307ff5f51c2349fd918ffd7073c11235ad26a5038f6d812082db62e405f1380e

Analysis

max time kernel
230s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 18:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

307ff5f51c2349fd918ffd7073c11235ad26a5038f6d812082db62e405f1380e.exe
Size

1.5MB
MD5

ea1bb0fcdc2bf8b2052834f86bd0310e
SHA1

7a6f1839f93f69d3d7e34e2f8cd737e0d4884d19
SHA256

307ff5f51c2349fd918ffd7073c11235ad26a5038f6d812082db62e405f1380e
SHA512

cd796a1ecad33362c1ed1d9766579bee036e239900f28761c9bc63d65a6e23489ac772f2b12aac37c241335560ae046ba04b3658e9fafa93865108b2e7016a42
SSDEEP

49152:XZLVwZqsq1TI4itS+StWWkJeSeZ6cD5rb:VCO6ZtS+SkeSIndP

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a0209937.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0209937.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0209937.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0209937.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0209937.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0209937.exe

Executes dropped EXE 5 IoCs

pid	Process
224	v1413832.exe
1356	v8595443.exe
2452	v0932546.exe
1076	v0350244.exe
3736	a0209937.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a0209937.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0209937.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1413832.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0350244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v0932546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v0350244.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	307ff5f51c2349fd918ffd7073c11235ad26a5038f6d812082db62e405f1380e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	307ff5f51c2349fd918ffd7073c11235ad26a5038f6d812082db62e405f1380e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1413832.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8595443.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8595443.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0932546.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2360	3736	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3736	a0209937.exe
3736	a0209937.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3736	a0209937.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 224	4144	307ff5f51c2349fd918ffd7073c11235ad26a5038f6d812082db62e405f1380e.exe	80
PID 4144 wrote to memory of 224	4144	307ff5f51c2349fd918ffd7073c11235ad26a5038f6d812082db62e405f1380e.exe	80
PID 4144 wrote to memory of 224	4144	307ff5f51c2349fd918ffd7073c11235ad26a5038f6d812082db62e405f1380e.exe	80
PID 224 wrote to memory of 1356	224	v1413832.exe	81
PID 224 wrote to memory of 1356	224	v1413832.exe	81
PID 224 wrote to memory of 1356	224	v1413832.exe	81
PID 1356 wrote to memory of 2452	1356	v8595443.exe	82
PID 1356 wrote to memory of 2452	1356	v8595443.exe	82
PID 1356 wrote to memory of 2452	1356	v8595443.exe	82
PID 2452 wrote to memory of 1076	2452	v0932546.exe	83
PID 2452 wrote to memory of 1076	2452	v0932546.exe	83
PID 2452 wrote to memory of 1076	2452	v0932546.exe	83
PID 1076 wrote to memory of 3736	1076	v0350244.exe	84
PID 1076 wrote to memory of 3736	1076	v0350244.exe	84
PID 1076 wrote to memory of 3736	1076	v0350244.exe	84

C:\Users\Admin\AppData\Local\Temp\307ff5f51c2349fd918ffd7073c11235ad26a5038f6d812082db62e405f1380e.exe
"C:\Users\Admin\AppData\Local\Temp\307ff5f51c2349fd918ffd7073c11235ad26a5038f6d812082db62e405f1380e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1413832.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1413832.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8595443.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8595443.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0932546.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0932546.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0350244.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0350244.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1076
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0209937.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0209937.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 1084
        7⤵
        Program crash
        
        PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3736 -ip 3736
1⤵
PID:4792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1413832.exe

Filesize
1.4MB

MD5
f092e1f8afe95333cf184f155b9b37f3

SHA1
67318706a035b11917ec62260a92fad99cf36bd9

SHA256
60f5ccd272cc5869c5c7dcef2c3167f1b3cb48f2c0edda6ffad87b3ca08b3c15

SHA512
cf2ad650b5cfb8a8a1f250d1cffe1a2e688af33106dfc4f97a5b7211ef37465fdf08f0713770449c2c5a75e7ba12998934e2fc0e710d18bfd672d5716eb0c98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1413832.exe

Filesize
1.4MB

MD5
f092e1f8afe95333cf184f155b9b37f3

SHA1
67318706a035b11917ec62260a92fad99cf36bd9

SHA256
60f5ccd272cc5869c5c7dcef2c3167f1b3cb48f2c0edda6ffad87b3ca08b3c15

SHA512
cf2ad650b5cfb8a8a1f250d1cffe1a2e688af33106dfc4f97a5b7211ef37465fdf08f0713770449c2c5a75e7ba12998934e2fc0e710d18bfd672d5716eb0c98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8595443.exe

Filesize
915KB

MD5
ea220d18f805d9ca5c566218194d8641

SHA1
1c54424d7cf7fb8d061448035aa7c35ff252741d

SHA256
ec2734a24f3fa9fbc185a948c8dfad63a8a941de5b08572b665c07e86789a902

SHA512
e6089574fc58d0665533dd5260185f12aea41efd978c065a828f309927253f6479e74ff400b114d0a716829032d5e915d03f85d755e0448a0dcce4fe33976bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8595443.exe

Filesize
915KB

MD5
ea220d18f805d9ca5c566218194d8641

SHA1
1c54424d7cf7fb8d061448035aa7c35ff252741d

SHA256
ec2734a24f3fa9fbc185a948c8dfad63a8a941de5b08572b665c07e86789a902

SHA512
e6089574fc58d0665533dd5260185f12aea41efd978c065a828f309927253f6479e74ff400b114d0a716829032d5e915d03f85d755e0448a0dcce4fe33976bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0932546.exe

Filesize
710KB

MD5
4bc4e2ed22ac86a8faccab796fbc0524

SHA1
75bf06064b28b565425b208315f21f255c9d8f38

SHA256
d52dd3f10c2c00094b3ee86d9a707ca881a3ab666f0fb8ebe7b9eb314b79cabe

SHA512
bbaf7dfe876325f6b0a997069f67bf1d7ccacd4b3c9851bf6b7a18a10156a52d0f731d42471df2ed23b7f5e6ba3a2fcd4053f870d4e76ca5e2894f064dd5401b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0932546.exe

Filesize
710KB

MD5
4bc4e2ed22ac86a8faccab796fbc0524

SHA1
75bf06064b28b565425b208315f21f255c9d8f38

SHA256
d52dd3f10c2c00094b3ee86d9a707ca881a3ab666f0fb8ebe7b9eb314b79cabe

SHA512
bbaf7dfe876325f6b0a997069f67bf1d7ccacd4b3c9851bf6b7a18a10156a52d0f731d42471df2ed23b7f5e6ba3a2fcd4053f870d4e76ca5e2894f064dd5401b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0350244.exe

Filesize
418KB

MD5
37437d42244e090994b9db09c6a9b39f

SHA1
5722480dd2b58322a7e8fc229d4fd6455d30c9c5

SHA256
eb575d408918bd33a9cc9e7de501fafb714fb32a2ae5ceda8d6ae711f99bf1d4

SHA512
82f55e10396e6135aad86a77831dac546ec991356fd2df5534ac9db9bbace05593c301c04935b02b58d63f61a3c14d1ebcda50ac9e79c6338e1577630890e7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0350244.exe

Filesize
418KB

MD5
37437d42244e090994b9db09c6a9b39f

SHA1
5722480dd2b58322a7e8fc229d4fd6455d30c9c5

SHA256
eb575d408918bd33a9cc9e7de501fafb714fb32a2ae5ceda8d6ae711f99bf1d4

SHA512
82f55e10396e6135aad86a77831dac546ec991356fd2df5534ac9db9bbace05593c301c04935b02b58d63f61a3c14d1ebcda50ac9e79c6338e1577630890e7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0209937.exe

Filesize
361KB

MD5
652fd228f941c7db2ce2e77402051a7b

SHA1
31e00c839bc4522130867ef0a6e4da07d028a582

SHA256
5da287bb19e244a6d2a0e27e3cddd8b4698daebdf77a9ee80b4fef9932941b48

SHA512
5a29ce876bca9d1e0330ea40e381f0bea2c5dd563fb553401b44127ed0b2d44ff3b95237f8c03d46ca0b41590a161aeb4ad7a02c49bc77be758f1f4e1e52d159

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0209937.exe

Filesize
361KB

MD5
652fd228f941c7db2ce2e77402051a7b

SHA1
31e00c839bc4522130867ef0a6e4da07d028a582

SHA256
5da287bb19e244a6d2a0e27e3cddd8b4698daebdf77a9ee80b4fef9932941b48

SHA512
5a29ce876bca9d1e0330ea40e381f0bea2c5dd563fb553401b44127ed0b2d44ff3b95237f8c03d46ca0b41590a161aeb4ad7a02c49bc77be758f1f4e1e52d159

Download Submit
memory/3736-178-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3736-188-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3736-171-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/3736-172-0x0000000000A90000-0x0000000000ABD000-memory.dmp

Filesize
180KB

Download
memory/3736-173-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/3736-174-0x0000000004E80000-0x0000000005424000-memory.dmp

Filesize
5.6MB

Download
memory/3736-176-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3736-175-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3736-169-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/3736-182-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3736-180-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3736-184-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3736-186-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3736-170-0x0000000000A90000-0x0000000000ABD000-memory.dmp

Filesize
180KB

Download
memory/3736-190-0x0000000002890000-0x00000000028A0000-memory.dmp

Filesize
64KB

Download
memory/3736-191-0x0000000002890000-0x00000000028A0000-memory.dmp

Filesize
64KB

Download
memory/3736-192-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3736-196-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3736-194-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3736-198-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3736-200-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3736-202-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3736-204-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/3736-205-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/3736-206-0x0000000002890000-0x00000000028A0000-memory.dmp

Filesize
64KB

Download
memory/3736-207-0x0000000002890000-0x00000000028A0000-memory.dmp

Filesize
64KB

Download
memory/3736-208-0x0000000002890000-0x00000000028A0000-memory.dmp

Filesize
64KB

Download
memory/3736-211-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download