f10a09568a87e6c91c1c07cf7eb5b87aaf469aa7d0d3ddefe5a3a01b12308f2d

Analysis

max time kernel
148s
max time network
32s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01/05/2023, 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f10a09568a87e6c91c1c07cf7eb5b87aaf469aa7d0d3ddefe5a3a01b12308f2d.exe
Size

746KB
MD5

4b53634946708eb662a8a377edac685d
SHA1

c97e4612369703bd8b807628582c3451601e05cf
SHA256

f10a09568a87e6c91c1c07cf7eb5b87aaf469aa7d0d3ddefe5a3a01b12308f2d
SHA512

9ae1551fe7162c26b2dddc36e04ba69f8246ea011d7c328a2dbd292a194f9a978d4090cf66c2edcead525c59a195ac333bcdcacc085a01ef59c66bdbdb90d61d
SSDEEP

12288:Ny90HFiljGXWvJFKxRUHo9kQ68pGEvrr9axBtAosAr0wp+xcxxtqd:NyKdmGxKI9k1BQrkJAoGxcXkd

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	19686149.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	19686149.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	19686149.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	19686149.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	19686149.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	19686149.exe

Executes dropped EXE 3 IoCs

pid	Process
2024	un939618.exe
1984	19686149.exe
1020	rk594735.exe

Loads dropped DLL 8 IoCs

pid	Process
1228	f10a09568a87e6c91c1c07cf7eb5b87aaf469aa7d0d3ddefe5a3a01b12308f2d.exe
2024	un939618.exe
2024	un939618.exe
2024	un939618.exe
1984	19686149.exe
2024	un939618.exe
2024	un939618.exe
1020	rk594735.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	19686149.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	19686149.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f10a09568a87e6c91c1c07cf7eb5b87aaf469aa7d0d3ddefe5a3a01b12308f2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f10a09568a87e6c91c1c07cf7eb5b87aaf469aa7d0d3ddefe5a3a01b12308f2d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un939618.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un939618.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1984	19686149.exe
1984	19686149.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	19686149.exe
Token: SeDebugPrivilege	1020	rk594735.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 2024	1228	f10a09568a87e6c91c1c07cf7eb5b87aaf469aa7d0d3ddefe5a3a01b12308f2d.exe	27
PID 1228 wrote to memory of 2024	1228	f10a09568a87e6c91c1c07cf7eb5b87aaf469aa7d0d3ddefe5a3a01b12308f2d.exe	27
PID 1228 wrote to memory of 2024	1228	f10a09568a87e6c91c1c07cf7eb5b87aaf469aa7d0d3ddefe5a3a01b12308f2d.exe	27
PID 1228 wrote to memory of 2024	1228	f10a09568a87e6c91c1c07cf7eb5b87aaf469aa7d0d3ddefe5a3a01b12308f2d.exe	27
PID 1228 wrote to memory of 2024	1228	f10a09568a87e6c91c1c07cf7eb5b87aaf469aa7d0d3ddefe5a3a01b12308f2d.exe	27
PID 1228 wrote to memory of 2024	1228	f10a09568a87e6c91c1c07cf7eb5b87aaf469aa7d0d3ddefe5a3a01b12308f2d.exe	27
PID 1228 wrote to memory of 2024	1228	f10a09568a87e6c91c1c07cf7eb5b87aaf469aa7d0d3ddefe5a3a01b12308f2d.exe	27
PID 2024 wrote to memory of 1984	2024	un939618.exe	28
PID 2024 wrote to memory of 1984	2024	un939618.exe	28
PID 2024 wrote to memory of 1984	2024	un939618.exe	28
PID 2024 wrote to memory of 1984	2024	un939618.exe	28
PID 2024 wrote to memory of 1984	2024	un939618.exe	28
PID 2024 wrote to memory of 1984	2024	un939618.exe	28
PID 2024 wrote to memory of 1984	2024	un939618.exe	28
PID 2024 wrote to memory of 1020	2024	un939618.exe	29
PID 2024 wrote to memory of 1020	2024	un939618.exe	29
PID 2024 wrote to memory of 1020	2024	un939618.exe	29
PID 2024 wrote to memory of 1020	2024	un939618.exe	29
PID 2024 wrote to memory of 1020	2024	un939618.exe	29
PID 2024 wrote to memory of 1020	2024	un939618.exe	29
PID 2024 wrote to memory of 1020	2024	un939618.exe	29

C:\Users\Admin\AppData\Local\Temp\f10a09568a87e6c91c1c07cf7eb5b87aaf469aa7d0d3ddefe5a3a01b12308f2d.exe
"C:\Users\Admin\AppData\Local\Temp\f10a09568a87e6c91c1c07cf7eb5b87aaf469aa7d0d3ddefe5a3a01b12308f2d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un939618.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un939618.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\19686149.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\19686149.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1984
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk594735.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk594735.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un939618.exe

Filesize
592KB

MD5
78dce45a13b995d3396c59fcae5f8d92

SHA1
dbd6d450c367c5af9de2a0f5342543934a36a48f

SHA256
9b5316a729befe990929e5f3f99888d1f4da18ad1b0e838f4d98fd1fc8bb128d

SHA512
a4fabab12d874698d0682cadd678aaae9c81fad33961b5b96909c5feb8877a10a47053c99f287497a813b49bc9a076ac0d0bad9b6277853f6c50576f2979ef58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un939618.exe

Filesize
592KB

MD5
78dce45a13b995d3396c59fcae5f8d92

SHA1
dbd6d450c367c5af9de2a0f5342543934a36a48f

SHA256
9b5316a729befe990929e5f3f99888d1f4da18ad1b0e838f4d98fd1fc8bb128d

SHA512
a4fabab12d874698d0682cadd678aaae9c81fad33961b5b96909c5feb8877a10a47053c99f287497a813b49bc9a076ac0d0bad9b6277853f6c50576f2979ef58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\19686149.exe

Filesize
376KB

MD5
88cc799dde137f8a38384a7f16986cb3

SHA1
fd40003a2332d5bdb7fff153f460588d1d9510a3

SHA256
5a0f5eff9ef6498c770de66d503d94242679327547e43cb425fba161dac0b24e

SHA512
95e0c1f2543f9d6074dd90ceae0af88fe05f1ae5ccb3a6838e785cdf387bc0a1d4711b63dd7dcad34b8518860d9ad5b7fc6b2bfa84b567ed3eba9ded3715b5ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\19686149.exe

Filesize
376KB

MD5
88cc799dde137f8a38384a7f16986cb3

SHA1
fd40003a2332d5bdb7fff153f460588d1d9510a3

SHA256
5a0f5eff9ef6498c770de66d503d94242679327547e43cb425fba161dac0b24e

SHA512
95e0c1f2543f9d6074dd90ceae0af88fe05f1ae5ccb3a6838e785cdf387bc0a1d4711b63dd7dcad34b8518860d9ad5b7fc6b2bfa84b567ed3eba9ded3715b5ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\19686149.exe

Filesize
376KB

MD5
88cc799dde137f8a38384a7f16986cb3

SHA1
fd40003a2332d5bdb7fff153f460588d1d9510a3

SHA256
5a0f5eff9ef6498c770de66d503d94242679327547e43cb425fba161dac0b24e

SHA512
95e0c1f2543f9d6074dd90ceae0af88fe05f1ae5ccb3a6838e785cdf387bc0a1d4711b63dd7dcad34b8518860d9ad5b7fc6b2bfa84b567ed3eba9ded3715b5ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk594735.exe

Filesize
459KB

MD5
409ebf79e8d48ecbbd4ab87c02041674

SHA1
2b8d5d7983962686b61a9156e25f981025184822

SHA256
14f5093881bee4fb4db02f9cd592197bb3da68b1349c65e2b5296acedb3c0533

SHA512
5b2207a240a78c9bf77cc9dc80a7d69d0c46bf68304da904ef7ebf120d67d263951c3394ddd080d4dda5f7047b20abf44ea1112814afdea9aeadd96eaa455d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk594735.exe

Filesize
459KB

MD5
409ebf79e8d48ecbbd4ab87c02041674

SHA1
2b8d5d7983962686b61a9156e25f981025184822

SHA256
14f5093881bee4fb4db02f9cd592197bb3da68b1349c65e2b5296acedb3c0533

SHA512
5b2207a240a78c9bf77cc9dc80a7d69d0c46bf68304da904ef7ebf120d67d263951c3394ddd080d4dda5f7047b20abf44ea1112814afdea9aeadd96eaa455d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk594735.exe

Filesize
459KB

MD5
409ebf79e8d48ecbbd4ab87c02041674

SHA1
2b8d5d7983962686b61a9156e25f981025184822

SHA256
14f5093881bee4fb4db02f9cd592197bb3da68b1349c65e2b5296acedb3c0533

SHA512
5b2207a240a78c9bf77cc9dc80a7d69d0c46bf68304da904ef7ebf120d67d263951c3394ddd080d4dda5f7047b20abf44ea1112814afdea9aeadd96eaa455d29

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un939618.exe

Filesize
592KB

MD5
78dce45a13b995d3396c59fcae5f8d92

SHA1
dbd6d450c367c5af9de2a0f5342543934a36a48f

SHA256
9b5316a729befe990929e5f3f99888d1f4da18ad1b0e838f4d98fd1fc8bb128d

SHA512
a4fabab12d874698d0682cadd678aaae9c81fad33961b5b96909c5feb8877a10a47053c99f287497a813b49bc9a076ac0d0bad9b6277853f6c50576f2979ef58

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un939618.exe

Filesize
592KB

MD5
78dce45a13b995d3396c59fcae5f8d92

SHA1
dbd6d450c367c5af9de2a0f5342543934a36a48f

SHA256
9b5316a729befe990929e5f3f99888d1f4da18ad1b0e838f4d98fd1fc8bb128d

SHA512
a4fabab12d874698d0682cadd678aaae9c81fad33961b5b96909c5feb8877a10a47053c99f287497a813b49bc9a076ac0d0bad9b6277853f6c50576f2979ef58

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\19686149.exe

Filesize
376KB

MD5
88cc799dde137f8a38384a7f16986cb3

SHA1
fd40003a2332d5bdb7fff153f460588d1d9510a3

SHA256
5a0f5eff9ef6498c770de66d503d94242679327547e43cb425fba161dac0b24e

SHA512
95e0c1f2543f9d6074dd90ceae0af88fe05f1ae5ccb3a6838e785cdf387bc0a1d4711b63dd7dcad34b8518860d9ad5b7fc6b2bfa84b567ed3eba9ded3715b5ff

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\19686149.exe

Filesize
376KB

MD5
88cc799dde137f8a38384a7f16986cb3

SHA1
fd40003a2332d5bdb7fff153f460588d1d9510a3

SHA256
5a0f5eff9ef6498c770de66d503d94242679327547e43cb425fba161dac0b24e

SHA512
95e0c1f2543f9d6074dd90ceae0af88fe05f1ae5ccb3a6838e785cdf387bc0a1d4711b63dd7dcad34b8518860d9ad5b7fc6b2bfa84b567ed3eba9ded3715b5ff

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\19686149.exe

Filesize
376KB

MD5
88cc799dde137f8a38384a7f16986cb3

SHA1
fd40003a2332d5bdb7fff153f460588d1d9510a3

SHA256
5a0f5eff9ef6498c770de66d503d94242679327547e43cb425fba161dac0b24e

SHA512
95e0c1f2543f9d6074dd90ceae0af88fe05f1ae5ccb3a6838e785cdf387bc0a1d4711b63dd7dcad34b8518860d9ad5b7fc6b2bfa84b567ed3eba9ded3715b5ff

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk594735.exe

Filesize
459KB

MD5
409ebf79e8d48ecbbd4ab87c02041674

SHA1
2b8d5d7983962686b61a9156e25f981025184822

SHA256
14f5093881bee4fb4db02f9cd592197bb3da68b1349c65e2b5296acedb3c0533

SHA512
5b2207a240a78c9bf77cc9dc80a7d69d0c46bf68304da904ef7ebf120d67d263951c3394ddd080d4dda5f7047b20abf44ea1112814afdea9aeadd96eaa455d29

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk594735.exe

Filesize
459KB

MD5
409ebf79e8d48ecbbd4ab87c02041674

SHA1
2b8d5d7983962686b61a9156e25f981025184822

SHA256
14f5093881bee4fb4db02f9cd592197bb3da68b1349c65e2b5296acedb3c0533

SHA512
5b2207a240a78c9bf77cc9dc80a7d69d0c46bf68304da904ef7ebf120d67d263951c3394ddd080d4dda5f7047b20abf44ea1112814afdea9aeadd96eaa455d29

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk594735.exe

Filesize
459KB

MD5
409ebf79e8d48ecbbd4ab87c02041674

SHA1
2b8d5d7983962686b61a9156e25f981025184822

SHA256
14f5093881bee4fb4db02f9cd592197bb3da68b1349c65e2b5296acedb3c0533

SHA512
5b2207a240a78c9bf77cc9dc80a7d69d0c46bf68304da904ef7ebf120d67d263951c3394ddd080d4dda5f7047b20abf44ea1112814afdea9aeadd96eaa455d29

Download Submit
memory/1020-150-0x0000000002570000-0x00000000025A5000-memory.dmp

Filesize
212KB

Download
memory/1020-132-0x0000000002570000-0x00000000025A5000-memory.dmp

Filesize
212KB

Download
memory/1020-154-0x0000000002570000-0x00000000025A5000-memory.dmp

Filesize
212KB

Download
memory/1020-152-0x0000000002570000-0x00000000025A5000-memory.dmp

Filesize
212KB

Download
memory/1020-126-0x0000000002570000-0x00000000025A5000-memory.dmp

Filesize
212KB

Download
memory/1020-148-0x0000000002570000-0x00000000025A5000-memory.dmp

Filesize
212KB

Download
memory/1020-146-0x0000000002570000-0x00000000025A5000-memory.dmp

Filesize
212KB

Download
memory/1020-144-0x0000000002570000-0x00000000025A5000-memory.dmp

Filesize
212KB

Download
memory/1020-142-0x0000000002570000-0x00000000025A5000-memory.dmp

Filesize
212KB

Download
memory/1020-140-0x0000000002570000-0x00000000025A5000-memory.dmp

Filesize
212KB

Download
memory/1020-138-0x0000000002570000-0x00000000025A5000-memory.dmp

Filesize
212KB

Download
memory/1020-136-0x0000000002570000-0x00000000025A5000-memory.dmp

Filesize
212KB

Download
memory/1020-134-0x0000000002570000-0x00000000025A5000-memory.dmp

Filesize
212KB

Download
memory/1020-156-0x0000000002570000-0x00000000025A5000-memory.dmp

Filesize
212KB

Download
memory/1020-130-0x0000000002570000-0x00000000025A5000-memory.dmp

Filesize
212KB

Download
memory/1020-128-0x0000000002570000-0x00000000025A5000-memory.dmp

Filesize
212KB

Download
memory/1020-158-0x0000000002570000-0x00000000025A5000-memory.dmp

Filesize
212KB

Download
memory/1020-656-0x0000000000320000-0x0000000000366000-memory.dmp

Filesize
280KB

Download
memory/1020-658-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

Filesize
256KB

Download
memory/1020-660-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

Filesize
256KB

Download
memory/1020-664-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

Filesize
256KB

Download
memory/1020-665-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

Filesize
256KB

Download
memory/1020-123-0x0000000002530000-0x000000000256C000-memory.dmp

Filesize
240KB

Download
memory/1020-124-0x0000000002570000-0x00000000025AA000-memory.dmp

Filesize
232KB

Download
memory/1020-125-0x0000000002570000-0x00000000025A5000-memory.dmp

Filesize
212KB

Download
memory/1984-85-0x00000000008C0000-0x00000000008D2000-memory.dmp

Filesize
72KB

Download
memory/1984-112-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1984-111-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1984-108-0x0000000000260000-0x000000000028D000-memory.dmp

Filesize
180KB

Download
memory/1984-110-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download
memory/1984-109-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download
memory/1984-107-0x00000000008C0000-0x00000000008D2000-memory.dmp

Filesize
72KB

Download
memory/1984-105-0x00000000008C0000-0x00000000008D2000-memory.dmp

Filesize
72KB

Download
memory/1984-103-0x00000000008C0000-0x00000000008D2000-memory.dmp

Filesize
72KB

Download
memory/1984-101-0x00000000008C0000-0x00000000008D2000-memory.dmp

Filesize
72KB

Download
memory/1984-99-0x00000000008C0000-0x00000000008D2000-memory.dmp

Filesize
72KB

Download
memory/1984-97-0x00000000008C0000-0x00000000008D2000-memory.dmp

Filesize
72KB

Download
memory/1984-95-0x00000000008C0000-0x00000000008D2000-memory.dmp

Filesize
72KB

Download
memory/1984-93-0x00000000008C0000-0x00000000008D2000-memory.dmp

Filesize
72KB

Download
memory/1984-91-0x00000000008C0000-0x00000000008D2000-memory.dmp

Filesize
72KB

Download
memory/1984-89-0x00000000008C0000-0x00000000008D2000-memory.dmp

Filesize
72KB

Download
memory/1984-87-0x00000000008C0000-0x00000000008D2000-memory.dmp

Filesize
72KB

Download
memory/1984-83-0x00000000008C0000-0x00000000008D2000-memory.dmp

Filesize
72KB

Download
memory/1984-81-0x00000000008C0000-0x00000000008D2000-memory.dmp

Filesize
72KB

Download
memory/1984-80-0x00000000008C0000-0x00000000008D2000-memory.dmp

Filesize
72KB

Download
memory/1984-79-0x00000000008C0000-0x00000000008D8000-memory.dmp

Filesize
96KB

Download
memory/1984-78-0x0000000000850000-0x000000000086A000-memory.dmp

Filesize
104KB

Download