e881d7472b118bfbf89e98ab2b6bb201da2afdc7b0869b8d18ef019ae5c0ec71

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01-05-2023 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e881d7472b118bfbf89e98ab2b6bb201da2afdc7b0869b8d18ef019ae5c0ec71.exe
Size

690KB
MD5

7fa6cc9ae7238019b166562de282928a
SHA1

e8370fe2717ad008a952e541f22b898851129746
SHA256

e881d7472b118bfbf89e98ab2b6bb201da2afdc7b0869b8d18ef019ae5c0ec71
SHA512

f451d959602d32cafb7f08a19202856996366d761e276f0311c8b8a9dc6b85a2bf66ea47b7686e442d198f231f3cccc55e8122ae871250f0b77cef7ae43d72bc
SSDEEP

12288:zy90ia8sCba0f8e0srtnpcXoJdRWadO8V2uBqAlYCiJ76DtD1RHiL:zyTa8sCb5ke0d4JvzOo2y3iZ6Dx1BiL

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	03093245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	03093245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	03093245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	03093245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	03093245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	03093245.exe

Executes dropped EXE 3 IoCs

pid	Process
1772	un631066.exe
1704	03093245.exe
1032	rk364979.exe

Loads dropped DLL 8 IoCs

pid	Process
1520	e881d7472b118bfbf89e98ab2b6bb201da2afdc7b0869b8d18ef019ae5c0ec71.exe
1772	un631066.exe
1772	un631066.exe
1772	un631066.exe
1704	03093245.exe
1772	un631066.exe
1772	un631066.exe
1032	rk364979.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	03093245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	03093245.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e881d7472b118bfbf89e98ab2b6bb201da2afdc7b0869b8d18ef019ae5c0ec71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e881d7472b118bfbf89e98ab2b6bb201da2afdc7b0869b8d18ef019ae5c0ec71.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un631066.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un631066.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1704	03093245.exe
1704	03093245.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1704	03093245.exe
Token: SeDebugPrivilege	1032	rk364979.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 1772	1520	e881d7472b118bfbf89e98ab2b6bb201da2afdc7b0869b8d18ef019ae5c0ec71.exe	27
PID 1520 wrote to memory of 1772	1520	e881d7472b118bfbf89e98ab2b6bb201da2afdc7b0869b8d18ef019ae5c0ec71.exe	27
PID 1520 wrote to memory of 1772	1520	e881d7472b118bfbf89e98ab2b6bb201da2afdc7b0869b8d18ef019ae5c0ec71.exe	27
PID 1520 wrote to memory of 1772	1520	e881d7472b118bfbf89e98ab2b6bb201da2afdc7b0869b8d18ef019ae5c0ec71.exe	27
PID 1520 wrote to memory of 1772	1520	e881d7472b118bfbf89e98ab2b6bb201da2afdc7b0869b8d18ef019ae5c0ec71.exe	27
PID 1520 wrote to memory of 1772	1520	e881d7472b118bfbf89e98ab2b6bb201da2afdc7b0869b8d18ef019ae5c0ec71.exe	27
PID 1520 wrote to memory of 1772	1520	e881d7472b118bfbf89e98ab2b6bb201da2afdc7b0869b8d18ef019ae5c0ec71.exe	27
PID 1772 wrote to memory of 1704	1772	un631066.exe	28
PID 1772 wrote to memory of 1704	1772	un631066.exe	28
PID 1772 wrote to memory of 1704	1772	un631066.exe	28
PID 1772 wrote to memory of 1704	1772	un631066.exe	28
PID 1772 wrote to memory of 1704	1772	un631066.exe	28
PID 1772 wrote to memory of 1704	1772	un631066.exe	28
PID 1772 wrote to memory of 1704	1772	un631066.exe	28
PID 1772 wrote to memory of 1032	1772	un631066.exe	29
PID 1772 wrote to memory of 1032	1772	un631066.exe	29
PID 1772 wrote to memory of 1032	1772	un631066.exe	29
PID 1772 wrote to memory of 1032	1772	un631066.exe	29
PID 1772 wrote to memory of 1032	1772	un631066.exe	29
PID 1772 wrote to memory of 1032	1772	un631066.exe	29
PID 1772 wrote to memory of 1032	1772	un631066.exe	29

C:\Users\Admin\AppData\Local\Temp\e881d7472b118bfbf89e98ab2b6bb201da2afdc7b0869b8d18ef019ae5c0ec71.exe
"C:\Users\Admin\AppData\Local\Temp\e881d7472b118bfbf89e98ab2b6bb201da2afdc7b0869b8d18ef019ae5c0ec71.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un631066.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un631066.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\03093245.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\03093245.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1704
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk364979.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk364979.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un631066.exe

Filesize
536KB

MD5
ae2e72e004eb797e4f25a43584eaf1dc

SHA1
7abd7e3de6e22c26c965730d5803a902fd77985d

SHA256
24fcda44d4dbf3ab7c82566d6c4794bf48a425485a9f819aa03358b36f1dbd60

SHA512
35220d9c6b7ea9be7a88689a13cb1ab55016befeb750533ff9e3ee8058c864d073d45ef170d8a3166b2669ad7dee3fdb5b5577a798a9ffc32a13bb6f5d715047

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un631066.exe

Filesize
536KB

MD5
ae2e72e004eb797e4f25a43584eaf1dc

SHA1
7abd7e3de6e22c26c965730d5803a902fd77985d

SHA256
24fcda44d4dbf3ab7c82566d6c4794bf48a425485a9f819aa03358b36f1dbd60

SHA512
35220d9c6b7ea9be7a88689a13cb1ab55016befeb750533ff9e3ee8058c864d073d45ef170d8a3166b2669ad7dee3fdb5b5577a798a9ffc32a13bb6f5d715047

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\03093245.exe

Filesize
259KB

MD5
fb5839878edbf5ec0171a2f332a68268

SHA1
3da45590b8c0f3a5bf33da3cfc4662b1d831a808

SHA256
6faeb7841b8df7911fabbe6231954a7c210abc64a7983c3b3ef30d1c211d234f

SHA512
07fe1180f4741c483671631dbd431a080bd236be1755a42e9fc09f283894b5ad6aa6a1d06b1c7c60b5077604985c10ebc3b8504eac9f6c2ea0aef09384f97fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\03093245.exe

Filesize
259KB

MD5
fb5839878edbf5ec0171a2f332a68268

SHA1
3da45590b8c0f3a5bf33da3cfc4662b1d831a808

SHA256
6faeb7841b8df7911fabbe6231954a7c210abc64a7983c3b3ef30d1c211d234f

SHA512
07fe1180f4741c483671631dbd431a080bd236be1755a42e9fc09f283894b5ad6aa6a1d06b1c7c60b5077604985c10ebc3b8504eac9f6c2ea0aef09384f97fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\03093245.exe

Filesize
259KB

MD5
fb5839878edbf5ec0171a2f332a68268

SHA1
3da45590b8c0f3a5bf33da3cfc4662b1d831a808

SHA256
6faeb7841b8df7911fabbe6231954a7c210abc64a7983c3b3ef30d1c211d234f

SHA512
07fe1180f4741c483671631dbd431a080bd236be1755a42e9fc09f283894b5ad6aa6a1d06b1c7c60b5077604985c10ebc3b8504eac9f6c2ea0aef09384f97fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk364979.exe

Filesize
341KB

MD5
cde559d5d45cb816f96317ee49f76af6

SHA1
f8e2b0537d718d73bf47de5bdabb811ebce26491

SHA256
7ccd1735380e511b9df5d3c9b2a8850f08c217eed3506145e11876574f503d98

SHA512
fbd2d47ac58b6d0735ab07d8e98bc88e883c2db537cad695692efe0c071b49974da97a4251e875e1731e1f8d3bafe5a945b4de97ad49afcc97efb1fcd63db94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk364979.exe

Filesize
341KB

MD5
cde559d5d45cb816f96317ee49f76af6

SHA1
f8e2b0537d718d73bf47de5bdabb811ebce26491

SHA256
7ccd1735380e511b9df5d3c9b2a8850f08c217eed3506145e11876574f503d98

SHA512
fbd2d47ac58b6d0735ab07d8e98bc88e883c2db537cad695692efe0c071b49974da97a4251e875e1731e1f8d3bafe5a945b4de97ad49afcc97efb1fcd63db94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk364979.exe

Filesize
341KB

MD5
cde559d5d45cb816f96317ee49f76af6

SHA1
f8e2b0537d718d73bf47de5bdabb811ebce26491

SHA256
7ccd1735380e511b9df5d3c9b2a8850f08c217eed3506145e11876574f503d98

SHA512
fbd2d47ac58b6d0735ab07d8e98bc88e883c2db537cad695692efe0c071b49974da97a4251e875e1731e1f8d3bafe5a945b4de97ad49afcc97efb1fcd63db94f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un631066.exe

Filesize
536KB

MD5
ae2e72e004eb797e4f25a43584eaf1dc

SHA1
7abd7e3de6e22c26c965730d5803a902fd77985d

SHA256
24fcda44d4dbf3ab7c82566d6c4794bf48a425485a9f819aa03358b36f1dbd60

SHA512
35220d9c6b7ea9be7a88689a13cb1ab55016befeb750533ff9e3ee8058c864d073d45ef170d8a3166b2669ad7dee3fdb5b5577a798a9ffc32a13bb6f5d715047

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un631066.exe

Filesize
536KB

MD5
ae2e72e004eb797e4f25a43584eaf1dc

SHA1
7abd7e3de6e22c26c965730d5803a902fd77985d

SHA256
24fcda44d4dbf3ab7c82566d6c4794bf48a425485a9f819aa03358b36f1dbd60

SHA512
35220d9c6b7ea9be7a88689a13cb1ab55016befeb750533ff9e3ee8058c864d073d45ef170d8a3166b2669ad7dee3fdb5b5577a798a9ffc32a13bb6f5d715047

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\03093245.exe

Filesize
259KB

MD5
fb5839878edbf5ec0171a2f332a68268

SHA1
3da45590b8c0f3a5bf33da3cfc4662b1d831a808

SHA256
6faeb7841b8df7911fabbe6231954a7c210abc64a7983c3b3ef30d1c211d234f

SHA512
07fe1180f4741c483671631dbd431a080bd236be1755a42e9fc09f283894b5ad6aa6a1d06b1c7c60b5077604985c10ebc3b8504eac9f6c2ea0aef09384f97fab

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\03093245.exe

Filesize
259KB

MD5
fb5839878edbf5ec0171a2f332a68268

SHA1
3da45590b8c0f3a5bf33da3cfc4662b1d831a808

SHA256
6faeb7841b8df7911fabbe6231954a7c210abc64a7983c3b3ef30d1c211d234f

SHA512
07fe1180f4741c483671631dbd431a080bd236be1755a42e9fc09f283894b5ad6aa6a1d06b1c7c60b5077604985c10ebc3b8504eac9f6c2ea0aef09384f97fab

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\03093245.exe

Filesize
259KB

MD5
fb5839878edbf5ec0171a2f332a68268

SHA1
3da45590b8c0f3a5bf33da3cfc4662b1d831a808

SHA256
6faeb7841b8df7911fabbe6231954a7c210abc64a7983c3b3ef30d1c211d234f

SHA512
07fe1180f4741c483671631dbd431a080bd236be1755a42e9fc09f283894b5ad6aa6a1d06b1c7c60b5077604985c10ebc3b8504eac9f6c2ea0aef09384f97fab

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk364979.exe

Filesize
341KB

MD5
cde559d5d45cb816f96317ee49f76af6

SHA1
f8e2b0537d718d73bf47de5bdabb811ebce26491

SHA256
7ccd1735380e511b9df5d3c9b2a8850f08c217eed3506145e11876574f503d98

SHA512
fbd2d47ac58b6d0735ab07d8e98bc88e883c2db537cad695692efe0c071b49974da97a4251e875e1731e1f8d3bafe5a945b4de97ad49afcc97efb1fcd63db94f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk364979.exe

Filesize
341KB

MD5
cde559d5d45cb816f96317ee49f76af6

SHA1
f8e2b0537d718d73bf47de5bdabb811ebce26491

SHA256
7ccd1735380e511b9df5d3c9b2a8850f08c217eed3506145e11876574f503d98

SHA512
fbd2d47ac58b6d0735ab07d8e98bc88e883c2db537cad695692efe0c071b49974da97a4251e875e1731e1f8d3bafe5a945b4de97ad49afcc97efb1fcd63db94f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk364979.exe

Filesize
341KB

MD5
cde559d5d45cb816f96317ee49f76af6

SHA1
f8e2b0537d718d73bf47de5bdabb811ebce26491

SHA256
7ccd1735380e511b9df5d3c9b2a8850f08c217eed3506145e11876574f503d98

SHA512
fbd2d47ac58b6d0735ab07d8e98bc88e883c2db537cad695692efe0c071b49974da97a4251e875e1731e1f8d3bafe5a945b4de97ad49afcc97efb1fcd63db94f

Download Submit
memory/1032-140-0x0000000000C00000-0x0000000000C35000-memory.dmp

Filesize
212KB

Download
memory/1032-142-0x0000000000C00000-0x0000000000C35000-memory.dmp

Filesize
212KB

Download
memory/1032-925-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/1032-922-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/1032-921-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/1032-161-0x0000000000C00000-0x0000000000C35000-memory.dmp

Filesize
212KB

Download
memory/1032-159-0x0000000000C00000-0x0000000000C35000-memory.dmp

Filesize
212KB

Download
memory/1032-157-0x0000000000C00000-0x0000000000C35000-memory.dmp

Filesize
212KB

Download
memory/1032-155-0x0000000000C00000-0x0000000000C35000-memory.dmp

Filesize
212KB

Download
memory/1032-153-0x0000000000C00000-0x0000000000C35000-memory.dmp

Filesize
212KB

Download
memory/1032-146-0x0000000000C00000-0x0000000000C35000-memory.dmp

Filesize
212KB

Download
memory/1032-150-0x0000000000C00000-0x0000000000C35000-memory.dmp

Filesize
212KB

Download
memory/1032-151-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/1032-149-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/1032-147-0x0000000000240000-0x0000000000286000-memory.dmp

Filesize
280KB

Download
memory/1032-144-0x0000000000C00000-0x0000000000C35000-memory.dmp

Filesize
212KB

Download
memory/1032-138-0x0000000000C00000-0x0000000000C35000-memory.dmp

Filesize
212KB

Download
memory/1032-136-0x0000000000C00000-0x0000000000C35000-memory.dmp

Filesize
212KB

Download
memory/1032-134-0x0000000000C00000-0x0000000000C35000-memory.dmp

Filesize
212KB

Download
memory/1032-132-0x0000000000C00000-0x0000000000C35000-memory.dmp

Filesize
212KB

Download
memory/1032-130-0x0000000000C00000-0x0000000000C35000-memory.dmp

Filesize
212KB

Download
memory/1032-128-0x0000000000C00000-0x0000000000C35000-memory.dmp

Filesize
212KB

Download
memory/1032-123-0x0000000000770000-0x00000000007AC000-memory.dmp

Filesize
240KB

Download
memory/1032-124-0x0000000000C00000-0x0000000000C3A000-memory.dmp

Filesize
232KB

Download
memory/1032-125-0x0000000000C00000-0x0000000000C35000-memory.dmp

Filesize
212KB

Download
memory/1032-126-0x0000000000C00000-0x0000000000C35000-memory.dmp

Filesize
212KB

Download
memory/1704-108-0x00000000002E0000-0x000000000030D000-memory.dmp

Filesize
180KB

Download
memory/1704-81-0x0000000001F80000-0x0000000001F93000-memory.dmp

Filesize
76KB

Download
memory/1704-109-0x0000000002060000-0x00000000020A0000-memory.dmp

Filesize
256KB

Download
memory/1704-83-0x0000000001F80000-0x0000000001F93000-memory.dmp

Filesize
76KB

Download
memory/1704-85-0x0000000001F80000-0x0000000001F93000-memory.dmp

Filesize
76KB

Download
memory/1704-87-0x0000000001F80000-0x0000000001F93000-memory.dmp

Filesize
76KB

Download
memory/1704-78-0x0000000000B10000-0x0000000000B2A000-memory.dmp

Filesize
104KB

Download
memory/1704-112-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1704-110-0x0000000002060000-0x00000000020A0000-memory.dmp

Filesize
256KB

Download
memory/1704-111-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1704-91-0x0000000001F80000-0x0000000001F93000-memory.dmp

Filesize
76KB

Download
memory/1704-80-0x0000000001F80000-0x0000000001F93000-memory.dmp

Filesize
76KB

Download
memory/1704-89-0x0000000001F80000-0x0000000001F93000-memory.dmp

Filesize
76KB

Download
memory/1704-107-0x0000000001F80000-0x0000000001F93000-memory.dmp

Filesize
76KB

Download
memory/1704-105-0x0000000001F80000-0x0000000001F93000-memory.dmp

Filesize
76KB

Download
memory/1704-103-0x0000000001F80000-0x0000000001F93000-memory.dmp

Filesize
76KB

Download
memory/1704-101-0x0000000001F80000-0x0000000001F93000-memory.dmp

Filesize
76KB

Download
memory/1704-99-0x0000000001F80000-0x0000000001F93000-memory.dmp

Filesize
76KB

Download
memory/1704-97-0x0000000001F80000-0x0000000001F93000-memory.dmp

Filesize
76KB

Download
memory/1704-95-0x0000000001F80000-0x0000000001F93000-memory.dmp

Filesize
76KB

Download
memory/1704-93-0x0000000001F80000-0x0000000001F93000-memory.dmp

Filesize
76KB

Download
memory/1704-79-0x0000000001F80000-0x0000000001F98000-memory.dmp

Filesize
96KB

Download