e88490a65e46c39e2dbcbda4d2818f5f681357f8b2b0d23c3a1d695b4dd7e55a

Analysis

max time kernel
148s
max time network
171s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-05-2023 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e88490a65e46c39e2dbcbda4d2818f5f681357f8b2b0d23c3a1d695b4dd7e55a.exe
Size

745KB
MD5

35d30806086cefb5707b4ae1d9b0475f
SHA1

147ac6092966a623e77ddd992eaac3c418024b30
SHA256

e88490a65e46c39e2dbcbda4d2818f5f681357f8b2b0d23c3a1d695b4dd7e55a
SHA512

b89ca6e6e2b826599dd026ad3fd0651fe87986ebc54c0451054c27685b7c60671cbc45ba258c68fa9b2306369f036054226fd7b24a8783005fda08b8330dce5c
SSDEEP

12288:8y90rXLtuNvCLf+pSdSXhgRsqUMjiLldqsK7zW8V9XFWSvZbtQwcpGOyOYgOARYc:8yU78CLf+pS8hg21XasK7d9V9BbtB2G8

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	68529744.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	68529744.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	68529744.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	68529744.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	68529744.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	68529744.exe

Executes dropped EXE 3 IoCs

pid	Process
2044	un461733.exe
980	68529744.exe
972	rk251095.exe

Loads dropped DLL 8 IoCs

pid	Process
1216	e88490a65e46c39e2dbcbda4d2818f5f681357f8b2b0d23c3a1d695b4dd7e55a.exe
2044	un461733.exe
2044	un461733.exe
2044	un461733.exe
980	68529744.exe
2044	un461733.exe
2044	un461733.exe
972	rk251095.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	68529744.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	68529744.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e88490a65e46c39e2dbcbda4d2818f5f681357f8b2b0d23c3a1d695b4dd7e55a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e88490a65e46c39e2dbcbda4d2818f5f681357f8b2b0d23c3a1d695b4dd7e55a.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un461733.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un461733.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
980	68529744.exe
980	68529744.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	980	68529744.exe
Token: SeDebugPrivilege	972	rk251095.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 2044	1216	e88490a65e46c39e2dbcbda4d2818f5f681357f8b2b0d23c3a1d695b4dd7e55a.exe	28
PID 1216 wrote to memory of 2044	1216	e88490a65e46c39e2dbcbda4d2818f5f681357f8b2b0d23c3a1d695b4dd7e55a.exe	28
PID 1216 wrote to memory of 2044	1216	e88490a65e46c39e2dbcbda4d2818f5f681357f8b2b0d23c3a1d695b4dd7e55a.exe	28
PID 1216 wrote to memory of 2044	1216	e88490a65e46c39e2dbcbda4d2818f5f681357f8b2b0d23c3a1d695b4dd7e55a.exe	28
PID 1216 wrote to memory of 2044	1216	e88490a65e46c39e2dbcbda4d2818f5f681357f8b2b0d23c3a1d695b4dd7e55a.exe	28
PID 1216 wrote to memory of 2044	1216	e88490a65e46c39e2dbcbda4d2818f5f681357f8b2b0d23c3a1d695b4dd7e55a.exe	28
PID 1216 wrote to memory of 2044	1216	e88490a65e46c39e2dbcbda4d2818f5f681357f8b2b0d23c3a1d695b4dd7e55a.exe	28
PID 2044 wrote to memory of 980	2044	un461733.exe	29
PID 2044 wrote to memory of 980	2044	un461733.exe	29
PID 2044 wrote to memory of 980	2044	un461733.exe	29
PID 2044 wrote to memory of 980	2044	un461733.exe	29
PID 2044 wrote to memory of 980	2044	un461733.exe	29
PID 2044 wrote to memory of 980	2044	un461733.exe	29
PID 2044 wrote to memory of 980	2044	un461733.exe	29
PID 2044 wrote to memory of 972	2044	un461733.exe	30
PID 2044 wrote to memory of 972	2044	un461733.exe	30
PID 2044 wrote to memory of 972	2044	un461733.exe	30
PID 2044 wrote to memory of 972	2044	un461733.exe	30
PID 2044 wrote to memory of 972	2044	un461733.exe	30
PID 2044 wrote to memory of 972	2044	un461733.exe	30
PID 2044 wrote to memory of 972	2044	un461733.exe	30

C:\Users\Admin\AppData\Local\Temp\e88490a65e46c39e2dbcbda4d2818f5f681357f8b2b0d23c3a1d695b4dd7e55a.exe
"C:\Users\Admin\AppData\Local\Temp\e88490a65e46c39e2dbcbda4d2818f5f681357f8b2b0d23c3a1d695b4dd7e55a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un461733.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un461733.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\68529744.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\68529744.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:980
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk251095.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk251095.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un461733.exe

Filesize
591KB

MD5
dd85960f22320bbc540a78a3be38bc84

SHA1
5402c6167c620b2e7be895ae4b9a6495c6ec63a9

SHA256
ef7e056cfdc871dbb8b306ef38bfc35f47faadf1eeb63c27036f12226ab7e093

SHA512
8f85dc6fe2e9a6544bebb0aaf584cb8b383042822be29bd49b288faf2d84a76e8030f2b51d3b0029e4bb926d63a00e36aa0b52a3194dac137739de86ed13e994

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un461733.exe

Filesize
591KB

MD5
dd85960f22320bbc540a78a3be38bc84

SHA1
5402c6167c620b2e7be895ae4b9a6495c6ec63a9

SHA256
ef7e056cfdc871dbb8b306ef38bfc35f47faadf1eeb63c27036f12226ab7e093

SHA512
8f85dc6fe2e9a6544bebb0aaf584cb8b383042822be29bd49b288faf2d84a76e8030f2b51d3b0029e4bb926d63a00e36aa0b52a3194dac137739de86ed13e994

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\68529744.exe

Filesize
377KB

MD5
8c7b959932ba60dac9f2e088a1bdde86

SHA1
ccab81dfac066f30fccd7f4f17a9cc8f5bd4cfeb

SHA256
1eefc225dc4bdc6275272b2946b622c4a030ca57b31b994f800be1e5875cb776

SHA512
4322c0c986b295eb62f6e4e764d12e5f40d25a115f58cf7a67291054a02758ef425a0dabd490b774a1f4fcc71fe1d9a52378e6371adcad92f2613db143494933

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\68529744.exe

Filesize
377KB

MD5
8c7b959932ba60dac9f2e088a1bdde86

SHA1
ccab81dfac066f30fccd7f4f17a9cc8f5bd4cfeb

SHA256
1eefc225dc4bdc6275272b2946b622c4a030ca57b31b994f800be1e5875cb776

SHA512
4322c0c986b295eb62f6e4e764d12e5f40d25a115f58cf7a67291054a02758ef425a0dabd490b774a1f4fcc71fe1d9a52378e6371adcad92f2613db143494933

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\68529744.exe

Filesize
377KB

MD5
8c7b959932ba60dac9f2e088a1bdde86

SHA1
ccab81dfac066f30fccd7f4f17a9cc8f5bd4cfeb

SHA256
1eefc225dc4bdc6275272b2946b622c4a030ca57b31b994f800be1e5875cb776

SHA512
4322c0c986b295eb62f6e4e764d12e5f40d25a115f58cf7a67291054a02758ef425a0dabd490b774a1f4fcc71fe1d9a52378e6371adcad92f2613db143494933

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk251095.exe

Filesize
459KB

MD5
321d460c84aa80858443b0694e28a1da

SHA1
7bfe9570745db960818e654d7549650f4f493f8c

SHA256
1c746d17285e0c4d749db7f28b723b30508292384d52a9ce8a4390790a126def

SHA512
9ee3589ce1a7c8f6d6294a19ad15c1a93af119860468dff3729174cfa8a1e3c4cce51f5f5108d86262c1193436b2e5ac67402a54d30fd76ae4eb5a5afd59e8c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk251095.exe

Filesize
459KB

MD5
321d460c84aa80858443b0694e28a1da

SHA1
7bfe9570745db960818e654d7549650f4f493f8c

SHA256
1c746d17285e0c4d749db7f28b723b30508292384d52a9ce8a4390790a126def

SHA512
9ee3589ce1a7c8f6d6294a19ad15c1a93af119860468dff3729174cfa8a1e3c4cce51f5f5108d86262c1193436b2e5ac67402a54d30fd76ae4eb5a5afd59e8c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk251095.exe

Filesize
459KB

MD5
321d460c84aa80858443b0694e28a1da

SHA1
7bfe9570745db960818e654d7549650f4f493f8c

SHA256
1c746d17285e0c4d749db7f28b723b30508292384d52a9ce8a4390790a126def

SHA512
9ee3589ce1a7c8f6d6294a19ad15c1a93af119860468dff3729174cfa8a1e3c4cce51f5f5108d86262c1193436b2e5ac67402a54d30fd76ae4eb5a5afd59e8c0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un461733.exe

Filesize
591KB

MD5
dd85960f22320bbc540a78a3be38bc84

SHA1
5402c6167c620b2e7be895ae4b9a6495c6ec63a9

SHA256
ef7e056cfdc871dbb8b306ef38bfc35f47faadf1eeb63c27036f12226ab7e093

SHA512
8f85dc6fe2e9a6544bebb0aaf584cb8b383042822be29bd49b288faf2d84a76e8030f2b51d3b0029e4bb926d63a00e36aa0b52a3194dac137739de86ed13e994

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un461733.exe

Filesize
591KB

MD5
dd85960f22320bbc540a78a3be38bc84

SHA1
5402c6167c620b2e7be895ae4b9a6495c6ec63a9

SHA256
ef7e056cfdc871dbb8b306ef38bfc35f47faadf1eeb63c27036f12226ab7e093

SHA512
8f85dc6fe2e9a6544bebb0aaf584cb8b383042822be29bd49b288faf2d84a76e8030f2b51d3b0029e4bb926d63a00e36aa0b52a3194dac137739de86ed13e994

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\68529744.exe

Filesize
377KB

MD5
8c7b959932ba60dac9f2e088a1bdde86

SHA1
ccab81dfac066f30fccd7f4f17a9cc8f5bd4cfeb

SHA256
1eefc225dc4bdc6275272b2946b622c4a030ca57b31b994f800be1e5875cb776

SHA512
4322c0c986b295eb62f6e4e764d12e5f40d25a115f58cf7a67291054a02758ef425a0dabd490b774a1f4fcc71fe1d9a52378e6371adcad92f2613db143494933

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\68529744.exe

Filesize
377KB

MD5
8c7b959932ba60dac9f2e088a1bdde86

SHA1
ccab81dfac066f30fccd7f4f17a9cc8f5bd4cfeb

SHA256
1eefc225dc4bdc6275272b2946b622c4a030ca57b31b994f800be1e5875cb776

SHA512
4322c0c986b295eb62f6e4e764d12e5f40d25a115f58cf7a67291054a02758ef425a0dabd490b774a1f4fcc71fe1d9a52378e6371adcad92f2613db143494933

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\68529744.exe

Filesize
377KB

MD5
8c7b959932ba60dac9f2e088a1bdde86

SHA1
ccab81dfac066f30fccd7f4f17a9cc8f5bd4cfeb

SHA256
1eefc225dc4bdc6275272b2946b622c4a030ca57b31b994f800be1e5875cb776

SHA512
4322c0c986b295eb62f6e4e764d12e5f40d25a115f58cf7a67291054a02758ef425a0dabd490b774a1f4fcc71fe1d9a52378e6371adcad92f2613db143494933

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk251095.exe

Filesize
459KB

MD5
321d460c84aa80858443b0694e28a1da

SHA1
7bfe9570745db960818e654d7549650f4f493f8c

SHA256
1c746d17285e0c4d749db7f28b723b30508292384d52a9ce8a4390790a126def

SHA512
9ee3589ce1a7c8f6d6294a19ad15c1a93af119860468dff3729174cfa8a1e3c4cce51f5f5108d86262c1193436b2e5ac67402a54d30fd76ae4eb5a5afd59e8c0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk251095.exe

Filesize
459KB

MD5
321d460c84aa80858443b0694e28a1da

SHA1
7bfe9570745db960818e654d7549650f4f493f8c

SHA256
1c746d17285e0c4d749db7f28b723b30508292384d52a9ce8a4390790a126def

SHA512
9ee3589ce1a7c8f6d6294a19ad15c1a93af119860468dff3729174cfa8a1e3c4cce51f5f5108d86262c1193436b2e5ac67402a54d30fd76ae4eb5a5afd59e8c0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk251095.exe

Filesize
459KB

MD5
321d460c84aa80858443b0694e28a1da

SHA1
7bfe9570745db960818e654d7549650f4f493f8c

SHA256
1c746d17285e0c4d749db7f28b723b30508292384d52a9ce8a4390790a126def

SHA512
9ee3589ce1a7c8f6d6294a19ad15c1a93af119860468dff3729174cfa8a1e3c4cce51f5f5108d86262c1193436b2e5ac67402a54d30fd76ae4eb5a5afd59e8c0

Download Submit
memory/972-136-0x00000000028A0000-0x00000000028D5000-memory.dmp

Filesize
212KB

Download
memory/972-150-0x00000000028A0000-0x00000000028D5000-memory.dmp

Filesize
212KB

Download
memory/972-924-0x0000000002860000-0x00000000028A0000-memory.dmp

Filesize
256KB

Download
memory/972-923-0x0000000002860000-0x00000000028A0000-memory.dmp

Filesize
256KB

Download
memory/972-922-0x0000000002860000-0x00000000028A0000-memory.dmp

Filesize
256KB

Download
memory/972-920-0x0000000002860000-0x00000000028A0000-memory.dmp

Filesize
256KB

Download
memory/972-919-0x0000000002860000-0x00000000028A0000-memory.dmp

Filesize
256KB

Download
memory/972-918-0x0000000002860000-0x00000000028A0000-memory.dmp

Filesize
256KB

Download
memory/972-917-0x0000000000820000-0x0000000000866000-memory.dmp

Filesize
280KB

Download
memory/972-158-0x00000000028A0000-0x00000000028D5000-memory.dmp

Filesize
212KB

Download
memory/972-156-0x00000000028A0000-0x00000000028D5000-memory.dmp

Filesize
212KB

Download
memory/972-154-0x00000000028A0000-0x00000000028D5000-memory.dmp

Filesize
212KB

Download
memory/972-152-0x00000000028A0000-0x00000000028D5000-memory.dmp

Filesize
212KB

Download
memory/972-148-0x00000000028A0000-0x00000000028D5000-memory.dmp

Filesize
212KB

Download
memory/972-146-0x00000000028A0000-0x00000000028D5000-memory.dmp

Filesize
212KB

Download
memory/972-144-0x00000000028A0000-0x00000000028D5000-memory.dmp

Filesize
212KB

Download
memory/972-142-0x00000000028A0000-0x00000000028D5000-memory.dmp

Filesize
212KB

Download
memory/972-138-0x00000000028A0000-0x00000000028D5000-memory.dmp

Filesize
212KB

Download
memory/972-140-0x00000000028A0000-0x00000000028D5000-memory.dmp

Filesize
212KB

Download
memory/972-134-0x00000000028A0000-0x00000000028D5000-memory.dmp

Filesize
212KB

Download
memory/972-132-0x00000000028A0000-0x00000000028D5000-memory.dmp

Filesize
212KB

Download
memory/972-130-0x00000000028A0000-0x00000000028D5000-memory.dmp

Filesize
212KB

Download
memory/972-123-0x0000000002810000-0x000000000284C000-memory.dmp

Filesize
240KB

Download
memory/972-124-0x00000000028A0000-0x00000000028DA000-memory.dmp

Filesize
232KB

Download
memory/972-125-0x00000000028A0000-0x00000000028D5000-memory.dmp

Filesize
212KB

Download
memory/972-126-0x00000000028A0000-0x00000000028D5000-memory.dmp

Filesize
212KB

Download
memory/972-128-0x00000000028A0000-0x00000000028D5000-memory.dmp

Filesize
212KB

Download
memory/980-86-0x00000000009E0000-0x00000000009F2000-memory.dmp

Filesize
72KB

Download
memory/980-82-0x0000000002420000-0x0000000002460000-memory.dmp

Filesize
256KB

Download
memory/980-108-0x00000000009E0000-0x00000000009F2000-memory.dmp

Filesize
72KB

Download
memory/980-80-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/980-83-0x00000000009E0000-0x00000000009F2000-memory.dmp

Filesize
72KB

Download
memory/980-78-0x00000000003D0000-0x00000000003EA000-memory.dmp

Filesize
104KB

Download
memory/980-84-0x00000000009E0000-0x00000000009F2000-memory.dmp

Filesize
72KB

Download
memory/980-112-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/980-106-0x00000000009E0000-0x00000000009F2000-memory.dmp

Filesize
72KB

Download
memory/980-110-0x00000000009E0000-0x00000000009F2000-memory.dmp

Filesize
72KB

Download
memory/980-88-0x00000000009E0000-0x00000000009F2000-memory.dmp

Filesize
72KB

Download
memory/980-81-0x0000000002420000-0x0000000002460000-memory.dmp

Filesize
256KB

Download
memory/980-111-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/980-104-0x00000000009E0000-0x00000000009F2000-memory.dmp

Filesize
72KB

Download
memory/980-102-0x00000000009E0000-0x00000000009F2000-memory.dmp

Filesize
72KB

Download
memory/980-100-0x00000000009E0000-0x00000000009F2000-memory.dmp

Filesize
72KB

Download
memory/980-98-0x00000000009E0000-0x00000000009F2000-memory.dmp

Filesize
72KB

Download
memory/980-96-0x00000000009E0000-0x00000000009F2000-memory.dmp

Filesize
72KB

Download
memory/980-94-0x00000000009E0000-0x00000000009F2000-memory.dmp

Filesize
72KB

Download
memory/980-92-0x00000000009E0000-0x00000000009F2000-memory.dmp

Filesize
72KB

Download
memory/980-90-0x00000000009E0000-0x00000000009F2000-memory.dmp

Filesize
72KB

Download
memory/980-79-0x00000000009E0000-0x00000000009F8000-memory.dmp

Filesize
96KB

Download