b679418ae771b1052717ff2abed4836bd1c1ff20a3396697304e508c85c9f4f8

Analysis

max time kernel
151s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b679418ae771b1052717ff2abed4836bd1c1ff20a3396697304e508c85c9f4f8.exe
Size

690KB
MD5

f3d76114bb3d37f07092c2065af67b9e
SHA1

8bfe88e9f2a49d883b43b62930bd64fd7291eec0
SHA256

b679418ae771b1052717ff2abed4836bd1c1ff20a3396697304e508c85c9f4f8
SHA512

4cd3f7e315d677390d35dd2fe9da721db87853abbd0a911d97070519eb9b285b72ff622da27b4ec939b4b6bfd059546c3dd2ea8d156f0ec6230ad5415cf32211
SSDEEP

12288:2y90MFhE0jMyvXQHOUaYGw4r3DExQByzZIJbQBXaq41EMbrLyrNb6RfTYCWygxx:2yPBMEQbay4bDEhzZqgaQMb3yrNb6RTm

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	47738677.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	47738677.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	47738677.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	47738677.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	47738677.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	47738677.exe

Executes dropped EXE 3 IoCs

pid	Process
1956	un303104.exe
296	47738677.exe
1080	rk667911.exe

Loads dropped DLL 8 IoCs

pid	Process
2004	b679418ae771b1052717ff2abed4836bd1c1ff20a3396697304e508c85c9f4f8.exe
1956	un303104.exe
1956	un303104.exe
1956	un303104.exe
296	47738677.exe
1956	un303104.exe
1956	un303104.exe
1080	rk667911.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	47738677.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	47738677.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un303104.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un303104.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b679418ae771b1052717ff2abed4836bd1c1ff20a3396697304e508c85c9f4f8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b679418ae771b1052717ff2abed4836bd1c1ff20a3396697304e508c85c9f4f8.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
296	47738677.exe
296	47738677.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	296	47738677.exe
Token: SeDebugPrivilege	1080	rk667911.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1956	2004	b679418ae771b1052717ff2abed4836bd1c1ff20a3396697304e508c85c9f4f8.exe	28
PID 2004 wrote to memory of 1956	2004	b679418ae771b1052717ff2abed4836bd1c1ff20a3396697304e508c85c9f4f8.exe	28
PID 2004 wrote to memory of 1956	2004	b679418ae771b1052717ff2abed4836bd1c1ff20a3396697304e508c85c9f4f8.exe	28
PID 2004 wrote to memory of 1956	2004	b679418ae771b1052717ff2abed4836bd1c1ff20a3396697304e508c85c9f4f8.exe	28
PID 2004 wrote to memory of 1956	2004	b679418ae771b1052717ff2abed4836bd1c1ff20a3396697304e508c85c9f4f8.exe	28
PID 2004 wrote to memory of 1956	2004	b679418ae771b1052717ff2abed4836bd1c1ff20a3396697304e508c85c9f4f8.exe	28
PID 2004 wrote to memory of 1956	2004	b679418ae771b1052717ff2abed4836bd1c1ff20a3396697304e508c85c9f4f8.exe	28
PID 1956 wrote to memory of 296	1956	un303104.exe	29
PID 1956 wrote to memory of 296	1956	un303104.exe	29
PID 1956 wrote to memory of 296	1956	un303104.exe	29
PID 1956 wrote to memory of 296	1956	un303104.exe	29
PID 1956 wrote to memory of 296	1956	un303104.exe	29
PID 1956 wrote to memory of 296	1956	un303104.exe	29
PID 1956 wrote to memory of 296	1956	un303104.exe	29
PID 1956 wrote to memory of 1080	1956	un303104.exe	30
PID 1956 wrote to memory of 1080	1956	un303104.exe	30
PID 1956 wrote to memory of 1080	1956	un303104.exe	30
PID 1956 wrote to memory of 1080	1956	un303104.exe	30
PID 1956 wrote to memory of 1080	1956	un303104.exe	30
PID 1956 wrote to memory of 1080	1956	un303104.exe	30
PID 1956 wrote to memory of 1080	1956	un303104.exe	30

C:\Users\Admin\AppData\Local\Temp\b679418ae771b1052717ff2abed4836bd1c1ff20a3396697304e508c85c9f4f8.exe
"C:\Users\Admin\AppData\Local\Temp\b679418ae771b1052717ff2abed4836bd1c1ff20a3396697304e508c85c9f4f8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un303104.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un303104.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47738677.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47738677.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:296
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk667911.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk667911.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un303104.exe

Filesize
536KB

MD5
d67b01a4f6a9f71498dea3f4cb75af96

SHA1
aca861f0945ff570a36266c8a273c4d2e2cdc7be

SHA256
686bc71c4f6934ef3e485d4b159ecb219188e001fdd49b2799845b23ed762d8b

SHA512
0436fd680fd39549a8ee0341a6aee7a1adca382a6596978421bab10d1131996e04a8b2c4858cab353b8407974ffaefceb344e98d36cdc1a7ab823d572253da15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un303104.exe

Filesize
536KB

MD5
d67b01a4f6a9f71498dea3f4cb75af96

SHA1
aca861f0945ff570a36266c8a273c4d2e2cdc7be

SHA256
686bc71c4f6934ef3e485d4b159ecb219188e001fdd49b2799845b23ed762d8b

SHA512
0436fd680fd39549a8ee0341a6aee7a1adca382a6596978421bab10d1131996e04a8b2c4858cab353b8407974ffaefceb344e98d36cdc1a7ab823d572253da15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47738677.exe

Filesize
259KB

MD5
a6b1b652fa34cd189d4703f3f45287ac

SHA1
1face5536f7834054e0d79a276d1e24e95fba4fd

SHA256
3c7da38d33869080b83fdf5a49edbfd031034da8848242c8b8dfd0dcdf3ff910

SHA512
4e326c4531abffbfaa32e8686579246fd07bef1faa253ea29d18f85d932745c94a7e03e0acfb523cb018f74bf23a6e93d3696b82e7203e1eac5383b42caa25e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47738677.exe

Filesize
259KB

MD5
a6b1b652fa34cd189d4703f3f45287ac

SHA1
1face5536f7834054e0d79a276d1e24e95fba4fd

SHA256
3c7da38d33869080b83fdf5a49edbfd031034da8848242c8b8dfd0dcdf3ff910

SHA512
4e326c4531abffbfaa32e8686579246fd07bef1faa253ea29d18f85d932745c94a7e03e0acfb523cb018f74bf23a6e93d3696b82e7203e1eac5383b42caa25e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47738677.exe

Filesize
259KB

MD5
a6b1b652fa34cd189d4703f3f45287ac

SHA1
1face5536f7834054e0d79a276d1e24e95fba4fd

SHA256
3c7da38d33869080b83fdf5a49edbfd031034da8848242c8b8dfd0dcdf3ff910

SHA512
4e326c4531abffbfaa32e8686579246fd07bef1faa253ea29d18f85d932745c94a7e03e0acfb523cb018f74bf23a6e93d3696b82e7203e1eac5383b42caa25e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk667911.exe

Filesize
341KB

MD5
76331c95647aefe4de939f6c7fc1de13

SHA1
5496a07d4c48414c8f0c3d9256967178f0f0a203

SHA256
f858f6e16f3ef0caf2102404e02f0573809b0385fe13fd903bd54de3cbd03022

SHA512
0012bd11c847a84466e09cff190c380fe22fafc09333223ec976a355f931192acac00e80fe01995679bc87346202d6efcfd4b130b2ac7517649e8502fc0fe506

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk667911.exe

Filesize
341KB

MD5
76331c95647aefe4de939f6c7fc1de13

SHA1
5496a07d4c48414c8f0c3d9256967178f0f0a203

SHA256
f858f6e16f3ef0caf2102404e02f0573809b0385fe13fd903bd54de3cbd03022

SHA512
0012bd11c847a84466e09cff190c380fe22fafc09333223ec976a355f931192acac00e80fe01995679bc87346202d6efcfd4b130b2ac7517649e8502fc0fe506

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk667911.exe

Filesize
341KB

MD5
76331c95647aefe4de939f6c7fc1de13

SHA1
5496a07d4c48414c8f0c3d9256967178f0f0a203

SHA256
f858f6e16f3ef0caf2102404e02f0573809b0385fe13fd903bd54de3cbd03022

SHA512
0012bd11c847a84466e09cff190c380fe22fafc09333223ec976a355f931192acac00e80fe01995679bc87346202d6efcfd4b130b2ac7517649e8502fc0fe506

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un303104.exe

Filesize
536KB

MD5
d67b01a4f6a9f71498dea3f4cb75af96

SHA1
aca861f0945ff570a36266c8a273c4d2e2cdc7be

SHA256
686bc71c4f6934ef3e485d4b159ecb219188e001fdd49b2799845b23ed762d8b

SHA512
0436fd680fd39549a8ee0341a6aee7a1adca382a6596978421bab10d1131996e04a8b2c4858cab353b8407974ffaefceb344e98d36cdc1a7ab823d572253da15

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un303104.exe

Filesize
536KB

MD5
d67b01a4f6a9f71498dea3f4cb75af96

SHA1
aca861f0945ff570a36266c8a273c4d2e2cdc7be

SHA256
686bc71c4f6934ef3e485d4b159ecb219188e001fdd49b2799845b23ed762d8b

SHA512
0436fd680fd39549a8ee0341a6aee7a1adca382a6596978421bab10d1131996e04a8b2c4858cab353b8407974ffaefceb344e98d36cdc1a7ab823d572253da15

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\47738677.exe

Filesize
259KB

MD5
a6b1b652fa34cd189d4703f3f45287ac

SHA1
1face5536f7834054e0d79a276d1e24e95fba4fd

SHA256
3c7da38d33869080b83fdf5a49edbfd031034da8848242c8b8dfd0dcdf3ff910

SHA512
4e326c4531abffbfaa32e8686579246fd07bef1faa253ea29d18f85d932745c94a7e03e0acfb523cb018f74bf23a6e93d3696b82e7203e1eac5383b42caa25e8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\47738677.exe

Filesize
259KB

MD5
a6b1b652fa34cd189d4703f3f45287ac

SHA1
1face5536f7834054e0d79a276d1e24e95fba4fd

SHA256
3c7da38d33869080b83fdf5a49edbfd031034da8848242c8b8dfd0dcdf3ff910

SHA512
4e326c4531abffbfaa32e8686579246fd07bef1faa253ea29d18f85d932745c94a7e03e0acfb523cb018f74bf23a6e93d3696b82e7203e1eac5383b42caa25e8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\47738677.exe

Filesize
259KB

MD5
a6b1b652fa34cd189d4703f3f45287ac

SHA1
1face5536f7834054e0d79a276d1e24e95fba4fd

SHA256
3c7da38d33869080b83fdf5a49edbfd031034da8848242c8b8dfd0dcdf3ff910

SHA512
4e326c4531abffbfaa32e8686579246fd07bef1faa253ea29d18f85d932745c94a7e03e0acfb523cb018f74bf23a6e93d3696b82e7203e1eac5383b42caa25e8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk667911.exe

Filesize
341KB

MD5
76331c95647aefe4de939f6c7fc1de13

SHA1
5496a07d4c48414c8f0c3d9256967178f0f0a203

SHA256
f858f6e16f3ef0caf2102404e02f0573809b0385fe13fd903bd54de3cbd03022

SHA512
0012bd11c847a84466e09cff190c380fe22fafc09333223ec976a355f931192acac00e80fe01995679bc87346202d6efcfd4b130b2ac7517649e8502fc0fe506

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk667911.exe

Filesize
341KB

MD5
76331c95647aefe4de939f6c7fc1de13

SHA1
5496a07d4c48414c8f0c3d9256967178f0f0a203

SHA256
f858f6e16f3ef0caf2102404e02f0573809b0385fe13fd903bd54de3cbd03022

SHA512
0012bd11c847a84466e09cff190c380fe22fafc09333223ec976a355f931192acac00e80fe01995679bc87346202d6efcfd4b130b2ac7517649e8502fc0fe506

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk667911.exe

Filesize
341KB

MD5
76331c95647aefe4de939f6c7fc1de13

SHA1
5496a07d4c48414c8f0c3d9256967178f0f0a203

SHA256
f858f6e16f3ef0caf2102404e02f0573809b0385fe13fd903bd54de3cbd03022

SHA512
0012bd11c847a84466e09cff190c380fe22fafc09333223ec976a355f931192acac00e80fe01995679bc87346202d6efcfd4b130b2ac7517649e8502fc0fe506

Download Submit
memory/296-113-0x0000000004A50000-0x0000000004A90000-memory.dmp

Filesize
256KB

Download
memory/296-89-0x0000000001FC0000-0x0000000001FD3000-memory.dmp

Filesize
76KB

Download
memory/296-91-0x0000000001FC0000-0x0000000001FD3000-memory.dmp

Filesize
76KB

Download
memory/296-93-0x0000000001FC0000-0x0000000001FD3000-memory.dmp

Filesize
76KB

Download
memory/296-95-0x0000000001FC0000-0x0000000001FD3000-memory.dmp

Filesize
76KB

Download
memory/296-97-0x0000000001FC0000-0x0000000001FD3000-memory.dmp

Filesize
76KB

Download
memory/296-99-0x0000000001FC0000-0x0000000001FD3000-memory.dmp

Filesize
76KB

Download
memory/296-101-0x0000000001FC0000-0x0000000001FD3000-memory.dmp

Filesize
76KB

Download
memory/296-103-0x0000000001FC0000-0x0000000001FD3000-memory.dmp

Filesize
76KB

Download
memory/296-105-0x0000000001FC0000-0x0000000001FD3000-memory.dmp

Filesize
76KB

Download
memory/296-107-0x0000000001FC0000-0x0000000001FD3000-memory.dmp

Filesize
76KB

Download
memory/296-110-0x0000000004A50000-0x0000000004A90000-memory.dmp

Filesize
256KB

Download
memory/296-109-0x0000000004A50000-0x0000000004A90000-memory.dmp

Filesize
256KB

Download
memory/296-108-0x00000000002A0000-0x00000000002CD000-memory.dmp

Filesize
180KB

Download
memory/296-111-0x0000000004A50000-0x0000000004A90000-memory.dmp

Filesize
256KB

Download
memory/296-112-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/296-87-0x0000000001FC0000-0x0000000001FD3000-memory.dmp

Filesize
76KB

Download
memory/296-115-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/296-85-0x0000000001FC0000-0x0000000001FD3000-memory.dmp

Filesize
76KB

Download
memory/296-83-0x0000000001FC0000-0x0000000001FD3000-memory.dmp

Filesize
76KB

Download
memory/296-81-0x0000000001FC0000-0x0000000001FD3000-memory.dmp

Filesize
76KB

Download
memory/296-80-0x0000000001FC0000-0x0000000001FD3000-memory.dmp

Filesize
76KB

Download
memory/296-79-0x0000000001FC0000-0x0000000001FD8000-memory.dmp

Filesize
96KB

Download
memory/296-78-0x0000000001EB0000-0x0000000001ECA000-memory.dmp

Filesize
104KB

Download
memory/1080-127-0x0000000002330000-0x000000000236A000-memory.dmp

Filesize
232KB

Download
memory/1080-149-0x0000000002330000-0x0000000002365000-memory.dmp

Filesize
212KB

Download
memory/1080-128-0x0000000002330000-0x0000000002365000-memory.dmp

Filesize
212KB

Download
memory/1080-129-0x0000000002330000-0x0000000002365000-memory.dmp

Filesize
212KB

Download
memory/1080-131-0x0000000002330000-0x0000000002365000-memory.dmp

Filesize
212KB

Download
memory/1080-133-0x0000000002330000-0x0000000002365000-memory.dmp

Filesize
212KB

Download
memory/1080-135-0x0000000002330000-0x0000000002365000-memory.dmp

Filesize
212KB

Download
memory/1080-137-0x0000000002330000-0x0000000002365000-memory.dmp

Filesize
212KB

Download
memory/1080-139-0x0000000002330000-0x0000000002365000-memory.dmp

Filesize
212KB

Download
memory/1080-141-0x0000000002330000-0x0000000002365000-memory.dmp

Filesize
212KB

Download
memory/1080-143-0x0000000002330000-0x0000000002365000-memory.dmp

Filesize
212KB

Download
memory/1080-145-0x0000000002330000-0x0000000002365000-memory.dmp

Filesize
212KB

Download
memory/1080-147-0x0000000002330000-0x0000000002365000-memory.dmp

Filesize
212KB

Download
memory/1080-126-0x0000000000AF0000-0x0000000000B2C000-memory.dmp

Filesize
240KB

Download
memory/1080-151-0x0000000002330000-0x0000000002365000-memory.dmp

Filesize
212KB

Download
memory/1080-153-0x0000000002330000-0x0000000002365000-memory.dmp

Filesize
212KB

Download
memory/1080-155-0x0000000002330000-0x0000000002365000-memory.dmp

Filesize
212KB

Download
memory/1080-157-0x0000000002330000-0x0000000002365000-memory.dmp

Filesize
212KB

Download
memory/1080-159-0x0000000002330000-0x0000000002365000-memory.dmp

Filesize
212KB

Download
memory/1080-235-0x00000000002D0000-0x0000000000316000-memory.dmp

Filesize
280KB

Download
memory/1080-237-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/1080-239-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/1080-241-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/1080-924-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/1080-926-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/1080-928-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download