9ca2d3ecc80456caa393659c5063e040fd789c5fdd8f1eb06d20b4f273dc6ccd

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 18:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9ca2d3ecc80456caa393659c5063e040fd789c5fdd8f1eb06d20b4f273dc6ccd.exe
Size

651KB
MD5

ae3a2b9b3f2460f70bbfe670e6b72ca7
SHA1

a301c31059b7a8da81a98c07c44e0346aa12e363
SHA256

9ca2d3ecc80456caa393659c5063e040fd789c5fdd8f1eb06d20b4f273dc6ccd
SHA512

89d7c33e68a88476d18bb8a777c57ab6ff38aaa5f9aa98c68b1fb479ff045a3b17cdb99a2b30eb4917d4a7ab3ac8aad42a8ddbf3db722eeae48a0de363bf1b8d
SSDEEP

12288:Ly90a+Ttb54tJcP4LrzD1jqgESiB+0RJc2LmQvYvnw:LyS8tJcP4TObG2L5go

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	95379339.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	95379339.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	95379339.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	95379339.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	95379339.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	95379339.exe

Executes dropped EXE 3 IoCs

pid	Process
1640	st916128.exe
1280	95379339.exe
1360	kp389936.exe

Loads dropped DLL 7 IoCs

pid	Process
1472	9ca2d3ecc80456caa393659c5063e040fd789c5fdd8f1eb06d20b4f273dc6ccd.exe
1640	st916128.exe
1640	st916128.exe
1280	95379339.exe
1640	st916128.exe
1640	st916128.exe
1360	kp389936.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	95379339.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	95379339.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9ca2d3ecc80456caa393659c5063e040fd789c5fdd8f1eb06d20b4f273dc6ccd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9ca2d3ecc80456caa393659c5063e040fd789c5fdd8f1eb06d20b4f273dc6ccd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	st916128.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st916128.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1280	95379339.exe
1280	95379339.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1280	95379339.exe
Token: SeDebugPrivilege	1360	kp389936.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 1640	1472	9ca2d3ecc80456caa393659c5063e040fd789c5fdd8f1eb06d20b4f273dc6ccd.exe	28
PID 1472 wrote to memory of 1640	1472	9ca2d3ecc80456caa393659c5063e040fd789c5fdd8f1eb06d20b4f273dc6ccd.exe	28
PID 1472 wrote to memory of 1640	1472	9ca2d3ecc80456caa393659c5063e040fd789c5fdd8f1eb06d20b4f273dc6ccd.exe	28
PID 1472 wrote to memory of 1640	1472	9ca2d3ecc80456caa393659c5063e040fd789c5fdd8f1eb06d20b4f273dc6ccd.exe	28
PID 1472 wrote to memory of 1640	1472	9ca2d3ecc80456caa393659c5063e040fd789c5fdd8f1eb06d20b4f273dc6ccd.exe	28
PID 1472 wrote to memory of 1640	1472	9ca2d3ecc80456caa393659c5063e040fd789c5fdd8f1eb06d20b4f273dc6ccd.exe	28
PID 1472 wrote to memory of 1640	1472	9ca2d3ecc80456caa393659c5063e040fd789c5fdd8f1eb06d20b4f273dc6ccd.exe	28
PID 1640 wrote to memory of 1280	1640	st916128.exe	29
PID 1640 wrote to memory of 1280	1640	st916128.exe	29
PID 1640 wrote to memory of 1280	1640	st916128.exe	29
PID 1640 wrote to memory of 1280	1640	st916128.exe	29
PID 1640 wrote to memory of 1280	1640	st916128.exe	29
PID 1640 wrote to memory of 1280	1640	st916128.exe	29
PID 1640 wrote to memory of 1280	1640	st916128.exe	29
PID 1640 wrote to memory of 1360	1640	st916128.exe	30
PID 1640 wrote to memory of 1360	1640	st916128.exe	30
PID 1640 wrote to memory of 1360	1640	st916128.exe	30
PID 1640 wrote to memory of 1360	1640	st916128.exe	30
PID 1640 wrote to memory of 1360	1640	st916128.exe	30
PID 1640 wrote to memory of 1360	1640	st916128.exe	30
PID 1640 wrote to memory of 1360	1640	st916128.exe	30

C:\Users\Admin\AppData\Local\Temp\9ca2d3ecc80456caa393659c5063e040fd789c5fdd8f1eb06d20b4f273dc6ccd.exe
"C:\Users\Admin\AppData\Local\Temp\9ca2d3ecc80456caa393659c5063e040fd789c5fdd8f1eb06d20b4f273dc6ccd.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st916128.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st916128.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\95379339.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\95379339.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1280
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp389936.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp389936.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st916128.exe

Filesize
497KB

MD5
01853f8bdfc47d0d138ff29199d11579

SHA1
c2105372b4bea555d0f78bd883703e86afdf69d3

SHA256
ce25b249e73b9068acc88f88e70154eb10fdc2f35688d1c7cce3eb64f78ac3da

SHA512
0757188dd2fb92a6cf004471ed4788bf352f3b16512cb289bde516811c2ad829f2c67910fdbc156f0442795461c4e9f3fe5da73dd5f0759d840d17e71db01beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st916128.exe

Filesize
497KB

MD5
01853f8bdfc47d0d138ff29199d11579

SHA1
c2105372b4bea555d0f78bd883703e86afdf69d3

SHA256
ce25b249e73b9068acc88f88e70154eb10fdc2f35688d1c7cce3eb64f78ac3da

SHA512
0757188dd2fb92a6cf004471ed4788bf352f3b16512cb289bde516811c2ad829f2c67910fdbc156f0442795461c4e9f3fe5da73dd5f0759d840d17e71db01beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\95379339.exe

Filesize
175KB

MD5
a165b5f6b0a4bdf808b71de57bf9347d

SHA1
39a7b301e819e386c162a47e046fa384bb5ab437

SHA256
68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a

SHA512
3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\95379339.exe

Filesize
175KB

MD5
a165b5f6b0a4bdf808b71de57bf9347d

SHA1
39a7b301e819e386c162a47e046fa384bb5ab437

SHA256
68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a

SHA512
3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp389936.exe

Filesize
341KB

MD5
afea20325c83aa6363a908b810553a7c

SHA1
371c6b64f3e936ef5d0af5783de17c9380738afc

SHA256
a67efb84cd58e6029f1a7a4b343f09566f766c91eb5a37ee03bfa6ef959ed131

SHA512
56310b3f3f73091ed5d941bb0022cd93337f51970f35a94ab5b596bd9f6581fd02c39dde90a2de1e5fd1cdc064fa8d50736fbb049a9b661864577d8d974af3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp389936.exe

Filesize
341KB

MD5
afea20325c83aa6363a908b810553a7c

SHA1
371c6b64f3e936ef5d0af5783de17c9380738afc

SHA256
a67efb84cd58e6029f1a7a4b343f09566f766c91eb5a37ee03bfa6ef959ed131

SHA512
56310b3f3f73091ed5d941bb0022cd93337f51970f35a94ab5b596bd9f6581fd02c39dde90a2de1e5fd1cdc064fa8d50736fbb049a9b661864577d8d974af3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp389936.exe

Filesize
341KB

MD5
afea20325c83aa6363a908b810553a7c

SHA1
371c6b64f3e936ef5d0af5783de17c9380738afc

SHA256
a67efb84cd58e6029f1a7a4b343f09566f766c91eb5a37ee03bfa6ef959ed131

SHA512
56310b3f3f73091ed5d941bb0022cd93337f51970f35a94ab5b596bd9f6581fd02c39dde90a2de1e5fd1cdc064fa8d50736fbb049a9b661864577d8d974af3d8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st916128.exe

Filesize
497KB

MD5
01853f8bdfc47d0d138ff29199d11579

SHA1
c2105372b4bea555d0f78bd883703e86afdf69d3

SHA256
ce25b249e73b9068acc88f88e70154eb10fdc2f35688d1c7cce3eb64f78ac3da

SHA512
0757188dd2fb92a6cf004471ed4788bf352f3b16512cb289bde516811c2ad829f2c67910fdbc156f0442795461c4e9f3fe5da73dd5f0759d840d17e71db01beb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st916128.exe

Filesize
497KB

MD5
01853f8bdfc47d0d138ff29199d11579

SHA1
c2105372b4bea555d0f78bd883703e86afdf69d3

SHA256
ce25b249e73b9068acc88f88e70154eb10fdc2f35688d1c7cce3eb64f78ac3da

SHA512
0757188dd2fb92a6cf004471ed4788bf352f3b16512cb289bde516811c2ad829f2c67910fdbc156f0442795461c4e9f3fe5da73dd5f0759d840d17e71db01beb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\95379339.exe

Filesize
175KB

MD5
a165b5f6b0a4bdf808b71de57bf9347d

SHA1
39a7b301e819e386c162a47e046fa384bb5ab437

SHA256
68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a

SHA512
3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\95379339.exe

Filesize
175KB

MD5
a165b5f6b0a4bdf808b71de57bf9347d

SHA1
39a7b301e819e386c162a47e046fa384bb5ab437

SHA256
68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a

SHA512
3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp389936.exe

Filesize
341KB

MD5
afea20325c83aa6363a908b810553a7c

SHA1
371c6b64f3e936ef5d0af5783de17c9380738afc

SHA256
a67efb84cd58e6029f1a7a4b343f09566f766c91eb5a37ee03bfa6ef959ed131

SHA512
56310b3f3f73091ed5d941bb0022cd93337f51970f35a94ab5b596bd9f6581fd02c39dde90a2de1e5fd1cdc064fa8d50736fbb049a9b661864577d8d974af3d8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp389936.exe

Filesize
341KB

MD5
afea20325c83aa6363a908b810553a7c

SHA1
371c6b64f3e936ef5d0af5783de17c9380738afc

SHA256
a67efb84cd58e6029f1a7a4b343f09566f766c91eb5a37ee03bfa6ef959ed131

SHA512
56310b3f3f73091ed5d941bb0022cd93337f51970f35a94ab5b596bd9f6581fd02c39dde90a2de1e5fd1cdc064fa8d50736fbb049a9b661864577d8d974af3d8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp389936.exe

Filesize
341KB

MD5
afea20325c83aa6363a908b810553a7c

SHA1
371c6b64f3e936ef5d0af5783de17c9380738afc

SHA256
a67efb84cd58e6029f1a7a4b343f09566f766c91eb5a37ee03bfa6ef959ed131

SHA512
56310b3f3f73091ed5d941bb0022cd93337f51970f35a94ab5b596bd9f6581fd02c39dde90a2de1e5fd1cdc064fa8d50736fbb049a9b661864577d8d974af3d8

Download Submit
memory/1280-82-0x0000000002190000-0x00000000021A3000-memory.dmp

Filesize
76KB

Download
memory/1280-84-0x0000000002190000-0x00000000021A3000-memory.dmp

Filesize
76KB

Download
memory/1280-86-0x0000000002190000-0x00000000021A3000-memory.dmp

Filesize
76KB

Download
memory/1280-90-0x0000000002190000-0x00000000021A3000-memory.dmp

Filesize
76KB

Download
memory/1280-88-0x0000000002190000-0x00000000021A3000-memory.dmp

Filesize
76KB

Download
memory/1280-94-0x0000000002190000-0x00000000021A3000-memory.dmp

Filesize
76KB

Download
memory/1280-92-0x0000000002190000-0x00000000021A3000-memory.dmp

Filesize
76KB

Download
memory/1280-98-0x0000000002190000-0x00000000021A3000-memory.dmp

Filesize
76KB

Download
memory/1280-96-0x0000000002190000-0x00000000021A3000-memory.dmp

Filesize
76KB

Download
memory/1280-102-0x0000000002190000-0x00000000021A3000-memory.dmp

Filesize
76KB

Download
memory/1280-100-0x0000000002190000-0x00000000021A3000-memory.dmp

Filesize
76KB

Download
memory/1280-104-0x0000000002190000-0x00000000021A3000-memory.dmp

Filesize
76KB

Download
memory/1280-105-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/1280-106-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/1280-80-0x0000000002190000-0x00000000021A3000-memory.dmp

Filesize
76KB

Download
memory/1280-78-0x0000000002190000-0x00000000021A3000-memory.dmp

Filesize
76KB

Download
memory/1280-77-0x0000000002190000-0x00000000021A3000-memory.dmp

Filesize
76KB

Download
memory/1280-76-0x0000000002190000-0x00000000021A8000-memory.dmp

Filesize
96KB

Download
memory/1280-75-0x00000000005A0000-0x00000000005BA000-memory.dmp

Filesize
104KB

Download
memory/1280-74-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/1360-120-0x00000000023B0000-0x00000000023E5000-memory.dmp

Filesize
212KB

Download
memory/1360-140-0x00000000023B0000-0x00000000023E5000-memory.dmp

Filesize
212KB

Download
memory/1360-119-0x00000000023B0000-0x00000000023E5000-memory.dmp

Filesize
212KB

Download
memory/1360-117-0x0000000002370000-0x00000000023AC000-memory.dmp

Filesize
240KB

Download
memory/1360-122-0x00000000023B0000-0x00000000023E5000-memory.dmp

Filesize
212KB

Download
memory/1360-124-0x00000000023B0000-0x00000000023E5000-memory.dmp

Filesize
212KB

Download
memory/1360-126-0x00000000023B0000-0x00000000023E5000-memory.dmp

Filesize
212KB

Download
memory/1360-128-0x00000000023B0000-0x00000000023E5000-memory.dmp

Filesize
212KB

Download
memory/1360-130-0x00000000023B0000-0x00000000023E5000-memory.dmp

Filesize
212KB

Download
memory/1360-132-0x00000000023B0000-0x00000000023E5000-memory.dmp

Filesize
212KB

Download
memory/1360-134-0x00000000023B0000-0x00000000023E5000-memory.dmp

Filesize
212KB

Download
memory/1360-136-0x00000000023B0000-0x00000000023E5000-memory.dmp

Filesize
212KB

Download
memory/1360-138-0x00000000023B0000-0x00000000023E5000-memory.dmp

Filesize
212KB

Download
memory/1360-118-0x00000000023B0000-0x00000000023EA000-memory.dmp

Filesize
232KB

Download
memory/1360-142-0x00000000023B0000-0x00000000023E5000-memory.dmp

Filesize
212KB

Download
memory/1360-144-0x00000000023B0000-0x00000000023E5000-memory.dmp

Filesize
212KB

Download
memory/1360-146-0x00000000023B0000-0x00000000023E5000-memory.dmp

Filesize
212KB

Download
memory/1360-148-0x00000000023B0000-0x00000000023E5000-memory.dmp

Filesize
212KB

Download
memory/1360-150-0x00000000023B0000-0x00000000023E5000-memory.dmp

Filesize
212KB

Download
memory/1360-152-0x00000000023B0000-0x00000000023E5000-memory.dmp

Filesize
212KB

Download
memory/1360-154-0x00000000023B0000-0x00000000023E5000-memory.dmp

Filesize
212KB

Download
memory/1360-543-0x0000000000310000-0x0000000000356000-memory.dmp

Filesize
280KB

Download
memory/1360-545-0x00000000049B0000-0x00000000049F0000-memory.dmp

Filesize
256KB

Download
memory/1360-547-0x00000000049B0000-0x00000000049F0000-memory.dmp

Filesize
256KB

Download
memory/1360-549-0x00000000049B0000-0x00000000049F0000-memory.dmp

Filesize
256KB

Download
memory/1360-915-0x00000000049B0000-0x00000000049F0000-memory.dmp

Filesize
256KB

Download
memory/1360-917-0x00000000049B0000-0x00000000049F0000-memory.dmp

Filesize
256KB

Download