Analysis

  • max time kernel
    196s
  • max time network
    239s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-05-2023 19:01

General

  • Target

    ec4ad5e05b6838b2efca6f12f3cbc48ebf2a8522f54864e44e67c76b8f41dae5.exe

  • Size

    726KB

  • MD5

    89305c6f96946fd7d6782af1d5c1c2cf

  • SHA1

    777ae6bdf79eceeb05a15edd0f9c90f1578e2773

  • SHA256

    ec4ad5e05b6838b2efca6f12f3cbc48ebf2a8522f54864e44e67c76b8f41dae5

  • SHA512

    0b63f6d68aede42a3e44500224619887ad52f2437dd6b137bccfd8972b5669bd317465e3d6cdc002c2e0d5bb1a4e601335ad570ff5fdc7d06acabef7364c4aac

  • SSDEEP

    12288:Zy90+t3sbhBvU42bPdi3bZ2Mi/tKjzLM6HDrIXUQ1DwUEOSc7O:Zy7dSBvUbBsbZ2MYKjzLHHDr6UpU/fK

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec4ad5e05b6838b2efca6f12f3cbc48ebf2a8522f54864e44e67c76b8f41dae5.exe
    "C:\Users\Admin\AppData\Local\Temp\ec4ad5e05b6838b2efca6f12f3cbc48ebf2a8522f54864e44e67c76b8f41dae5.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un675252.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un675252.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:544
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\14421980.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\14421980.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1108
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk441447.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk441447.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:1224

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un675252.exe

    Filesize

    572KB

    MD5

    0591b053f8c4454da39ad2c1190171f8

    SHA1

    b8803e6a5f06344209df338a186818b69066c31a

    SHA256

    03590d57424953833a9b948bd6948b0f0566c195bd4f8e0e52a693c92ae12309

    SHA512

    a0826c033f37002c8280affc265064171796fe95925521326bc8226024dffcd69beb48bf5b4a00739342191ed0d119202388f6f556f9cbb2363d0da19e0a18f0

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\14421980.exe

    Filesize

    332KB

    MD5

    fb53da3ca3a5fe5fe6280859446e754d

    SHA1

    923cbe4f30f3ae13d1c98345b5041393bfc8d75b

    SHA256

    d0a2f2f42dc54273db5c47a307567e291d3fc379566bb637795aaf406c4e5b77

    SHA512

    17897c34a105399e3608be0e8e695f3c3f868f2ccfcaff530fc4cd87f9a36743311952cb791fe51147a2636ddb888a679647c2e36a44736173a2f8c4a22f3e35

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk441447.exe

    Filesize

    415KB

    MD5

    c30ffd6cfde8d59e52b4bf46ece4eca9

    SHA1

    9aa85083fbd0396b9797dc84095794c2c347c859

    SHA256

    971c612f1a3cb11348a36390dcdb9d3195ad6466d98d66393f24206b86dea400

    SHA512

    c6434bd0b7beb1f7dffd0e517903a1841c4ea3455113b01c029cf5192946d25b9ff115d9c5bf378db8ec6254e3f5b0c4a55befc45099180a472d01deea34e908
