e7b83919b7a4b9b57ecdc38a3b79c0022aa7c60cd270e2b0c57e1eeddb49796e

Analysis

max time kernel
145s
max time network
143s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7b83919b7a4b9b57ecdc38a3b79c0022aa7c60cd270e2b0c57e1eeddb49796e.exe
Size

612KB
MD5

a8d3d81789d1e650804aac303b3dff34
SHA1

4276cf621c752618a4a9710181b1e5f89ca628eb
SHA256

e7b83919b7a4b9b57ecdc38a3b79c0022aa7c60cd270e2b0c57e1eeddb49796e
SHA512

f93031e1025f1e0685a7e93e4e848033ffdfb25b94b27d99acac4860e106b398a25f93e2d26bcf636c6773663dd170384be16e290e2ebb69c8836a175926aff1
SSDEEP

12288:Vy90DVk9qi2NzoRcdBEnw2yjFwq2jELg550Rr:VyaVk9qi2NMRcYxyjC2LQi1

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	17534350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	17534350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	17534350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	17534350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	17534350.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	17534350.exe

Executes dropped EXE 3 IoCs

pid	Process
924	st659731.exe
1496	17534350.exe
900	kp584470.exe

Loads dropped DLL 6 IoCs

pid	Process
1384	e7b83919b7a4b9b57ecdc38a3b79c0022aa7c60cd270e2b0c57e1eeddb49796e.exe
924	st659731.exe
924	st659731.exe
924	st659731.exe
924	st659731.exe
900	kp584470.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	17534350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	17534350.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	st659731.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st659731.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e7b83919b7a4b9b57ecdc38a3b79c0022aa7c60cd270e2b0c57e1eeddb49796e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e7b83919b7a4b9b57ecdc38a3b79c0022aa7c60cd270e2b0c57e1eeddb49796e.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1496	17534350.exe
1496	17534350.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1496	17534350.exe
Token: SeDebugPrivilege	900	kp584470.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 924	1384	e7b83919b7a4b9b57ecdc38a3b79c0022aa7c60cd270e2b0c57e1eeddb49796e.exe	28
PID 1384 wrote to memory of 924	1384	e7b83919b7a4b9b57ecdc38a3b79c0022aa7c60cd270e2b0c57e1eeddb49796e.exe	28
PID 1384 wrote to memory of 924	1384	e7b83919b7a4b9b57ecdc38a3b79c0022aa7c60cd270e2b0c57e1eeddb49796e.exe	28
PID 1384 wrote to memory of 924	1384	e7b83919b7a4b9b57ecdc38a3b79c0022aa7c60cd270e2b0c57e1eeddb49796e.exe	28
PID 1384 wrote to memory of 924	1384	e7b83919b7a4b9b57ecdc38a3b79c0022aa7c60cd270e2b0c57e1eeddb49796e.exe	28
PID 1384 wrote to memory of 924	1384	e7b83919b7a4b9b57ecdc38a3b79c0022aa7c60cd270e2b0c57e1eeddb49796e.exe	28
PID 1384 wrote to memory of 924	1384	e7b83919b7a4b9b57ecdc38a3b79c0022aa7c60cd270e2b0c57e1eeddb49796e.exe	28
PID 924 wrote to memory of 1496	924	st659731.exe	29
PID 924 wrote to memory of 1496	924	st659731.exe	29
PID 924 wrote to memory of 1496	924	st659731.exe	29
PID 924 wrote to memory of 1496	924	st659731.exe	29
PID 924 wrote to memory of 1496	924	st659731.exe	29
PID 924 wrote to memory of 1496	924	st659731.exe	29
PID 924 wrote to memory of 1496	924	st659731.exe	29
PID 924 wrote to memory of 900	924	st659731.exe	30
PID 924 wrote to memory of 900	924	st659731.exe	30
PID 924 wrote to memory of 900	924	st659731.exe	30
PID 924 wrote to memory of 900	924	st659731.exe	30
PID 924 wrote to memory of 900	924	st659731.exe	30
PID 924 wrote to memory of 900	924	st659731.exe	30
PID 924 wrote to memory of 900	924	st659731.exe	30

C:\Users\Admin\AppData\Local\Temp\e7b83919b7a4b9b57ecdc38a3b79c0022aa7c60cd270e2b0c57e1eeddb49796e.exe
"C:\Users\Admin\AppData\Local\Temp\e7b83919b7a4b9b57ecdc38a3b79c0022aa7c60cd270e2b0c57e1eeddb49796e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st659731.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st659731.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\17534350.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\17534350.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1496
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp584470.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp584470.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st659731.exe

Filesize
458KB

MD5
41148b723e735c9105ac97c518b9b55e

SHA1
33877fe6bf4c650cf640d2c664feff2d554c439d

SHA256
f5dcb28be9ed5999dc058fad517ce4d57f0fe352e530465e242e1a2a07502aa4

SHA512
e340d9566272d69e1bee9879c3eaf835dc10405230f53e3866bd4f7d9615e57dcb4076a190ff37c9bc6376d069311f64108af2df7755a335ce827c058d4b4091

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st659731.exe

Filesize
458KB

MD5
41148b723e735c9105ac97c518b9b55e

SHA1
33877fe6bf4c650cf640d2c664feff2d554c439d

SHA256
f5dcb28be9ed5999dc058fad517ce4d57f0fe352e530465e242e1a2a07502aa4

SHA512
e340d9566272d69e1bee9879c3eaf835dc10405230f53e3866bd4f7d9615e57dcb4076a190ff37c9bc6376d069311f64108af2df7755a335ce827c058d4b4091

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\17534350.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\17534350.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp584470.exe

Filesize
459KB

MD5
3b98b0ea168a6300618f8dedef6a7b16

SHA1
82446468d9ce7820de388a1b222aa0d96083dfe5

SHA256
decac5d17ca93855205781b9719c841e23028a0d663ac2b5ee47521f1c1b8d91

SHA512
8f60bf68e4528c4b0bf0a275fc827ad0111dbf6fcec5185b9e4639af3e2813314c985354b34314cf9d2531b7e962b24bb76ec16fe21c32150b1be08093579fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp584470.exe

Filesize
459KB

MD5
3b98b0ea168a6300618f8dedef6a7b16

SHA1
82446468d9ce7820de388a1b222aa0d96083dfe5

SHA256
decac5d17ca93855205781b9719c841e23028a0d663ac2b5ee47521f1c1b8d91

SHA512
8f60bf68e4528c4b0bf0a275fc827ad0111dbf6fcec5185b9e4639af3e2813314c985354b34314cf9d2531b7e962b24bb76ec16fe21c32150b1be08093579fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp584470.exe

Filesize
459KB

MD5
3b98b0ea168a6300618f8dedef6a7b16

SHA1
82446468d9ce7820de388a1b222aa0d96083dfe5

SHA256
decac5d17ca93855205781b9719c841e23028a0d663ac2b5ee47521f1c1b8d91

SHA512
8f60bf68e4528c4b0bf0a275fc827ad0111dbf6fcec5185b9e4639af3e2813314c985354b34314cf9d2531b7e962b24bb76ec16fe21c32150b1be08093579fb8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st659731.exe

Filesize
458KB

MD5
41148b723e735c9105ac97c518b9b55e

SHA1
33877fe6bf4c650cf640d2c664feff2d554c439d

SHA256
f5dcb28be9ed5999dc058fad517ce4d57f0fe352e530465e242e1a2a07502aa4

SHA512
e340d9566272d69e1bee9879c3eaf835dc10405230f53e3866bd4f7d9615e57dcb4076a190ff37c9bc6376d069311f64108af2df7755a335ce827c058d4b4091

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st659731.exe

Filesize
458KB

MD5
41148b723e735c9105ac97c518b9b55e

SHA1
33877fe6bf4c650cf640d2c664feff2d554c439d

SHA256
f5dcb28be9ed5999dc058fad517ce4d57f0fe352e530465e242e1a2a07502aa4

SHA512
e340d9566272d69e1bee9879c3eaf835dc10405230f53e3866bd4f7d9615e57dcb4076a190ff37c9bc6376d069311f64108af2df7755a335ce827c058d4b4091

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\17534350.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp584470.exe

Filesize
459KB

MD5
3b98b0ea168a6300618f8dedef6a7b16

SHA1
82446468d9ce7820de388a1b222aa0d96083dfe5

SHA256
decac5d17ca93855205781b9719c841e23028a0d663ac2b5ee47521f1c1b8d91

SHA512
8f60bf68e4528c4b0bf0a275fc827ad0111dbf6fcec5185b9e4639af3e2813314c985354b34314cf9d2531b7e962b24bb76ec16fe21c32150b1be08093579fb8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp584470.exe

Filesize
459KB

MD5
3b98b0ea168a6300618f8dedef6a7b16

SHA1
82446468d9ce7820de388a1b222aa0d96083dfe5

SHA256
decac5d17ca93855205781b9719c841e23028a0d663ac2b5ee47521f1c1b8d91

SHA512
8f60bf68e4528c4b0bf0a275fc827ad0111dbf6fcec5185b9e4639af3e2813314c985354b34314cf9d2531b7e962b24bb76ec16fe21c32150b1be08093579fb8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp584470.exe

Filesize
459KB

MD5
3b98b0ea168a6300618f8dedef6a7b16

SHA1
82446468d9ce7820de388a1b222aa0d96083dfe5

SHA256
decac5d17ca93855205781b9719c841e23028a0d663ac2b5ee47521f1c1b8d91

SHA512
8f60bf68e4528c4b0bf0a275fc827ad0111dbf6fcec5185b9e4639af3e2813314c985354b34314cf9d2531b7e962b24bb76ec16fe21c32150b1be08093579fb8

Download Submit
memory/900-104-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-120-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-84-0x0000000004D30000-0x0000000004D6A000-memory.dmp

Filesize
232KB

Download
memory/900-85-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-86-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-88-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-90-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-92-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-94-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-96-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-98-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-100-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-102-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-883-0x0000000004DC0000-0x0000000004E00000-memory.dmp

Filesize
256KB

Download
memory/900-106-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-108-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-110-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-112-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-114-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-116-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-118-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-83-0x0000000004CF0000-0x0000000004D2C000-memory.dmp

Filesize
240KB

Download
memory/900-122-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-124-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-126-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-128-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-130-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-132-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-134-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-136-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-138-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-140-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-142-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-144-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-146-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-148-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/900-510-0x00000000003A0000-0x00000000003E6000-memory.dmp

Filesize
280KB

Download
memory/900-512-0x0000000004DC0000-0x0000000004E00000-memory.dmp

Filesize
256KB

Download
memory/900-514-0x0000000004DC0000-0x0000000004E00000-memory.dmp

Filesize
256KB

Download
memory/900-880-0x0000000004DC0000-0x0000000004E00000-memory.dmp

Filesize
256KB

Download
memory/1496-72-0x0000000001020000-0x000000000102A000-memory.dmp

Filesize
40KB

Download