9e1c743047a62b39fd6d472a8645acab94988fd35bb39ea400e1aeee55166a06

Analysis

max time kernel
145s
max time network
166s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e1c743047a62b39fd6d472a8645acab94988fd35bb39ea400e1aeee55166a06.exe
Size

746KB
MD5

bbe1c1257cc7316e6e23fde5468bad00
SHA1

628898017ba3388252126a997946542f0510505b
SHA256

9e1c743047a62b39fd6d472a8645acab94988fd35bb39ea400e1aeee55166a06
SHA512

6cdaf7f429a2026adf187e1417915d57ebbf287b7e1660f4b1737c7d1a430ebf9990f62a0c6b91f8e58d17722dcd1b4cae8a9012531be23481b6e9b1d0ebe96e
SSDEEP

12288:sy90fWlnXnWbNsAUjy8urZWk6Nd7ZbNjCS0vz3j2d:syFl32zUGQk6/5D0vXE

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	95743207.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	95743207.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	95743207.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	95743207.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	95743207.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	95743207.exe

Executes dropped EXE 3 IoCs

pid	Process
1612	un780050.exe
1488	95743207.exe
1780	rk425581.exe

Loads dropped DLL 8 IoCs

pid	Process
1688	9e1c743047a62b39fd6d472a8645acab94988fd35bb39ea400e1aeee55166a06.exe
1612	un780050.exe
1612	un780050.exe
1612	un780050.exe
1488	95743207.exe
1612	un780050.exe
1612	un780050.exe
1780	rk425581.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	95743207.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	95743207.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un780050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un780050.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9e1c743047a62b39fd6d472a8645acab94988fd35bb39ea400e1aeee55166a06.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9e1c743047a62b39fd6d472a8645acab94988fd35bb39ea400e1aeee55166a06.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1488	95743207.exe
1488	95743207.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1488	95743207.exe
Token: SeDebugPrivilege	1780	rk425581.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1612	1688	9e1c743047a62b39fd6d472a8645acab94988fd35bb39ea400e1aeee55166a06.exe	28
PID 1688 wrote to memory of 1612	1688	9e1c743047a62b39fd6d472a8645acab94988fd35bb39ea400e1aeee55166a06.exe	28
PID 1688 wrote to memory of 1612	1688	9e1c743047a62b39fd6d472a8645acab94988fd35bb39ea400e1aeee55166a06.exe	28
PID 1688 wrote to memory of 1612	1688	9e1c743047a62b39fd6d472a8645acab94988fd35bb39ea400e1aeee55166a06.exe	28
PID 1688 wrote to memory of 1612	1688	9e1c743047a62b39fd6d472a8645acab94988fd35bb39ea400e1aeee55166a06.exe	28
PID 1688 wrote to memory of 1612	1688	9e1c743047a62b39fd6d472a8645acab94988fd35bb39ea400e1aeee55166a06.exe	28
PID 1688 wrote to memory of 1612	1688	9e1c743047a62b39fd6d472a8645acab94988fd35bb39ea400e1aeee55166a06.exe	28
PID 1612 wrote to memory of 1488	1612	un780050.exe	29
PID 1612 wrote to memory of 1488	1612	un780050.exe	29
PID 1612 wrote to memory of 1488	1612	un780050.exe	29
PID 1612 wrote to memory of 1488	1612	un780050.exe	29
PID 1612 wrote to memory of 1488	1612	un780050.exe	29
PID 1612 wrote to memory of 1488	1612	un780050.exe	29
PID 1612 wrote to memory of 1488	1612	un780050.exe	29
PID 1612 wrote to memory of 1780	1612	un780050.exe	30
PID 1612 wrote to memory of 1780	1612	un780050.exe	30
PID 1612 wrote to memory of 1780	1612	un780050.exe	30
PID 1612 wrote to memory of 1780	1612	un780050.exe	30
PID 1612 wrote to memory of 1780	1612	un780050.exe	30
PID 1612 wrote to memory of 1780	1612	un780050.exe	30
PID 1612 wrote to memory of 1780	1612	un780050.exe	30

C:\Users\Admin\AppData\Local\Temp\9e1c743047a62b39fd6d472a8645acab94988fd35bb39ea400e1aeee55166a06.exe
"C:\Users\Admin\AppData\Local\Temp\9e1c743047a62b39fd6d472a8645acab94988fd35bb39ea400e1aeee55166a06.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un780050.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un780050.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\95743207.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\95743207.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1488
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk425581.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk425581.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un780050.exe

Filesize
592KB

MD5
a1ffb23e5ae45acc2e9b61507cb9f3ec

SHA1
28f01e8aa57b4bdba0cd7da07e14faff907001e2

SHA256
04a7384b01030ca4ce6fb8389547e28abbfffd18789fd64c1db95b80c55fd42d

SHA512
22e3cea395efa5b43479525ce3ad78249830b395ddd7e559206f5752f6a8811c4794139e84c7087f0c3bd64cdead171f2280efb23b0c50fc9ce2c6efdf721033

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un780050.exe

Filesize
592KB

MD5
a1ffb23e5ae45acc2e9b61507cb9f3ec

SHA1
28f01e8aa57b4bdba0cd7da07e14faff907001e2

SHA256
04a7384b01030ca4ce6fb8389547e28abbfffd18789fd64c1db95b80c55fd42d

SHA512
22e3cea395efa5b43479525ce3ad78249830b395ddd7e559206f5752f6a8811c4794139e84c7087f0c3bd64cdead171f2280efb23b0c50fc9ce2c6efdf721033

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\95743207.exe

Filesize
377KB

MD5
2545f3035b04a471d5508bd7d3f875ff

SHA1
bbe474633db11099906cb30da1deb7f0198fc9a7

SHA256
c6ae3ae2700b82645b79292fdc54920c6a41f5764d7337604c0138ba7220b73f

SHA512
71d943ff86a4d7b6e1a14d8b685f916e3e373e3c26baf7509cd812c2559d8d9629d4e5b456755727ba397b60c650a5c20c2a80bb283f77d29b52ecef84075dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\95743207.exe

Filesize
377KB

MD5
2545f3035b04a471d5508bd7d3f875ff

SHA1
bbe474633db11099906cb30da1deb7f0198fc9a7

SHA256
c6ae3ae2700b82645b79292fdc54920c6a41f5764d7337604c0138ba7220b73f

SHA512
71d943ff86a4d7b6e1a14d8b685f916e3e373e3c26baf7509cd812c2559d8d9629d4e5b456755727ba397b60c650a5c20c2a80bb283f77d29b52ecef84075dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\95743207.exe

Filesize
377KB

MD5
2545f3035b04a471d5508bd7d3f875ff

SHA1
bbe474633db11099906cb30da1deb7f0198fc9a7

SHA256
c6ae3ae2700b82645b79292fdc54920c6a41f5764d7337604c0138ba7220b73f

SHA512
71d943ff86a4d7b6e1a14d8b685f916e3e373e3c26baf7509cd812c2559d8d9629d4e5b456755727ba397b60c650a5c20c2a80bb283f77d29b52ecef84075dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk425581.exe

Filesize
459KB

MD5
bbd6e42f1864837931f0b59b2ed6798f

SHA1
611192a9cd94393387a8cfae23629e6824fe5428

SHA256
ac7dccb4df5cf1658e1b74257cb7aeae245bf1e63ef2b1cca4adb680895444bf

SHA512
6b711e93c05437f1d1c4bcff9bcca728b2fa786d4bf816679d23b652b1da29219f2d0a1de3f21cf1790ea0e578007b2e12e86641c826960d5c8b3bdf744fad61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk425581.exe

Filesize
459KB

MD5
bbd6e42f1864837931f0b59b2ed6798f

SHA1
611192a9cd94393387a8cfae23629e6824fe5428

SHA256
ac7dccb4df5cf1658e1b74257cb7aeae245bf1e63ef2b1cca4adb680895444bf

SHA512
6b711e93c05437f1d1c4bcff9bcca728b2fa786d4bf816679d23b652b1da29219f2d0a1de3f21cf1790ea0e578007b2e12e86641c826960d5c8b3bdf744fad61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk425581.exe

Filesize
459KB

MD5
bbd6e42f1864837931f0b59b2ed6798f

SHA1
611192a9cd94393387a8cfae23629e6824fe5428

SHA256
ac7dccb4df5cf1658e1b74257cb7aeae245bf1e63ef2b1cca4adb680895444bf

SHA512
6b711e93c05437f1d1c4bcff9bcca728b2fa786d4bf816679d23b652b1da29219f2d0a1de3f21cf1790ea0e578007b2e12e86641c826960d5c8b3bdf744fad61

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un780050.exe

Filesize
592KB

MD5
a1ffb23e5ae45acc2e9b61507cb9f3ec

SHA1
28f01e8aa57b4bdba0cd7da07e14faff907001e2

SHA256
04a7384b01030ca4ce6fb8389547e28abbfffd18789fd64c1db95b80c55fd42d

SHA512
22e3cea395efa5b43479525ce3ad78249830b395ddd7e559206f5752f6a8811c4794139e84c7087f0c3bd64cdead171f2280efb23b0c50fc9ce2c6efdf721033

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un780050.exe

Filesize
592KB

MD5
a1ffb23e5ae45acc2e9b61507cb9f3ec

SHA1
28f01e8aa57b4bdba0cd7da07e14faff907001e2

SHA256
04a7384b01030ca4ce6fb8389547e28abbfffd18789fd64c1db95b80c55fd42d

SHA512
22e3cea395efa5b43479525ce3ad78249830b395ddd7e559206f5752f6a8811c4794139e84c7087f0c3bd64cdead171f2280efb23b0c50fc9ce2c6efdf721033

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\95743207.exe

Filesize
377KB

MD5
2545f3035b04a471d5508bd7d3f875ff

SHA1
bbe474633db11099906cb30da1deb7f0198fc9a7

SHA256
c6ae3ae2700b82645b79292fdc54920c6a41f5764d7337604c0138ba7220b73f

SHA512
71d943ff86a4d7b6e1a14d8b685f916e3e373e3c26baf7509cd812c2559d8d9629d4e5b456755727ba397b60c650a5c20c2a80bb283f77d29b52ecef84075dfe

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\95743207.exe

Filesize
377KB

MD5
2545f3035b04a471d5508bd7d3f875ff

SHA1
bbe474633db11099906cb30da1deb7f0198fc9a7

SHA256
c6ae3ae2700b82645b79292fdc54920c6a41f5764d7337604c0138ba7220b73f

SHA512
71d943ff86a4d7b6e1a14d8b685f916e3e373e3c26baf7509cd812c2559d8d9629d4e5b456755727ba397b60c650a5c20c2a80bb283f77d29b52ecef84075dfe

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\95743207.exe

Filesize
377KB

MD5
2545f3035b04a471d5508bd7d3f875ff

SHA1
bbe474633db11099906cb30da1deb7f0198fc9a7

SHA256
c6ae3ae2700b82645b79292fdc54920c6a41f5764d7337604c0138ba7220b73f

SHA512
71d943ff86a4d7b6e1a14d8b685f916e3e373e3c26baf7509cd812c2559d8d9629d4e5b456755727ba397b60c650a5c20c2a80bb283f77d29b52ecef84075dfe

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk425581.exe

Filesize
459KB

MD5
bbd6e42f1864837931f0b59b2ed6798f

SHA1
611192a9cd94393387a8cfae23629e6824fe5428

SHA256
ac7dccb4df5cf1658e1b74257cb7aeae245bf1e63ef2b1cca4adb680895444bf

SHA512
6b711e93c05437f1d1c4bcff9bcca728b2fa786d4bf816679d23b652b1da29219f2d0a1de3f21cf1790ea0e578007b2e12e86641c826960d5c8b3bdf744fad61

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk425581.exe

Filesize
459KB

MD5
bbd6e42f1864837931f0b59b2ed6798f

SHA1
611192a9cd94393387a8cfae23629e6824fe5428

SHA256
ac7dccb4df5cf1658e1b74257cb7aeae245bf1e63ef2b1cca4adb680895444bf

SHA512
6b711e93c05437f1d1c4bcff9bcca728b2fa786d4bf816679d23b652b1da29219f2d0a1de3f21cf1790ea0e578007b2e12e86641c826960d5c8b3bdf744fad61

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk425581.exe

Filesize
459KB

MD5
bbd6e42f1864837931f0b59b2ed6798f

SHA1
611192a9cd94393387a8cfae23629e6824fe5428

SHA256
ac7dccb4df5cf1658e1b74257cb7aeae245bf1e63ef2b1cca4adb680895444bf

SHA512
6b711e93c05437f1d1c4bcff9bcca728b2fa786d4bf816679d23b652b1da29219f2d0a1de3f21cf1790ea0e578007b2e12e86641c826960d5c8b3bdf744fad61

Download Submit
memory/1488-109-0x0000000002190000-0x00000000021A2000-memory.dmp

Filesize
72KB

Download
memory/1488-87-0x0000000002190000-0x00000000021A2000-memory.dmp

Filesize
72KB

Download
memory/1488-89-0x0000000002190000-0x00000000021A2000-memory.dmp

Filesize
72KB

Download
memory/1488-91-0x0000000002190000-0x00000000021A2000-memory.dmp

Filesize
72KB

Download
memory/1488-93-0x0000000002190000-0x00000000021A2000-memory.dmp

Filesize
72KB

Download
memory/1488-95-0x0000000002190000-0x00000000021A2000-memory.dmp

Filesize
72KB

Download
memory/1488-97-0x0000000002190000-0x00000000021A2000-memory.dmp

Filesize
72KB

Download
memory/1488-99-0x0000000002190000-0x00000000021A2000-memory.dmp

Filesize
72KB

Download
memory/1488-101-0x0000000002190000-0x00000000021A2000-memory.dmp

Filesize
72KB

Download
memory/1488-103-0x0000000002190000-0x00000000021A2000-memory.dmp

Filesize
72KB

Download
memory/1488-105-0x0000000002190000-0x00000000021A2000-memory.dmp

Filesize
72KB

Download
memory/1488-107-0x0000000002190000-0x00000000021A2000-memory.dmp

Filesize
72KB

Download
memory/1488-85-0x0000000002190000-0x00000000021A2000-memory.dmp

Filesize
72KB

Download
memory/1488-111-0x0000000002190000-0x00000000021A2000-memory.dmp

Filesize
72KB

Download
memory/1488-116-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1488-84-0x0000000002190000-0x00000000021A2000-memory.dmp

Filesize
72KB

Download
memory/1488-82-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1488-81-0x0000000002190000-0x00000000021A8000-memory.dmp

Filesize
96KB

Download
memory/1488-80-0x0000000004E80000-0x0000000004EC0000-memory.dmp

Filesize
256KB

Download
memory/1488-79-0x00000000003B0000-0x00000000003CA000-memory.dmp

Filesize
104KB

Download
memory/1488-78-0x0000000000270000-0x000000000029D000-memory.dmp

Filesize
180KB

Download
memory/1780-127-0x0000000002720000-0x000000000275C000-memory.dmp

Filesize
240KB

Download
memory/1780-128-0x0000000002760000-0x000000000279A000-memory.dmp

Filesize
232KB

Download
memory/1780-129-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/1780-132-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/1780-130-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/1780-134-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/1780-136-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/1780-138-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/1780-140-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/1780-142-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/1780-144-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/1780-146-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/1780-148-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/1780-150-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/1780-152-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/1780-154-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/1780-157-0x0000000000820000-0x0000000000866000-memory.dmp

Filesize
280KB

Download
memory/1780-156-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/1780-923-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

Filesize
256KB

Download
memory/1780-926-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

Filesize
256KB

Download