e645817b2de73e89c4e3263557c427c01e159a78848e997054da4d560f26ae43

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01/05/2023, 18:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e645817b2de73e89c4e3263557c427c01e159a78848e997054da4d560f26ae43.exe
Size

746KB
MD5

94bb9c172a4c91ebf140a9eb833338b8
SHA1

a17da9f20e4f3356c851f5f50b10d71d723cad35
SHA256

e645817b2de73e89c4e3263557c427c01e159a78848e997054da4d560f26ae43
SHA512

55fd943b5c959d817fd98936d3a9b92184e6f44ed788745611b7232639e9c5693eafc4e0da9bdbffd814e435b17d60dbfac6fcd5cb1c6147ce02d3052adbeee5
SSDEEP

12288:Ly90LIf0wZNF9tizd+YFp+D4EbJKirF1DbF0/86b9y7uM9otk5Cd:Lye7wTEB+NDHfrFX0/86b9ylo3d

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	70506850.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	70506850.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	70506850.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	70506850.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	70506850.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	70506850.exe

Executes dropped EXE 3 IoCs

pid	Process
580	un402988.exe
1560	70506850.exe
1344	rk740568.exe

Loads dropped DLL 8 IoCs

pid	Process
920	e645817b2de73e89c4e3263557c427c01e159a78848e997054da4d560f26ae43.exe
580	un402988.exe
580	un402988.exe
580	un402988.exe
1560	70506850.exe
580	un402988.exe
580	un402988.exe
1344	rk740568.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	70506850.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	70506850.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e645817b2de73e89c4e3263557c427c01e159a78848e997054da4d560f26ae43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e645817b2de73e89c4e3263557c427c01e159a78848e997054da4d560f26ae43.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un402988.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un402988.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1560	70506850.exe
1560	70506850.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1560	70506850.exe
Token: SeDebugPrivilege	1344	rk740568.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 580	920	e645817b2de73e89c4e3263557c427c01e159a78848e997054da4d560f26ae43.exe	27
PID 920 wrote to memory of 580	920	e645817b2de73e89c4e3263557c427c01e159a78848e997054da4d560f26ae43.exe	27
PID 920 wrote to memory of 580	920	e645817b2de73e89c4e3263557c427c01e159a78848e997054da4d560f26ae43.exe	27
PID 920 wrote to memory of 580	920	e645817b2de73e89c4e3263557c427c01e159a78848e997054da4d560f26ae43.exe	27
PID 920 wrote to memory of 580	920	e645817b2de73e89c4e3263557c427c01e159a78848e997054da4d560f26ae43.exe	27
PID 920 wrote to memory of 580	920	e645817b2de73e89c4e3263557c427c01e159a78848e997054da4d560f26ae43.exe	27
PID 920 wrote to memory of 580	920	e645817b2de73e89c4e3263557c427c01e159a78848e997054da4d560f26ae43.exe	27
PID 580 wrote to memory of 1560	580	un402988.exe	28
PID 580 wrote to memory of 1560	580	un402988.exe	28
PID 580 wrote to memory of 1560	580	un402988.exe	28
PID 580 wrote to memory of 1560	580	un402988.exe	28
PID 580 wrote to memory of 1560	580	un402988.exe	28
PID 580 wrote to memory of 1560	580	un402988.exe	28
PID 580 wrote to memory of 1560	580	un402988.exe	28
PID 580 wrote to memory of 1344	580	un402988.exe	29
PID 580 wrote to memory of 1344	580	un402988.exe	29
PID 580 wrote to memory of 1344	580	un402988.exe	29
PID 580 wrote to memory of 1344	580	un402988.exe	29
PID 580 wrote to memory of 1344	580	un402988.exe	29
PID 580 wrote to memory of 1344	580	un402988.exe	29
PID 580 wrote to memory of 1344	580	un402988.exe	29

C:\Users\Admin\AppData\Local\Temp\e645817b2de73e89c4e3263557c427c01e159a78848e997054da4d560f26ae43.exe
"C:\Users\Admin\AppData\Local\Temp\e645817b2de73e89c4e3263557c427c01e159a78848e997054da4d560f26ae43.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:920
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un402988.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un402988.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70506850.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70506850.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1560
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk740568.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk740568.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un402988.exe

Filesize
592KB

MD5
06f63f2b9ef73fb279ee99ecfe60f1b3

SHA1
0ae4bfc1ade633ee4bed690f61735f8e6fff568c

SHA256
99320f790024cc577328a9ef2e234f47ccd8579685c96d653f26be67f16e98ca

SHA512
c877178bd4ae9cb070725c52cb6761352b658221e3cdf4219328e5f2c4df2c15cebfb94ad6cfe80429f05936213d7f89f271cc724053aae59e88e5d83cf9aea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un402988.exe

Filesize
592KB

MD5
06f63f2b9ef73fb279ee99ecfe60f1b3

SHA1
0ae4bfc1ade633ee4bed690f61735f8e6fff568c

SHA256
99320f790024cc577328a9ef2e234f47ccd8579685c96d653f26be67f16e98ca

SHA512
c877178bd4ae9cb070725c52cb6761352b658221e3cdf4219328e5f2c4df2c15cebfb94ad6cfe80429f05936213d7f89f271cc724053aae59e88e5d83cf9aea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70506850.exe

Filesize
376KB

MD5
a9f351c1733aed9846b8414ed2ba78ed

SHA1
ac52c66b4cf26c663f974f581092f32b2c2f5101

SHA256
eb4bd4eef892b6e3781b4d79b30732bab6d9344bf74bb027bcb507366fcdcb92

SHA512
eb62d1b81cb0bf489438a134756427ac87d4047ddb92003bdd8eabb6e600a71858aaeaee0fc7f74ae42e447eaa8f41a9c81f370c6db9981ec4198df9f884df3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70506850.exe

Filesize
376KB

MD5
a9f351c1733aed9846b8414ed2ba78ed

SHA1
ac52c66b4cf26c663f974f581092f32b2c2f5101

SHA256
eb4bd4eef892b6e3781b4d79b30732bab6d9344bf74bb027bcb507366fcdcb92

SHA512
eb62d1b81cb0bf489438a134756427ac87d4047ddb92003bdd8eabb6e600a71858aaeaee0fc7f74ae42e447eaa8f41a9c81f370c6db9981ec4198df9f884df3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70506850.exe

Filesize
376KB

MD5
a9f351c1733aed9846b8414ed2ba78ed

SHA1
ac52c66b4cf26c663f974f581092f32b2c2f5101

SHA256
eb4bd4eef892b6e3781b4d79b30732bab6d9344bf74bb027bcb507366fcdcb92

SHA512
eb62d1b81cb0bf489438a134756427ac87d4047ddb92003bdd8eabb6e600a71858aaeaee0fc7f74ae42e447eaa8f41a9c81f370c6db9981ec4198df9f884df3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk740568.exe

Filesize
459KB

MD5
aaecac303079dcf8ded2a9f9d6f99791

SHA1
92a7a197745a24301e01720f14716151e14e57b7

SHA256
c5ddbb2abb1756839ec0dce0ffc87cab40645d5a7b91f749e767d7c3994a840e

SHA512
684c22a736380871c47e0f7259725a9c392583ab50c3716e3cddc28e8f45581f45fa953c9568e053f38af5d21e6672ad6160d0cb92b3473bff04459cc116e304

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk740568.exe

Filesize
459KB

MD5
aaecac303079dcf8ded2a9f9d6f99791

SHA1
92a7a197745a24301e01720f14716151e14e57b7

SHA256
c5ddbb2abb1756839ec0dce0ffc87cab40645d5a7b91f749e767d7c3994a840e

SHA512
684c22a736380871c47e0f7259725a9c392583ab50c3716e3cddc28e8f45581f45fa953c9568e053f38af5d21e6672ad6160d0cb92b3473bff04459cc116e304

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk740568.exe

Filesize
459KB

MD5
aaecac303079dcf8ded2a9f9d6f99791

SHA1
92a7a197745a24301e01720f14716151e14e57b7

SHA256
c5ddbb2abb1756839ec0dce0ffc87cab40645d5a7b91f749e767d7c3994a840e

SHA512
684c22a736380871c47e0f7259725a9c392583ab50c3716e3cddc28e8f45581f45fa953c9568e053f38af5d21e6672ad6160d0cb92b3473bff04459cc116e304

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un402988.exe

Filesize
592KB

MD5
06f63f2b9ef73fb279ee99ecfe60f1b3

SHA1
0ae4bfc1ade633ee4bed690f61735f8e6fff568c

SHA256
99320f790024cc577328a9ef2e234f47ccd8579685c96d653f26be67f16e98ca

SHA512
c877178bd4ae9cb070725c52cb6761352b658221e3cdf4219328e5f2c4df2c15cebfb94ad6cfe80429f05936213d7f89f271cc724053aae59e88e5d83cf9aea9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un402988.exe

Filesize
592KB

MD5
06f63f2b9ef73fb279ee99ecfe60f1b3

SHA1
0ae4bfc1ade633ee4bed690f61735f8e6fff568c

SHA256
99320f790024cc577328a9ef2e234f47ccd8579685c96d653f26be67f16e98ca

SHA512
c877178bd4ae9cb070725c52cb6761352b658221e3cdf4219328e5f2c4df2c15cebfb94ad6cfe80429f05936213d7f89f271cc724053aae59e88e5d83cf9aea9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\70506850.exe

Filesize
376KB

MD5
a9f351c1733aed9846b8414ed2ba78ed

SHA1
ac52c66b4cf26c663f974f581092f32b2c2f5101

SHA256
eb4bd4eef892b6e3781b4d79b30732bab6d9344bf74bb027bcb507366fcdcb92

SHA512
eb62d1b81cb0bf489438a134756427ac87d4047ddb92003bdd8eabb6e600a71858aaeaee0fc7f74ae42e447eaa8f41a9c81f370c6db9981ec4198df9f884df3f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\70506850.exe

Filesize
376KB

MD5
a9f351c1733aed9846b8414ed2ba78ed

SHA1
ac52c66b4cf26c663f974f581092f32b2c2f5101

SHA256
eb4bd4eef892b6e3781b4d79b30732bab6d9344bf74bb027bcb507366fcdcb92

SHA512
eb62d1b81cb0bf489438a134756427ac87d4047ddb92003bdd8eabb6e600a71858aaeaee0fc7f74ae42e447eaa8f41a9c81f370c6db9981ec4198df9f884df3f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\70506850.exe

Filesize
376KB

MD5
a9f351c1733aed9846b8414ed2ba78ed

SHA1
ac52c66b4cf26c663f974f581092f32b2c2f5101

SHA256
eb4bd4eef892b6e3781b4d79b30732bab6d9344bf74bb027bcb507366fcdcb92

SHA512
eb62d1b81cb0bf489438a134756427ac87d4047ddb92003bdd8eabb6e600a71858aaeaee0fc7f74ae42e447eaa8f41a9c81f370c6db9981ec4198df9f884df3f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk740568.exe

Filesize
459KB

MD5
aaecac303079dcf8ded2a9f9d6f99791

SHA1
92a7a197745a24301e01720f14716151e14e57b7

SHA256
c5ddbb2abb1756839ec0dce0ffc87cab40645d5a7b91f749e767d7c3994a840e

SHA512
684c22a736380871c47e0f7259725a9c392583ab50c3716e3cddc28e8f45581f45fa953c9568e053f38af5d21e6672ad6160d0cb92b3473bff04459cc116e304

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk740568.exe

Filesize
459KB

MD5
aaecac303079dcf8ded2a9f9d6f99791

SHA1
92a7a197745a24301e01720f14716151e14e57b7

SHA256
c5ddbb2abb1756839ec0dce0ffc87cab40645d5a7b91f749e767d7c3994a840e

SHA512
684c22a736380871c47e0f7259725a9c392583ab50c3716e3cddc28e8f45581f45fa953c9568e053f38af5d21e6672ad6160d0cb92b3473bff04459cc116e304

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk740568.exe

Filesize
459KB

MD5
aaecac303079dcf8ded2a9f9d6f99791

SHA1
92a7a197745a24301e01720f14716151e14e57b7

SHA256
c5ddbb2abb1756839ec0dce0ffc87cab40645d5a7b91f749e767d7c3994a840e

SHA512
684c22a736380871c47e0f7259725a9c392583ab50c3716e3cddc28e8f45581f45fa953c9568e053f38af5d21e6672ad6160d0cb92b3473bff04459cc116e304

Download Submit
memory/1344-136-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1344-146-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1344-927-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

Filesize
256KB

Download
memory/1344-925-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

Filesize
256KB

Download
memory/1344-924-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

Filesize
256KB

Download
memory/1344-923-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

Filesize
256KB

Download
memory/1344-921-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

Filesize
256KB

Download
memory/1344-162-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1344-160-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1344-158-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1344-156-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1344-154-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1344-152-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1344-150-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1344-148-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1344-144-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1344-142-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1344-140-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1344-138-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1344-134-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1344-132-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1344-130-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1344-123-0x00000000025C0000-0x00000000025FC000-memory.dmp

Filesize
240KB

Download
memory/1344-124-0x0000000002610000-0x000000000264A000-memory.dmp

Filesize
232KB

Download
memory/1344-125-0x0000000000300000-0x0000000000346000-memory.dmp

Filesize
280KB

Download
memory/1344-126-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

Filesize
256KB

Download
memory/1344-127-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

Filesize
256KB

Download
memory/1344-128-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

Filesize
256KB

Download
memory/1344-129-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1560-108-0x00000000022B0000-0x00000000022C2000-memory.dmp

Filesize
72KB

Download
memory/1560-110-0x00000000022B0000-0x00000000022C2000-memory.dmp

Filesize
72KB

Download
memory/1560-81-0x0000000004E80000-0x0000000004EC0000-memory.dmp

Filesize
256KB

Download
memory/1560-78-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/1560-82-0x0000000004E80000-0x0000000004EC0000-memory.dmp

Filesize
256KB

Download
memory/1560-83-0x00000000022B0000-0x00000000022C2000-memory.dmp

Filesize
72KB

Download
memory/1560-84-0x00000000022B0000-0x00000000022C2000-memory.dmp

Filesize
72KB

Download
memory/1560-112-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1560-86-0x00000000022B0000-0x00000000022C2000-memory.dmp

Filesize
72KB

Download
memory/1560-106-0x00000000022B0000-0x00000000022C2000-memory.dmp

Filesize
72KB

Download
memory/1560-79-0x00000000022B0000-0x00000000022C8000-memory.dmp

Filesize
96KB

Download
memory/1560-80-0x00000000002D0000-0x00000000002FD000-memory.dmp

Filesize
180KB

Download
memory/1560-111-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1560-104-0x00000000022B0000-0x00000000022C2000-memory.dmp

Filesize
72KB

Download
memory/1560-100-0x00000000022B0000-0x00000000022C2000-memory.dmp

Filesize
72KB

Download
memory/1560-102-0x00000000022B0000-0x00000000022C2000-memory.dmp

Filesize
72KB

Download
memory/1560-98-0x00000000022B0000-0x00000000022C2000-memory.dmp

Filesize
72KB

Download
memory/1560-94-0x00000000022B0000-0x00000000022C2000-memory.dmp

Filesize
72KB

Download
memory/1560-96-0x00000000022B0000-0x00000000022C2000-memory.dmp

Filesize
72KB

Download
memory/1560-92-0x00000000022B0000-0x00000000022C2000-memory.dmp

Filesize
72KB

Download
memory/1560-88-0x00000000022B0000-0x00000000022C2000-memory.dmp

Filesize
72KB

Download
memory/1560-90-0x00000000022B0000-0x00000000022C2000-memory.dmp

Filesize
72KB

Download