be76a066b210baca199783fa8738a670e904db65263f726c3c160783fae708e0

Analysis

max time kernel
218s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be76a066b210baca199783fa8738a670e904db65263f726c3c160783fae708e0.exe
Size

1.5MB
MD5

09561a100b1576f09fb7f518174bed05
SHA1

5916ee531c7a10e4ec5e601695370a211d3d1c16
SHA256

be76a066b210baca199783fa8738a670e904db65263f726c3c160783fae708e0
SHA512

656515275c790f298aa8e9ccb158f28a3434777742bb7c30a727a8a964b22d86db555ce9fbd7ceadc688c3b2e2fc0c391be61ae2b6468c660a7909e99c57373c
SSDEEP

49152:juLgpUVaEEo2fmX0FZDfQT9K1btlHOqnU:7pFEFymeDf7fHRU

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7035701.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7035701.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7035701.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a7035701.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7035701.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7035701.exe

Executes dropped EXE 5 IoCs

pid	Process
1964	v3875541.exe
2256	v1864090.exe
4588	v3094298.exe
1120	v5794959.exe
4268	a7035701.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a7035701.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7035701.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	be76a066b210baca199783fa8738a670e904db65263f726c3c160783fae708e0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3875541.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3875541.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3094298.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	be76a066b210baca199783fa8738a670e904db65263f726c3c160783fae708e0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1864090.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v1864090.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v3094298.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5794959.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v5794959.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3324	4268	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4268	a7035701.exe
4268	a7035701.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4268	a7035701.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 1964	5020	be76a066b210baca199783fa8738a670e904db65263f726c3c160783fae708e0.exe	79
PID 5020 wrote to memory of 1964	5020	be76a066b210baca199783fa8738a670e904db65263f726c3c160783fae708e0.exe	79
PID 5020 wrote to memory of 1964	5020	be76a066b210baca199783fa8738a670e904db65263f726c3c160783fae708e0.exe	79
PID 1964 wrote to memory of 2256	1964	v3875541.exe	80
PID 1964 wrote to memory of 2256	1964	v3875541.exe	80
PID 1964 wrote to memory of 2256	1964	v3875541.exe	80
PID 2256 wrote to memory of 4588	2256	v1864090.exe	81
PID 2256 wrote to memory of 4588	2256	v1864090.exe	81
PID 2256 wrote to memory of 4588	2256	v1864090.exe	81
PID 4588 wrote to memory of 1120	4588	v3094298.exe	82
PID 4588 wrote to memory of 1120	4588	v3094298.exe	82
PID 4588 wrote to memory of 1120	4588	v3094298.exe	82
PID 1120 wrote to memory of 4268	1120	v5794959.exe	83
PID 1120 wrote to memory of 4268	1120	v5794959.exe	83
PID 1120 wrote to memory of 4268	1120	v5794959.exe	83

C:\Users\Admin\AppData\Local\Temp\be76a066b210baca199783fa8738a670e904db65263f726c3c160783fae708e0.exe
"C:\Users\Admin\AppData\Local\Temp\be76a066b210baca199783fa8738a670e904db65263f726c3c160783fae708e0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3875541.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3875541.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1864090.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1864090.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3094298.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3094298.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4588
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5794959.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5794959.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1120
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7035701.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7035701.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 1080
        7⤵
        Program crash
        
        PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4268 -ip 4268
1⤵
PID:1456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3875541.exe

Filesize
1.4MB

MD5
5dae4e1904b309eb772966ff932ad006

SHA1
4aeb588c4918f912f5d04164db5c97b3493886ae

SHA256
95ecb8db2ef445db93c42e4363baee54b719b6ddf3dcd730b471b288805b5825

SHA512
7aef43a451a1db000ff9dab4ca2628bfe9c92968d358098c4602e92004ef00a9919607f6e357e02e13db8016a12339ce546be6a164aad63320e127b082369be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3875541.exe

Filesize
1.4MB

MD5
5dae4e1904b309eb772966ff932ad006

SHA1
4aeb588c4918f912f5d04164db5c97b3493886ae

SHA256
95ecb8db2ef445db93c42e4363baee54b719b6ddf3dcd730b471b288805b5825

SHA512
7aef43a451a1db000ff9dab4ca2628bfe9c92968d358098c4602e92004ef00a9919607f6e357e02e13db8016a12339ce546be6a164aad63320e127b082369be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1864090.exe

Filesize
915KB

MD5
6931b76644bcd76f2fac255b0295fb26

SHA1
8b8b8b0fc31a41c60631c56cee874b9d79b6847a

SHA256
ea41e42b8b97768c2e08dc2c8b81277f0d733f9054c026ad6398fc4752368133

SHA512
333ef8ed88bbe1eea9b23e371caced17d0b31c21c428d902017d107631853c6cbbe0a1b7b96841d021e4aa9434e95fdd33028ca0c848cd09d8e70e940a4ee85c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1864090.exe

Filesize
915KB

MD5
6931b76644bcd76f2fac255b0295fb26

SHA1
8b8b8b0fc31a41c60631c56cee874b9d79b6847a

SHA256
ea41e42b8b97768c2e08dc2c8b81277f0d733f9054c026ad6398fc4752368133

SHA512
333ef8ed88bbe1eea9b23e371caced17d0b31c21c428d902017d107631853c6cbbe0a1b7b96841d021e4aa9434e95fdd33028ca0c848cd09d8e70e940a4ee85c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3094298.exe

Filesize
711KB

MD5
6cd0b504389ae69995824f569a2dac75

SHA1
ce82b163040d939c31838eea431e5018f633b969

SHA256
c188a0f0b9626d968bd3e36fa81550ef0e505441c70ced7ab1514dd68b603cc0

SHA512
2444f1c431936ec858738eaa55429af89ac6a3626e6e38200ba7cde159de14b9a6b5fa957ad69a3f743034dfba7691451f3659a0160f5e7ca30fd57b44fbcf2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3094298.exe

Filesize
711KB

MD5
6cd0b504389ae69995824f569a2dac75

SHA1
ce82b163040d939c31838eea431e5018f633b969

SHA256
c188a0f0b9626d968bd3e36fa81550ef0e505441c70ced7ab1514dd68b603cc0

SHA512
2444f1c431936ec858738eaa55429af89ac6a3626e6e38200ba7cde159de14b9a6b5fa957ad69a3f743034dfba7691451f3659a0160f5e7ca30fd57b44fbcf2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5794959.exe

Filesize
416KB

MD5
79e60a60ae628044bed5268ad0ddc5d9

SHA1
c0ae7d992652db605f288743fe93bce67090e739

SHA256
a37c97dbf610e902607003737696cebc9ae021947cd247eb4351e9434c9c376c

SHA512
86052956f5158b55cac249a5aa23c95d1552e889c90477a91cad96bcf8c5979a42a683582023f64d666fbd553a4ec111e9e442a370f632d91b672a49facf14c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5794959.exe

Filesize
416KB

MD5
79e60a60ae628044bed5268ad0ddc5d9

SHA1
c0ae7d992652db605f288743fe93bce67090e739

SHA256
a37c97dbf610e902607003737696cebc9ae021947cd247eb4351e9434c9c376c

SHA512
86052956f5158b55cac249a5aa23c95d1552e889c90477a91cad96bcf8c5979a42a683582023f64d666fbd553a4ec111e9e442a370f632d91b672a49facf14c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7035701.exe

Filesize
360KB

MD5
9c2dbb974871de26d611455fa8143bef

SHA1
1ff50dd2c0af360b18afe73ba4fca981770f7a91

SHA256
7f0ed1254a7b740b3e1de375b10f963f27db2a02861becc6b315813a5b18638d

SHA512
46acf22850ecedd2cabc5827961d7bb795e69bffe81e3e96071613e57822c3fdc14395ca2373d145af386d4d1e8fd682e09ccd807870a7768ddae43405147421

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7035701.exe

Filesize
360KB

MD5
9c2dbb974871de26d611455fa8143bef

SHA1
1ff50dd2c0af360b18afe73ba4fca981770f7a91

SHA256
7f0ed1254a7b740b3e1de375b10f963f27db2a02861becc6b315813a5b18638d

SHA512
46acf22850ecedd2cabc5827961d7bb795e69bffe81e3e96071613e57822c3fdc14395ca2373d145af386d4d1e8fd682e09ccd807870a7768ddae43405147421

Download Submit
memory/4268-169-0x00000000008A0000-0x00000000008CD000-memory.dmp

Filesize
180KB

Download
memory/4268-170-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/4268-171-0x0000000004C80000-0x0000000005224000-memory.dmp

Filesize
5.6MB

Download
memory/4268-172-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download
memory/4268-173-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download
memory/4268-177-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4268-175-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4268-174-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4268-179-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4268-181-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4268-183-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4268-185-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4268-187-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4268-191-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4268-189-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4268-193-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4268-195-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4268-197-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4268-199-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4268-201-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4268-202-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/4268-203-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download
memory/4268-204-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download
memory/4268-208-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download