03f70b0907e5d671bb40b2096bb6aee5d0d794a6a8cb92e239175f713f8f478e

General

Target

03f70b0907e5d671bb40b2096bb6aee5d0d794a6a8cb92e239175f713f8f478e.exe
Size

479KB
MD5

373319478f432e1550549a02618fcb4a
SHA1

cbb24d60ff3e10b4cd12dba0bb9ba0df7b9171d3
SHA256

03f70b0907e5d671bb40b2096bb6aee5d0d794a6a8cb92e239175f713f8f478e
SHA512

cf761d8164741131ee5e78b6070eee2ed5a28fecd19b689df7299b3d65cdd71bd6dc4fae13cd2cc2769c5ebba5eff171b387e753ec303a44b46c63ab8470f7cb
SSDEEP

12288:+MrLy90NwpU7geIVsyC4faWISGYKi6wmuLT:FykqUBIVs/HSG06m

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0536996.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0536996.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a0536996.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0536996.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0536996.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0536996.exe

Executes dropped EXE 3 IoCs

pid	Process
876	v5857293.exe
956	a0536996.exe
3808	b9367941.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a0536996.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0536996.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	03f70b0907e5d671bb40b2096bb6aee5d0d794a6a8cb92e239175f713f8f478e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	03f70b0907e5d671bb40b2096bb6aee5d0d794a6a8cb92e239175f713f8f478e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5857293.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5857293.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
956	a0536996.exe
956	a0536996.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	956	a0536996.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 876	4264	03f70b0907e5d671bb40b2096bb6aee5d0d794a6a8cb92e239175f713f8f478e.exe	79
PID 4264 wrote to memory of 876	4264	03f70b0907e5d671bb40b2096bb6aee5d0d794a6a8cb92e239175f713f8f478e.exe	79
PID 4264 wrote to memory of 876	4264	03f70b0907e5d671bb40b2096bb6aee5d0d794a6a8cb92e239175f713f8f478e.exe	79
PID 876 wrote to memory of 956	876	v5857293.exe	80
PID 876 wrote to memory of 956	876	v5857293.exe	80
PID 876 wrote to memory of 956	876	v5857293.exe	80
PID 876 wrote to memory of 3808	876	v5857293.exe	84
PID 876 wrote to memory of 3808	876	v5857293.exe	84
PID 876 wrote to memory of 3808	876	v5857293.exe	84

C:\Users\Admin\AppData\Local\Temp\03f70b0907e5d671bb40b2096bb6aee5d0d794a6a8cb92e239175f713f8f478e.exe
"C:\Users\Admin\AppData\Local\Temp\03f70b0907e5d671bb40b2096bb6aee5d0d794a6a8cb92e239175f713f8f478e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5857293.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5857293.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0536996.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0536996.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:956
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9367941.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9367941.exe
    3⤵
    - Executes dropped EXE
    PID:3808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5857293.exe

Filesize
307KB

MD5
dbe76f681c9b5fecfd2a4221bb017fc6

SHA1
b7f5d5432437657e59dadb8021849cb744ebb739

SHA256
67eb32137b0a9925c3fb712f6492f427ca4e7e4bd38a7f6c095138ae9220d602

SHA512
999686efdbe441202018d8df34f15d736709cda850d6b7f51b1b6ef2a08ad2efb6dc162d356b525e7aef022819d2d7172bc2bca6f325923d9ef9244c6ff73a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5857293.exe

Filesize
307KB

MD5
dbe76f681c9b5fecfd2a4221bb017fc6

SHA1
b7f5d5432437657e59dadb8021849cb744ebb739

SHA256
67eb32137b0a9925c3fb712f6492f427ca4e7e4bd38a7f6c095138ae9220d602

SHA512
999686efdbe441202018d8df34f15d736709cda850d6b7f51b1b6ef2a08ad2efb6dc162d356b525e7aef022819d2d7172bc2bca6f325923d9ef9244c6ff73a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0536996.exe

Filesize
175KB

MD5
04d46e76b7300bc2cb90ba2400eff340

SHA1
d50289619481863b9d1b4de3ab2b18578fd9a6d0

SHA256
3edff7af9a3d8ff6e44016a4ba491f0876e28dcbd778442fa50cf396cdf24c23

SHA512
59a82cb13b75a8272ccdd640ef67f54aa12201b8f5090335de92e06e10e10b885595b160e046b9c5c1f1f99da81196f97b5a90ceaf7fb4788cf3af865c12fc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0536996.exe

Filesize
175KB

MD5
04d46e76b7300bc2cb90ba2400eff340

SHA1
d50289619481863b9d1b4de3ab2b18578fd9a6d0

SHA256
3edff7af9a3d8ff6e44016a4ba491f0876e28dcbd778442fa50cf396cdf24c23

SHA512
59a82cb13b75a8272ccdd640ef67f54aa12201b8f5090335de92e06e10e10b885595b160e046b9c5c1f1f99da81196f97b5a90ceaf7fb4788cf3af865c12fc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9367941.exe

Filesize
136KB

MD5
4dba42f4adba23026fc7ee8107761fc7

SHA1
7083f2034e01f10990efe76facd4e3126cc2a6ba

SHA256
bdbd338b78ad4ff207768718cb34c0045c50366b3804d5d67fd18fc5b604cf6b

SHA512
8084bf8d30af8a5f93852b02a31acb54bcafc935e9e96e6a73dcba732ad3ddb478e4589e8d920435c1e1bf7ce09e37b9e5136185d665b6744856caa2e59bab92

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9367941.exe

Filesize
136KB

MD5
4dba42f4adba23026fc7ee8107761fc7

SHA1
7083f2034e01f10990efe76facd4e3126cc2a6ba

SHA256
bdbd338b78ad4ff207768718cb34c0045c50366b3804d5d67fd18fc5b604cf6b

SHA512
8084bf8d30af8a5f93852b02a31acb54bcafc935e9e96e6a73dcba732ad3ddb478e4589e8d920435c1e1bf7ce09e37b9e5136185d665b6744856caa2e59bab92

Download Submit
memory/956-169-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/956-177-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/956-153-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/956-155-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/956-157-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/956-159-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/956-161-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/956-163-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/956-165-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/956-167-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/956-148-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/956-171-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/956-173-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/956-175-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/956-176-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/956-151-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/956-178-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/956-179-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/956-180-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/956-181-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/956-149-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/956-147-0x0000000004AB0000-0x0000000005054000-memory.dmp

Filesize
5.6MB

Download
memory/3808-186-0x0000000000C90000-0x0000000000CB8000-memory.dmp

Filesize
160KB

Download
memory/3808-187-0x0000000007F90000-0x00000000085A8000-memory.dmp

Filesize
6.1MB

Download
memory/3808-188-0x00000000079C0000-0x00000000079D2000-memory.dmp

Filesize
72KB

Download
memory/3808-189-0x0000000007AF0000-0x0000000007BFA000-memory.dmp

Filesize
1.0MB

Download
memory/3808-190-0x0000000007A20000-0x0000000007A5C000-memory.dmp

Filesize
240KB

Download
memory/3808-191-0x0000000007D70000-0x0000000007D80000-memory.dmp

Filesize
64KB

Download
memory/3808-192-0x0000000007D70000-0x0000000007D80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads