d64f74ce08b66edfbb162d1f6e0824ae39108c225161b24ecfefa5d135b7e7c1

Analysis

max time kernel
152s
max time network
156s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01/05/2023, 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d64f74ce08b66edfbb162d1f6e0824ae39108c225161b24ecfefa5d135b7e7c1.exe
Size

693KB
MD5

257c5899f3f77070f7378c656861dec4
SHA1

0fb9feefe8b1696fcb12de9ffee8089f8c969950
SHA256

d64f74ce08b66edfbb162d1f6e0824ae39108c225161b24ecfefa5d135b7e7c1
SHA512

6e09112491333210076eaac729248397a6be5829ad9391c1cc40d81c7c9279a4236c2f35bd74c00f6f650985b38706d9e533da4781fbdbc39f19c0d264c1bfba
SSDEEP

12288:0y90GDmYZREv27UVoI3P4UVSlQ5Ez7weSpaBW/gnvt2:0yJFZR6273r1q5s7KaI2t2

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	36970243.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	36970243.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	36970243.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	36970243.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	36970243.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	36970243.exe

Executes dropped EXE 3 IoCs

pid	Process
632	un046162.exe
1748	36970243.exe
996	rk178862.exe

Loads dropped DLL 8 IoCs

pid	Process
1500	d64f74ce08b66edfbb162d1f6e0824ae39108c225161b24ecfefa5d135b7e7c1.exe
632	un046162.exe
632	un046162.exe
632	un046162.exe
1748	36970243.exe
632	un046162.exe
632	un046162.exe
996	rk178862.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	36970243.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	36970243.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d64f74ce08b66edfbb162d1f6e0824ae39108c225161b24ecfefa5d135b7e7c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d64f74ce08b66edfbb162d1f6e0824ae39108c225161b24ecfefa5d135b7e7c1.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un046162.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un046162.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1748	36970243.exe
1748	36970243.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1748	36970243.exe
Token: SeDebugPrivilege	996	rk178862.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 632	1500	d64f74ce08b66edfbb162d1f6e0824ae39108c225161b24ecfefa5d135b7e7c1.exe	27
PID 1500 wrote to memory of 632	1500	d64f74ce08b66edfbb162d1f6e0824ae39108c225161b24ecfefa5d135b7e7c1.exe	27
PID 1500 wrote to memory of 632	1500	d64f74ce08b66edfbb162d1f6e0824ae39108c225161b24ecfefa5d135b7e7c1.exe	27
PID 1500 wrote to memory of 632	1500	d64f74ce08b66edfbb162d1f6e0824ae39108c225161b24ecfefa5d135b7e7c1.exe	27
PID 1500 wrote to memory of 632	1500	d64f74ce08b66edfbb162d1f6e0824ae39108c225161b24ecfefa5d135b7e7c1.exe	27
PID 1500 wrote to memory of 632	1500	d64f74ce08b66edfbb162d1f6e0824ae39108c225161b24ecfefa5d135b7e7c1.exe	27
PID 1500 wrote to memory of 632	1500	d64f74ce08b66edfbb162d1f6e0824ae39108c225161b24ecfefa5d135b7e7c1.exe	27
PID 632 wrote to memory of 1748	632	un046162.exe	28
PID 632 wrote to memory of 1748	632	un046162.exe	28
PID 632 wrote to memory of 1748	632	un046162.exe	28
PID 632 wrote to memory of 1748	632	un046162.exe	28
PID 632 wrote to memory of 1748	632	un046162.exe	28
PID 632 wrote to memory of 1748	632	un046162.exe	28
PID 632 wrote to memory of 1748	632	un046162.exe	28
PID 632 wrote to memory of 996	632	un046162.exe	29
PID 632 wrote to memory of 996	632	un046162.exe	29
PID 632 wrote to memory of 996	632	un046162.exe	29
PID 632 wrote to memory of 996	632	un046162.exe	29
PID 632 wrote to memory of 996	632	un046162.exe	29
PID 632 wrote to memory of 996	632	un046162.exe	29
PID 632 wrote to memory of 996	632	un046162.exe	29

C:\Users\Admin\AppData\Local\Temp\d64f74ce08b66edfbb162d1f6e0824ae39108c225161b24ecfefa5d135b7e7c1.exe
"C:\Users\Admin\AppData\Local\Temp\d64f74ce08b66edfbb162d1f6e0824ae39108c225161b24ecfefa5d135b7e7c1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un046162.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un046162.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\36970243.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\36970243.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk178862.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk178862.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un046162.exe

Filesize
540KB

MD5
c73f2a0a2dd1c6d78af4adf3332e17dd

SHA1
9d56bad3a0668d4f8440ac9183058674d7f12d90

SHA256
019b5800e32df37ef58ea91cc19aad93d0a9f3a2c821e58a5d04eb4d18efb421

SHA512
1b7db9d330ac7f7953ceba0a28d2f662b527e096e3881b5b9c03e6d6fdc45d18c771b87e768d0c3cbed5680dc47bcbde128f78a89c7e4d273c10eb6f48486051

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un046162.exe

Filesize
540KB

MD5
c73f2a0a2dd1c6d78af4adf3332e17dd

SHA1
9d56bad3a0668d4f8440ac9183058674d7f12d90

SHA256
019b5800e32df37ef58ea91cc19aad93d0a9f3a2c821e58a5d04eb4d18efb421

SHA512
1b7db9d330ac7f7953ceba0a28d2f662b527e096e3881b5b9c03e6d6fdc45d18c771b87e768d0c3cbed5680dc47bcbde128f78a89c7e4d273c10eb6f48486051

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\36970243.exe

Filesize
258KB

MD5
597ac9e8fbc1311bf1ad1b8be04d4eca

SHA1
70310732ac15956aba4d18c29b958539d12faa84

SHA256
0c0ebd3f74d9897fa98ff21b54d18db1c22c2ecbbd8f0447dd7ce29fba1f0c8d

SHA512
581526ae6192e6e8e6530fab0ed016b87cb28b1d4e0fe997e948f2f00805cbb9c1a5949368af44c7816079c161fc05a2767224c359440abbd30b1feda1169310

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\36970243.exe

Filesize
258KB

MD5
597ac9e8fbc1311bf1ad1b8be04d4eca

SHA1
70310732ac15956aba4d18c29b958539d12faa84

SHA256
0c0ebd3f74d9897fa98ff21b54d18db1c22c2ecbbd8f0447dd7ce29fba1f0c8d

SHA512
581526ae6192e6e8e6530fab0ed016b87cb28b1d4e0fe997e948f2f00805cbb9c1a5949368af44c7816079c161fc05a2767224c359440abbd30b1feda1169310

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\36970243.exe

Filesize
258KB

MD5
597ac9e8fbc1311bf1ad1b8be04d4eca

SHA1
70310732ac15956aba4d18c29b958539d12faa84

SHA256
0c0ebd3f74d9897fa98ff21b54d18db1c22c2ecbbd8f0447dd7ce29fba1f0c8d

SHA512
581526ae6192e6e8e6530fab0ed016b87cb28b1d4e0fe997e948f2f00805cbb9c1a5949368af44c7816079c161fc05a2767224c359440abbd30b1feda1169310

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk178862.exe

Filesize
340KB

MD5
a5302a23fa5c1528f2d0b337100dcdbe

SHA1
2dd9d8e77797fff0255c215bcc0e765caf6b560d

SHA256
2a9c97a418713061f03beec11452ba11fabe5a4c5a0b6487855a56ed70268ed5

SHA512
e997d7746cce438a62152decb9d468f6cb9ba74f06d64d3403316d6db7aefe94c17bdbc1f5cd49713033aad23c325eef19f1fb461a61f0556f2b4ca398656236

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk178862.exe

Filesize
340KB

MD5
a5302a23fa5c1528f2d0b337100dcdbe

SHA1
2dd9d8e77797fff0255c215bcc0e765caf6b560d

SHA256
2a9c97a418713061f03beec11452ba11fabe5a4c5a0b6487855a56ed70268ed5

SHA512
e997d7746cce438a62152decb9d468f6cb9ba74f06d64d3403316d6db7aefe94c17bdbc1f5cd49713033aad23c325eef19f1fb461a61f0556f2b4ca398656236

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk178862.exe

Filesize
340KB

MD5
a5302a23fa5c1528f2d0b337100dcdbe

SHA1
2dd9d8e77797fff0255c215bcc0e765caf6b560d

SHA256
2a9c97a418713061f03beec11452ba11fabe5a4c5a0b6487855a56ed70268ed5

SHA512
e997d7746cce438a62152decb9d468f6cb9ba74f06d64d3403316d6db7aefe94c17bdbc1f5cd49713033aad23c325eef19f1fb461a61f0556f2b4ca398656236

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un046162.exe

Filesize
540KB

MD5
c73f2a0a2dd1c6d78af4adf3332e17dd

SHA1
9d56bad3a0668d4f8440ac9183058674d7f12d90

SHA256
019b5800e32df37ef58ea91cc19aad93d0a9f3a2c821e58a5d04eb4d18efb421

SHA512
1b7db9d330ac7f7953ceba0a28d2f662b527e096e3881b5b9c03e6d6fdc45d18c771b87e768d0c3cbed5680dc47bcbde128f78a89c7e4d273c10eb6f48486051

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un046162.exe

Filesize
540KB

MD5
c73f2a0a2dd1c6d78af4adf3332e17dd

SHA1
9d56bad3a0668d4f8440ac9183058674d7f12d90

SHA256
019b5800e32df37ef58ea91cc19aad93d0a9f3a2c821e58a5d04eb4d18efb421

SHA512
1b7db9d330ac7f7953ceba0a28d2f662b527e096e3881b5b9c03e6d6fdc45d18c771b87e768d0c3cbed5680dc47bcbde128f78a89c7e4d273c10eb6f48486051

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\36970243.exe

Filesize
258KB

MD5
597ac9e8fbc1311bf1ad1b8be04d4eca

SHA1
70310732ac15956aba4d18c29b958539d12faa84

SHA256
0c0ebd3f74d9897fa98ff21b54d18db1c22c2ecbbd8f0447dd7ce29fba1f0c8d

SHA512
581526ae6192e6e8e6530fab0ed016b87cb28b1d4e0fe997e948f2f00805cbb9c1a5949368af44c7816079c161fc05a2767224c359440abbd30b1feda1169310

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\36970243.exe

Filesize
258KB

MD5
597ac9e8fbc1311bf1ad1b8be04d4eca

SHA1
70310732ac15956aba4d18c29b958539d12faa84

SHA256
0c0ebd3f74d9897fa98ff21b54d18db1c22c2ecbbd8f0447dd7ce29fba1f0c8d

SHA512
581526ae6192e6e8e6530fab0ed016b87cb28b1d4e0fe997e948f2f00805cbb9c1a5949368af44c7816079c161fc05a2767224c359440abbd30b1feda1169310

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\36970243.exe

Filesize
258KB

MD5
597ac9e8fbc1311bf1ad1b8be04d4eca

SHA1
70310732ac15956aba4d18c29b958539d12faa84

SHA256
0c0ebd3f74d9897fa98ff21b54d18db1c22c2ecbbd8f0447dd7ce29fba1f0c8d

SHA512
581526ae6192e6e8e6530fab0ed016b87cb28b1d4e0fe997e948f2f00805cbb9c1a5949368af44c7816079c161fc05a2767224c359440abbd30b1feda1169310

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk178862.exe

Filesize
340KB

MD5
a5302a23fa5c1528f2d0b337100dcdbe

SHA1
2dd9d8e77797fff0255c215bcc0e765caf6b560d

SHA256
2a9c97a418713061f03beec11452ba11fabe5a4c5a0b6487855a56ed70268ed5

SHA512
e997d7746cce438a62152decb9d468f6cb9ba74f06d64d3403316d6db7aefe94c17bdbc1f5cd49713033aad23c325eef19f1fb461a61f0556f2b4ca398656236

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk178862.exe

Filesize
340KB

MD5
a5302a23fa5c1528f2d0b337100dcdbe

SHA1
2dd9d8e77797fff0255c215bcc0e765caf6b560d

SHA256
2a9c97a418713061f03beec11452ba11fabe5a4c5a0b6487855a56ed70268ed5

SHA512
e997d7746cce438a62152decb9d468f6cb9ba74f06d64d3403316d6db7aefe94c17bdbc1f5cd49713033aad23c325eef19f1fb461a61f0556f2b4ca398656236

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk178862.exe

Filesize
340KB

MD5
a5302a23fa5c1528f2d0b337100dcdbe

SHA1
2dd9d8e77797fff0255c215bcc0e765caf6b560d

SHA256
2a9c97a418713061f03beec11452ba11fabe5a4c5a0b6487855a56ed70268ed5

SHA512
e997d7746cce438a62152decb9d468f6cb9ba74f06d64d3403316d6db7aefe94c17bdbc1f5cd49713033aad23c325eef19f1fb461a61f0556f2b4ca398656236

Download Submit
memory/996-155-0x0000000004890000-0x00000000048C5000-memory.dmp

Filesize
212KB

Download
memory/996-137-0x0000000004890000-0x00000000048C5000-memory.dmp

Filesize
212KB

Download
memory/996-159-0x0000000004890000-0x00000000048C5000-memory.dmp

Filesize
212KB

Download
memory/996-157-0x0000000004890000-0x00000000048C5000-memory.dmp

Filesize
212KB

Download
memory/996-129-0x0000000004890000-0x00000000048C5000-memory.dmp

Filesize
212KB

Download
memory/996-153-0x0000000004890000-0x00000000048C5000-memory.dmp

Filesize
212KB

Download
memory/996-151-0x0000000004890000-0x00000000048C5000-memory.dmp

Filesize
212KB

Download
memory/996-149-0x0000000004890000-0x00000000048C5000-memory.dmp

Filesize
212KB

Download
memory/996-147-0x0000000004890000-0x00000000048C5000-memory.dmp

Filesize
212KB

Download
memory/996-145-0x0000000004890000-0x00000000048C5000-memory.dmp

Filesize
212KB

Download
memory/996-143-0x0000000004890000-0x00000000048C5000-memory.dmp

Filesize
212KB

Download
memory/996-141-0x0000000004890000-0x00000000048C5000-memory.dmp

Filesize
212KB

Download
memory/996-139-0x0000000004890000-0x00000000048C5000-memory.dmp

Filesize
212KB

Download
memory/996-449-0x00000000002C0000-0x0000000000306000-memory.dmp

Filesize
280KB

Download
memory/996-135-0x0000000004890000-0x00000000048C5000-memory.dmp

Filesize
212KB

Download
memory/996-133-0x0000000004890000-0x00000000048C5000-memory.dmp

Filesize
212KB

Download
memory/996-131-0x0000000004890000-0x00000000048C5000-memory.dmp

Filesize
212KB

Download
memory/996-451-0x0000000007310000-0x0000000007350000-memory.dmp

Filesize
256KB

Download
memory/996-453-0x0000000007310000-0x0000000007350000-memory.dmp

Filesize
256KB

Download
memory/996-921-0x0000000007310000-0x0000000007350000-memory.dmp

Filesize
256KB

Download
memory/996-924-0x0000000007310000-0x0000000007350000-memory.dmp

Filesize
256KB

Download
memory/996-925-0x0000000007310000-0x0000000007350000-memory.dmp

Filesize
256KB

Download
memory/996-926-0x0000000007310000-0x0000000007350000-memory.dmp

Filesize
256KB

Download
memory/996-124-0x0000000004850000-0x000000000488C000-memory.dmp

Filesize
240KB

Download
memory/996-125-0x0000000004890000-0x00000000048CA000-memory.dmp

Filesize
232KB

Download
memory/996-126-0x0000000004890000-0x00000000048C5000-memory.dmp

Filesize
212KB

Download
memory/996-127-0x0000000004890000-0x00000000048C5000-memory.dmp

Filesize
212KB

Download
memory/1748-80-0x00000000032C0000-0x00000000032D3000-memory.dmp

Filesize
76KB

Download
memory/1748-113-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/1748-112-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/1748-108-0x00000000002A0000-0x00000000002CD000-memory.dmp

Filesize
180KB

Download
memory/1748-111-0x0000000007330000-0x0000000007370000-memory.dmp

Filesize
256KB

Download
memory/1748-109-0x0000000007330000-0x0000000007370000-memory.dmp

Filesize
256KB

Download
memory/1748-110-0x0000000007330000-0x0000000007370000-memory.dmp

Filesize
256KB

Download
memory/1748-91-0x00000000032C0000-0x00000000032D3000-memory.dmp

Filesize
76KB

Download
memory/1748-95-0x00000000032C0000-0x00000000032D3000-memory.dmp

Filesize
76KB

Download
memory/1748-99-0x00000000032C0000-0x00000000032D3000-memory.dmp

Filesize
76KB

Download
memory/1748-101-0x00000000032C0000-0x00000000032D3000-memory.dmp

Filesize
76KB

Download
memory/1748-103-0x00000000032C0000-0x00000000032D3000-memory.dmp

Filesize
76KB

Download
memory/1748-105-0x00000000032C0000-0x00000000032D3000-memory.dmp

Filesize
76KB

Download
memory/1748-107-0x00000000032C0000-0x00000000032D3000-memory.dmp

Filesize
76KB

Download
memory/1748-97-0x00000000032C0000-0x00000000032D3000-memory.dmp

Filesize
76KB

Download
memory/1748-93-0x00000000032C0000-0x00000000032D3000-memory.dmp

Filesize
76KB

Download
memory/1748-89-0x00000000032C0000-0x00000000032D3000-memory.dmp

Filesize
76KB

Download
memory/1748-85-0x00000000032C0000-0x00000000032D3000-memory.dmp

Filesize
76KB

Download
memory/1748-87-0x00000000032C0000-0x00000000032D3000-memory.dmp

Filesize
76KB

Download
memory/1748-81-0x00000000032C0000-0x00000000032D3000-memory.dmp

Filesize
76KB

Download
memory/1748-83-0x00000000032C0000-0x00000000032D3000-memory.dmp

Filesize
76KB

Download
memory/1748-79-0x00000000032C0000-0x00000000032D8000-memory.dmp

Filesize
96KB

Download
memory/1748-78-0x0000000003280000-0x000000000329A000-memory.dmp

Filesize
104KB

Download