e41bf2b6dda69f86c72e4295ba6a5684ad52ad3c1d76d437db02aba19e7cffc0

Analysis

max time kernel
217s
max time network
230s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2023, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e41bf2b6dda69f86c72e4295ba6a5684ad52ad3c1d76d437db02aba19e7cffc0.exe
Size

695KB
MD5

a5d7d7aa7665e12fc8d71a341c3130e2
SHA1

f4f37caf70071a7dfee2c70f081d933be6ebbd19
SHA256

e41bf2b6dda69f86c72e4295ba6a5684ad52ad3c1d76d437db02aba19e7cffc0
SHA512

eb1ac077f3c6b5271f767411cb750ae3ac692494a6c6bccae38bab521b45f84c8ac218a17b550f1300193cd833423647ddc882972bc7de8a3e35277fbc1cf744
SSDEEP

12288:Ny90mXTZFubLxC/+tZ9COuFiHdt5jWZpPWy6Bn18btKGA+q3c+:NyStC/+tXCP4Urz6Bn18bt503d

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	67166031.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	67166031.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	67166031.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	67166031.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	67166031.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	67166031.exe

Executes dropped EXE 3 IoCs

pid	Process
4456	un871210.exe
208	67166031.exe
1308	rk954358.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	67166031.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	67166031.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un871210.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e41bf2b6dda69f86c72e4295ba6a5684ad52ad3c1d76d437db02aba19e7cffc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e41bf2b6dda69f86c72e4295ba6a5684ad52ad3c1d76d437db02aba19e7cffc0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un871210.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3088	208	WerFault.exe	80

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
208	67166031.exe
208	67166031.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	208	67166031.exe
Token: SeDebugPrivilege	1308	rk954358.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 796 wrote to memory of 4456	796	e41bf2b6dda69f86c72e4295ba6a5684ad52ad3c1d76d437db02aba19e7cffc0.exe	79
PID 796 wrote to memory of 4456	796	e41bf2b6dda69f86c72e4295ba6a5684ad52ad3c1d76d437db02aba19e7cffc0.exe	79
PID 796 wrote to memory of 4456	796	e41bf2b6dda69f86c72e4295ba6a5684ad52ad3c1d76d437db02aba19e7cffc0.exe	79
PID 4456 wrote to memory of 208	4456	un871210.exe	80
PID 4456 wrote to memory of 208	4456	un871210.exe	80
PID 4456 wrote to memory of 208	4456	un871210.exe	80
PID 4456 wrote to memory of 1308	4456	un871210.exe	84
PID 4456 wrote to memory of 1308	4456	un871210.exe	84
PID 4456 wrote to memory of 1308	4456	un871210.exe	84

C:\Users\Admin\AppData\Local\Temp\e41bf2b6dda69f86c72e4295ba6a5684ad52ad3c1d76d437db02aba19e7cffc0.exe
"C:\Users\Admin\AppData\Local\Temp\e41bf2b6dda69f86c72e4295ba6a5684ad52ad3c1d76d437db02aba19e7cffc0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:796
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un871210.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un871210.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\67166031.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\67166031.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1088
      4⤵
      Program crash
      PID:3088
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk954358.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk954358.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 208 -ip 208
1⤵
PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un871210.exe

Filesize
541KB

MD5
1f40057b700f19ecd8f90276397e2ca0

SHA1
397636bd2abc0d33f04b69c1bbbccad26d3b9da6

SHA256
d95d395428d5b58cf367a759470d23ad8e07b67cc2d5398354e342f56253d178

SHA512
594b94a2d6ddfb4b2c34e53da589eed28c3ad3bef185d185504204244ac07c8ca5d50d79f254079959a662feb55cd9c1b4e896544ccd5dc64325b250c7c54af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un871210.exe

Filesize
541KB

MD5
1f40057b700f19ecd8f90276397e2ca0

SHA1
397636bd2abc0d33f04b69c1bbbccad26d3b9da6

SHA256
d95d395428d5b58cf367a759470d23ad8e07b67cc2d5398354e342f56253d178

SHA512
594b94a2d6ddfb4b2c34e53da589eed28c3ad3bef185d185504204244ac07c8ca5d50d79f254079959a662feb55cd9c1b4e896544ccd5dc64325b250c7c54af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\67166031.exe

Filesize
258KB

MD5
71537c23116dbedf40aba52eb6199d7b

SHA1
678490e081dc57d9ec769a76e34e1b2cb52a588b

SHA256
0bea06aff520a74a98890d2221ac3c177d348b940ee63fc4cb063949dfd53c82

SHA512
27234b4d0b3ff78c31578aa7d2c9e96050f82ac12b816f62d60985fa66015bc03f7f7bf05c39c2c77d9ddaf0d8fc82231e0a2c70e4ba3b8d0c83858b0fd3c756

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\67166031.exe

Filesize
258KB

MD5
71537c23116dbedf40aba52eb6199d7b

SHA1
678490e081dc57d9ec769a76e34e1b2cb52a588b

SHA256
0bea06aff520a74a98890d2221ac3c177d348b940ee63fc4cb063949dfd53c82

SHA512
27234b4d0b3ff78c31578aa7d2c9e96050f82ac12b816f62d60985fa66015bc03f7f7bf05c39c2c77d9ddaf0d8fc82231e0a2c70e4ba3b8d0c83858b0fd3c756

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk954358.exe

Filesize
340KB

MD5
cc056d29bd59b5d63000449bea75b815

SHA1
a4cdd85b736918c5ad5f5571822725ed54694687

SHA256
785bd8e4845ed8fdd60803c11fc0437837cda11480190354d543bb92144b541f

SHA512
ac13b84460948e4e7d3e57c0167d24e4fa4972719fa59e053973e64da3e4308df1fdbf6b2633895f71111828be8f58f2a12f8c443ab33a9345338ed2fae12890

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk954358.exe

Filesize
340KB

MD5
cc056d29bd59b5d63000449bea75b815

SHA1
a4cdd85b736918c5ad5f5571822725ed54694687

SHA256
785bd8e4845ed8fdd60803c11fc0437837cda11480190354d543bb92144b541f

SHA512
ac13b84460948e4e7d3e57c0167d24e4fa4972719fa59e053973e64da3e4308df1fdbf6b2633895f71111828be8f58f2a12f8c443ab33a9345338ed2fae12890

Download Submit
memory/208-179-0x0000000004DE0000-0x0000000004DF3000-memory.dmp

Filesize
76KB

Download
memory/208-184-0x00000000074E0000-0x00000000074F0000-memory.dmp

Filesize
64KB

Download
memory/208-152-0x00000000074E0000-0x00000000074F0000-memory.dmp

Filesize
64KB

Download
memory/208-153-0x00000000074E0000-0x00000000074F0000-memory.dmp

Filesize
64KB

Download
memory/208-154-0x00000000074E0000-0x00000000074F0000-memory.dmp

Filesize
64KB

Download
memory/208-155-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/208-156-0x0000000004DE0000-0x0000000004DF3000-memory.dmp

Filesize
76KB

Download
memory/208-157-0x0000000004DE0000-0x0000000004DF3000-memory.dmp

Filesize
76KB

Download
memory/208-159-0x0000000004DE0000-0x0000000004DF3000-memory.dmp

Filesize
76KB

Download
memory/208-161-0x0000000004DE0000-0x0000000004DF3000-memory.dmp

Filesize
76KB

Download
memory/208-163-0x0000000004DE0000-0x0000000004DF3000-memory.dmp

Filesize
76KB

Download
memory/208-165-0x0000000004DE0000-0x0000000004DF3000-memory.dmp

Filesize
76KB

Download
memory/208-167-0x0000000004DE0000-0x0000000004DF3000-memory.dmp

Filesize
76KB

Download
memory/208-169-0x0000000004DE0000-0x0000000004DF3000-memory.dmp

Filesize
76KB

Download
memory/208-171-0x0000000004DE0000-0x0000000004DF3000-memory.dmp

Filesize
76KB

Download
memory/208-173-0x0000000004DE0000-0x0000000004DF3000-memory.dmp

Filesize
76KB

Download
memory/208-175-0x0000000004DE0000-0x0000000004DF3000-memory.dmp

Filesize
76KB

Download
memory/208-177-0x0000000004DE0000-0x0000000004DF3000-memory.dmp

Filesize
76KB

Download
memory/208-150-0x0000000002C10000-0x0000000002C3D000-memory.dmp

Filesize
180KB

Download
memory/208-181-0x0000000004DE0000-0x0000000004DF3000-memory.dmp

Filesize
76KB

Download
memory/208-183-0x0000000004DE0000-0x0000000004DF3000-memory.dmp

Filesize
76KB

Download
memory/208-151-0x00000000074F0000-0x0000000007A94000-memory.dmp

Filesize
5.6MB

Download
memory/208-185-0x00000000074E0000-0x00000000074F0000-memory.dmp

Filesize
64KB

Download
memory/208-186-0x00000000074E0000-0x00000000074F0000-memory.dmp

Filesize
64KB

Download
memory/208-190-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/208-149-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/208-148-0x0000000002C10000-0x0000000002C3D000-memory.dmp

Filesize
180KB

Download
memory/1308-215-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/1308-224-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/1308-207-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/1308-209-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/1308-211-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/1308-213-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/1308-205-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/1308-219-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/1308-204-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/1308-222-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/1308-217-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/1308-226-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/1308-228-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/1308-223-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/1308-220-0x0000000002D20000-0x0000000002D66000-memory.dmp

Filesize
280KB

Download