Analysis
max time kernel: 196s
max time network: 239s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
submitted: 01-05-2023 19:01
Static task: static1
Behavioral task: behavioral1
  Sample: ec4ad5e05b6838b2efca6f12f3cbc48ebf2a8522f54864e44e67c76b8f41dae5.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: ec4ad5e05b6838b2efca6f12f3cbc48ebf2a8522f54864e44e67c76b8f41dae5.exe
  Resource: win10v2004-20230221-en
General
Target: ec4ad5e05b6838b2efca6f12f3cbc48ebf2a8522f54864e44e67c76b8f41dae5.exe
Size: 726KB
MD5: 89305c6f96946fd7d6782af1d5c1c2cf
SHA1: 777ae6bdf79eceeb05a15edd0f9c90f1578e2773
SHA256: ec4ad5e05b6838b2efca6f12f3cbc48ebf2a8522f54864e44e67c76b8f41dae5
SHA512: 0b63f6d68aede42a3e44500224619887ad52f2437dd6b137bccfd8972b5669bd317465e3d6cdc002c2e0d5bb1a4e601335ad570ff5fdc7d06acabef7364c4aac
SSDEEP: 12288:Zy90+t3sbhBvU42bPdi3bZ2Mi/tKjzLM6HDrIXUQ1DwUEOSc7O:Zy7dSBvUbBsbZ2MYKjzLHHDr6UpU/fK
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | 14421980.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 14421980.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 14421980.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 14421980.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 14421980.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 14421980.exe
Executes dropped EXE 3 IoCs
pid | Process
544 | un675252.exe
1108 | 14421980.exe
1224 | rk441447.exe
Loads dropped DLL 8 IoCs
pid | Process
1688 | ec4ad5e05b6838b2efca6f12f3cbc48ebf2a8522f54864e44e67c76b8f41dae5.exe
544 | un675252.exe
544 | un675252.exe
544 | un675252.exe
1108 | 14421980.exe
544 | un675252.exe
544 | un675252.exe
1224 | rk441447.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | 14421980.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 14421980.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ec4ad5e05b6838b2efca6f12f3cbc48ebf2a8522f54864e44e67c76b8f41dae5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ec4ad5e05b6838b2efca6f12f3cbc48ebf2a8522f54864e44e67c76b8f41dae5.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un675252.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un675252.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1108 | 14421980.exe
1108 | 14421980.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1108 | 14421980.exe
Token: SeDebugPrivilege | 1224 | rk441447.exe
Suspicious use of WriteProcessMemory 21 IoCs
description | pid | Process | procid_target
PID 1688 wrote to memory of 544 | 1688 | ec4ad5e05b6838b2efca6f12f3cbc48ebf2a8522f54864e44e67c76b8f41dae5.exe | 27
PID 1688 wrote to memory of 544 | 1688 | ec4ad5e05b6838b2efca6f12f3cbc48ebf2a8522f54864e44e67c76b8f41dae5.exe | 27
PID 1688 wrote to memory of 544 | 1688 | ec4ad5e05b6838b2efca6f12f3cbc48ebf2a8522f54864e44e67c76b8f41dae5.exe | 27
PID 1688 wrote to memory of 544 | 1688 | ec4ad5e05b6838b2efca6f12f3cbc48ebf2a8522f54864e44e67c76b8f41dae5.exe | 27
PID 1688 wrote to memory of 544 | 1688 | ec4ad5e05b6838b2efca6f12f3cbc48ebf2a8522f54864e44e67c76b8f41dae5.exe | 27
PID 1688 wrote to memory of 544 | 1688 | ec4ad5e05b6838b2efca6f12f3cbc48ebf2a8522f54864e44e67c76b8f41dae5.exe | 27
PID 1688 wrote to memory of 544 | 1688 | ec4ad5e05b6838b2efca6f12f3cbc48ebf2a8522f54864e44e67c76b8f41dae5.exe | 27
PID 544 wrote to memory of 1108 | 544 | un675252.exe | 28
PID 544 wrote to memory of 1108 | 544 | un675252.exe | 28
PID 544 wrote to memory of 1108 | 544 | un675252.exe | 28
PID 544 wrote to memory of 1108 | 544 | un675252.exe | 28
PID 544 wrote to memory of 1108 | 544 | un675252.exe | 28
PID 544 wrote to memory of 1108 | 544 | un675252.exe | 28
PID 544 wrote to memory of 1108 | 544 | un675252.exe | 28
PID 544 wrote to memory of 1224 | 544 | un675252.exe | 29
PID 544 wrote to memory of 1224 | 544 | un675252.exe | 29
PID 544 wrote to memory of 1224 | 544 | un675252.exe | 29
PID 544 wrote to memory of 1224 | 544 | un675252.exe | 29
PID 544 wrote to memory of 1224 | 544 | un675252.exe | 29
PID 544 wrote to memory of 1224 | 544 | un675252.exe | 29
PID 544 wrote to memory of 1224 | 544 | un675252.exe | 29
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\ec4ad5e05b6838b2efca6f12f3cbc48ebf2a8522f54864e44e67c76b8f41dae5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ec4ad5e05b6838b2efca6f12f3cbc48ebf2a8522f54864e44e67c76b8f41dae5.exe"
  PID: 1688
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un675252.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un675252.exe
    PID: 544
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\14421980.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\14421980.exe
      PID: 1108
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    Depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk441447.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk441447.exe
      PID: 1224
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v6
Downloads