fe1bda894766117e7d0eff6440e6b7877eea2e2a40aafe7eb78192df051f6b98

Analysis

max time kernel
144s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01/05/2023, 19:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fe1bda894766117e7d0eff6440e6b7877eea2e2a40aafe7eb78192df051f6b98.exe
Size

618KB
MD5

4297ee91095d298c8fd455310b4e2ffe
SHA1

f662635fa59059f1e86d89559f5317305ec6d447
SHA256

fe1bda894766117e7d0eff6440e6b7877eea2e2a40aafe7eb78192df051f6b98
SHA512

4251a5857bc7ad17a29ada1d0670323c93c35d195f5bfb4dc292e52e2fcdd2c93430b04603bdec43c4e51ff8f6aae93501bc407879310cd49fca1a0be9eaaa4c
SSDEEP

12288:6y90B+HW8QRnTd6230sFmc2nbgxdy2YWSJKQuQ7CDESkc3:6y+8QZA2bmp+A2Or7CDElc3

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	70475011.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	70475011.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	70475011.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	70475011.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	70475011.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	70475011.exe

Executes dropped EXE 3 IoCs

pid	Process
1104	st037336.exe
1100	70475011.exe
1096	kp973787.exe

Loads dropped DLL 6 IoCs

pid	Process
1420	fe1bda894766117e7d0eff6440e6b7877eea2e2a40aafe7eb78192df051f6b98.exe
1104	st037336.exe
1104	st037336.exe
1104	st037336.exe
1104	st037336.exe
1096	kp973787.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	70475011.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	70475011.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fe1bda894766117e7d0eff6440e6b7877eea2e2a40aafe7eb78192df051f6b98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fe1bda894766117e7d0eff6440e6b7877eea2e2a40aafe7eb78192df051f6b98.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	st037336.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st037336.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1100	70475011.exe
1100	70475011.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1100	70475011.exe
Token: SeDebugPrivilege	1096	kp973787.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 1104	1420	fe1bda894766117e7d0eff6440e6b7877eea2e2a40aafe7eb78192df051f6b98.exe	28
PID 1420 wrote to memory of 1104	1420	fe1bda894766117e7d0eff6440e6b7877eea2e2a40aafe7eb78192df051f6b98.exe	28
PID 1420 wrote to memory of 1104	1420	fe1bda894766117e7d0eff6440e6b7877eea2e2a40aafe7eb78192df051f6b98.exe	28
PID 1420 wrote to memory of 1104	1420	fe1bda894766117e7d0eff6440e6b7877eea2e2a40aafe7eb78192df051f6b98.exe	28
PID 1420 wrote to memory of 1104	1420	fe1bda894766117e7d0eff6440e6b7877eea2e2a40aafe7eb78192df051f6b98.exe	28
PID 1420 wrote to memory of 1104	1420	fe1bda894766117e7d0eff6440e6b7877eea2e2a40aafe7eb78192df051f6b98.exe	28
PID 1420 wrote to memory of 1104	1420	fe1bda894766117e7d0eff6440e6b7877eea2e2a40aafe7eb78192df051f6b98.exe	28
PID 1104 wrote to memory of 1100	1104	st037336.exe	29
PID 1104 wrote to memory of 1100	1104	st037336.exe	29
PID 1104 wrote to memory of 1100	1104	st037336.exe	29
PID 1104 wrote to memory of 1100	1104	st037336.exe	29
PID 1104 wrote to memory of 1100	1104	st037336.exe	29
PID 1104 wrote to memory of 1100	1104	st037336.exe	29
PID 1104 wrote to memory of 1100	1104	st037336.exe	29
PID 1104 wrote to memory of 1096	1104	st037336.exe	30
PID 1104 wrote to memory of 1096	1104	st037336.exe	30
PID 1104 wrote to memory of 1096	1104	st037336.exe	30
PID 1104 wrote to memory of 1096	1104	st037336.exe	30
PID 1104 wrote to memory of 1096	1104	st037336.exe	30
PID 1104 wrote to memory of 1096	1104	st037336.exe	30
PID 1104 wrote to memory of 1096	1104	st037336.exe	30

C:\Users\Admin\AppData\Local\Temp\fe1bda894766117e7d0eff6440e6b7877eea2e2a40aafe7eb78192df051f6b98.exe
"C:\Users\Admin\AppData\Local\Temp\fe1bda894766117e7d0eff6440e6b7877eea2e2a40aafe7eb78192df051f6b98.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st037336.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st037336.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70475011.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70475011.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1100
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp973787.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp973787.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st037336.exe

Filesize
463KB

MD5
d3f08693aaa1a60f3679bce81da66488

SHA1
97b74f6a14f5a49054e3b58cdd0c2fe5c6fbb496

SHA256
f9b4c61ac11652339d45d45b94425e08f840f22c38f326d5c95e164201962bea

SHA512
d9c704a812d3a42438e3a94fd0db02586274d0ca7678b08d51f0042417a00a82fb542b26d4f1dec015099f7f10a2fc869545675bfb71915052815574a42f018a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st037336.exe

Filesize
463KB

MD5
d3f08693aaa1a60f3679bce81da66488

SHA1
97b74f6a14f5a49054e3b58cdd0c2fe5c6fbb496

SHA256
f9b4c61ac11652339d45d45b94425e08f840f22c38f326d5c95e164201962bea

SHA512
d9c704a812d3a42438e3a94fd0db02586274d0ca7678b08d51f0042417a00a82fb542b26d4f1dec015099f7f10a2fc869545675bfb71915052815574a42f018a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70475011.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\70475011.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp973787.exe

Filesize
473KB

MD5
204ebde1b44aa7359c506b3289536ab4

SHA1
e4a55056619f789096f6a9e76f8956a6dffd0aed

SHA256
a77417174ab89f21d89530b0c555d360a0831ef8261ed881921adb88eaa8c99f

SHA512
6de01a6070f3dfa8792dc1853cdc0c91d326cf61472f32a8fdde92009a6db38b9cdd694146b55a826c7a94aafd4a01a48a4b5b6cc6fba6f680f17a06e65f766c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp973787.exe

Filesize
473KB

MD5
204ebde1b44aa7359c506b3289536ab4

SHA1
e4a55056619f789096f6a9e76f8956a6dffd0aed

SHA256
a77417174ab89f21d89530b0c555d360a0831ef8261ed881921adb88eaa8c99f

SHA512
6de01a6070f3dfa8792dc1853cdc0c91d326cf61472f32a8fdde92009a6db38b9cdd694146b55a826c7a94aafd4a01a48a4b5b6cc6fba6f680f17a06e65f766c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp973787.exe

Filesize
473KB

MD5
204ebde1b44aa7359c506b3289536ab4

SHA1
e4a55056619f789096f6a9e76f8956a6dffd0aed

SHA256
a77417174ab89f21d89530b0c555d360a0831ef8261ed881921adb88eaa8c99f

SHA512
6de01a6070f3dfa8792dc1853cdc0c91d326cf61472f32a8fdde92009a6db38b9cdd694146b55a826c7a94aafd4a01a48a4b5b6cc6fba6f680f17a06e65f766c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st037336.exe

Filesize
463KB

MD5
d3f08693aaa1a60f3679bce81da66488

SHA1
97b74f6a14f5a49054e3b58cdd0c2fe5c6fbb496

SHA256
f9b4c61ac11652339d45d45b94425e08f840f22c38f326d5c95e164201962bea

SHA512
d9c704a812d3a42438e3a94fd0db02586274d0ca7678b08d51f0042417a00a82fb542b26d4f1dec015099f7f10a2fc869545675bfb71915052815574a42f018a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st037336.exe

Filesize
463KB

MD5
d3f08693aaa1a60f3679bce81da66488

SHA1
97b74f6a14f5a49054e3b58cdd0c2fe5c6fbb496

SHA256
f9b4c61ac11652339d45d45b94425e08f840f22c38f326d5c95e164201962bea

SHA512
d9c704a812d3a42438e3a94fd0db02586274d0ca7678b08d51f0042417a00a82fb542b26d4f1dec015099f7f10a2fc869545675bfb71915052815574a42f018a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\70475011.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp973787.exe

Filesize
473KB

MD5
204ebde1b44aa7359c506b3289536ab4

SHA1
e4a55056619f789096f6a9e76f8956a6dffd0aed

SHA256
a77417174ab89f21d89530b0c555d360a0831ef8261ed881921adb88eaa8c99f

SHA512
6de01a6070f3dfa8792dc1853cdc0c91d326cf61472f32a8fdde92009a6db38b9cdd694146b55a826c7a94aafd4a01a48a4b5b6cc6fba6f680f17a06e65f766c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp973787.exe

Filesize
473KB

MD5
204ebde1b44aa7359c506b3289536ab4

SHA1
e4a55056619f789096f6a9e76f8956a6dffd0aed

SHA256
a77417174ab89f21d89530b0c555d360a0831ef8261ed881921adb88eaa8c99f

SHA512
6de01a6070f3dfa8792dc1853cdc0c91d326cf61472f32a8fdde92009a6db38b9cdd694146b55a826c7a94aafd4a01a48a4b5b6cc6fba6f680f17a06e65f766c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp973787.exe

Filesize
473KB

MD5
204ebde1b44aa7359c506b3289536ab4

SHA1
e4a55056619f789096f6a9e76f8956a6dffd0aed

SHA256
a77417174ab89f21d89530b0c555d360a0831ef8261ed881921adb88eaa8c99f

SHA512
6de01a6070f3dfa8792dc1853cdc0c91d326cf61472f32a8fdde92009a6db38b9cdd694146b55a826c7a94aafd4a01a48a4b5b6cc6fba6f680f17a06e65f766c

Download Submit
memory/1096-87-0x0000000004E50000-0x0000000004E90000-memory.dmp

Filesize
256KB

Download
memory/1096-107-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/1096-84-0x0000000002440000-0x000000000247A000-memory.dmp

Filesize
232KB

Download
memory/1096-85-0x0000000000250000-0x0000000000296000-memory.dmp

Filesize
280KB

Download
memory/1096-86-0x0000000004E50000-0x0000000004E90000-memory.dmp

Filesize
256KB

Download
memory/1096-121-0x0000000000400000-0x000000000081B000-memory.dmp

Filesize
4.1MB

Download
memory/1096-89-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/1096-88-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/1096-91-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/1096-93-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/1096-95-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/1096-83-0x00000000022E0000-0x000000000231C000-memory.dmp

Filesize
240KB

Download
memory/1096-105-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/1096-103-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/1096-101-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/1096-99-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/1096-97-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/1096-119-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/1096-117-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/1096-115-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/1096-113-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/1096-111-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/1096-109-0x0000000002440000-0x0000000002475000-memory.dmp

Filesize
212KB

Download
memory/1100-72-0x0000000000DA0000-0x0000000000DAA000-memory.dmp

Filesize
40KB

Download