f8b710fd89739236ff2b961d47b738df7ac02f9f47e2b20247656acbda2fae1a

Analysis

max time kernel
176s
max time network
182s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01-05-2023 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8b710fd89739236ff2b961d47b738df7ac02f9f47e2b20247656acbda2fae1a.exe
Size

694KB
MD5

3f92a310c625725ac14eede0651791ce
SHA1

1a1ae6715f2bce5a2dd6236bd80b4614ff6645d7
SHA256

f8b710fd89739236ff2b961d47b738df7ac02f9f47e2b20247656acbda2fae1a
SHA512

f9a75a89c8e7182ef07392fcb8cc677317754a9456e080927bb7b24b7d2af64fa9f579e6f30c84fca618261138e52abad807dc8a650ce63bb5109c52a82754c6
SSDEEP

12288:Qy90pEPoPLLYhdxCmRM6eHwpFTK0gF8Lbc7Sd+1WK6FL18bZK6A+M9p9:QysFLYkKM1oFXgFH4y6FL18bZ5i9X

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	23561019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	23561019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	23561019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	23561019.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	23561019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	23561019.exe

Executes dropped EXE 3 IoCs

pid	Process
1948	un111140.exe
332	23561019.exe
988	rk745928.exe

Loads dropped DLL 8 IoCs

pid	Process
2000	f8b710fd89739236ff2b961d47b738df7ac02f9f47e2b20247656acbda2fae1a.exe
1948	un111140.exe
1948	un111140.exe
1948	un111140.exe
332	23561019.exe
1948	un111140.exe
1948	un111140.exe
988	rk745928.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	23561019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	23561019.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un111140.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un111140.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f8b710fd89739236ff2b961d47b738df7ac02f9f47e2b20247656acbda2fae1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f8b710fd89739236ff2b961d47b738df7ac02f9f47e2b20247656acbda2fae1a.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
332	23561019.exe
332	23561019.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	332	23561019.exe
Token: SeDebugPrivilege	988	rk745928.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1948	2000	f8b710fd89739236ff2b961d47b738df7ac02f9f47e2b20247656acbda2fae1a.exe	28
PID 2000 wrote to memory of 1948	2000	f8b710fd89739236ff2b961d47b738df7ac02f9f47e2b20247656acbda2fae1a.exe	28
PID 2000 wrote to memory of 1948	2000	f8b710fd89739236ff2b961d47b738df7ac02f9f47e2b20247656acbda2fae1a.exe	28
PID 2000 wrote to memory of 1948	2000	f8b710fd89739236ff2b961d47b738df7ac02f9f47e2b20247656acbda2fae1a.exe	28
PID 2000 wrote to memory of 1948	2000	f8b710fd89739236ff2b961d47b738df7ac02f9f47e2b20247656acbda2fae1a.exe	28
PID 2000 wrote to memory of 1948	2000	f8b710fd89739236ff2b961d47b738df7ac02f9f47e2b20247656acbda2fae1a.exe	28
PID 2000 wrote to memory of 1948	2000	f8b710fd89739236ff2b961d47b738df7ac02f9f47e2b20247656acbda2fae1a.exe	28
PID 1948 wrote to memory of 332	1948	un111140.exe	29
PID 1948 wrote to memory of 332	1948	un111140.exe	29
PID 1948 wrote to memory of 332	1948	un111140.exe	29
PID 1948 wrote to memory of 332	1948	un111140.exe	29
PID 1948 wrote to memory of 332	1948	un111140.exe	29
PID 1948 wrote to memory of 332	1948	un111140.exe	29
PID 1948 wrote to memory of 332	1948	un111140.exe	29
PID 1948 wrote to memory of 988	1948	un111140.exe	30
PID 1948 wrote to memory of 988	1948	un111140.exe	30
PID 1948 wrote to memory of 988	1948	un111140.exe	30
PID 1948 wrote to memory of 988	1948	un111140.exe	30
PID 1948 wrote to memory of 988	1948	un111140.exe	30
PID 1948 wrote to memory of 988	1948	un111140.exe	30
PID 1948 wrote to memory of 988	1948	un111140.exe	30

C:\Users\Admin\AppData\Local\Temp\f8b710fd89739236ff2b961d47b738df7ac02f9f47e2b20247656acbda2fae1a.exe
"C:\Users\Admin\AppData\Local\Temp\f8b710fd89739236ff2b961d47b738df7ac02f9f47e2b20247656acbda2fae1a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un111140.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un111140.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23561019.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23561019.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:332
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk745928.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk745928.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un111140.exe

Filesize
540KB

MD5
763c0cf6e9bdadedd86ddc78e9cd7612

SHA1
c6fe2d0dfd91f8f6e9adb96f3ec3e4a847c26cd9

SHA256
41023780cd24f27a497f27f2f136433e2dad3b30317e3cef1f17d065abb34393

SHA512
8612076ca8f475092f855b445775cf5c9a10df6703a68c622d2de1eb5a40471c3a044739d96fa2807529579ee977883981c843a91e3cbf39587719b7f40c86a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un111140.exe

Filesize
540KB

MD5
763c0cf6e9bdadedd86ddc78e9cd7612

SHA1
c6fe2d0dfd91f8f6e9adb96f3ec3e4a847c26cd9

SHA256
41023780cd24f27a497f27f2f136433e2dad3b30317e3cef1f17d065abb34393

SHA512
8612076ca8f475092f855b445775cf5c9a10df6703a68c622d2de1eb5a40471c3a044739d96fa2807529579ee977883981c843a91e3cbf39587719b7f40c86a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23561019.exe

Filesize
258KB

MD5
31439707cd9747de3c3ad168ebcb569e

SHA1
85eb92b27fbe0742718edae49526d1bb58f8b401

SHA256
c86ed48735060e60338996e5649af34fb821649f1a1a32952e060d18d36e7f47

SHA512
cb9a39dabfea77d7e9a9c62ca7bd9c9cf824285880587982134fac54780bbb960af07350f2cb98cc915f44720e8fba6e291c29a77c214ec731de64a2fffa0089

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23561019.exe

Filesize
258KB

MD5
31439707cd9747de3c3ad168ebcb569e

SHA1
85eb92b27fbe0742718edae49526d1bb58f8b401

SHA256
c86ed48735060e60338996e5649af34fb821649f1a1a32952e060d18d36e7f47

SHA512
cb9a39dabfea77d7e9a9c62ca7bd9c9cf824285880587982134fac54780bbb960af07350f2cb98cc915f44720e8fba6e291c29a77c214ec731de64a2fffa0089

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23561019.exe

Filesize
258KB

MD5
31439707cd9747de3c3ad168ebcb569e

SHA1
85eb92b27fbe0742718edae49526d1bb58f8b401

SHA256
c86ed48735060e60338996e5649af34fb821649f1a1a32952e060d18d36e7f47

SHA512
cb9a39dabfea77d7e9a9c62ca7bd9c9cf824285880587982134fac54780bbb960af07350f2cb98cc915f44720e8fba6e291c29a77c214ec731de64a2fffa0089

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk745928.exe

Filesize
340KB

MD5
e19a5a4d663ce2893b10b3c896eb6c01

SHA1
388b010b7c9bd73f8359ce10dea990dd7dc901ac

SHA256
84f663b65c5dd96bdd2634115bc8dd36482dd2cb9329a62fe9e624669e1f52ab

SHA512
54ef96e634dabbc55162ac214e7066bd46744ae823a9825bcd7dbdf691de027a2a25f3f74182a26f6bf79f6295425ade3ab467cc9dc6c10720e13f63fcc7de62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk745928.exe

Filesize
340KB

MD5
e19a5a4d663ce2893b10b3c896eb6c01

SHA1
388b010b7c9bd73f8359ce10dea990dd7dc901ac

SHA256
84f663b65c5dd96bdd2634115bc8dd36482dd2cb9329a62fe9e624669e1f52ab

SHA512
54ef96e634dabbc55162ac214e7066bd46744ae823a9825bcd7dbdf691de027a2a25f3f74182a26f6bf79f6295425ade3ab467cc9dc6c10720e13f63fcc7de62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk745928.exe

Filesize
340KB

MD5
e19a5a4d663ce2893b10b3c896eb6c01

SHA1
388b010b7c9bd73f8359ce10dea990dd7dc901ac

SHA256
84f663b65c5dd96bdd2634115bc8dd36482dd2cb9329a62fe9e624669e1f52ab

SHA512
54ef96e634dabbc55162ac214e7066bd46744ae823a9825bcd7dbdf691de027a2a25f3f74182a26f6bf79f6295425ade3ab467cc9dc6c10720e13f63fcc7de62

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un111140.exe

Filesize
540KB

MD5
763c0cf6e9bdadedd86ddc78e9cd7612

SHA1
c6fe2d0dfd91f8f6e9adb96f3ec3e4a847c26cd9

SHA256
41023780cd24f27a497f27f2f136433e2dad3b30317e3cef1f17d065abb34393

SHA512
8612076ca8f475092f855b445775cf5c9a10df6703a68c622d2de1eb5a40471c3a044739d96fa2807529579ee977883981c843a91e3cbf39587719b7f40c86a0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un111140.exe

Filesize
540KB

MD5
763c0cf6e9bdadedd86ddc78e9cd7612

SHA1
c6fe2d0dfd91f8f6e9adb96f3ec3e4a847c26cd9

SHA256
41023780cd24f27a497f27f2f136433e2dad3b30317e3cef1f17d065abb34393

SHA512
8612076ca8f475092f855b445775cf5c9a10df6703a68c622d2de1eb5a40471c3a044739d96fa2807529579ee977883981c843a91e3cbf39587719b7f40c86a0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\23561019.exe

Filesize
258KB

MD5
31439707cd9747de3c3ad168ebcb569e

SHA1
85eb92b27fbe0742718edae49526d1bb58f8b401

SHA256
c86ed48735060e60338996e5649af34fb821649f1a1a32952e060d18d36e7f47

SHA512
cb9a39dabfea77d7e9a9c62ca7bd9c9cf824285880587982134fac54780bbb960af07350f2cb98cc915f44720e8fba6e291c29a77c214ec731de64a2fffa0089

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\23561019.exe

Filesize
258KB

MD5
31439707cd9747de3c3ad168ebcb569e

SHA1
85eb92b27fbe0742718edae49526d1bb58f8b401

SHA256
c86ed48735060e60338996e5649af34fb821649f1a1a32952e060d18d36e7f47

SHA512
cb9a39dabfea77d7e9a9c62ca7bd9c9cf824285880587982134fac54780bbb960af07350f2cb98cc915f44720e8fba6e291c29a77c214ec731de64a2fffa0089

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\23561019.exe

Filesize
258KB

MD5
31439707cd9747de3c3ad168ebcb569e

SHA1
85eb92b27fbe0742718edae49526d1bb58f8b401

SHA256
c86ed48735060e60338996e5649af34fb821649f1a1a32952e060d18d36e7f47

SHA512
cb9a39dabfea77d7e9a9c62ca7bd9c9cf824285880587982134fac54780bbb960af07350f2cb98cc915f44720e8fba6e291c29a77c214ec731de64a2fffa0089

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk745928.exe

Filesize
340KB

MD5
e19a5a4d663ce2893b10b3c896eb6c01

SHA1
388b010b7c9bd73f8359ce10dea990dd7dc901ac

SHA256
84f663b65c5dd96bdd2634115bc8dd36482dd2cb9329a62fe9e624669e1f52ab

SHA512
54ef96e634dabbc55162ac214e7066bd46744ae823a9825bcd7dbdf691de027a2a25f3f74182a26f6bf79f6295425ade3ab467cc9dc6c10720e13f63fcc7de62

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk745928.exe

Filesize
340KB

MD5
e19a5a4d663ce2893b10b3c896eb6c01

SHA1
388b010b7c9bd73f8359ce10dea990dd7dc901ac

SHA256
84f663b65c5dd96bdd2634115bc8dd36482dd2cb9329a62fe9e624669e1f52ab

SHA512
54ef96e634dabbc55162ac214e7066bd46744ae823a9825bcd7dbdf691de027a2a25f3f74182a26f6bf79f6295425ade3ab467cc9dc6c10720e13f63fcc7de62

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk745928.exe

Filesize
340KB

MD5
e19a5a4d663ce2893b10b3c896eb6c01

SHA1
388b010b7c9bd73f8359ce10dea990dd7dc901ac

SHA256
84f663b65c5dd96bdd2634115bc8dd36482dd2cb9329a62fe9e624669e1f52ab

SHA512
54ef96e634dabbc55162ac214e7066bd46744ae823a9825bcd7dbdf691de027a2a25f3f74182a26f6bf79f6295425ade3ab467cc9dc6c10720e13f63fcc7de62

Download Submit
memory/332-84-0x0000000003220000-0x0000000003233000-memory.dmp

Filesize
76KB

Download
memory/332-86-0x0000000003220000-0x0000000003233000-memory.dmp

Filesize
76KB

Download
memory/332-88-0x0000000003220000-0x0000000003233000-memory.dmp

Filesize
76KB

Download
memory/332-90-0x0000000003220000-0x0000000003233000-memory.dmp

Filesize
76KB

Download
memory/332-92-0x0000000003220000-0x0000000003233000-memory.dmp

Filesize
76KB

Download
memory/332-94-0x0000000003220000-0x0000000003233000-memory.dmp

Filesize
76KB

Download
memory/332-96-0x0000000003220000-0x0000000003233000-memory.dmp

Filesize
76KB

Download
memory/332-98-0x0000000003220000-0x0000000003233000-memory.dmp

Filesize
76KB

Download
memory/332-100-0x0000000003220000-0x0000000003233000-memory.dmp

Filesize
76KB

Download
memory/332-102-0x0000000003220000-0x0000000003233000-memory.dmp

Filesize
76KB

Download
memory/332-104-0x0000000003220000-0x0000000003233000-memory.dmp

Filesize
76KB

Download
memory/332-106-0x0000000003220000-0x0000000003233000-memory.dmp

Filesize
76KB

Download
memory/332-108-0x0000000003220000-0x0000000003233000-memory.dmp

Filesize
76KB

Download
memory/332-110-0x0000000003220000-0x0000000003233000-memory.dmp

Filesize
76KB

Download
memory/332-111-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/332-112-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/332-83-0x0000000003220000-0x0000000003233000-memory.dmp

Filesize
76KB

Download
memory/332-80-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/332-81-0x0000000007350000-0x0000000007390000-memory.dmp

Filesize
256KB

Download
memory/332-82-0x0000000007350000-0x0000000007390000-memory.dmp

Filesize
256KB

Download
memory/332-79-0x0000000003220000-0x0000000003238000-memory.dmp

Filesize
96KB

Download
memory/332-78-0x0000000002CB0000-0x0000000002CCA000-memory.dmp

Filesize
104KB

Download
memory/988-124-0x00000000049C0000-0x00000000049FA000-memory.dmp

Filesize
232KB

Download
memory/988-146-0x00000000049C0000-0x00000000049F5000-memory.dmp

Filesize
212KB

Download
memory/988-125-0x00000000049C0000-0x00000000049F5000-memory.dmp

Filesize
212KB

Download
memory/988-128-0x00000000049C0000-0x00000000049F5000-memory.dmp

Filesize
212KB

Download
memory/988-126-0x00000000049C0000-0x00000000049F5000-memory.dmp

Filesize
212KB

Download
memory/988-130-0x00000000049C0000-0x00000000049F5000-memory.dmp

Filesize
212KB

Download
memory/988-132-0x00000000049C0000-0x00000000049F5000-memory.dmp

Filesize
212KB

Download
memory/988-134-0x00000000049C0000-0x00000000049F5000-memory.dmp

Filesize
212KB

Download
memory/988-136-0x00000000049C0000-0x00000000049F5000-memory.dmp

Filesize
212KB

Download
memory/988-138-0x00000000049C0000-0x00000000049F5000-memory.dmp

Filesize
212KB

Download
memory/988-140-0x00000000049C0000-0x00000000049F5000-memory.dmp

Filesize
212KB

Download
memory/988-142-0x00000000049C0000-0x00000000049F5000-memory.dmp

Filesize
212KB

Download
memory/988-144-0x00000000049C0000-0x00000000049F5000-memory.dmp

Filesize
212KB

Download
memory/988-123-0x00000000046E0000-0x000000000471C000-memory.dmp

Filesize
240KB

Download
memory/988-148-0x00000000049C0000-0x00000000049F5000-memory.dmp

Filesize
212KB

Download
memory/988-150-0x00000000049C0000-0x00000000049F5000-memory.dmp

Filesize
212KB

Download
memory/988-152-0x00000000049C0000-0x00000000049F5000-memory.dmp

Filesize
212KB

Download
memory/988-154-0x00000000049C0000-0x00000000049F5000-memory.dmp

Filesize
212KB

Download
memory/988-156-0x00000000049C0000-0x00000000049F5000-memory.dmp

Filesize
212KB

Download
memory/988-158-0x00000000049C0000-0x00000000049F5000-memory.dmp

Filesize
212KB

Download
memory/988-439-0x0000000000270000-0x00000000002B6000-memory.dmp

Filesize
280KB

Download
memory/988-443-0x00000000072C0000-0x0000000007300000-memory.dmp

Filesize
256KB

Download
memory/988-441-0x00000000072C0000-0x0000000007300000-memory.dmp

Filesize
256KB

Download
memory/988-920-0x00000000072C0000-0x0000000007300000-memory.dmp

Filesize
256KB

Download
memory/988-922-0x00000000072C0000-0x0000000007300000-memory.dmp

Filesize
256KB

Download
memory/988-923-0x00000000072C0000-0x0000000007300000-memory.dmp

Filesize
256KB

Download