e87440c368a11f32023864fc29508c9a5c99993fd136438d997426e47fd3589b

Analysis

max time kernel
184s
max time network
195s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 20:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e87440c368a11f32023864fc29508c9a5c99993fd136438d997426e47fd3589b.exe
Size

695KB
MD5

0a165bde47c860bdafe90c515fb9728d
SHA1

9d16f761606376c50968ff57206c5534cacd0a39
SHA256

e87440c368a11f32023864fc29508c9a5c99993fd136438d997426e47fd3589b
SHA512

f822e3391885b34a063ad104b2d27311a77eb0a842c662eeecb6608fdae8f17a9959f485cf87353136ea28d119d34e428316c6acba8ebc8358db64358efbbfd5
SSDEEP

12288:by90HkvA7lDH4g/mn/+tZ9CO+BrxpwwWk6rv18bAKGA+pqc5u0d2e:byIUA7lMjn/+tXCDYS6rv18bAV1uQd

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	92662986.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	92662986.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	92662986.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	92662986.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	92662986.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	92662986.exe

Executes dropped EXE 3 IoCs

pid	Process
436	un298237.exe
1852	92662986.exe
1888	rk735704.exe

Loads dropped DLL 8 IoCs

pid	Process
1244	e87440c368a11f32023864fc29508c9a5c99993fd136438d997426e47fd3589b.exe
436	un298237.exe
436	un298237.exe
436	un298237.exe
1852	92662986.exe
436	un298237.exe
436	un298237.exe
1888	rk735704.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	92662986.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	92662986.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un298237.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un298237.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e87440c368a11f32023864fc29508c9a5c99993fd136438d997426e47fd3589b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e87440c368a11f32023864fc29508c9a5c99993fd136438d997426e47fd3589b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1852	92662986.exe
1852	92662986.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1852	92662986.exe
Token: SeDebugPrivilege	1888	rk735704.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 436	1244	e87440c368a11f32023864fc29508c9a5c99993fd136438d997426e47fd3589b.exe	27
PID 1244 wrote to memory of 436	1244	e87440c368a11f32023864fc29508c9a5c99993fd136438d997426e47fd3589b.exe	27
PID 1244 wrote to memory of 436	1244	e87440c368a11f32023864fc29508c9a5c99993fd136438d997426e47fd3589b.exe	27
PID 1244 wrote to memory of 436	1244	e87440c368a11f32023864fc29508c9a5c99993fd136438d997426e47fd3589b.exe	27
PID 1244 wrote to memory of 436	1244	e87440c368a11f32023864fc29508c9a5c99993fd136438d997426e47fd3589b.exe	27
PID 1244 wrote to memory of 436	1244	e87440c368a11f32023864fc29508c9a5c99993fd136438d997426e47fd3589b.exe	27
PID 1244 wrote to memory of 436	1244	e87440c368a11f32023864fc29508c9a5c99993fd136438d997426e47fd3589b.exe	27
PID 436 wrote to memory of 1852	436	un298237.exe	28
PID 436 wrote to memory of 1852	436	un298237.exe	28
PID 436 wrote to memory of 1852	436	un298237.exe	28
PID 436 wrote to memory of 1852	436	un298237.exe	28
PID 436 wrote to memory of 1852	436	un298237.exe	28
PID 436 wrote to memory of 1852	436	un298237.exe	28
PID 436 wrote to memory of 1852	436	un298237.exe	28
PID 436 wrote to memory of 1888	436	un298237.exe	29
PID 436 wrote to memory of 1888	436	un298237.exe	29
PID 436 wrote to memory of 1888	436	un298237.exe	29
PID 436 wrote to memory of 1888	436	un298237.exe	29
PID 436 wrote to memory of 1888	436	un298237.exe	29
PID 436 wrote to memory of 1888	436	un298237.exe	29
PID 436 wrote to memory of 1888	436	un298237.exe	29

C:\Users\Admin\AppData\Local\Temp\e87440c368a11f32023864fc29508c9a5c99993fd136438d997426e47fd3589b.exe
"C:\Users\Admin\AppData\Local\Temp\e87440c368a11f32023864fc29508c9a5c99993fd136438d997426e47fd3589b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un298237.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un298237.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\92662986.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\92662986.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1852
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk735704.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk735704.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un298237.exe

Filesize
541KB

MD5
8e74f09be0b7986f7954143f4eebbcb6

SHA1
ae80f09a2ed5bb097876c66dcba6c1a8bc3aadf0

SHA256
84c09eccb440f902a151b638ea896bf1c719ff0a86adcd441a844b394507a6b8

SHA512
02f6495135d2b327344bf43db7a6f6a4276a3bb475a93cfe2a124d828c0f24f3699c7da6978eba1413998b4a20d9b6234002ff91bd16f7dad4ef27be20a5cb4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un298237.exe

Filesize
541KB

MD5
8e74f09be0b7986f7954143f4eebbcb6

SHA1
ae80f09a2ed5bb097876c66dcba6c1a8bc3aadf0

SHA256
84c09eccb440f902a151b638ea896bf1c719ff0a86adcd441a844b394507a6b8

SHA512
02f6495135d2b327344bf43db7a6f6a4276a3bb475a93cfe2a124d828c0f24f3699c7da6978eba1413998b4a20d9b6234002ff91bd16f7dad4ef27be20a5cb4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\92662986.exe

Filesize
258KB

MD5
1fee014404c756bbeb2125bf477cfdf0

SHA1
961609e206bf7b74f36bb6ba0681905982945840

SHA256
a0e63e1c6039b23f11f17ab6449d2562aef66b6ef72b3056680da1d4199d41af

SHA512
63232b8f12d9afd626d9a8c17f59c77244e34e524c9b2c700629e7ca63facb52e5d5b5a91e4a67e3eed887458f5903b89bc6d8e27243f61651fbe412a11c2276

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\92662986.exe

Filesize
258KB

MD5
1fee014404c756bbeb2125bf477cfdf0

SHA1
961609e206bf7b74f36bb6ba0681905982945840

SHA256
a0e63e1c6039b23f11f17ab6449d2562aef66b6ef72b3056680da1d4199d41af

SHA512
63232b8f12d9afd626d9a8c17f59c77244e34e524c9b2c700629e7ca63facb52e5d5b5a91e4a67e3eed887458f5903b89bc6d8e27243f61651fbe412a11c2276

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\92662986.exe

Filesize
258KB

MD5
1fee014404c756bbeb2125bf477cfdf0

SHA1
961609e206bf7b74f36bb6ba0681905982945840

SHA256
a0e63e1c6039b23f11f17ab6449d2562aef66b6ef72b3056680da1d4199d41af

SHA512
63232b8f12d9afd626d9a8c17f59c77244e34e524c9b2c700629e7ca63facb52e5d5b5a91e4a67e3eed887458f5903b89bc6d8e27243f61651fbe412a11c2276

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk735704.exe

Filesize
340KB

MD5
7f6728bbb21516f5bebd11b02dffd5c4

SHA1
b7d3867b05e9782ddb172ea8798d08c6a363a2c2

SHA256
0fcbe84388414b11773d23f8d9e62674a742b48d6703f974c8a2dad516c0617a

SHA512
e41084c048a87a60216a5ccb44dbab51fc738194bafdc655bf84a303342f5203dfb002af679609ae86ff60820528c8a0cf77c447f7d671da857cb1bd5e6756fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk735704.exe

Filesize
340KB

MD5
7f6728bbb21516f5bebd11b02dffd5c4

SHA1
b7d3867b05e9782ddb172ea8798d08c6a363a2c2

SHA256
0fcbe84388414b11773d23f8d9e62674a742b48d6703f974c8a2dad516c0617a

SHA512
e41084c048a87a60216a5ccb44dbab51fc738194bafdc655bf84a303342f5203dfb002af679609ae86ff60820528c8a0cf77c447f7d671da857cb1bd5e6756fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk735704.exe

Filesize
340KB

MD5
7f6728bbb21516f5bebd11b02dffd5c4

SHA1
b7d3867b05e9782ddb172ea8798d08c6a363a2c2

SHA256
0fcbe84388414b11773d23f8d9e62674a742b48d6703f974c8a2dad516c0617a

SHA512
e41084c048a87a60216a5ccb44dbab51fc738194bafdc655bf84a303342f5203dfb002af679609ae86ff60820528c8a0cf77c447f7d671da857cb1bd5e6756fe

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un298237.exe

Filesize
541KB

MD5
8e74f09be0b7986f7954143f4eebbcb6

SHA1
ae80f09a2ed5bb097876c66dcba6c1a8bc3aadf0

SHA256
84c09eccb440f902a151b638ea896bf1c719ff0a86adcd441a844b394507a6b8

SHA512
02f6495135d2b327344bf43db7a6f6a4276a3bb475a93cfe2a124d828c0f24f3699c7da6978eba1413998b4a20d9b6234002ff91bd16f7dad4ef27be20a5cb4b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un298237.exe

Filesize
541KB

MD5
8e74f09be0b7986f7954143f4eebbcb6

SHA1
ae80f09a2ed5bb097876c66dcba6c1a8bc3aadf0

SHA256
84c09eccb440f902a151b638ea896bf1c719ff0a86adcd441a844b394507a6b8

SHA512
02f6495135d2b327344bf43db7a6f6a4276a3bb475a93cfe2a124d828c0f24f3699c7da6978eba1413998b4a20d9b6234002ff91bd16f7dad4ef27be20a5cb4b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\92662986.exe

Filesize
258KB

MD5
1fee014404c756bbeb2125bf477cfdf0

SHA1
961609e206bf7b74f36bb6ba0681905982945840

SHA256
a0e63e1c6039b23f11f17ab6449d2562aef66b6ef72b3056680da1d4199d41af

SHA512
63232b8f12d9afd626d9a8c17f59c77244e34e524c9b2c700629e7ca63facb52e5d5b5a91e4a67e3eed887458f5903b89bc6d8e27243f61651fbe412a11c2276

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\92662986.exe

Filesize
258KB

MD5
1fee014404c756bbeb2125bf477cfdf0

SHA1
961609e206bf7b74f36bb6ba0681905982945840

SHA256
a0e63e1c6039b23f11f17ab6449d2562aef66b6ef72b3056680da1d4199d41af

SHA512
63232b8f12d9afd626d9a8c17f59c77244e34e524c9b2c700629e7ca63facb52e5d5b5a91e4a67e3eed887458f5903b89bc6d8e27243f61651fbe412a11c2276

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\92662986.exe

Filesize
258KB

MD5
1fee014404c756bbeb2125bf477cfdf0

SHA1
961609e206bf7b74f36bb6ba0681905982945840

SHA256
a0e63e1c6039b23f11f17ab6449d2562aef66b6ef72b3056680da1d4199d41af

SHA512
63232b8f12d9afd626d9a8c17f59c77244e34e524c9b2c700629e7ca63facb52e5d5b5a91e4a67e3eed887458f5903b89bc6d8e27243f61651fbe412a11c2276

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk735704.exe

Filesize
340KB

MD5
7f6728bbb21516f5bebd11b02dffd5c4

SHA1
b7d3867b05e9782ddb172ea8798d08c6a363a2c2

SHA256
0fcbe84388414b11773d23f8d9e62674a742b48d6703f974c8a2dad516c0617a

SHA512
e41084c048a87a60216a5ccb44dbab51fc738194bafdc655bf84a303342f5203dfb002af679609ae86ff60820528c8a0cf77c447f7d671da857cb1bd5e6756fe

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk735704.exe

Filesize
340KB

MD5
7f6728bbb21516f5bebd11b02dffd5c4

SHA1
b7d3867b05e9782ddb172ea8798d08c6a363a2c2

SHA256
0fcbe84388414b11773d23f8d9e62674a742b48d6703f974c8a2dad516c0617a

SHA512
e41084c048a87a60216a5ccb44dbab51fc738194bafdc655bf84a303342f5203dfb002af679609ae86ff60820528c8a0cf77c447f7d671da857cb1bd5e6756fe

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk735704.exe

Filesize
340KB

MD5
7f6728bbb21516f5bebd11b02dffd5c4

SHA1
b7d3867b05e9782ddb172ea8798d08c6a363a2c2

SHA256
0fcbe84388414b11773d23f8d9e62674a742b48d6703f974c8a2dad516c0617a

SHA512
e41084c048a87a60216a5ccb44dbab51fc738194bafdc655bf84a303342f5203dfb002af679609ae86ff60820528c8a0cf77c447f7d671da857cb1bd5e6756fe

Download Submit
memory/1852-114-0x0000000007270000-0x00000000072B0000-memory.dmp

Filesize
256KB

Download
memory/1852-78-0x0000000002BA0000-0x0000000002BCD000-memory.dmp

Filesize
180KB

Download
memory/1852-90-0x00000000047C0000-0x00000000047D3000-memory.dmp

Filesize
76KB

Download
memory/1852-92-0x00000000047C0000-0x00000000047D3000-memory.dmp

Filesize
76KB

Download
memory/1852-94-0x00000000047C0000-0x00000000047D3000-memory.dmp

Filesize
76KB

Download
memory/1852-96-0x00000000047C0000-0x00000000047D3000-memory.dmp

Filesize
76KB

Download
memory/1852-98-0x00000000047C0000-0x00000000047D3000-memory.dmp

Filesize
76KB

Download
memory/1852-100-0x00000000047C0000-0x00000000047D3000-memory.dmp

Filesize
76KB

Download
memory/1852-104-0x00000000047C0000-0x00000000047D3000-memory.dmp

Filesize
76KB

Download
memory/1852-102-0x00000000047C0000-0x00000000047D3000-memory.dmp

Filesize
76KB

Download
memory/1852-106-0x00000000047C0000-0x00000000047D3000-memory.dmp

Filesize
76KB

Download
memory/1852-108-0x00000000047C0000-0x00000000047D3000-memory.dmp

Filesize
76KB

Download
memory/1852-110-0x0000000007270000-0x00000000072B0000-memory.dmp

Filesize
256KB

Download
memory/1852-109-0x0000000007270000-0x00000000072B0000-memory.dmp

Filesize
256KB

Download
memory/1852-111-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/1852-112-0x0000000002BA0000-0x0000000002BCD000-memory.dmp

Filesize
180KB

Download
memory/1852-86-0x00000000047C0000-0x00000000047D3000-memory.dmp

Filesize
76KB

Download
memory/1852-117-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/1852-84-0x00000000047C0000-0x00000000047D3000-memory.dmp

Filesize
76KB

Download
memory/1852-82-0x00000000047C0000-0x00000000047D3000-memory.dmp

Filesize
76KB

Download
memory/1852-81-0x00000000047C0000-0x00000000047D3000-memory.dmp

Filesize
76KB

Download
memory/1852-80-0x00000000047C0000-0x00000000047D8000-memory.dmp

Filesize
96KB

Download
memory/1852-79-0x0000000003260000-0x000000000327A000-memory.dmp

Filesize
104KB

Download
memory/1852-88-0x00000000047C0000-0x00000000047D3000-memory.dmp

Filesize
76KB

Download
memory/1888-146-0x0000000004860000-0x0000000004895000-memory.dmp

Filesize
212KB

Download
memory/1888-134-0x0000000004860000-0x0000000004895000-memory.dmp

Filesize
212KB

Download
memory/1888-130-0x0000000000240000-0x0000000000286000-memory.dmp

Filesize
280KB

Download
memory/1888-132-0x0000000004F00000-0x0000000004F40000-memory.dmp

Filesize
256KB

Download
memory/1888-129-0x0000000004860000-0x000000000489A000-memory.dmp

Filesize
232KB

Download
memory/1888-133-0x0000000004860000-0x0000000004895000-memory.dmp

Filesize
212KB

Download
memory/1888-144-0x0000000004860000-0x0000000004895000-memory.dmp

Filesize
212KB

Download
memory/1888-136-0x0000000004860000-0x0000000004895000-memory.dmp

Filesize
212KB

Download
memory/1888-138-0x0000000004860000-0x0000000004895000-memory.dmp

Filesize
212KB

Download
memory/1888-140-0x0000000004860000-0x0000000004895000-memory.dmp

Filesize
212KB

Download
memory/1888-131-0x0000000004F00000-0x0000000004F40000-memory.dmp

Filesize
256KB

Download
memory/1888-142-0x0000000004860000-0x0000000004895000-memory.dmp

Filesize
212KB

Download
memory/1888-154-0x0000000004860000-0x0000000004895000-memory.dmp

Filesize
212KB

Download
memory/1888-148-0x0000000004860000-0x0000000004895000-memory.dmp

Filesize
212KB

Download
memory/1888-150-0x0000000004860000-0x0000000004895000-memory.dmp

Filesize
212KB

Download
memory/1888-152-0x0000000004860000-0x0000000004895000-memory.dmp

Filesize
212KB

Download
memory/1888-128-0x0000000002FA0000-0x0000000002FDC000-memory.dmp

Filesize
240KB

Download
memory/1888-156-0x0000000004860000-0x0000000004895000-memory.dmp

Filesize
212KB

Download
memory/1888-158-0x0000000004860000-0x0000000004895000-memory.dmp

Filesize
212KB

Download
memory/1888-160-0x0000000004860000-0x0000000004895000-memory.dmp

Filesize
212KB

Download
memory/1888-162-0x0000000004860000-0x0000000004895000-memory.dmp

Filesize
212KB

Download
memory/1888-925-0x0000000004F00000-0x0000000004F40000-memory.dmp

Filesize
256KB

Download
memory/1888-927-0x0000000004F00000-0x0000000004F40000-memory.dmp

Filesize
256KB

Download
memory/1888-929-0x0000000004F00000-0x0000000004F40000-memory.dmp

Filesize
256KB

Download