ec7d18bf17c1f731ebe8cb05b1ff0f60d47d3b595cace9e4320a0c3caa82c38a

Analysis

max time kernel
163s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec7d18bf17c1f731ebe8cb05b1ff0f60d47d3b595cace9e4320a0c3caa82c38a.exe
Size

1.1MB
MD5

1e5ddd9d2cfa3ff2056ef9cec399dab8
SHA1

5cbe3667b0d0c792f042f09acbd683c2c7fa25f2
SHA256

ec7d18bf17c1f731ebe8cb05b1ff0f60d47d3b595cace9e4320a0c3caa82c38a
SHA512

ad67f2718d909a5cc6b1b5f51df1cc9a68d7ebe2db41f14e6c7e57c7158a0299125cc1694bdb1aa31385af0e02e9e6e668e0bb5a58c84efd4555bd5cbe09d000
SSDEEP

24576:Py74PCZY8tSPguB9IOFfer/NfRhFcvmeWDmwI7GlV:ayCZZcIuEOFfuRhi6/Yw

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	142253181.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	142253181.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	142253181.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	222140894.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	222140894.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	222140894.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	142253181.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	142253181.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	142253181.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	222140894.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	222140894.exe

Executes dropped EXE 5 IoCs

pid	Process
1412	Do538236.exe
3676	uV206192.exe
4212	EK033356.exe
1780	142253181.exe
2664	222140894.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	142253181.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	222140894.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	142253181.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ec7d18bf17c1f731ebe8cb05b1ff0f60d47d3b595cace9e4320a0c3caa82c38a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Do538236.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Do538236.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	uV206192.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	uV206192.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	EK033356.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	EK033356.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ec7d18bf17c1f731ebe8cb05b1ff0f60d47d3b595cace9e4320a0c3caa82c38a.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3724	2664	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1780	142253181.exe
1780	142253181.exe
2664	222140894.exe
2664	222140894.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1780	142253181.exe
Token: SeDebugPrivilege	2664	222140894.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 1412	2332	ec7d18bf17c1f731ebe8cb05b1ff0f60d47d3b595cace9e4320a0c3caa82c38a.exe	87
PID 2332 wrote to memory of 1412	2332	ec7d18bf17c1f731ebe8cb05b1ff0f60d47d3b595cace9e4320a0c3caa82c38a.exe	87
PID 2332 wrote to memory of 1412	2332	ec7d18bf17c1f731ebe8cb05b1ff0f60d47d3b595cace9e4320a0c3caa82c38a.exe	87
PID 1412 wrote to memory of 3676	1412	Do538236.exe	88
PID 1412 wrote to memory of 3676	1412	Do538236.exe	88
PID 1412 wrote to memory of 3676	1412	Do538236.exe	88
PID 3676 wrote to memory of 4212	3676	uV206192.exe	89
PID 3676 wrote to memory of 4212	3676	uV206192.exe	89
PID 3676 wrote to memory of 4212	3676	uV206192.exe	89
PID 4212 wrote to memory of 1780	4212	EK033356.exe	90
PID 4212 wrote to memory of 1780	4212	EK033356.exe	90
PID 4212 wrote to memory of 1780	4212	EK033356.exe	90
PID 4212 wrote to memory of 2664	4212	EK033356.exe	92
PID 4212 wrote to memory of 2664	4212	EK033356.exe	92
PID 4212 wrote to memory of 2664	4212	EK033356.exe	92

C:\Users\Admin\AppData\Local\Temp\ec7d18bf17c1f731ebe8cb05b1ff0f60d47d3b595cace9e4320a0c3caa82c38a.exe
"C:\Users\Admin\AppData\Local\Temp\ec7d18bf17c1f731ebe8cb05b1ff0f60d47d3b595cace9e4320a0c3caa82c38a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Do538236.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Do538236.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uV206192.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uV206192.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3676
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EK033356.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EK033356.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4212
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\142253181.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\142253181.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\222140894.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\222140894.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 1092
        6⤵
        Program crash
        
        PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2664 -ip 2664
1⤵
PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Do538236.exe

Filesize
994KB

MD5
9e5e38835d495ec0ccc0fefc5a3fad6e

SHA1
23fba33b0d81d3e714359c80e1fe1d0efef4ff4d

SHA256
8b7e16cd95ad73e8e7660781e5c64f5c8cfdfb5959c752c5463cdc58f3e602cb

SHA512
0f3a008d46fd6feaac2312bb27a31178207e10a00223f5942ce23aad9f7f4115d087558666fdf1fea7020afb26f8762f16424088e29f87b1638367bcb6462be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Do538236.exe

Filesize
994KB

MD5
9e5e38835d495ec0ccc0fefc5a3fad6e

SHA1
23fba33b0d81d3e714359c80e1fe1d0efef4ff4d

SHA256
8b7e16cd95ad73e8e7660781e5c64f5c8cfdfb5959c752c5463cdc58f3e602cb

SHA512
0f3a008d46fd6feaac2312bb27a31178207e10a00223f5942ce23aad9f7f4115d087558666fdf1fea7020afb26f8762f16424088e29f87b1638367bcb6462be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uV206192.exe

Filesize
610KB

MD5
b60d74f51e3c60f5ef9bf7e056b08333

SHA1
90e610f2d93fb4b6b4c2a7f7c448ab53c56b5873

SHA256
87281e55bd6a03ab29d32cf0ae32cf027e25b6b3d50b953dbb36612a998afbbd

SHA512
dbc11c2b697a99dda2946573ccf109c4ecc3d9a12c43e057cc2d35e05c2ccb566a8b02169d0c0a46ad20960a73f51839125aeb56dbbf76ae40c92300e103edf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uV206192.exe

Filesize
610KB

MD5
b60d74f51e3c60f5ef9bf7e056b08333

SHA1
90e610f2d93fb4b6b4c2a7f7c448ab53c56b5873

SHA256
87281e55bd6a03ab29d32cf0ae32cf027e25b6b3d50b953dbb36612a998afbbd

SHA512
dbc11c2b697a99dda2946573ccf109c4ecc3d9a12c43e057cc2d35e05c2ccb566a8b02169d0c0a46ad20960a73f51839125aeb56dbbf76ae40c92300e103edf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EK033356.exe

Filesize
438KB

MD5
e50de89d40410ed9a0f76dcd00bc80f0

SHA1
ea4a8692ae3e3b7f8f5637d6a112324d012b3887

SHA256
259d07f0c652da0e57190d0add6aedd5b90f77504032524b624a3b4b8c55551f

SHA512
04db25ac488937a713962a54953ab8f843aaed713f46c9e111e1fc21a32e760df59608ed1e13ee9c66c7113fa41d30b6e1434cf89ee3cad3c59d39d7ef73c57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EK033356.exe

Filesize
438KB

MD5
e50de89d40410ed9a0f76dcd00bc80f0

SHA1
ea4a8692ae3e3b7f8f5637d6a112324d012b3887

SHA256
259d07f0c652da0e57190d0add6aedd5b90f77504032524b624a3b4b8c55551f

SHA512
04db25ac488937a713962a54953ab8f843aaed713f46c9e111e1fc21a32e760df59608ed1e13ee9c66c7113fa41d30b6e1434cf89ee3cad3c59d39d7ef73c57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\142253181.exe

Filesize
175KB

MD5
63c8a8cdbbbd27e677af039592031dc5

SHA1
fc7faa449ac541056da1fb99616fbd281b688d48

SHA256
18b78b710458e2c8e0519d89be6c118e0ec79f6ec858cb0c989dcb4eba3e762f

SHA512
0ac134ad05c3087bb7a3df75c156c45e31ac4182d6fb2bac84789d13fc8e5c47b4efeae82cb88a3389cba4f4ba2f68278c9aa2824a2a35463fda63cb04def5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\142253181.exe

Filesize
175KB

MD5
63c8a8cdbbbd27e677af039592031dc5

SHA1
fc7faa449ac541056da1fb99616fbd281b688d48

SHA256
18b78b710458e2c8e0519d89be6c118e0ec79f6ec858cb0c989dcb4eba3e762f

SHA512
0ac134ad05c3087bb7a3df75c156c45e31ac4182d6fb2bac84789d13fc8e5c47b4efeae82cb88a3389cba4f4ba2f68278c9aa2824a2a35463fda63cb04def5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\222140894.exe

Filesize
333KB

MD5
537880b5f9ff060d6234a00ac2237fed

SHA1
e980f76fac3863a94b6eaac4110138dbee1ae100

SHA256
183a053244ac25142320b07b26da692630a64c777702e270f0a67fee9ca7ef4d

SHA512
3a9966060989cde77258af65e423bcb291a79681daec0a02aa74a4f294f76367d8955ad49475025a0e31b6780be5753ec160fbb4d6d2527152507139d4bb17ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\222140894.exe

Filesize
333KB

MD5
537880b5f9ff060d6234a00ac2237fed

SHA1
e980f76fac3863a94b6eaac4110138dbee1ae100

SHA256
183a053244ac25142320b07b26da692630a64c777702e270f0a67fee9ca7ef4d

SHA512
3a9966060989cde77258af65e423bcb291a79681daec0a02aa74a4f294f76367d8955ad49475025a0e31b6780be5753ec160fbb4d6d2527152507139d4bb17ca

Download Submit
memory/1780-161-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/1780-162-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/1780-163-0x0000000004BC0000-0x0000000005164000-memory.dmp

Filesize
5.6MB

Download
memory/1780-164-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/1780-165-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/1780-166-0x0000000002470000-0x0000000002483000-memory.dmp

Filesize
76KB

Download
memory/1780-167-0x0000000002470000-0x0000000002483000-memory.dmp

Filesize
76KB

Download
memory/1780-169-0x0000000002470000-0x0000000002483000-memory.dmp

Filesize
76KB

Download
memory/1780-171-0x0000000002470000-0x0000000002483000-memory.dmp

Filesize
76KB

Download
memory/1780-173-0x0000000002470000-0x0000000002483000-memory.dmp

Filesize
76KB

Download
memory/1780-175-0x0000000002470000-0x0000000002483000-memory.dmp

Filesize
76KB

Download
memory/1780-177-0x0000000002470000-0x0000000002483000-memory.dmp

Filesize
76KB

Download
memory/1780-179-0x0000000002470000-0x0000000002483000-memory.dmp

Filesize
76KB

Download
memory/1780-181-0x0000000002470000-0x0000000002483000-memory.dmp

Filesize
76KB

Download
memory/1780-183-0x0000000002470000-0x0000000002483000-memory.dmp

Filesize
76KB

Download
memory/1780-185-0x0000000002470000-0x0000000002483000-memory.dmp

Filesize
76KB

Download
memory/1780-187-0x0000000002470000-0x0000000002483000-memory.dmp

Filesize
76KB

Download
memory/1780-189-0x0000000002470000-0x0000000002483000-memory.dmp

Filesize
76KB

Download
memory/1780-191-0x0000000002470000-0x0000000002483000-memory.dmp

Filesize
76KB

Download
memory/1780-193-0x0000000002470000-0x0000000002483000-memory.dmp

Filesize
76KB

Download
memory/1780-195-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/1780-194-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2664-201-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2664-202-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2664-204-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2664-206-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2664-207-0x0000000000540000-0x000000000056D000-memory.dmp

Filesize
180KB

Download
memory/2664-209-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/2664-210-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2664-212-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/2664-213-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2664-215-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2664-217-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2664-219-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2664-221-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2664-223-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2664-225-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2664-227-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2664-229-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2664-231-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2664-232-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2664-233-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/2664-234-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/2664-235-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download