9d5ccc8b4ddbec34e19d13aa8391f4f3d2c89e90036212cb6f862fb7d954d9db

Analysis

max time kernel
143s
max time network
168s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d5ccc8b4ddbec34e19d13aa8391f4f3d2c89e90036212cb6f862fb7d954d9db.exe
Size

690KB
MD5

f8f94d9fc049a9ccc9be5e9fbdd3f1a9
SHA1

dc60384e67de7035339832e31d5139c41479ca26
SHA256

9d5ccc8b4ddbec34e19d13aa8391f4f3d2c89e90036212cb6f862fb7d954d9db
SHA512

67329f11acbf62bcde00353c26c2c593e982721184b2cea749bfa3289ecbb39804c4241b9f87568db0cf3505b9361062de5525de8081a70587a5933350510861
SSDEEP

12288:4y90L0U8VB5KOE0F6cSDKYyWIziAYom00qX2KmB194k17/Y:4yhU8VTKT0Ik2AY9g2KYDTjY

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	58392694.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	58392694.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	58392694.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	58392694.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	58392694.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	58392694.exe

Executes dropped EXE 3 IoCs

pid	Process
1764	un720969.exe
1028	58392694.exe
1664	rk103705.exe

Loads dropped DLL 8 IoCs

pid	Process
1228	9d5ccc8b4ddbec34e19d13aa8391f4f3d2c89e90036212cb6f862fb7d954d9db.exe
1764	un720969.exe
1764	un720969.exe
1764	un720969.exe
1028	58392694.exe
1764	un720969.exe
1764	un720969.exe
1664	rk103705.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	58392694.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	58392694.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9d5ccc8b4ddbec34e19d13aa8391f4f3d2c89e90036212cb6f862fb7d954d9db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9d5ccc8b4ddbec34e19d13aa8391f4f3d2c89e90036212cb6f862fb7d954d9db.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un720969.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un720969.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1028	58392694.exe
1028	58392694.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1028	58392694.exe
Token: SeDebugPrivilege	1664	rk103705.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 1764	1228	9d5ccc8b4ddbec34e19d13aa8391f4f3d2c89e90036212cb6f862fb7d954d9db.exe	28
PID 1228 wrote to memory of 1764	1228	9d5ccc8b4ddbec34e19d13aa8391f4f3d2c89e90036212cb6f862fb7d954d9db.exe	28
PID 1228 wrote to memory of 1764	1228	9d5ccc8b4ddbec34e19d13aa8391f4f3d2c89e90036212cb6f862fb7d954d9db.exe	28
PID 1228 wrote to memory of 1764	1228	9d5ccc8b4ddbec34e19d13aa8391f4f3d2c89e90036212cb6f862fb7d954d9db.exe	28
PID 1228 wrote to memory of 1764	1228	9d5ccc8b4ddbec34e19d13aa8391f4f3d2c89e90036212cb6f862fb7d954d9db.exe	28
PID 1228 wrote to memory of 1764	1228	9d5ccc8b4ddbec34e19d13aa8391f4f3d2c89e90036212cb6f862fb7d954d9db.exe	28
PID 1228 wrote to memory of 1764	1228	9d5ccc8b4ddbec34e19d13aa8391f4f3d2c89e90036212cb6f862fb7d954d9db.exe	28
PID 1764 wrote to memory of 1028	1764	un720969.exe	29
PID 1764 wrote to memory of 1028	1764	un720969.exe	29
PID 1764 wrote to memory of 1028	1764	un720969.exe	29
PID 1764 wrote to memory of 1028	1764	un720969.exe	29
PID 1764 wrote to memory of 1028	1764	un720969.exe	29
PID 1764 wrote to memory of 1028	1764	un720969.exe	29
PID 1764 wrote to memory of 1028	1764	un720969.exe	29
PID 1764 wrote to memory of 1664	1764	un720969.exe	30
PID 1764 wrote to memory of 1664	1764	un720969.exe	30
PID 1764 wrote to memory of 1664	1764	un720969.exe	30
PID 1764 wrote to memory of 1664	1764	un720969.exe	30
PID 1764 wrote to memory of 1664	1764	un720969.exe	30
PID 1764 wrote to memory of 1664	1764	un720969.exe	30
PID 1764 wrote to memory of 1664	1764	un720969.exe	30

C:\Users\Admin\AppData\Local\Temp\9d5ccc8b4ddbec34e19d13aa8391f4f3d2c89e90036212cb6f862fb7d954d9db.exe
"C:\Users\Admin\AppData\Local\Temp\9d5ccc8b4ddbec34e19d13aa8391f4f3d2c89e90036212cb6f862fb7d954d9db.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un720969.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un720969.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58392694.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58392694.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1028
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk103705.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk103705.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un720969.exe

Filesize
536KB

MD5
b17a5eb94041f4dde9825f8f2d378711

SHA1
7c05b63f81de92fd917e9b5a4eacdfd5dd7847ca

SHA256
a5c8e5ac3f8bd5c9dc758ce436fc62e497c2ce941a8d02e2d5c44758e1295eb5

SHA512
bd2240d5a476d588521cc8ff72fa8967c0f2a1852d7ab19eb30162e28bf55e99eb6949321be1e22b19685c7d92c8b9ff3295cf12a313aa95ca3d1182289ebcc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un720969.exe

Filesize
536KB

MD5
b17a5eb94041f4dde9825f8f2d378711

SHA1
7c05b63f81de92fd917e9b5a4eacdfd5dd7847ca

SHA256
a5c8e5ac3f8bd5c9dc758ce436fc62e497c2ce941a8d02e2d5c44758e1295eb5

SHA512
bd2240d5a476d588521cc8ff72fa8967c0f2a1852d7ab19eb30162e28bf55e99eb6949321be1e22b19685c7d92c8b9ff3295cf12a313aa95ca3d1182289ebcc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58392694.exe

Filesize
259KB

MD5
0ffe894137924ea28e396ca5523d5f2f

SHA1
97569cea2cf7314150c6b499671ec93317e382a0

SHA256
e04e03ddd14141abe3b7249f8885d1a9243c3981cae3b657e4196b15412f705a

SHA512
893fad59d0f32eb8bd485ae1415c9a96e26953821314fc584cdafbd5cf09d40dcf89271a333d511f911ecad34465e8234da3474bb2b02863ed4f79b5dd3e44c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58392694.exe

Filesize
259KB

MD5
0ffe894137924ea28e396ca5523d5f2f

SHA1
97569cea2cf7314150c6b499671ec93317e382a0

SHA256
e04e03ddd14141abe3b7249f8885d1a9243c3981cae3b657e4196b15412f705a

SHA512
893fad59d0f32eb8bd485ae1415c9a96e26953821314fc584cdafbd5cf09d40dcf89271a333d511f911ecad34465e8234da3474bb2b02863ed4f79b5dd3e44c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58392694.exe

Filesize
259KB

MD5
0ffe894137924ea28e396ca5523d5f2f

SHA1
97569cea2cf7314150c6b499671ec93317e382a0

SHA256
e04e03ddd14141abe3b7249f8885d1a9243c3981cae3b657e4196b15412f705a

SHA512
893fad59d0f32eb8bd485ae1415c9a96e26953821314fc584cdafbd5cf09d40dcf89271a333d511f911ecad34465e8234da3474bb2b02863ed4f79b5dd3e44c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk103705.exe

Filesize
341KB

MD5
03bd2aa6d7e42cbefe47d2255205f155

SHA1
53ca51eedb3c598b620d8f1aa479d928e0bb59b3

SHA256
32a3acfacdb23aad64ce33a8ffc660b6a0285d0b3b1f8ebf147dcc5d35fa77b2

SHA512
81afaacd9b76f41af5fb59bb3743fac53ecd75d88ad9a5e29eab58df396b457c88d1e5c322d183d58e9661b22b5be0621e8161f71fdfc049734d0ed8e7dcd00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk103705.exe

Filesize
341KB

MD5
03bd2aa6d7e42cbefe47d2255205f155

SHA1
53ca51eedb3c598b620d8f1aa479d928e0bb59b3

SHA256
32a3acfacdb23aad64ce33a8ffc660b6a0285d0b3b1f8ebf147dcc5d35fa77b2

SHA512
81afaacd9b76f41af5fb59bb3743fac53ecd75d88ad9a5e29eab58df396b457c88d1e5c322d183d58e9661b22b5be0621e8161f71fdfc049734d0ed8e7dcd00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk103705.exe

Filesize
341KB

MD5
03bd2aa6d7e42cbefe47d2255205f155

SHA1
53ca51eedb3c598b620d8f1aa479d928e0bb59b3

SHA256
32a3acfacdb23aad64ce33a8ffc660b6a0285d0b3b1f8ebf147dcc5d35fa77b2

SHA512
81afaacd9b76f41af5fb59bb3743fac53ecd75d88ad9a5e29eab58df396b457c88d1e5c322d183d58e9661b22b5be0621e8161f71fdfc049734d0ed8e7dcd00f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un720969.exe

Filesize
536KB

MD5
b17a5eb94041f4dde9825f8f2d378711

SHA1
7c05b63f81de92fd917e9b5a4eacdfd5dd7847ca

SHA256
a5c8e5ac3f8bd5c9dc758ce436fc62e497c2ce941a8d02e2d5c44758e1295eb5

SHA512
bd2240d5a476d588521cc8ff72fa8967c0f2a1852d7ab19eb30162e28bf55e99eb6949321be1e22b19685c7d92c8b9ff3295cf12a313aa95ca3d1182289ebcc8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un720969.exe

Filesize
536KB

MD5
b17a5eb94041f4dde9825f8f2d378711

SHA1
7c05b63f81de92fd917e9b5a4eacdfd5dd7847ca

SHA256
a5c8e5ac3f8bd5c9dc758ce436fc62e497c2ce941a8d02e2d5c44758e1295eb5

SHA512
bd2240d5a476d588521cc8ff72fa8967c0f2a1852d7ab19eb30162e28bf55e99eb6949321be1e22b19685c7d92c8b9ff3295cf12a313aa95ca3d1182289ebcc8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\58392694.exe

Filesize
259KB

MD5
0ffe894137924ea28e396ca5523d5f2f

SHA1
97569cea2cf7314150c6b499671ec93317e382a0

SHA256
e04e03ddd14141abe3b7249f8885d1a9243c3981cae3b657e4196b15412f705a

SHA512
893fad59d0f32eb8bd485ae1415c9a96e26953821314fc584cdafbd5cf09d40dcf89271a333d511f911ecad34465e8234da3474bb2b02863ed4f79b5dd3e44c3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\58392694.exe

Filesize
259KB

MD5
0ffe894137924ea28e396ca5523d5f2f

SHA1
97569cea2cf7314150c6b499671ec93317e382a0

SHA256
e04e03ddd14141abe3b7249f8885d1a9243c3981cae3b657e4196b15412f705a

SHA512
893fad59d0f32eb8bd485ae1415c9a96e26953821314fc584cdafbd5cf09d40dcf89271a333d511f911ecad34465e8234da3474bb2b02863ed4f79b5dd3e44c3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\58392694.exe

Filesize
259KB

MD5
0ffe894137924ea28e396ca5523d5f2f

SHA1
97569cea2cf7314150c6b499671ec93317e382a0

SHA256
e04e03ddd14141abe3b7249f8885d1a9243c3981cae3b657e4196b15412f705a

SHA512
893fad59d0f32eb8bd485ae1415c9a96e26953821314fc584cdafbd5cf09d40dcf89271a333d511f911ecad34465e8234da3474bb2b02863ed4f79b5dd3e44c3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk103705.exe

Filesize
341KB

MD5
03bd2aa6d7e42cbefe47d2255205f155

SHA1
53ca51eedb3c598b620d8f1aa479d928e0bb59b3

SHA256
32a3acfacdb23aad64ce33a8ffc660b6a0285d0b3b1f8ebf147dcc5d35fa77b2

SHA512
81afaacd9b76f41af5fb59bb3743fac53ecd75d88ad9a5e29eab58df396b457c88d1e5c322d183d58e9661b22b5be0621e8161f71fdfc049734d0ed8e7dcd00f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk103705.exe

Filesize
341KB

MD5
03bd2aa6d7e42cbefe47d2255205f155

SHA1
53ca51eedb3c598b620d8f1aa479d928e0bb59b3

SHA256
32a3acfacdb23aad64ce33a8ffc660b6a0285d0b3b1f8ebf147dcc5d35fa77b2

SHA512
81afaacd9b76f41af5fb59bb3743fac53ecd75d88ad9a5e29eab58df396b457c88d1e5c322d183d58e9661b22b5be0621e8161f71fdfc049734d0ed8e7dcd00f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk103705.exe

Filesize
341KB

MD5
03bd2aa6d7e42cbefe47d2255205f155

SHA1
53ca51eedb3c598b620d8f1aa479d928e0bb59b3

SHA256
32a3acfacdb23aad64ce33a8ffc660b6a0285d0b3b1f8ebf147dcc5d35fa77b2

SHA512
81afaacd9b76f41af5fb59bb3743fac53ecd75d88ad9a5e29eab58df396b457c88d1e5c322d183d58e9661b22b5be0621e8161f71fdfc049734d0ed8e7dcd00f

Download Submit
memory/1028-110-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1028-89-0x00000000020E0000-0x00000000020F3000-memory.dmp

Filesize
76KB

Download
memory/1028-91-0x00000000020E0000-0x00000000020F3000-memory.dmp

Filesize
76KB

Download
memory/1028-93-0x00000000020E0000-0x00000000020F3000-memory.dmp

Filesize
76KB

Download
memory/1028-95-0x00000000020E0000-0x00000000020F3000-memory.dmp

Filesize
76KB

Download
memory/1028-97-0x00000000020E0000-0x00000000020F3000-memory.dmp

Filesize
76KB

Download
memory/1028-99-0x00000000020E0000-0x00000000020F3000-memory.dmp

Filesize
76KB

Download
memory/1028-101-0x00000000020E0000-0x00000000020F3000-memory.dmp

Filesize
76KB

Download
memory/1028-103-0x00000000020E0000-0x00000000020F3000-memory.dmp

Filesize
76KB

Download
memory/1028-105-0x00000000020E0000-0x00000000020F3000-memory.dmp

Filesize
76KB

Download
memory/1028-107-0x00000000020E0000-0x00000000020F3000-memory.dmp

Filesize
76KB

Download
memory/1028-108-0x00000000003C0000-0x00000000003ED000-memory.dmp

Filesize
180KB

Download
memory/1028-109-0x0000000004B10000-0x0000000004B50000-memory.dmp

Filesize
256KB

Download
memory/1028-87-0x00000000020E0000-0x00000000020F3000-memory.dmp

Filesize
76KB

Download
memory/1028-113-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1028-85-0x00000000020E0000-0x00000000020F3000-memory.dmp

Filesize
76KB

Download
memory/1028-83-0x00000000020E0000-0x00000000020F3000-memory.dmp

Filesize
76KB

Download
memory/1028-81-0x00000000020E0000-0x00000000020F3000-memory.dmp

Filesize
76KB

Download
memory/1028-80-0x00000000020E0000-0x00000000020F3000-memory.dmp

Filesize
76KB

Download
memory/1028-79-0x00000000020E0000-0x00000000020F8000-memory.dmp

Filesize
96KB

Download
memory/1028-78-0x00000000009E0000-0x00000000009FA000-memory.dmp

Filesize
104KB

Download
memory/1664-126-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1664-147-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1664-124-0x0000000002350000-0x000000000238C000-memory.dmp

Filesize
240KB

Download
memory/1664-127-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1664-129-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1664-131-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1664-133-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1664-135-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1664-137-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1664-139-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1664-141-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1664-143-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1664-145-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1664-125-0x00000000049A0000-0x00000000049DA000-memory.dmp

Filesize
232KB

Download
memory/1664-149-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1664-151-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1664-153-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1664-155-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1664-157-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1664-159-0x0000000000270000-0x00000000002B6000-memory.dmp

Filesize
280KB

Download
memory/1664-161-0x0000000004A30000-0x0000000004A70000-memory.dmp

Filesize
256KB

Download
memory/1664-163-0x0000000004A30000-0x0000000004A70000-memory.dmp

Filesize
256KB

Download
memory/1664-921-0x0000000004A30000-0x0000000004A70000-memory.dmp

Filesize
256KB

Download
memory/1664-923-0x0000000004A30000-0x0000000004A70000-memory.dmp

Filesize
256KB

Download
memory/1664-925-0x0000000004A30000-0x0000000004A70000-memory.dmp

Filesize
256KB

Download