ec7a686159e289f0f98ee03e0b7f49848db08c10b2d4e73cf49f167edd05bb55

Analysis

max time kernel
150s
max time network
162s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01/05/2023, 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec7a686159e289f0f98ee03e0b7f49848db08c10b2d4e73cf49f167edd05bb55.exe
Size

611KB
MD5

39665c91d56245f43c44b64788d3c57f
SHA1

40ee81a54cb9e8ae01d74b53057709034c74ffb4
SHA256

ec7a686159e289f0f98ee03e0b7f49848db08c10b2d4e73cf49f167edd05bb55
SHA512

02f518caac544593b28d92e06148e034c6ffe8a4f4e51fe8777959b230b5286197837264c3de7a1f32c30d2ae36ff58a55de40c489184b948f2aa19249348c61
SSDEEP

12288:5y90iSJLlM0i7GusQwOmDFwq2s059ZCRzlG:5yZStlDiKypmDCC059oZ0

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	91141793.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	91141793.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	91141793.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	91141793.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	91141793.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	91141793.exe

Executes dropped EXE 3 IoCs

pid	Process
1560	st365479.exe
764	91141793.exe
984	kp522292.exe

Loads dropped DLL 6 IoCs

pid	Process
2008	ec7a686159e289f0f98ee03e0b7f49848db08c10b2d4e73cf49f167edd05bb55.exe
1560	st365479.exe
1560	st365479.exe
1560	st365479.exe
1560	st365479.exe
984	kp522292.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	91141793.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	91141793.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ec7a686159e289f0f98ee03e0b7f49848db08c10b2d4e73cf49f167edd05bb55.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	st365479.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st365479.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ec7a686159e289f0f98ee03e0b7f49848db08c10b2d4e73cf49f167edd05bb55.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
764	91141793.exe
764	91141793.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	764	91141793.exe
Token: SeDebugPrivilege	984	kp522292.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1560	2008	ec7a686159e289f0f98ee03e0b7f49848db08c10b2d4e73cf49f167edd05bb55.exe	27
PID 2008 wrote to memory of 1560	2008	ec7a686159e289f0f98ee03e0b7f49848db08c10b2d4e73cf49f167edd05bb55.exe	27
PID 2008 wrote to memory of 1560	2008	ec7a686159e289f0f98ee03e0b7f49848db08c10b2d4e73cf49f167edd05bb55.exe	27
PID 2008 wrote to memory of 1560	2008	ec7a686159e289f0f98ee03e0b7f49848db08c10b2d4e73cf49f167edd05bb55.exe	27
PID 2008 wrote to memory of 1560	2008	ec7a686159e289f0f98ee03e0b7f49848db08c10b2d4e73cf49f167edd05bb55.exe	27
PID 2008 wrote to memory of 1560	2008	ec7a686159e289f0f98ee03e0b7f49848db08c10b2d4e73cf49f167edd05bb55.exe	27
PID 2008 wrote to memory of 1560	2008	ec7a686159e289f0f98ee03e0b7f49848db08c10b2d4e73cf49f167edd05bb55.exe	27
PID 1560 wrote to memory of 764	1560	st365479.exe	28
PID 1560 wrote to memory of 764	1560	st365479.exe	28
PID 1560 wrote to memory of 764	1560	st365479.exe	28
PID 1560 wrote to memory of 764	1560	st365479.exe	28
PID 1560 wrote to memory of 764	1560	st365479.exe	28
PID 1560 wrote to memory of 764	1560	st365479.exe	28
PID 1560 wrote to memory of 764	1560	st365479.exe	28
PID 1560 wrote to memory of 984	1560	st365479.exe	29
PID 1560 wrote to memory of 984	1560	st365479.exe	29
PID 1560 wrote to memory of 984	1560	st365479.exe	29
PID 1560 wrote to memory of 984	1560	st365479.exe	29
PID 1560 wrote to memory of 984	1560	st365479.exe	29
PID 1560 wrote to memory of 984	1560	st365479.exe	29
PID 1560 wrote to memory of 984	1560	st365479.exe	29

C:\Users\Admin\AppData\Local\Temp\ec7a686159e289f0f98ee03e0b7f49848db08c10b2d4e73cf49f167edd05bb55.exe
"C:\Users\Admin\AppData\Local\Temp\ec7a686159e289f0f98ee03e0b7f49848db08c10b2d4e73cf49f167edd05bb55.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st365479.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st365479.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\91141793.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\91141793.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:764
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp522292.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp522292.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st365479.exe

Filesize
458KB

MD5
bc717f08fbc555bf42c877d7d81c7122

SHA1
9fa765f7dc13f2e5921ff6b9b97ab98244f4f2b4

SHA256
3031d10bc3ef17b0c591b40861bc79752ed9c58727fe6a7a5602694cf9081fed

SHA512
176cbd582a2943070a4832a7918097bdede24633594812c2d409c8e221583d57658d052698f7072aa85e477240c6451c6517eb36974628dca2af3179bd166e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st365479.exe

Filesize
458KB

MD5
bc717f08fbc555bf42c877d7d81c7122

SHA1
9fa765f7dc13f2e5921ff6b9b97ab98244f4f2b4

SHA256
3031d10bc3ef17b0c591b40861bc79752ed9c58727fe6a7a5602694cf9081fed

SHA512
176cbd582a2943070a4832a7918097bdede24633594812c2d409c8e221583d57658d052698f7072aa85e477240c6451c6517eb36974628dca2af3179bd166e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\91141793.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\91141793.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp522292.exe

Filesize
459KB

MD5
ea76b7034912043effaab1a8c78dbaaf

SHA1
eea3818fdf6d5d21899e8f5f652a2195017888c0

SHA256
9ed2b2c022c41376ace4c0b975695028271ab772b34bda1cfca7f972a1df8673

SHA512
7869c9f54105ecc19ab4783e9cee56b66357cd0a78ecb16627bb0e9db684ffa7b6096711ee89a30a47601148de726e03a8331e083845d7f174fab134793bd555

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp522292.exe

Filesize
459KB

MD5
ea76b7034912043effaab1a8c78dbaaf

SHA1
eea3818fdf6d5d21899e8f5f652a2195017888c0

SHA256
9ed2b2c022c41376ace4c0b975695028271ab772b34bda1cfca7f972a1df8673

SHA512
7869c9f54105ecc19ab4783e9cee56b66357cd0a78ecb16627bb0e9db684ffa7b6096711ee89a30a47601148de726e03a8331e083845d7f174fab134793bd555

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp522292.exe

Filesize
459KB

MD5
ea76b7034912043effaab1a8c78dbaaf

SHA1
eea3818fdf6d5d21899e8f5f652a2195017888c0

SHA256
9ed2b2c022c41376ace4c0b975695028271ab772b34bda1cfca7f972a1df8673

SHA512
7869c9f54105ecc19ab4783e9cee56b66357cd0a78ecb16627bb0e9db684ffa7b6096711ee89a30a47601148de726e03a8331e083845d7f174fab134793bd555

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st365479.exe

Filesize
458KB

MD5
bc717f08fbc555bf42c877d7d81c7122

SHA1
9fa765f7dc13f2e5921ff6b9b97ab98244f4f2b4

SHA256
3031d10bc3ef17b0c591b40861bc79752ed9c58727fe6a7a5602694cf9081fed

SHA512
176cbd582a2943070a4832a7918097bdede24633594812c2d409c8e221583d57658d052698f7072aa85e477240c6451c6517eb36974628dca2af3179bd166e6b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st365479.exe

Filesize
458KB

MD5
bc717f08fbc555bf42c877d7d81c7122

SHA1
9fa765f7dc13f2e5921ff6b9b97ab98244f4f2b4

SHA256
3031d10bc3ef17b0c591b40861bc79752ed9c58727fe6a7a5602694cf9081fed

SHA512
176cbd582a2943070a4832a7918097bdede24633594812c2d409c8e221583d57658d052698f7072aa85e477240c6451c6517eb36974628dca2af3179bd166e6b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\91141793.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp522292.exe

Filesize
459KB

MD5
ea76b7034912043effaab1a8c78dbaaf

SHA1
eea3818fdf6d5d21899e8f5f652a2195017888c0

SHA256
9ed2b2c022c41376ace4c0b975695028271ab772b34bda1cfca7f972a1df8673

SHA512
7869c9f54105ecc19ab4783e9cee56b66357cd0a78ecb16627bb0e9db684ffa7b6096711ee89a30a47601148de726e03a8331e083845d7f174fab134793bd555

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp522292.exe

Filesize
459KB

MD5
ea76b7034912043effaab1a8c78dbaaf

SHA1
eea3818fdf6d5d21899e8f5f652a2195017888c0

SHA256
9ed2b2c022c41376ace4c0b975695028271ab772b34bda1cfca7f972a1df8673

SHA512
7869c9f54105ecc19ab4783e9cee56b66357cd0a78ecb16627bb0e9db684ffa7b6096711ee89a30a47601148de726e03a8331e083845d7f174fab134793bd555

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp522292.exe

Filesize
459KB

MD5
ea76b7034912043effaab1a8c78dbaaf

SHA1
eea3818fdf6d5d21899e8f5f652a2195017888c0

SHA256
9ed2b2c022c41376ace4c0b975695028271ab772b34bda1cfca7f972a1df8673

SHA512
7869c9f54105ecc19ab4783e9cee56b66357cd0a78ecb16627bb0e9db684ffa7b6096711ee89a30a47601148de726e03a8331e083845d7f174fab134793bd555

Download Submit
memory/764-72-0x0000000000E00000-0x0000000000E0A000-memory.dmp

Filesize
40KB

Download
memory/984-107-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-121-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-85-0x0000000002630000-0x000000000266A000-memory.dmp

Filesize
232KB

Download
memory/984-86-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-87-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-89-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-91-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-93-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-99-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-101-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-97-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-95-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-103-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-105-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-83-0x0000000000820000-0x0000000000866000-memory.dmp

Filesize
280KB

Download
memory/984-109-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-111-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-113-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-115-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-117-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-119-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-84-0x00000000025F0000-0x000000000262C000-memory.dmp

Filesize
240KB

Download
memory/984-125-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-127-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-123-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-129-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-131-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-133-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-136-0x0000000004EE0000-0x0000000004F20000-memory.dmp

Filesize
256KB

Download
memory/984-137-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-139-0x0000000004EE0000-0x0000000004F20000-memory.dmp

Filesize
256KB

Download
memory/984-135-0x0000000004EE0000-0x0000000004F20000-memory.dmp

Filesize
256KB

Download
memory/984-140-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-148-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-146-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-144-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-142-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-150-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-152-0x0000000002630000-0x0000000002665000-memory.dmp

Filesize
212KB

Download
memory/984-882-0x0000000004EE0000-0x0000000004F20000-memory.dmp

Filesize
256KB

Download
memory/984-883-0x0000000004EE0000-0x0000000004F20000-memory.dmp

Filesize
256KB

Download
memory/984-885-0x0000000004EE0000-0x0000000004F20000-memory.dmp

Filesize
256KB

Download