afe5affd301c75794b80fd9a2e329e01c9e87e4ecac2836a1f915093d4fb07f1

Analysis

max time kernel
146s
max time network
146s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 19:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

afe5affd301c75794b80fd9a2e329e01c9e87e4ecac2836a1f915093d4fb07f1.exe
Size

746KB
MD5

adf0037afcb7e3243dc3e18c68c54489
SHA1

ea24d7bf0a601f62531820b930f227912801df8d
SHA256

afe5affd301c75794b80fd9a2e329e01c9e87e4ecac2836a1f915093d4fb07f1
SHA512

7b5ac16735f0f4d5b034a2dced17db05a2c785fb4d33db80ce01dfcbc25914f63a776e0414956a3fccc57c57c2ecc1804ead1a20f81188d13249ae49b771f968
SSDEEP

12288:My90i4wzBRU0OhdseCKj9919TvrdMsHD9dEBtaXeyYnIFkLFAP:MyL4URUtHCe1p1HPcaXRQu

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	41480357.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	41480357.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	41480357.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	41480357.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	41480357.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	41480357.exe

Executes dropped EXE 3 IoCs

pid	Process
936	un400406.exe
580	41480357.exe
912	rk399460.exe

Loads dropped DLL 8 IoCs

pid	Process
1920	afe5affd301c75794b80fd9a2e329e01c9e87e4ecac2836a1f915093d4fb07f1.exe
936	un400406.exe
936	un400406.exe
936	un400406.exe
580	41480357.exe
936	un400406.exe
936	un400406.exe
912	rk399460.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	41480357.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	41480357.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	afe5affd301c75794b80fd9a2e329e01c9e87e4ecac2836a1f915093d4fb07f1.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un400406.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un400406.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	afe5affd301c75794b80fd9a2e329e01c9e87e4ecac2836a1f915093d4fb07f1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
580	41480357.exe
580	41480357.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	580	41480357.exe
Token: SeDebugPrivilege	912	rk399460.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 936	1920	afe5affd301c75794b80fd9a2e329e01c9e87e4ecac2836a1f915093d4fb07f1.exe	28
PID 1920 wrote to memory of 936	1920	afe5affd301c75794b80fd9a2e329e01c9e87e4ecac2836a1f915093d4fb07f1.exe	28
PID 1920 wrote to memory of 936	1920	afe5affd301c75794b80fd9a2e329e01c9e87e4ecac2836a1f915093d4fb07f1.exe	28
PID 1920 wrote to memory of 936	1920	afe5affd301c75794b80fd9a2e329e01c9e87e4ecac2836a1f915093d4fb07f1.exe	28
PID 1920 wrote to memory of 936	1920	afe5affd301c75794b80fd9a2e329e01c9e87e4ecac2836a1f915093d4fb07f1.exe	28
PID 1920 wrote to memory of 936	1920	afe5affd301c75794b80fd9a2e329e01c9e87e4ecac2836a1f915093d4fb07f1.exe	28
PID 1920 wrote to memory of 936	1920	afe5affd301c75794b80fd9a2e329e01c9e87e4ecac2836a1f915093d4fb07f1.exe	28
PID 936 wrote to memory of 580	936	un400406.exe	29
PID 936 wrote to memory of 580	936	un400406.exe	29
PID 936 wrote to memory of 580	936	un400406.exe	29
PID 936 wrote to memory of 580	936	un400406.exe	29
PID 936 wrote to memory of 580	936	un400406.exe	29
PID 936 wrote to memory of 580	936	un400406.exe	29
PID 936 wrote to memory of 580	936	un400406.exe	29
PID 936 wrote to memory of 912	936	un400406.exe	30
PID 936 wrote to memory of 912	936	un400406.exe	30
PID 936 wrote to memory of 912	936	un400406.exe	30
PID 936 wrote to memory of 912	936	un400406.exe	30
PID 936 wrote to memory of 912	936	un400406.exe	30
PID 936 wrote to memory of 912	936	un400406.exe	30
PID 936 wrote to memory of 912	936	un400406.exe	30

C:\Users\Admin\AppData\Local\Temp\afe5affd301c75794b80fd9a2e329e01c9e87e4ecac2836a1f915093d4fb07f1.exe
"C:\Users\Admin\AppData\Local\Temp\afe5affd301c75794b80fd9a2e329e01c9e87e4ecac2836a1f915093d4fb07f1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un400406.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un400406.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\41480357.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\41480357.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:580
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk399460.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk399460.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un400406.exe

Filesize
592KB

MD5
f5a48491f6969fdd7cb022f09408d725

SHA1
b7611fdd1569090a1a206395e158472bacd0ad1a

SHA256
8308678ab7da1221ffc039af8751561d208c335ccf0d571a36c48963fd9abf62

SHA512
717f75b4013b33226625a31505e0d76e42311322b30d3c11a8ff74dc58eae7675e96bd5926eddf4912f5530e17108fc665516525c58c62400bd75afb38fc396c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un400406.exe

Filesize
592KB

MD5
f5a48491f6969fdd7cb022f09408d725

SHA1
b7611fdd1569090a1a206395e158472bacd0ad1a

SHA256
8308678ab7da1221ffc039af8751561d208c335ccf0d571a36c48963fd9abf62

SHA512
717f75b4013b33226625a31505e0d76e42311322b30d3c11a8ff74dc58eae7675e96bd5926eddf4912f5530e17108fc665516525c58c62400bd75afb38fc396c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\41480357.exe

Filesize
376KB

MD5
be710d2ed9a2927f6c72955eade9dee1

SHA1
09efa3ce781e12071aa2b2e269126f47ed19cef1

SHA256
791f35b6f0eb7e0b0b2b33ff7cf9f8e42721438f1a64f0e534287be20b959e17

SHA512
8203df15632bb767c46ce415cdef018c8f80a47d3f8bbe1d62b18e10793c96a2ea62612f45d55a6ab0dae269d016d1268e7597b7c5cf977dc20d43231f6239b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\41480357.exe

Filesize
376KB

MD5
be710d2ed9a2927f6c72955eade9dee1

SHA1
09efa3ce781e12071aa2b2e269126f47ed19cef1

SHA256
791f35b6f0eb7e0b0b2b33ff7cf9f8e42721438f1a64f0e534287be20b959e17

SHA512
8203df15632bb767c46ce415cdef018c8f80a47d3f8bbe1d62b18e10793c96a2ea62612f45d55a6ab0dae269d016d1268e7597b7c5cf977dc20d43231f6239b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\41480357.exe

Filesize
376KB

MD5
be710d2ed9a2927f6c72955eade9dee1

SHA1
09efa3ce781e12071aa2b2e269126f47ed19cef1

SHA256
791f35b6f0eb7e0b0b2b33ff7cf9f8e42721438f1a64f0e534287be20b959e17

SHA512
8203df15632bb767c46ce415cdef018c8f80a47d3f8bbe1d62b18e10793c96a2ea62612f45d55a6ab0dae269d016d1268e7597b7c5cf977dc20d43231f6239b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk399460.exe

Filesize
459KB

MD5
bbf06ca591c540d253232067d70eb17c

SHA1
5a04c7ec2584a0e29e693bcd90ed3e172a9ebffd

SHA256
cb2c14d36ad5d295dd143f206bfd4d95d564fc7c8bb4d2c8d1a7e76531023e88

SHA512
c7e1dfd3e19a7654f1da2b0ccd63075601edfa244379a33da7a597c0e71b52a58e88dc2fa3d6c70784cb4a4293a0a71dced64bae886e58851ab9b5de36208e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk399460.exe

Filesize
459KB

MD5
bbf06ca591c540d253232067d70eb17c

SHA1
5a04c7ec2584a0e29e693bcd90ed3e172a9ebffd

SHA256
cb2c14d36ad5d295dd143f206bfd4d95d564fc7c8bb4d2c8d1a7e76531023e88

SHA512
c7e1dfd3e19a7654f1da2b0ccd63075601edfa244379a33da7a597c0e71b52a58e88dc2fa3d6c70784cb4a4293a0a71dced64bae886e58851ab9b5de36208e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk399460.exe

Filesize
459KB

MD5
bbf06ca591c540d253232067d70eb17c

SHA1
5a04c7ec2584a0e29e693bcd90ed3e172a9ebffd

SHA256
cb2c14d36ad5d295dd143f206bfd4d95d564fc7c8bb4d2c8d1a7e76531023e88

SHA512
c7e1dfd3e19a7654f1da2b0ccd63075601edfa244379a33da7a597c0e71b52a58e88dc2fa3d6c70784cb4a4293a0a71dced64bae886e58851ab9b5de36208e7b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un400406.exe

Filesize
592KB

MD5
f5a48491f6969fdd7cb022f09408d725

SHA1
b7611fdd1569090a1a206395e158472bacd0ad1a

SHA256
8308678ab7da1221ffc039af8751561d208c335ccf0d571a36c48963fd9abf62

SHA512
717f75b4013b33226625a31505e0d76e42311322b30d3c11a8ff74dc58eae7675e96bd5926eddf4912f5530e17108fc665516525c58c62400bd75afb38fc396c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un400406.exe

Filesize
592KB

MD5
f5a48491f6969fdd7cb022f09408d725

SHA1
b7611fdd1569090a1a206395e158472bacd0ad1a

SHA256
8308678ab7da1221ffc039af8751561d208c335ccf0d571a36c48963fd9abf62

SHA512
717f75b4013b33226625a31505e0d76e42311322b30d3c11a8ff74dc58eae7675e96bd5926eddf4912f5530e17108fc665516525c58c62400bd75afb38fc396c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\41480357.exe

Filesize
376KB

MD5
be710d2ed9a2927f6c72955eade9dee1

SHA1
09efa3ce781e12071aa2b2e269126f47ed19cef1

SHA256
791f35b6f0eb7e0b0b2b33ff7cf9f8e42721438f1a64f0e534287be20b959e17

SHA512
8203df15632bb767c46ce415cdef018c8f80a47d3f8bbe1d62b18e10793c96a2ea62612f45d55a6ab0dae269d016d1268e7597b7c5cf977dc20d43231f6239b8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\41480357.exe

Filesize
376KB

MD5
be710d2ed9a2927f6c72955eade9dee1

SHA1
09efa3ce781e12071aa2b2e269126f47ed19cef1

SHA256
791f35b6f0eb7e0b0b2b33ff7cf9f8e42721438f1a64f0e534287be20b959e17

SHA512
8203df15632bb767c46ce415cdef018c8f80a47d3f8bbe1d62b18e10793c96a2ea62612f45d55a6ab0dae269d016d1268e7597b7c5cf977dc20d43231f6239b8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\41480357.exe

Filesize
376KB

MD5
be710d2ed9a2927f6c72955eade9dee1

SHA1
09efa3ce781e12071aa2b2e269126f47ed19cef1

SHA256
791f35b6f0eb7e0b0b2b33ff7cf9f8e42721438f1a64f0e534287be20b959e17

SHA512
8203df15632bb767c46ce415cdef018c8f80a47d3f8bbe1d62b18e10793c96a2ea62612f45d55a6ab0dae269d016d1268e7597b7c5cf977dc20d43231f6239b8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk399460.exe

Filesize
459KB

MD5
bbf06ca591c540d253232067d70eb17c

SHA1
5a04c7ec2584a0e29e693bcd90ed3e172a9ebffd

SHA256
cb2c14d36ad5d295dd143f206bfd4d95d564fc7c8bb4d2c8d1a7e76531023e88

SHA512
c7e1dfd3e19a7654f1da2b0ccd63075601edfa244379a33da7a597c0e71b52a58e88dc2fa3d6c70784cb4a4293a0a71dced64bae886e58851ab9b5de36208e7b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk399460.exe

Filesize
459KB

MD5
bbf06ca591c540d253232067d70eb17c

SHA1
5a04c7ec2584a0e29e693bcd90ed3e172a9ebffd

SHA256
cb2c14d36ad5d295dd143f206bfd4d95d564fc7c8bb4d2c8d1a7e76531023e88

SHA512
c7e1dfd3e19a7654f1da2b0ccd63075601edfa244379a33da7a597c0e71b52a58e88dc2fa3d6c70784cb4a4293a0a71dced64bae886e58851ab9b5de36208e7b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk399460.exe

Filesize
459KB

MD5
bbf06ca591c540d253232067d70eb17c

SHA1
5a04c7ec2584a0e29e693bcd90ed3e172a9ebffd

SHA256
cb2c14d36ad5d295dd143f206bfd4d95d564fc7c8bb4d2c8d1a7e76531023e88

SHA512
c7e1dfd3e19a7654f1da2b0ccd63075601edfa244379a33da7a597c0e71b52a58e88dc2fa3d6c70784cb4a4293a0a71dced64bae886e58851ab9b5de36208e7b

Download Submit
memory/580-87-0x0000000000E10000-0x0000000000E22000-memory.dmp

Filesize
72KB

Download
memory/580-89-0x0000000000E10000-0x0000000000E22000-memory.dmp

Filesize
72KB

Download
memory/580-91-0x0000000000E10000-0x0000000000E22000-memory.dmp

Filesize
72KB

Download
memory/580-93-0x0000000000E10000-0x0000000000E22000-memory.dmp

Filesize
72KB

Download
memory/580-95-0x0000000000E10000-0x0000000000E22000-memory.dmp

Filesize
72KB

Download
memory/580-97-0x0000000000E10000-0x0000000000E22000-memory.dmp

Filesize
72KB

Download
memory/580-99-0x0000000000E10000-0x0000000000E22000-memory.dmp

Filesize
72KB

Download
memory/580-101-0x0000000000E10000-0x0000000000E22000-memory.dmp

Filesize
72KB

Download
memory/580-103-0x0000000000E10000-0x0000000000E22000-memory.dmp

Filesize
72KB

Download
memory/580-105-0x0000000000E10000-0x0000000000E22000-memory.dmp

Filesize
72KB

Download
memory/580-107-0x0000000000E10000-0x0000000000E22000-memory.dmp

Filesize
72KB

Download
memory/580-109-0x0000000000E40000-0x0000000000E80000-memory.dmp

Filesize
256KB

Download
memory/580-110-0x0000000000E40000-0x0000000000E80000-memory.dmp

Filesize
256KB

Download
memory/580-108-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/580-111-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/580-112-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/580-85-0x0000000000E10000-0x0000000000E22000-memory.dmp

Filesize
72KB

Download
memory/580-83-0x0000000000E10000-0x0000000000E22000-memory.dmp

Filesize
72KB

Download
memory/580-81-0x0000000000E10000-0x0000000000E22000-memory.dmp

Filesize
72KB

Download
memory/580-80-0x0000000000E10000-0x0000000000E22000-memory.dmp

Filesize
72KB

Download
memory/580-79-0x0000000000E10000-0x0000000000E28000-memory.dmp

Filesize
96KB

Download
memory/580-78-0x0000000000D40000-0x0000000000D5A000-memory.dmp

Filesize
104KB

Download
memory/912-126-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/912-145-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/912-125-0x0000000002560000-0x000000000259A000-memory.dmp

Filesize
232KB

Download
memory/912-124-0x0000000000C10000-0x0000000000C4C000-memory.dmp

Filesize
240KB

Download
memory/912-127-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/912-129-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/912-135-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/912-133-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/912-131-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/912-137-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/912-139-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/912-141-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/912-143-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/912-123-0x0000000000280000-0x00000000002C6000-memory.dmp

Filesize
280KB

Download
memory/912-147-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/912-149-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/912-151-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/912-153-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/912-157-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/912-155-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/912-159-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/912-918-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download
memory/912-920-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download
memory/912-919-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download
memory/912-922-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download
memory/912-923-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download
memory/912-924-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download