ae6213ba393c5b1e094743461a9c289fc37aacb6bdc71fe323b2adfd29f4153c

Analysis

max time kernel
149s
max time network
162s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae6213ba393c5b1e094743461a9c289fc37aacb6bdc71fe323b2adfd29f4153c.exe
Size

687KB
MD5

c2f156cc9d8af8a50c38eb60e53c7aa4
SHA1

bc7c0defab780cda95d783e528942a66c90ef75a
SHA256

ae6213ba393c5b1e094743461a9c289fc37aacb6bdc71fe323b2adfd29f4153c
SHA512

9c5f64525d0d8629a737270d84efd2e9791cf85388070afbed62d1faeab35ba378923ecb93213db072373d83989bab477324be53486de8c4241d7329aa468d41
SSDEEP

12288:vy906JacQHX0DXkjFpyCS5A8Rlbf8XuYi2h5EIXP/Fa9BMn4+/70:vyTQHXUqrSdKu12XEgFiBSlT0

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	50108514.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	50108514.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	50108514.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	50108514.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	50108514.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	50108514.exe

Executes dropped EXE 3 IoCs

pid	Process
1344	un241332.exe
628	50108514.exe
1820	rk570693.exe

Loads dropped DLL 8 IoCs

pid	Process
1412	ae6213ba393c5b1e094743461a9c289fc37aacb6bdc71fe323b2adfd29f4153c.exe
1344	un241332.exe
1344	un241332.exe
1344	un241332.exe
628	50108514.exe
1344	un241332.exe
1344	un241332.exe
1820	rk570693.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	50108514.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	50108514.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ae6213ba393c5b1e094743461a9c289fc37aacb6bdc71fe323b2adfd29f4153c.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un241332.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un241332.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ae6213ba393c5b1e094743461a9c289fc37aacb6bdc71fe323b2adfd29f4153c.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
628	50108514.exe
628	50108514.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	628	50108514.exe
Token: SeDebugPrivilege	1820	rk570693.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 1344	1412	ae6213ba393c5b1e094743461a9c289fc37aacb6bdc71fe323b2adfd29f4153c.exe	28
PID 1412 wrote to memory of 1344	1412	ae6213ba393c5b1e094743461a9c289fc37aacb6bdc71fe323b2adfd29f4153c.exe	28
PID 1412 wrote to memory of 1344	1412	ae6213ba393c5b1e094743461a9c289fc37aacb6bdc71fe323b2adfd29f4153c.exe	28
PID 1412 wrote to memory of 1344	1412	ae6213ba393c5b1e094743461a9c289fc37aacb6bdc71fe323b2adfd29f4153c.exe	28
PID 1412 wrote to memory of 1344	1412	ae6213ba393c5b1e094743461a9c289fc37aacb6bdc71fe323b2adfd29f4153c.exe	28
PID 1412 wrote to memory of 1344	1412	ae6213ba393c5b1e094743461a9c289fc37aacb6bdc71fe323b2adfd29f4153c.exe	28
PID 1412 wrote to memory of 1344	1412	ae6213ba393c5b1e094743461a9c289fc37aacb6bdc71fe323b2adfd29f4153c.exe	28
PID 1344 wrote to memory of 628	1344	un241332.exe	29
PID 1344 wrote to memory of 628	1344	un241332.exe	29
PID 1344 wrote to memory of 628	1344	un241332.exe	29
PID 1344 wrote to memory of 628	1344	un241332.exe	29
PID 1344 wrote to memory of 628	1344	un241332.exe	29
PID 1344 wrote to memory of 628	1344	un241332.exe	29
PID 1344 wrote to memory of 628	1344	un241332.exe	29
PID 1344 wrote to memory of 1820	1344	un241332.exe	30
PID 1344 wrote to memory of 1820	1344	un241332.exe	30
PID 1344 wrote to memory of 1820	1344	un241332.exe	30
PID 1344 wrote to memory of 1820	1344	un241332.exe	30
PID 1344 wrote to memory of 1820	1344	un241332.exe	30
PID 1344 wrote to memory of 1820	1344	un241332.exe	30
PID 1344 wrote to memory of 1820	1344	un241332.exe	30

C:\Users\Admin\AppData\Local\Temp\ae6213ba393c5b1e094743461a9c289fc37aacb6bdc71fe323b2adfd29f4153c.exe
"C:\Users\Admin\AppData\Local\Temp\ae6213ba393c5b1e094743461a9c289fc37aacb6bdc71fe323b2adfd29f4153c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un241332.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un241332.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\50108514.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\50108514.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:628
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk570693.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk570693.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un241332.exe

Filesize
533KB

MD5
c27356bded81c084175c481d52ad131b

SHA1
f430869e559995d76a0dc60894e0af176a053dc0

SHA256
7fb9aa5308cfde3f0f149229fdaaeb0b1a5aeb73744d0449311ea3d50be9fc0a

SHA512
b0259b26686710d4bc579d231342de80a90550d74fd2a796ce71ff337bfff3a6c05df019e1bed8dd865335c111a69b7414e1525723cde5d5a134d3d55ac410ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un241332.exe

Filesize
533KB

MD5
c27356bded81c084175c481d52ad131b

SHA1
f430869e559995d76a0dc60894e0af176a053dc0

SHA256
7fb9aa5308cfde3f0f149229fdaaeb0b1a5aeb73744d0449311ea3d50be9fc0a

SHA512
b0259b26686710d4bc579d231342de80a90550d74fd2a796ce71ff337bfff3a6c05df019e1bed8dd865335c111a69b7414e1525723cde5d5a134d3d55ac410ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\50108514.exe

Filesize
249KB

MD5
f5ee338c3504c811500f3873b8c32759

SHA1
e8664b50e1bdbc30ab35b696d5bbf9f83a943932

SHA256
d8b6fafbd171f40f520d4cf7ef4d796fd871fed7131af18b0f74b1ef6a44ac1c

SHA512
1c9d925f585b4ce0a898120e81769802a6f41ffd06664cb77d47ffa8ed9843f5e3ea2f9c9a6ed82b17cfec3c86f288d0b7f0c15b627b0da047d152a5f67c5d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\50108514.exe

Filesize
249KB

MD5
f5ee338c3504c811500f3873b8c32759

SHA1
e8664b50e1bdbc30ab35b696d5bbf9f83a943932

SHA256
d8b6fafbd171f40f520d4cf7ef4d796fd871fed7131af18b0f74b1ef6a44ac1c

SHA512
1c9d925f585b4ce0a898120e81769802a6f41ffd06664cb77d47ffa8ed9843f5e3ea2f9c9a6ed82b17cfec3c86f288d0b7f0c15b627b0da047d152a5f67c5d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\50108514.exe

Filesize
249KB

MD5
f5ee338c3504c811500f3873b8c32759

SHA1
e8664b50e1bdbc30ab35b696d5bbf9f83a943932

SHA256
d8b6fafbd171f40f520d4cf7ef4d796fd871fed7131af18b0f74b1ef6a44ac1c

SHA512
1c9d925f585b4ce0a898120e81769802a6f41ffd06664cb77d47ffa8ed9843f5e3ea2f9c9a6ed82b17cfec3c86f288d0b7f0c15b627b0da047d152a5f67c5d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk570693.exe

Filesize
332KB

MD5
5de00505d47e284ef8c01493c51ff5c6

SHA1
018f143b4cd2c8aaf5c7888a716a15f3b3c19b37

SHA256
f14baa42e44af2776f95b508ecd150415b74bd299fc05798cd7856ae60dee4bc

SHA512
aed23f66185836dea8ce251c3b02d687069a0334a662a26908b83732f109572bcbe16894a0f69f5ee7bd9fd8e1211bfba37d3208d2b59dde124b62baa89480f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk570693.exe

Filesize
332KB

MD5
5de00505d47e284ef8c01493c51ff5c6

SHA1
018f143b4cd2c8aaf5c7888a716a15f3b3c19b37

SHA256
f14baa42e44af2776f95b508ecd150415b74bd299fc05798cd7856ae60dee4bc

SHA512
aed23f66185836dea8ce251c3b02d687069a0334a662a26908b83732f109572bcbe16894a0f69f5ee7bd9fd8e1211bfba37d3208d2b59dde124b62baa89480f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk570693.exe

Filesize
332KB

MD5
5de00505d47e284ef8c01493c51ff5c6

SHA1
018f143b4cd2c8aaf5c7888a716a15f3b3c19b37

SHA256
f14baa42e44af2776f95b508ecd150415b74bd299fc05798cd7856ae60dee4bc

SHA512
aed23f66185836dea8ce251c3b02d687069a0334a662a26908b83732f109572bcbe16894a0f69f5ee7bd9fd8e1211bfba37d3208d2b59dde124b62baa89480f4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un241332.exe

Filesize
533KB

MD5
c27356bded81c084175c481d52ad131b

SHA1
f430869e559995d76a0dc60894e0af176a053dc0

SHA256
7fb9aa5308cfde3f0f149229fdaaeb0b1a5aeb73744d0449311ea3d50be9fc0a

SHA512
b0259b26686710d4bc579d231342de80a90550d74fd2a796ce71ff337bfff3a6c05df019e1bed8dd865335c111a69b7414e1525723cde5d5a134d3d55ac410ed

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un241332.exe

Filesize
533KB

MD5
c27356bded81c084175c481d52ad131b

SHA1
f430869e559995d76a0dc60894e0af176a053dc0

SHA256
7fb9aa5308cfde3f0f149229fdaaeb0b1a5aeb73744d0449311ea3d50be9fc0a

SHA512
b0259b26686710d4bc579d231342de80a90550d74fd2a796ce71ff337bfff3a6c05df019e1bed8dd865335c111a69b7414e1525723cde5d5a134d3d55ac410ed

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\50108514.exe

Filesize
249KB

MD5
f5ee338c3504c811500f3873b8c32759

SHA1
e8664b50e1bdbc30ab35b696d5bbf9f83a943932

SHA256
d8b6fafbd171f40f520d4cf7ef4d796fd871fed7131af18b0f74b1ef6a44ac1c

SHA512
1c9d925f585b4ce0a898120e81769802a6f41ffd06664cb77d47ffa8ed9843f5e3ea2f9c9a6ed82b17cfec3c86f288d0b7f0c15b627b0da047d152a5f67c5d66

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\50108514.exe

Filesize
249KB

MD5
f5ee338c3504c811500f3873b8c32759

SHA1
e8664b50e1bdbc30ab35b696d5bbf9f83a943932

SHA256
d8b6fafbd171f40f520d4cf7ef4d796fd871fed7131af18b0f74b1ef6a44ac1c

SHA512
1c9d925f585b4ce0a898120e81769802a6f41ffd06664cb77d47ffa8ed9843f5e3ea2f9c9a6ed82b17cfec3c86f288d0b7f0c15b627b0da047d152a5f67c5d66

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\50108514.exe

Filesize
249KB

MD5
f5ee338c3504c811500f3873b8c32759

SHA1
e8664b50e1bdbc30ab35b696d5bbf9f83a943932

SHA256
d8b6fafbd171f40f520d4cf7ef4d796fd871fed7131af18b0f74b1ef6a44ac1c

SHA512
1c9d925f585b4ce0a898120e81769802a6f41ffd06664cb77d47ffa8ed9843f5e3ea2f9c9a6ed82b17cfec3c86f288d0b7f0c15b627b0da047d152a5f67c5d66

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk570693.exe

Filesize
332KB

MD5
5de00505d47e284ef8c01493c51ff5c6

SHA1
018f143b4cd2c8aaf5c7888a716a15f3b3c19b37

SHA256
f14baa42e44af2776f95b508ecd150415b74bd299fc05798cd7856ae60dee4bc

SHA512
aed23f66185836dea8ce251c3b02d687069a0334a662a26908b83732f109572bcbe16894a0f69f5ee7bd9fd8e1211bfba37d3208d2b59dde124b62baa89480f4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk570693.exe

Filesize
332KB

MD5
5de00505d47e284ef8c01493c51ff5c6

SHA1
018f143b4cd2c8aaf5c7888a716a15f3b3c19b37

SHA256
f14baa42e44af2776f95b508ecd150415b74bd299fc05798cd7856ae60dee4bc

SHA512
aed23f66185836dea8ce251c3b02d687069a0334a662a26908b83732f109572bcbe16894a0f69f5ee7bd9fd8e1211bfba37d3208d2b59dde124b62baa89480f4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk570693.exe

Filesize
332KB

MD5
5de00505d47e284ef8c01493c51ff5c6

SHA1
018f143b4cd2c8aaf5c7888a716a15f3b3c19b37

SHA256
f14baa42e44af2776f95b508ecd150415b74bd299fc05798cd7856ae60dee4bc

SHA512
aed23f66185836dea8ce251c3b02d687069a0334a662a26908b83732f109572bcbe16894a0f69f5ee7bd9fd8e1211bfba37d3208d2b59dde124b62baa89480f4

Download Submit
memory/628-110-0x0000000000400000-0x0000000002B9A000-memory.dmp

Filesize
39.6MB

Download
memory/628-89-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/628-91-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/628-93-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/628-95-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/628-97-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/628-99-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/628-101-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/628-103-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/628-105-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/628-107-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/628-109-0x00000000032E0000-0x0000000003320000-memory.dmp

Filesize
256KB

Download
memory/628-108-0x0000000000260000-0x000000000028D000-memory.dmp

Filesize
180KB

Download
memory/628-87-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/628-111-0x0000000000400000-0x0000000002B9A000-memory.dmp

Filesize
39.6MB

Download
memory/628-85-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/628-83-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/628-81-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/628-80-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/628-79-0x0000000003340000-0x0000000003358000-memory.dmp

Filesize
96KB

Download
memory/628-78-0x0000000003320000-0x000000000333A000-memory.dmp

Filesize
104KB

Download
memory/1820-124-0x00000000002F0000-0x0000000000336000-memory.dmp

Filesize
280KB

Download
memory/1820-139-0x0000000004950000-0x0000000004985000-memory.dmp

Filesize
212KB

Download
memory/1820-122-0x00000000032C0000-0x00000000032FC000-memory.dmp

Filesize
240KB

Download
memory/1820-125-0x00000000049A0000-0x00000000049E0000-memory.dmp

Filesize
256KB

Download
memory/1820-126-0x0000000004950000-0x0000000004985000-memory.dmp

Filesize
212KB

Download
memory/1820-127-0x0000000004950000-0x0000000004985000-memory.dmp

Filesize
212KB

Download
memory/1820-129-0x0000000004950000-0x0000000004985000-memory.dmp

Filesize
212KB

Download
memory/1820-131-0x0000000004950000-0x0000000004985000-memory.dmp

Filesize
212KB

Download
memory/1820-133-0x0000000004950000-0x0000000004985000-memory.dmp

Filesize
212KB

Download
memory/1820-135-0x0000000004950000-0x0000000004985000-memory.dmp

Filesize
212KB

Download
memory/1820-137-0x0000000004950000-0x0000000004985000-memory.dmp

Filesize
212KB

Download
memory/1820-123-0x0000000004950000-0x000000000498A000-memory.dmp

Filesize
232KB

Download
memory/1820-141-0x0000000004950000-0x0000000004985000-memory.dmp

Filesize
212KB

Download
memory/1820-143-0x0000000004950000-0x0000000004985000-memory.dmp

Filesize
212KB

Download
memory/1820-145-0x0000000004950000-0x0000000004985000-memory.dmp

Filesize
212KB

Download
memory/1820-147-0x0000000004950000-0x0000000004985000-memory.dmp

Filesize
212KB

Download
memory/1820-149-0x0000000004950000-0x0000000004985000-memory.dmp

Filesize
212KB

Download
memory/1820-151-0x0000000004950000-0x0000000004985000-memory.dmp

Filesize
212KB

Download
memory/1820-153-0x0000000004950000-0x0000000004985000-memory.dmp

Filesize
212KB

Download
memory/1820-155-0x0000000004950000-0x0000000004985000-memory.dmp

Filesize
212KB

Download
memory/1820-157-0x0000000004950000-0x0000000004985000-memory.dmp

Filesize
212KB

Download
memory/1820-159-0x0000000004950000-0x0000000004985000-memory.dmp

Filesize
212KB

Download
memory/1820-920-0x00000000049A0000-0x00000000049E0000-memory.dmp

Filesize
256KB

Download
memory/1820-923-0x00000000049A0000-0x00000000049E0000-memory.dmp

Filesize
256KB

Download