d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01/05/2023, 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe
Size

707KB
MD5

416bdb8e05ee78385956ed39aaace2b5
SHA1

17547f35983565f00cd149006563cd6a78179d53
SHA256

d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb
SHA512

3a2e8078b13733fa8e40a11e2468052b65b04e28376a24e6e1b3e3bd81790815114e42929e215360d73c12af97558aeae721f701763d69a3a2f7ca3c4b2b9d96
SSDEEP

12288:Oy90Iz9hP9yGNwto6t/CvF2wjxxcb4wG+ulJWkDGsTdn7Um1pduAeJvGjipl:OyN7P9nA22ojcbCX3i479/qVGwl

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	77211406.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	77211406.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	77211406.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	77211406.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	77211406.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	77211406.exe

Executes dropped EXE 3 IoCs

pid	Process
1744	un304808.exe
432	77211406.exe
1632	rk687410.exe

Loads dropped DLL 8 IoCs

pid	Process
1652	d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe
1744	un304808.exe
1744	un304808.exe
1744	un304808.exe
432	77211406.exe
1744	un304808.exe
1744	un304808.exe
1632	rk687410.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	77211406.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	77211406.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un304808.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un304808.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
432	77211406.exe
432	77211406.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	432	77211406.exe
Token: SeDebugPrivilege	1632	rk687410.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 1744	1652	d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe	28
PID 1652 wrote to memory of 1744	1652	d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe	28
PID 1652 wrote to memory of 1744	1652	d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe	28
PID 1652 wrote to memory of 1744	1652	d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe	28
PID 1652 wrote to memory of 1744	1652	d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe	28
PID 1652 wrote to memory of 1744	1652	d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe	28
PID 1652 wrote to memory of 1744	1652	d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe	28
PID 1744 wrote to memory of 432	1744	un304808.exe	29
PID 1744 wrote to memory of 432	1744	un304808.exe	29
PID 1744 wrote to memory of 432	1744	un304808.exe	29
PID 1744 wrote to memory of 432	1744	un304808.exe	29
PID 1744 wrote to memory of 432	1744	un304808.exe	29
PID 1744 wrote to memory of 432	1744	un304808.exe	29
PID 1744 wrote to memory of 432	1744	un304808.exe	29
PID 1744 wrote to memory of 1632	1744	un304808.exe	30
PID 1744 wrote to memory of 1632	1744	un304808.exe	30
PID 1744 wrote to memory of 1632	1744	un304808.exe	30
PID 1744 wrote to memory of 1632	1744	un304808.exe	30
PID 1744 wrote to memory of 1632	1744	un304808.exe	30
PID 1744 wrote to memory of 1632	1744	un304808.exe	30
PID 1744 wrote to memory of 1632	1744	un304808.exe	30

C:\Users\Admin\AppData\Local\Temp\d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe
"C:\Users\Admin\AppData\Local\Temp\d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un304808.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un304808.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:432
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk687410.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk687410.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un304808.exe

Filesize
553KB

MD5
b5715a8a7dfde31a802387b19321f31b

SHA1
39f0756bbc2cc322fff969028603b8572981e923

SHA256
70d1f037b11e26c7bbcf797fbf86b4e2616d40994f7b7967cc5b4168b662b339

SHA512
92ab6cc19724e4008de54a42ddf997ec537eccdf2a16936ce6c6de8862a9a86a11fed8aebcdd12c74d7e1e5736a0ccd3c21cc2a124809d794863e84548c117dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un304808.exe

Filesize
553KB

MD5
b5715a8a7dfde31a802387b19321f31b

SHA1
39f0756bbc2cc322fff969028603b8572981e923

SHA256
70d1f037b11e26c7bbcf797fbf86b4e2616d40994f7b7967cc5b4168b662b339

SHA512
92ab6cc19724e4008de54a42ddf997ec537eccdf2a16936ce6c6de8862a9a86a11fed8aebcdd12c74d7e1e5736a0ccd3c21cc2a124809d794863e84548c117dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe

Filesize
258KB

MD5
24f85c699a19ee5e19fdd82c6e224735

SHA1
ec4fcba5f997ff3cc61d1a6cc36b35efc8427ab8

SHA256
f34886dfa880aa85c0b53f7562db4510487150009654382d225fcdbf8add0a58

SHA512
9cd0f861035d455f30a702eb70b88f549ec96f83467819867b63d584cccad33d6c138e601585099d12d12f1a0cf60f9bb6219aa8001d67b6e97217c0521b884b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe

Filesize
258KB

MD5
24f85c699a19ee5e19fdd82c6e224735

SHA1
ec4fcba5f997ff3cc61d1a6cc36b35efc8427ab8

SHA256
f34886dfa880aa85c0b53f7562db4510487150009654382d225fcdbf8add0a58

SHA512
9cd0f861035d455f30a702eb70b88f549ec96f83467819867b63d584cccad33d6c138e601585099d12d12f1a0cf60f9bb6219aa8001d67b6e97217c0521b884b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe

Filesize
258KB

MD5
24f85c699a19ee5e19fdd82c6e224735

SHA1
ec4fcba5f997ff3cc61d1a6cc36b35efc8427ab8

SHA256
f34886dfa880aa85c0b53f7562db4510487150009654382d225fcdbf8add0a58

SHA512
9cd0f861035d455f30a702eb70b88f549ec96f83467819867b63d584cccad33d6c138e601585099d12d12f1a0cf60f9bb6219aa8001d67b6e97217c0521b884b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk687410.exe

Filesize
353KB

MD5
8811341d1ea7a75289287e97b6ae3d65

SHA1
bc41b1b0187a35dcdfa016c5a1657aff7133c331

SHA256
fbe65c4fc429a0274e4003e6d31616abc0ef05ddcea1f2a6948275c9eefcf4ea

SHA512
4112905de2e05c53766373ae5ea85e7faf1fa4cbba5a32ee224f6d36e8f4bb8e73b65e588d06dbe0f49898aed73d28e5ea827a295dfa2edb6470971e5d2f40a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk687410.exe

Filesize
353KB

MD5
8811341d1ea7a75289287e97b6ae3d65

SHA1
bc41b1b0187a35dcdfa016c5a1657aff7133c331

SHA256
fbe65c4fc429a0274e4003e6d31616abc0ef05ddcea1f2a6948275c9eefcf4ea

SHA512
4112905de2e05c53766373ae5ea85e7faf1fa4cbba5a32ee224f6d36e8f4bb8e73b65e588d06dbe0f49898aed73d28e5ea827a295dfa2edb6470971e5d2f40a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk687410.exe

Filesize
353KB

MD5
8811341d1ea7a75289287e97b6ae3d65

SHA1
bc41b1b0187a35dcdfa016c5a1657aff7133c331

SHA256
fbe65c4fc429a0274e4003e6d31616abc0ef05ddcea1f2a6948275c9eefcf4ea

SHA512
4112905de2e05c53766373ae5ea85e7faf1fa4cbba5a32ee224f6d36e8f4bb8e73b65e588d06dbe0f49898aed73d28e5ea827a295dfa2edb6470971e5d2f40a1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un304808.exe

Filesize
553KB

MD5
b5715a8a7dfde31a802387b19321f31b

SHA1
39f0756bbc2cc322fff969028603b8572981e923

SHA256
70d1f037b11e26c7bbcf797fbf86b4e2616d40994f7b7967cc5b4168b662b339

SHA512
92ab6cc19724e4008de54a42ddf997ec537eccdf2a16936ce6c6de8862a9a86a11fed8aebcdd12c74d7e1e5736a0ccd3c21cc2a124809d794863e84548c117dd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un304808.exe

Filesize
553KB

MD5
b5715a8a7dfde31a802387b19321f31b

SHA1
39f0756bbc2cc322fff969028603b8572981e923

SHA256
70d1f037b11e26c7bbcf797fbf86b4e2616d40994f7b7967cc5b4168b662b339

SHA512
92ab6cc19724e4008de54a42ddf997ec537eccdf2a16936ce6c6de8862a9a86a11fed8aebcdd12c74d7e1e5736a0ccd3c21cc2a124809d794863e84548c117dd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe

Filesize
258KB

MD5
24f85c699a19ee5e19fdd82c6e224735

SHA1
ec4fcba5f997ff3cc61d1a6cc36b35efc8427ab8

SHA256
f34886dfa880aa85c0b53f7562db4510487150009654382d225fcdbf8add0a58

SHA512
9cd0f861035d455f30a702eb70b88f549ec96f83467819867b63d584cccad33d6c138e601585099d12d12f1a0cf60f9bb6219aa8001d67b6e97217c0521b884b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe

Filesize
258KB

MD5
24f85c699a19ee5e19fdd82c6e224735

SHA1
ec4fcba5f997ff3cc61d1a6cc36b35efc8427ab8

SHA256
f34886dfa880aa85c0b53f7562db4510487150009654382d225fcdbf8add0a58

SHA512
9cd0f861035d455f30a702eb70b88f549ec96f83467819867b63d584cccad33d6c138e601585099d12d12f1a0cf60f9bb6219aa8001d67b6e97217c0521b884b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe

Filesize
258KB

MD5
24f85c699a19ee5e19fdd82c6e224735

SHA1
ec4fcba5f997ff3cc61d1a6cc36b35efc8427ab8

SHA256
f34886dfa880aa85c0b53f7562db4510487150009654382d225fcdbf8add0a58

SHA512
9cd0f861035d455f30a702eb70b88f549ec96f83467819867b63d584cccad33d6c138e601585099d12d12f1a0cf60f9bb6219aa8001d67b6e97217c0521b884b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk687410.exe

Filesize
353KB

MD5
8811341d1ea7a75289287e97b6ae3d65

SHA1
bc41b1b0187a35dcdfa016c5a1657aff7133c331

SHA256
fbe65c4fc429a0274e4003e6d31616abc0ef05ddcea1f2a6948275c9eefcf4ea

SHA512
4112905de2e05c53766373ae5ea85e7faf1fa4cbba5a32ee224f6d36e8f4bb8e73b65e588d06dbe0f49898aed73d28e5ea827a295dfa2edb6470971e5d2f40a1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk687410.exe

Filesize
353KB

MD5
8811341d1ea7a75289287e97b6ae3d65

SHA1
bc41b1b0187a35dcdfa016c5a1657aff7133c331

SHA256
fbe65c4fc429a0274e4003e6d31616abc0ef05ddcea1f2a6948275c9eefcf4ea

SHA512
4112905de2e05c53766373ae5ea85e7faf1fa4cbba5a32ee224f6d36e8f4bb8e73b65e588d06dbe0f49898aed73d28e5ea827a295dfa2edb6470971e5d2f40a1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk687410.exe

Filesize
353KB

MD5
8811341d1ea7a75289287e97b6ae3d65

SHA1
bc41b1b0187a35dcdfa016c5a1657aff7133c331

SHA256
fbe65c4fc429a0274e4003e6d31616abc0ef05ddcea1f2a6948275c9eefcf4ea

SHA512
4112905de2e05c53766373ae5ea85e7faf1fa4cbba5a32ee224f6d36e8f4bb8e73b65e588d06dbe0f49898aed73d28e5ea827a295dfa2edb6470971e5d2f40a1

Download Submit
memory/432-110-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/432-87-0x00000000048E0000-0x00000000048F3000-memory.dmp

Filesize
76KB

Download
memory/432-89-0x00000000048E0000-0x00000000048F3000-memory.dmp

Filesize
76KB

Download
memory/432-91-0x00000000048E0000-0x00000000048F3000-memory.dmp

Filesize
76KB

Download
memory/432-93-0x00000000048E0000-0x00000000048F3000-memory.dmp

Filesize
76KB

Download
memory/432-95-0x00000000048E0000-0x00000000048F3000-memory.dmp

Filesize
76KB

Download
memory/432-97-0x00000000048E0000-0x00000000048F3000-memory.dmp

Filesize
76KB

Download
memory/432-101-0x00000000048E0000-0x00000000048F3000-memory.dmp

Filesize
76KB

Download
memory/432-99-0x00000000048E0000-0x00000000048F3000-memory.dmp

Filesize
76KB

Download
memory/432-105-0x00000000048E0000-0x00000000048F3000-memory.dmp

Filesize
76KB

Download
memory/432-103-0x00000000048E0000-0x00000000048F3000-memory.dmp

Filesize
76KB

Download
memory/432-109-0x00000000048E0000-0x00000000048F3000-memory.dmp

Filesize
76KB

Download
memory/432-107-0x00000000048E0000-0x00000000048F3000-memory.dmp

Filesize
76KB

Download
memory/432-85-0x00000000048E0000-0x00000000048F3000-memory.dmp

Filesize
76KB

Download
memory/432-113-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/432-83-0x00000000048E0000-0x00000000048F3000-memory.dmp

Filesize
76KB

Download
memory/432-82-0x00000000048E0000-0x00000000048F3000-memory.dmp

Filesize
76KB

Download
memory/432-81-0x00000000071A0000-0x00000000071E0000-memory.dmp

Filesize
256KB

Download
memory/432-80-0x0000000000370000-0x000000000039D000-memory.dmp

Filesize
180KB

Download
memory/432-79-0x00000000048E0000-0x00000000048F8000-memory.dmp

Filesize
96KB

Download
memory/432-78-0x0000000003300000-0x000000000331A000-memory.dmp

Filesize
104KB

Download
memory/1632-127-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/1632-144-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/1632-124-0x0000000004B50000-0x0000000004B8C000-memory.dmp

Filesize
240KB

Download
memory/1632-126-0x0000000000270000-0x00000000002B6000-memory.dmp

Filesize
280KB

Download
memory/1632-129-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/1632-128-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/1632-130-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/1632-132-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/1632-134-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/1632-136-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/1632-138-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/1632-140-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/1632-142-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/1632-125-0x00000000070A0000-0x00000000070DA000-memory.dmp

Filesize
232KB

Download
memory/1632-146-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/1632-148-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/1632-150-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/1632-152-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/1632-154-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/1632-156-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/1632-160-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/1632-158-0x00000000070A0000-0x00000000070D5000-memory.dmp

Filesize
212KB

Download
memory/1632-922-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/1632-923-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/1632-924-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/1632-926-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download