b10022b08b58c6b61a664f09454b46761c9ed32566e041c68f1770c93d277eae

Analysis

max time kernel
149s
max time network
173s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b10022b08b58c6b61a664f09454b46761c9ed32566e041c68f1770c93d277eae.exe
Size

694KB
MD5

c60c4a001ba4efc0aa692545796f8a6b
SHA1

c9f03196f34962d25fe257fee95b91b4c2d32cc1
SHA256

b10022b08b58c6b61a664f09454b46761c9ed32566e041c68f1770c93d277eae
SHA512

50109304b71eef128ea4e2ae8d03e23e782c060daf7623051336ace713b5054d8300ab4847022dafee65269567cb5ad850bdce02ab358c69eeb98fb243a1cb4e
SSDEEP

12288:Oy905DsvczTwF8wlDUiz9DtLvF2Hjx+cqRaEIA9CEW+Y0gf4ZRr4oG42bF3:OymF/28iBDT2DkcqLjCEC0i4ZRr4R421

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	07477955.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	07477955.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	07477955.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	07477955.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	07477955.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	07477955.exe

Executes dropped EXE 3 IoCs

pid	Process
1368	un930583.exe
984	07477955.exe
780	rk462201.exe

Loads dropped DLL 8 IoCs

pid	Process
1752	b10022b08b58c6b61a664f09454b46761c9ed32566e041c68f1770c93d277eae.exe
1368	un930583.exe
1368	un930583.exe
1368	un930583.exe
984	07477955.exe
1368	un930583.exe
1368	un930583.exe
780	rk462201.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	07477955.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	07477955.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b10022b08b58c6b61a664f09454b46761c9ed32566e041c68f1770c93d277eae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b10022b08b58c6b61a664f09454b46761c9ed32566e041c68f1770c93d277eae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un930583.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un930583.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
984	07477955.exe
984	07477955.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	984	07477955.exe
Token: SeDebugPrivilege	780	rk462201.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 1368	1752	b10022b08b58c6b61a664f09454b46761c9ed32566e041c68f1770c93d277eae.exe	28
PID 1752 wrote to memory of 1368	1752	b10022b08b58c6b61a664f09454b46761c9ed32566e041c68f1770c93d277eae.exe	28
PID 1752 wrote to memory of 1368	1752	b10022b08b58c6b61a664f09454b46761c9ed32566e041c68f1770c93d277eae.exe	28
PID 1752 wrote to memory of 1368	1752	b10022b08b58c6b61a664f09454b46761c9ed32566e041c68f1770c93d277eae.exe	28
PID 1752 wrote to memory of 1368	1752	b10022b08b58c6b61a664f09454b46761c9ed32566e041c68f1770c93d277eae.exe	28
PID 1752 wrote to memory of 1368	1752	b10022b08b58c6b61a664f09454b46761c9ed32566e041c68f1770c93d277eae.exe	28
PID 1752 wrote to memory of 1368	1752	b10022b08b58c6b61a664f09454b46761c9ed32566e041c68f1770c93d277eae.exe	28
PID 1368 wrote to memory of 984	1368	un930583.exe	29
PID 1368 wrote to memory of 984	1368	un930583.exe	29
PID 1368 wrote to memory of 984	1368	un930583.exe	29
PID 1368 wrote to memory of 984	1368	un930583.exe	29
PID 1368 wrote to memory of 984	1368	un930583.exe	29
PID 1368 wrote to memory of 984	1368	un930583.exe	29
PID 1368 wrote to memory of 984	1368	un930583.exe	29
PID 1368 wrote to memory of 780	1368	un930583.exe	30
PID 1368 wrote to memory of 780	1368	un930583.exe	30
PID 1368 wrote to memory of 780	1368	un930583.exe	30
PID 1368 wrote to memory of 780	1368	un930583.exe	30
PID 1368 wrote to memory of 780	1368	un930583.exe	30
PID 1368 wrote to memory of 780	1368	un930583.exe	30
PID 1368 wrote to memory of 780	1368	un930583.exe	30

C:\Users\Admin\AppData\Local\Temp\b10022b08b58c6b61a664f09454b46761c9ed32566e041c68f1770c93d277eae.exe
"C:\Users\Admin\AppData\Local\Temp\b10022b08b58c6b61a664f09454b46761c9ed32566e041c68f1770c93d277eae.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un930583.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un930583.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\07477955.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\07477955.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:984
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk462201.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk462201.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un930583.exe

Filesize
540KB

MD5
3cffb8f6c3980cae0101e1d8a2c6afcc

SHA1
2076ed903cd3644b96112790dd83dac874617615

SHA256
2b698ab8c23c0719f0c2210d55dccb2ff62a97c9fa71029865f99c6eb52a9c71

SHA512
91dc3b9665732ec532720b8292c62f99ed4146318edf8d1a429f0ddcc84c5cdcc52a36f43bfef0b2ce3daada76cad17f5c7d35dc82ed5d2998d1b8058a595f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un930583.exe

Filesize
540KB

MD5
3cffb8f6c3980cae0101e1d8a2c6afcc

SHA1
2076ed903cd3644b96112790dd83dac874617615

SHA256
2b698ab8c23c0719f0c2210d55dccb2ff62a97c9fa71029865f99c6eb52a9c71

SHA512
91dc3b9665732ec532720b8292c62f99ed4146318edf8d1a429f0ddcc84c5cdcc52a36f43bfef0b2ce3daada76cad17f5c7d35dc82ed5d2998d1b8058a595f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\07477955.exe

Filesize
258KB

MD5
1e1457e485c744c5dd87670b455fbf26

SHA1
8adf8f94c3bf2eaa4936b27b5bc1bc032cb32414

SHA256
8d4c82b5d6dd0efbc325ebb2f85b03b973ebcd936dc716fa8fd4c2ac8fdf1e26

SHA512
df7ce2d41db0ff4773013136168b3e3cdaa9040286b8a5118eb45a116b11924d7bdc7366f51416ee2635339c1b6b30f0b6df1d0fe512a731f846e4ff61dabee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\07477955.exe

Filesize
258KB

MD5
1e1457e485c744c5dd87670b455fbf26

SHA1
8adf8f94c3bf2eaa4936b27b5bc1bc032cb32414

SHA256
8d4c82b5d6dd0efbc325ebb2f85b03b973ebcd936dc716fa8fd4c2ac8fdf1e26

SHA512
df7ce2d41db0ff4773013136168b3e3cdaa9040286b8a5118eb45a116b11924d7bdc7366f51416ee2635339c1b6b30f0b6df1d0fe512a731f846e4ff61dabee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\07477955.exe

Filesize
258KB

MD5
1e1457e485c744c5dd87670b455fbf26

SHA1
8adf8f94c3bf2eaa4936b27b5bc1bc032cb32414

SHA256
8d4c82b5d6dd0efbc325ebb2f85b03b973ebcd936dc716fa8fd4c2ac8fdf1e26

SHA512
df7ce2d41db0ff4773013136168b3e3cdaa9040286b8a5118eb45a116b11924d7bdc7366f51416ee2635339c1b6b30f0b6df1d0fe512a731f846e4ff61dabee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk462201.exe

Filesize
341KB

MD5
c86bf5aa6613ead87fc3ddc69445de6d

SHA1
f31f971df8ff70e4a6f02d573fe302b3fd73fbb3

SHA256
05c74c05b42bc775eb69ce955acf3a99a2b82d78f52df01a9f36ce1f0ff5bcd7

SHA512
c9555ca4cf3d541838bb37026ef7f7f4bd7fddb917eb3f64e623298044520b81cb292a4777ab580d12bcdfd927d91dd0bd463707a6a01db6ca221a5c6b2044b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk462201.exe

Filesize
341KB

MD5
c86bf5aa6613ead87fc3ddc69445de6d

SHA1
f31f971df8ff70e4a6f02d573fe302b3fd73fbb3

SHA256
05c74c05b42bc775eb69ce955acf3a99a2b82d78f52df01a9f36ce1f0ff5bcd7

SHA512
c9555ca4cf3d541838bb37026ef7f7f4bd7fddb917eb3f64e623298044520b81cb292a4777ab580d12bcdfd927d91dd0bd463707a6a01db6ca221a5c6b2044b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk462201.exe

Filesize
341KB

MD5
c86bf5aa6613ead87fc3ddc69445de6d

SHA1
f31f971df8ff70e4a6f02d573fe302b3fd73fbb3

SHA256
05c74c05b42bc775eb69ce955acf3a99a2b82d78f52df01a9f36ce1f0ff5bcd7

SHA512
c9555ca4cf3d541838bb37026ef7f7f4bd7fddb917eb3f64e623298044520b81cb292a4777ab580d12bcdfd927d91dd0bd463707a6a01db6ca221a5c6b2044b8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un930583.exe

Filesize
540KB

MD5
3cffb8f6c3980cae0101e1d8a2c6afcc

SHA1
2076ed903cd3644b96112790dd83dac874617615

SHA256
2b698ab8c23c0719f0c2210d55dccb2ff62a97c9fa71029865f99c6eb52a9c71

SHA512
91dc3b9665732ec532720b8292c62f99ed4146318edf8d1a429f0ddcc84c5cdcc52a36f43bfef0b2ce3daada76cad17f5c7d35dc82ed5d2998d1b8058a595f80

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un930583.exe

Filesize
540KB

MD5
3cffb8f6c3980cae0101e1d8a2c6afcc

SHA1
2076ed903cd3644b96112790dd83dac874617615

SHA256
2b698ab8c23c0719f0c2210d55dccb2ff62a97c9fa71029865f99c6eb52a9c71

SHA512
91dc3b9665732ec532720b8292c62f99ed4146318edf8d1a429f0ddcc84c5cdcc52a36f43bfef0b2ce3daada76cad17f5c7d35dc82ed5d2998d1b8058a595f80

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\07477955.exe

Filesize
258KB

MD5
1e1457e485c744c5dd87670b455fbf26

SHA1
8adf8f94c3bf2eaa4936b27b5bc1bc032cb32414

SHA256
8d4c82b5d6dd0efbc325ebb2f85b03b973ebcd936dc716fa8fd4c2ac8fdf1e26

SHA512
df7ce2d41db0ff4773013136168b3e3cdaa9040286b8a5118eb45a116b11924d7bdc7366f51416ee2635339c1b6b30f0b6df1d0fe512a731f846e4ff61dabee4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\07477955.exe

Filesize
258KB

MD5
1e1457e485c744c5dd87670b455fbf26

SHA1
8adf8f94c3bf2eaa4936b27b5bc1bc032cb32414

SHA256
8d4c82b5d6dd0efbc325ebb2f85b03b973ebcd936dc716fa8fd4c2ac8fdf1e26

SHA512
df7ce2d41db0ff4773013136168b3e3cdaa9040286b8a5118eb45a116b11924d7bdc7366f51416ee2635339c1b6b30f0b6df1d0fe512a731f846e4ff61dabee4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\07477955.exe

Filesize
258KB

MD5
1e1457e485c744c5dd87670b455fbf26

SHA1
8adf8f94c3bf2eaa4936b27b5bc1bc032cb32414

SHA256
8d4c82b5d6dd0efbc325ebb2f85b03b973ebcd936dc716fa8fd4c2ac8fdf1e26

SHA512
df7ce2d41db0ff4773013136168b3e3cdaa9040286b8a5118eb45a116b11924d7bdc7366f51416ee2635339c1b6b30f0b6df1d0fe512a731f846e4ff61dabee4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk462201.exe

Filesize
341KB

MD5
c86bf5aa6613ead87fc3ddc69445de6d

SHA1
f31f971df8ff70e4a6f02d573fe302b3fd73fbb3

SHA256
05c74c05b42bc775eb69ce955acf3a99a2b82d78f52df01a9f36ce1f0ff5bcd7

SHA512
c9555ca4cf3d541838bb37026ef7f7f4bd7fddb917eb3f64e623298044520b81cb292a4777ab580d12bcdfd927d91dd0bd463707a6a01db6ca221a5c6b2044b8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk462201.exe

Filesize
341KB

MD5
c86bf5aa6613ead87fc3ddc69445de6d

SHA1
f31f971df8ff70e4a6f02d573fe302b3fd73fbb3

SHA256
05c74c05b42bc775eb69ce955acf3a99a2b82d78f52df01a9f36ce1f0ff5bcd7

SHA512
c9555ca4cf3d541838bb37026ef7f7f4bd7fddb917eb3f64e623298044520b81cb292a4777ab580d12bcdfd927d91dd0bd463707a6a01db6ca221a5c6b2044b8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk462201.exe

Filesize
341KB

MD5
c86bf5aa6613ead87fc3ddc69445de6d

SHA1
f31f971df8ff70e4a6f02d573fe302b3fd73fbb3

SHA256
05c74c05b42bc775eb69ce955acf3a99a2b82d78f52df01a9f36ce1f0ff5bcd7

SHA512
c9555ca4cf3d541838bb37026ef7f7f4bd7fddb917eb3f64e623298044520b81cb292a4777ab580d12bcdfd927d91dd0bd463707a6a01db6ca221a5c6b2044b8

Download Submit
memory/780-150-0x0000000004A60000-0x0000000004A95000-memory.dmp

Filesize
212KB

Download
memory/780-133-0x0000000004A60000-0x0000000004A95000-memory.dmp

Filesize
212KB

Download
memory/780-154-0x0000000004A60000-0x0000000004A95000-memory.dmp

Filesize
212KB

Download
memory/780-152-0x0000000004A60000-0x0000000004A95000-memory.dmp

Filesize
212KB

Download
memory/780-130-0x0000000004A60000-0x0000000004A95000-memory.dmp

Filesize
212KB

Download
memory/780-148-0x0000000004A60000-0x0000000004A95000-memory.dmp

Filesize
212KB

Download
memory/780-146-0x0000000004A60000-0x0000000004A95000-memory.dmp

Filesize
212KB

Download
memory/780-144-0x0000000004A60000-0x0000000004A95000-memory.dmp

Filesize
212KB

Download
memory/780-142-0x0000000004A60000-0x0000000004A95000-memory.dmp

Filesize
212KB

Download
memory/780-140-0x0000000004A60000-0x0000000004A95000-memory.dmp

Filesize
212KB

Download
memory/780-139-0x0000000004D70000-0x0000000004DB0000-memory.dmp

Filesize
256KB

Download
memory/780-137-0x0000000004A60000-0x0000000004A95000-memory.dmp

Filesize
212KB

Download
memory/780-135-0x0000000004A60000-0x0000000004A95000-memory.dmp

Filesize
212KB

Download
memory/780-156-0x0000000004A60000-0x0000000004A95000-memory.dmp

Filesize
212KB

Download
memory/780-131-0x0000000004A60000-0x0000000004A95000-memory.dmp

Filesize
212KB

Download
memory/780-158-0x0000000004A60000-0x0000000004A95000-memory.dmp

Filesize
212KB

Download
memory/780-160-0x0000000004A60000-0x0000000004A95000-memory.dmp

Filesize
212KB

Download
memory/780-923-0x0000000004D70000-0x0000000004DB0000-memory.dmp

Filesize
256KB

Download
memory/780-925-0x0000000004D70000-0x0000000004DB0000-memory.dmp

Filesize
256KB

Download
memory/780-926-0x0000000004D70000-0x0000000004DB0000-memory.dmp

Filesize
256KB

Download
memory/780-928-0x0000000004D70000-0x0000000004DB0000-memory.dmp

Filesize
256KB

Download
memory/780-125-0x0000000002D10000-0x0000000002D4C000-memory.dmp

Filesize
240KB

Download
memory/780-126-0x0000000000270000-0x00000000002B6000-memory.dmp

Filesize
280KB

Download
memory/780-128-0x0000000004A60000-0x0000000004A9A000-memory.dmp

Filesize
232KB

Download
memory/780-127-0x0000000004D70000-0x0000000004DB0000-memory.dmp

Filesize
256KB

Download
memory/780-129-0x0000000004D70000-0x0000000004DB0000-memory.dmp

Filesize
256KB

Download
memory/984-85-0x0000000002E20000-0x0000000002E33000-memory.dmp

Filesize
76KB

Download
memory/984-114-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/984-110-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/984-108-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/984-109-0x00000000074B0000-0x00000000074F0000-memory.dmp

Filesize
256KB

Download
memory/984-107-0x0000000002E20000-0x0000000002E33000-memory.dmp

Filesize
76KB

Download
memory/984-105-0x0000000002E20000-0x0000000002E33000-memory.dmp

Filesize
76KB

Download
memory/984-103-0x0000000002E20000-0x0000000002E33000-memory.dmp

Filesize
76KB

Download
memory/984-101-0x0000000002E20000-0x0000000002E33000-memory.dmp

Filesize
76KB

Download
memory/984-99-0x0000000002E20000-0x0000000002E33000-memory.dmp

Filesize
76KB

Download
memory/984-97-0x0000000002E20000-0x0000000002E33000-memory.dmp

Filesize
76KB

Download
memory/984-95-0x0000000002E20000-0x0000000002E33000-memory.dmp

Filesize
76KB

Download
memory/984-93-0x0000000002E20000-0x0000000002E33000-memory.dmp

Filesize
76KB

Download
memory/984-91-0x0000000002E20000-0x0000000002E33000-memory.dmp

Filesize
76KB

Download
memory/984-89-0x0000000002E20000-0x0000000002E33000-memory.dmp

Filesize
76KB

Download
memory/984-87-0x0000000002E20000-0x0000000002E33000-memory.dmp

Filesize
76KB

Download
memory/984-83-0x0000000002E20000-0x0000000002E33000-memory.dmp

Filesize
76KB

Download
memory/984-81-0x0000000002E20000-0x0000000002E33000-memory.dmp

Filesize
76KB

Download
memory/984-80-0x0000000002E20000-0x0000000002E33000-memory.dmp

Filesize
76KB

Download
memory/984-79-0x0000000002E20000-0x0000000002E38000-memory.dmp

Filesize
96KB

Download
memory/984-78-0x0000000002CB0000-0x0000000002CCA000-memory.dmp

Filesize
104KB

Download