7e0bd04d134d19f7a52d52b67d64d5123b5f8845a004e1d2a63cd580828bd644

General

Target

7e0bd04d134d19f7a52d52b67d64d5123b5f8845a004e1d2a63cd580828bd644.exe
Size

1.3MB
MD5

a2b7a1f87ca533a7b348f8240d54c0e9
SHA1

bb9dc4fdbf8892b2c7669bc95cf97e3e22694e20
SHA256

7e0bd04d134d19f7a52d52b67d64d5123b5f8845a004e1d2a63cd580828bd644
SHA512

37361eb9000b50a5f9637458bd401d4d0924c3a23fdc1bc9877fd31cccfb2b34db5f6fa11591fea9b936f1ef4b1277985d782567af73ae8490eb1f3637be46a1
SSDEEP

24576:QyCArgU9mIrkDQu+IkJq7tJyc7mDYBuK7J4zPnTFVrJ/iQ:XCAkbxC4ZJ6hK7wTFT

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	n4159844.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	n4159844.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	n4159844.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	n4159844.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	n4159844.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	n4159844.exe

Executes dropped EXE 4 IoCs

pid	Process
228	z6292979.exe
3828	z9301734.exe
3932	z3082283.exe
1948	n4159844.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	n4159844.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	n4159844.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z3082283.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7e0bd04d134d19f7a52d52b67d64d5123b5f8845a004e1d2a63cd580828bd644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7e0bd04d134d19f7a52d52b67d64d5123b5f8845a004e1d2a63cd580828bd644.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z6292979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6292979.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z9301734.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z9301734.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z3082283.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1948	n4159844.exe
1948	n4159844.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	n4159844.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 228	4172	7e0bd04d134d19f7a52d52b67d64d5123b5f8845a004e1d2a63cd580828bd644.exe	79
PID 4172 wrote to memory of 228	4172	7e0bd04d134d19f7a52d52b67d64d5123b5f8845a004e1d2a63cd580828bd644.exe	79
PID 4172 wrote to memory of 228	4172	7e0bd04d134d19f7a52d52b67d64d5123b5f8845a004e1d2a63cd580828bd644.exe	79
PID 228 wrote to memory of 3828	228	z6292979.exe	80
PID 228 wrote to memory of 3828	228	z6292979.exe	80
PID 228 wrote to memory of 3828	228	z6292979.exe	80
PID 3828 wrote to memory of 3932	3828	z9301734.exe	81
PID 3828 wrote to memory of 3932	3828	z9301734.exe	81
PID 3828 wrote to memory of 3932	3828	z9301734.exe	81
PID 3932 wrote to memory of 1948	3932	z3082283.exe	82
PID 3932 wrote to memory of 1948	3932	z3082283.exe	82
PID 3932 wrote to memory of 1948	3932	z3082283.exe	82

C:\Users\Admin\AppData\Local\Temp\7e0bd04d134d19f7a52d52b67d64d5123b5f8845a004e1d2a63cd580828bd644.exe
"C:\Users\Admin\AppData\Local\Temp\7e0bd04d134d19f7a52d52b67d64d5123b5f8845a004e1d2a63cd580828bd644.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6292979.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6292979.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9301734.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9301734.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3828
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3082283.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3082283.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3932
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n4159844.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n4159844.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6292979.exe

Filesize
1.1MB

MD5
8079776b6a061d3a31c887259e911f0f

SHA1
1458a5d426101ab2e3c6c4432afe26dad854adab

SHA256
c346d44a0777738e41f7a095c7b325f4ae2a3ef51e3337d0720775a96fbb6528

SHA512
8004a58a24ac2c667c2eaa88331e32c0376b576f3b4d9b3322e0d8554cd58854d4a689ce590be7d6474168aaad39097db6853562ad396dca4d6b9025659e104d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6292979.exe

Filesize
1.1MB

MD5
8079776b6a061d3a31c887259e911f0f

SHA1
1458a5d426101ab2e3c6c4432afe26dad854adab

SHA256
c346d44a0777738e41f7a095c7b325f4ae2a3ef51e3337d0720775a96fbb6528

SHA512
8004a58a24ac2c667c2eaa88331e32c0376b576f3b4d9b3322e0d8554cd58854d4a689ce590be7d6474168aaad39097db6853562ad396dca4d6b9025659e104d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9301734.exe

Filesize
620KB

MD5
8cf3b894d309480522d188d136d914b0

SHA1
e412cc06813361e9d1a97a708e46f902f7e50203

SHA256
40382fc4c5399556d77332e6798ef2bd05c60cbe6b454801cbd7c48807cfcc5d

SHA512
42cadce3ebd5b8f8b3a2f60df56b089ae0cfa69308b2c37e45d7f1e97c1c4de2783f752bbec0337b2f5f4175827815ee907c4ab365d1193564d8c76e647c0db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9301734.exe

Filesize
620KB

MD5
8cf3b894d309480522d188d136d914b0

SHA1
e412cc06813361e9d1a97a708e46f902f7e50203

SHA256
40382fc4c5399556d77332e6798ef2bd05c60cbe6b454801cbd7c48807cfcc5d

SHA512
42cadce3ebd5b8f8b3a2f60df56b089ae0cfa69308b2c37e45d7f1e97c1c4de2783f752bbec0337b2f5f4175827815ee907c4ab365d1193564d8c76e647c0db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3082283.exe

Filesize
416KB

MD5
efb63f09726d6f25f72c778af703a554

SHA1
2cd25b33b7fed62e0abf4b51f85ddc42e2310362

SHA256
b54296eedccda843c9ca4e6b56aa48930b242646c9cecf2690f4a33ce6137e18

SHA512
15317c62e5f95c4cb23c2cc920e463bb2b65808092272ce5cf0c4a92c52d10da9115afc7c68929361f7d4bff29639464dbc9c78c01e4f50b20764956b33a281a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3082283.exe

Filesize
416KB

MD5
efb63f09726d6f25f72c778af703a554

SHA1
2cd25b33b7fed62e0abf4b51f85ddc42e2310362

SHA256
b54296eedccda843c9ca4e6b56aa48930b242646c9cecf2690f4a33ce6137e18

SHA512
15317c62e5f95c4cb23c2cc920e463bb2b65808092272ce5cf0c4a92c52d10da9115afc7c68929361f7d4bff29639464dbc9c78c01e4f50b20764956b33a281a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n4159844.exe

Filesize
360KB

MD5
2f135b7a50669638855a101b3119221e

SHA1
3a32de8034cbdf0ea7c1203e6c685472fadc6064

SHA256
83d4e88d0dc7e94adc22a5c1f396a453d55ba8d865ffec906d689541ea500dc9

SHA512
d8b2c323e84d7881c0297edb6003820600ee00ad522a42e152a472c9c2410a2394211eb3260db31fc0d52949c803b17d90b2e57524cc4e41c0be765ca90e0942

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n4159844.exe

Filesize
360KB

MD5
2f135b7a50669638855a101b3119221e

SHA1
3a32de8034cbdf0ea7c1203e6c685472fadc6064

SHA256
83d4e88d0dc7e94adc22a5c1f396a453d55ba8d865ffec906d689541ea500dc9

SHA512
d8b2c323e84d7881c0297edb6003820600ee00ad522a42e152a472c9c2410a2394211eb3260db31fc0d52949c803b17d90b2e57524cc4e41c0be765ca90e0942

Download Submit
memory/1948-162-0x0000000000920000-0x000000000094D000-memory.dmp

Filesize
180KB

Download
memory/1948-163-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/1948-164-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/1948-165-0x0000000004F40000-0x00000000054E4000-memory.dmp

Filesize
5.6MB

Download
memory/1948-166-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1948-167-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1948-175-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1948-177-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1948-173-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1948-171-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1948-169-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1948-179-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1948-181-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1948-183-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1948-185-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1948-187-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1948-189-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1948-191-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1948-193-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1948-196-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/1948-195-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/1948-197-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/1948-199-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/1948-200-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads