0x0000000002322000-memory.dmp

Filesize
72KB

Download
memory/1296-93-0x0000000002310000-0x0000000002322000-memory.dmp

Filesize
72KB

Download
memory/1296-91-0x0000000002310000-0x0000000002322000-memory.dmp

Filesize
72KB

Download