e860d6ab0c335f32c1916b2df3a198c2e216cb2940843c71a6d445f52ac8036a

Analysis

max time kernel
145s
max time network
163s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01/05/2023, 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e860d6ab0c335f32c1916b2df3a198c2e216cb2940843c71a6d445f52ac8036a.exe
Size

697KB
MD5

2d1dafe4b956f6580608021cb375c3d3
SHA1

1f587a229f48e1447701a36577ebb38f91d428f4
SHA256

e860d6ab0c335f32c1916b2df3a198c2e216cb2940843c71a6d445f52ac8036a
SHA512

7f1c8f526072bc760d3b9caf5468a61a1c2455dc34d4b1be12e3238125731b67022ef0ddac77c52ed00af7a2fd8b308ed9d07f8a6f1964ff031ebdb39c57d214
SSDEEP

12288:Ay90P3Dj+yEqW37IuqssN5eCLQRAifHjpfQ5uEUBHbKgAEr8dgj5EO0noNs:Ayg/E/0uqssKQQ2gtfiu1B7KgAS8dgjm

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	56127512.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	56127512.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	56127512.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	56127512.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	56127512.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	56127512.exe

Executes dropped EXE 3 IoCs

pid	Process
924	un314793.exe
572	56127512.exe
1276	rk628676.exe

Loads dropped DLL 8 IoCs

pid	Process
1692	e860d6ab0c335f32c1916b2df3a198c2e216cb2940843c71a6d445f52ac8036a.exe
924	un314793.exe
924	un314793.exe
924	un314793.exe
572	56127512.exe
924	un314793.exe
924	un314793.exe
1276	rk628676.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	56127512.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	56127512.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e860d6ab0c335f32c1916b2df3a198c2e216cb2940843c71a6d445f52ac8036a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e860d6ab0c335f32c1916b2df3a198c2e216cb2940843c71a6d445f52ac8036a.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un314793.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un314793.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
572	56127512.exe
572	56127512.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	572	56127512.exe
Token: SeDebugPrivilege	1276	rk628676.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 924	1692	e860d6ab0c335f32c1916b2df3a198c2e216cb2940843c71a6d445f52ac8036a.exe	28
PID 1692 wrote to memory of 924	1692	e860d6ab0c335f32c1916b2df3a198c2e216cb2940843c71a6d445f52ac8036a.exe	28
PID 1692 wrote to memory of 924	1692	e860d6ab0c335f32c1916b2df3a198c2e216cb2940843c71a6d445f52ac8036a.exe	28
PID 1692 wrote to memory of 924	1692	e860d6ab0c335f32c1916b2df3a198c2e216cb2940843c71a6d445f52ac8036a.exe	28
PID 1692 wrote to memory of 924	1692	e860d6ab0c335f32c1916b2df3a198c2e216cb2940843c71a6d445f52ac8036a.exe	28
PID 1692 wrote to memory of 924	1692	e860d6ab0c335f32c1916b2df3a198c2e216cb2940843c71a6d445f52ac8036a.exe	28
PID 1692 wrote to memory of 924	1692	e860d6ab0c335f32c1916b2df3a198c2e216cb2940843c71a6d445f52ac8036a.exe	28
PID 924 wrote to memory of 572	924	un314793.exe	29
PID 924 wrote to memory of 572	924	un314793.exe	29
PID 924 wrote to memory of 572	924	un314793.exe	29
PID 924 wrote to memory of 572	924	un314793.exe	29
PID 924 wrote to memory of 572	924	un314793.exe	29
PID 924 wrote to memory of 572	924	un314793.exe	29
PID 924 wrote to memory of 572	924	un314793.exe	29
PID 924 wrote to memory of 1276	924	un314793.exe	30
PID 924 wrote to memory of 1276	924	un314793.exe	30
PID 924 wrote to memory of 1276	924	un314793.exe	30
PID 924 wrote to memory of 1276	924	un314793.exe	30
PID 924 wrote to memory of 1276	924	un314793.exe	30
PID 924 wrote to memory of 1276	924	un314793.exe	30
PID 924 wrote to memory of 1276	924	un314793.exe	30

C:\Users\Admin\AppData\Local\Temp\e860d6ab0c335f32c1916b2df3a198c2e216cb2940843c71a6d445f52ac8036a.exe
"C:\Users\Admin\AppData\Local\Temp\e860d6ab0c335f32c1916b2df3a198c2e216cb2940843c71a6d445f52ac8036a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un314793.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un314793.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\56127512.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\56127512.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:572
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk628676.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk628676.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un314793.exe

Filesize
543KB

MD5
6e403f4896f7b01de628b37d95582aed

SHA1
0069456f88a1e0a5a18e62dd620543c3a88cabf3

SHA256
4dadf7b7a2acd61cf0929ae169e4df9f753dffcacf846502958fcddf4177d249

SHA512
a4c397070f1fab1d003c787af8416297ae2f0199499697c451a52296fd853d3104f835ff58a6e688e167610564362494af3db43415b49896ada3b6eaec028408

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un314793.exe

Filesize
543KB

MD5
6e403f4896f7b01de628b37d95582aed

SHA1
0069456f88a1e0a5a18e62dd620543c3a88cabf3

SHA256
4dadf7b7a2acd61cf0929ae169e4df9f753dffcacf846502958fcddf4177d249

SHA512
a4c397070f1fab1d003c787af8416297ae2f0199499697c451a52296fd853d3104f835ff58a6e688e167610564362494af3db43415b49896ada3b6eaec028408

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\56127512.exe

Filesize
265KB

MD5
95efd406b14b3e25fb82ce313172536d

SHA1
da8ab0bb5b1978dae8a1d3e69376ce6fab85b54e

SHA256
951b51b16778e6f16ea75e85663ea7fee596ca71f64be0bf4606f36674e38070

SHA512
ee209752f0ef1cdd4ec55d49f40bb06cb55d7a28b939486de52364a9363491f878f1146f3b38467787ee27b638633f716fd243bc3b386e41937d869f3c0d4192

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\56127512.exe

Filesize
265KB

MD5
95efd406b14b3e25fb82ce313172536d

SHA1
da8ab0bb5b1978dae8a1d3e69376ce6fab85b54e

SHA256
951b51b16778e6f16ea75e85663ea7fee596ca71f64be0bf4606f36674e38070

SHA512
ee209752f0ef1cdd4ec55d49f40bb06cb55d7a28b939486de52364a9363491f878f1146f3b38467787ee27b638633f716fd243bc3b386e41937d869f3c0d4192

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\56127512.exe

Filesize
265KB

MD5
95efd406b14b3e25fb82ce313172536d

SHA1
da8ab0bb5b1978dae8a1d3e69376ce6fab85b54e

SHA256
951b51b16778e6f16ea75e85663ea7fee596ca71f64be0bf4606f36674e38070

SHA512
ee209752f0ef1cdd4ec55d49f40bb06cb55d7a28b939486de52364a9363491f878f1146f3b38467787ee27b638633f716fd243bc3b386e41937d869f3c0d4192

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk628676.exe

Filesize
347KB

MD5
7a53e9e5ff1c891c38047154774b9f20

SHA1
178100e6edb29653db3879ee0bbb25fcb6f142e0

SHA256
e0f82ae4c353b90086c4986d648c0af44f5448e5f376c7270f1150798f727491

SHA512
6bc27153a4364088ba3a1449f0b30ba9549ccdeee4173e78e0d0648a5cf0899a70e1581ae00aa5f0626890a8877bdd0872dfb84946e12a312cd88feef424278c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk628676.exe

Filesize
347KB

MD5
7a53e9e5ff1c891c38047154774b9f20

SHA1
178100e6edb29653db3879ee0bbb25fcb6f142e0

SHA256
e0f82ae4c353b90086c4986d648c0af44f5448e5f376c7270f1150798f727491

SHA512
6bc27153a4364088ba3a1449f0b30ba9549ccdeee4173e78e0d0648a5cf0899a70e1581ae00aa5f0626890a8877bdd0872dfb84946e12a312cd88feef424278c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk628676.exe

Filesize
347KB

MD5
7a53e9e5ff1c891c38047154774b9f20

SHA1
178100e6edb29653db3879ee0bbb25fcb6f142e0

SHA256
e0f82ae4c353b90086c4986d648c0af44f5448e5f376c7270f1150798f727491

SHA512
6bc27153a4364088ba3a1449f0b30ba9549ccdeee4173e78e0d0648a5cf0899a70e1581ae00aa5f0626890a8877bdd0872dfb84946e12a312cd88feef424278c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un314793.exe

Filesize
543KB

MD5
6e403f4896f7b01de628b37d95582aed

SHA1
0069456f88a1e0a5a18e62dd620543c3a88cabf3

SHA256
4dadf7b7a2acd61cf0929ae169e4df9f753dffcacf846502958fcddf4177d249

SHA512
a4c397070f1fab1d003c787af8416297ae2f0199499697c451a52296fd853d3104f835ff58a6e688e167610564362494af3db43415b49896ada3b6eaec028408

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un314793.exe

Filesize
543KB

MD5
6e403f4896f7b01de628b37d95582aed

SHA1
0069456f88a1e0a5a18e62dd620543c3a88cabf3

SHA256
4dadf7b7a2acd61cf0929ae169e4df9f753dffcacf846502958fcddf4177d249

SHA512
a4c397070f1fab1d003c787af8416297ae2f0199499697c451a52296fd853d3104f835ff58a6e688e167610564362494af3db43415b49896ada3b6eaec028408

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\56127512.exe

Filesize
265KB

MD5
95efd406b14b3e25fb82ce313172536d

SHA1
da8ab0bb5b1978dae8a1d3e69376ce6fab85b54e

SHA256
951b51b16778e6f16ea75e85663ea7fee596ca71f64be0bf4606f36674e38070

SHA512
ee209752f0ef1cdd4ec55d49f40bb06cb55d7a28b939486de52364a9363491f878f1146f3b38467787ee27b638633f716fd243bc3b386e41937d869f3c0d4192

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\56127512.exe

Filesize
265KB

MD5
95efd406b14b3e25fb82ce313172536d

SHA1
da8ab0bb5b1978dae8a1d3e69376ce6fab85b54e

SHA256
951b51b16778e6f16ea75e85663ea7fee596ca71f64be0bf4606f36674e38070

SHA512
ee209752f0ef1cdd4ec55d49f40bb06cb55d7a28b939486de52364a9363491f878f1146f3b38467787ee27b638633f716fd243bc3b386e41937d869f3c0d4192

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\56127512.exe

Filesize
265KB

MD5
95efd406b14b3e25fb82ce313172536d

SHA1
da8ab0bb5b1978dae8a1d3e69376ce6fab85b54e

SHA256
951b51b16778e6f16ea75e85663ea7fee596ca71f64be0bf4606f36674e38070

SHA512
ee209752f0ef1cdd4ec55d49f40bb06cb55d7a28b939486de52364a9363491f878f1146f3b38467787ee27b638633f716fd243bc3b386e41937d869f3c0d4192

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk628676.exe

Filesize
347KB

MD5
7a53e9e5ff1c891c38047154774b9f20

SHA1
178100e6edb29653db3879ee0bbb25fcb6f142e0

SHA256
e0f82ae4c353b90086c4986d648c0af44f5448e5f376c7270f1150798f727491

SHA512
6bc27153a4364088ba3a1449f0b30ba9549ccdeee4173e78e0d0648a5cf0899a70e1581ae00aa5f0626890a8877bdd0872dfb84946e12a312cd88feef424278c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk628676.exe

Filesize
347KB

MD5
7a53e9e5ff1c891c38047154774b9f20

SHA1
178100e6edb29653db3879ee0bbb25fcb6f142e0

SHA256
e0f82ae4c353b90086c4986d648c0af44f5448e5f376c7270f1150798f727491

SHA512
6bc27153a4364088ba3a1449f0b30ba9549ccdeee4173e78e0d0648a5cf0899a70e1581ae00aa5f0626890a8877bdd0872dfb84946e12a312cd88feef424278c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk628676.exe

Filesize
347KB

MD5
7a53e9e5ff1c891c38047154774b9f20

SHA1
178100e6edb29653db3879ee0bbb25fcb6f142e0

SHA256
e0f82ae4c353b90086c4986d648c0af44f5448e5f376c7270f1150798f727491

SHA512
6bc27153a4364088ba3a1449f0b30ba9549ccdeee4173e78e0d0648a5cf0899a70e1581ae00aa5f0626890a8877bdd0872dfb84946e12a312cd88feef424278c

Download Submit
memory/572-114-0x00000000072C0000-0x0000000007300000-memory.dmp

Filesize
256KB

Download
memory/572-87-0x0000000004730000-0x0000000004743000-memory.dmp

Filesize
76KB

Download
memory/572-89-0x0000000004730000-0x0000000004743000-memory.dmp

Filesize
76KB

Download
memory/572-91-0x0000000004730000-0x0000000004743000-memory.dmp

Filesize
76KB

Download
memory/572-93-0x0000000004730000-0x0000000004743000-memory.dmp

Filesize
76KB

Download
memory/572-95-0x0000000004730000-0x0000000004743000-memory.dmp

Filesize
76KB

Download
memory/572-97-0x0000000004730000-0x0000000004743000-memory.dmp

Filesize
76KB

Download
memory/572-99-0x0000000004730000-0x0000000004743000-memory.dmp

Filesize
76KB

Download
memory/572-101-0x0000000004730000-0x0000000004743000-memory.dmp

Filesize
76KB

Download
memory/572-103-0x0000000004730000-0x0000000004743000-memory.dmp

Filesize
76KB

Download
memory/572-105-0x0000000004730000-0x0000000004743000-memory.dmp

Filesize
76KB

Download
memory/572-107-0x0000000004730000-0x0000000004743000-memory.dmp

Filesize
76KB

Download
memory/572-109-0x0000000004730000-0x0000000004743000-memory.dmp

Filesize
76KB

Download
memory/572-110-0x00000000072C0000-0x0000000007300000-memory.dmp

Filesize
256KB

Download
memory/572-111-0x00000000072C0000-0x0000000007300000-memory.dmp

Filesize
256KB

Download
memory/572-112-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/572-85-0x0000000004730000-0x0000000004743000-memory.dmp

Filesize
76KB

Download
memory/572-116-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/572-83-0x0000000004730000-0x0000000004743000-memory.dmp

Filesize
76KB

Download
memory/572-82-0x0000000004730000-0x0000000004743000-memory.dmp

Filesize
76KB

Download
memory/572-81-0x0000000004730000-0x0000000004748000-memory.dmp

Filesize
96KB

Download
memory/572-80-0x00000000072C0000-0x0000000007300000-memory.dmp

Filesize
256KB

Download
memory/572-79-0x00000000003D0000-0x00000000003FD000-memory.dmp

Filesize
180KB

Download
memory/572-78-0x0000000002C30000-0x0000000002C4A000-memory.dmp

Filesize
104KB

Download
memory/1276-128-0x00000000032F0000-0x000000000332A000-memory.dmp

Filesize
232KB

Download
memory/1276-147-0x00000000032F0000-0x0000000003325000-memory.dmp

Filesize
212KB

Download
memory/1276-129-0x0000000000350000-0x0000000000396000-memory.dmp

Filesize
280KB

Download
memory/1276-130-0x00000000073A0000-0x00000000073E0000-memory.dmp

Filesize
256KB

Download
memory/1276-131-0x00000000073A0000-0x00000000073E0000-memory.dmp

Filesize
256KB

Download
memory/1276-132-0x00000000032F0000-0x0000000003325000-memory.dmp

Filesize
212KB

Download
memory/1276-133-0x00000000032F0000-0x0000000003325000-memory.dmp

Filesize
212KB

Download
memory/1276-135-0x00000000032F0000-0x0000000003325000-memory.dmp

Filesize
212KB

Download
memory/1276-137-0x00000000032F0000-0x0000000003325000-memory.dmp

Filesize
212KB

Download
memory/1276-139-0x00000000032F0000-0x0000000003325000-memory.dmp

Filesize
212KB

Download
memory/1276-141-0x00000000032F0000-0x0000000003325000-memory.dmp

Filesize
212KB

Download
memory/1276-143-0x00000000032F0000-0x0000000003325000-memory.dmp

Filesize
212KB

Download
memory/1276-145-0x00000000032F0000-0x0000000003325000-memory.dmp

Filesize
212KB

Download
memory/1276-127-0x00000000032B0000-0x00000000032EC000-memory.dmp

Filesize
240KB

Download
memory/1276-149-0x00000000032F0000-0x0000000003325000-memory.dmp

Filesize
212KB

Download
memory/1276-151-0x00000000032F0000-0x0000000003325000-memory.dmp

Filesize
212KB

Download
memory/1276-153-0x00000000032F0000-0x0000000003325000-memory.dmp

Filesize
212KB

Download
memory/1276-155-0x00000000032F0000-0x0000000003325000-memory.dmp

Filesize
212KB

Download
memory/1276-157-0x00000000032F0000-0x0000000003325000-memory.dmp

Filesize
212KB

Download
memory/1276-159-0x00000000032F0000-0x0000000003325000-memory.dmp

Filesize
212KB

Download
memory/1276-161-0x00000000032F0000-0x0000000003325000-memory.dmp

Filesize
212KB

Download
memory/1276-163-0x00000000032F0000-0x0000000003325000-memory.dmp

Filesize
212KB

Download
memory/1276-926-0x00000000073A0000-0x00000000073E0000-memory.dmp

Filesize
256KB

Download
memory/1276-927-0x00000000073A0000-0x00000000073E0000-memory.dmp

Filesize
256KB

Download
memory/1276-930-0x00000000073A0000-0x00000000073E0000-memory.dmp

Filesize
256KB

Download