ece1d8ae55e1009cd2077b5ce974e67472b707a9d0dd53013c8521d64198cbd1

Analysis

max time kernel
150s
max time network
162s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ece1d8ae55e1009cd2077b5ce974e67472b707a9d0dd53013c8521d64198cbd1.exe
Size

694KB
MD5

596c660def1a7e6df555c1966dc7bc89
SHA1

1a40868b4009ecc22041397333307979cf0384de
SHA256

ece1d8ae55e1009cd2077b5ce974e67472b707a9d0dd53013c8521d64198cbd1
SHA512

0d0e71d4f9d30ff263fcfd75e9b13355a808a28a9bae0b640ad48a159f0e7f73abcd16cbc1b82c27f0165124699e5771bd2dd9d4bf13cfde6ad2327a2a16ca8c
SSDEEP

12288:Wy90byBu1UQeU4ab+6BC8rgHRyKzbqLDZLS+WmjXrwQey59UZ0ysw5MJT7o+:Wy901QmK6wCYQKCsojbwQYPslo+

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	29477359.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	29477359.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	29477359.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	29477359.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	29477359.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	29477359.exe

Executes dropped EXE 3 IoCs

pid	Process
820	un561800.exe
1420	29477359.exe
1524	rk628985.exe

Loads dropped DLL 8 IoCs

pid	Process
1740	ece1d8ae55e1009cd2077b5ce974e67472b707a9d0dd53013c8521d64198cbd1.exe
820	un561800.exe
820	un561800.exe
820	un561800.exe
1420	29477359.exe
820	un561800.exe
820	un561800.exe
1524	rk628985.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	29477359.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	29477359.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ece1d8ae55e1009cd2077b5ce974e67472b707a9d0dd53013c8521d64198cbd1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ece1d8ae55e1009cd2077b5ce974e67472b707a9d0dd53013c8521d64198cbd1.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un561800.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un561800.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1420	29477359.exe
1420	29477359.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1420	29477359.exe
Token: SeDebugPrivilege	1524	rk628985.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 820	1740	ece1d8ae55e1009cd2077b5ce974e67472b707a9d0dd53013c8521d64198cbd1.exe	28
PID 1740 wrote to memory of 820	1740	ece1d8ae55e1009cd2077b5ce974e67472b707a9d0dd53013c8521d64198cbd1.exe	28
PID 1740 wrote to memory of 820	1740	ece1d8ae55e1009cd2077b5ce974e67472b707a9d0dd53013c8521d64198cbd1.exe	28
PID 1740 wrote to memory of 820	1740	ece1d8ae55e1009cd2077b5ce974e67472b707a9d0dd53013c8521d64198cbd1.exe	28
PID 1740 wrote to memory of 820	1740	ece1d8ae55e1009cd2077b5ce974e67472b707a9d0dd53013c8521d64198cbd1.exe	28
PID 1740 wrote to memory of 820	1740	ece1d8ae55e1009cd2077b5ce974e67472b707a9d0dd53013c8521d64198cbd1.exe	28
PID 1740 wrote to memory of 820	1740	ece1d8ae55e1009cd2077b5ce974e67472b707a9d0dd53013c8521d64198cbd1.exe	28
PID 820 wrote to memory of 1420	820	un561800.exe	29
PID 820 wrote to memory of 1420	820	un561800.exe	29
PID 820 wrote to memory of 1420	820	un561800.exe	29
PID 820 wrote to memory of 1420	820	un561800.exe	29
PID 820 wrote to memory of 1420	820	un561800.exe	29
PID 820 wrote to memory of 1420	820	un561800.exe	29
PID 820 wrote to memory of 1420	820	un561800.exe	29
PID 820 wrote to memory of 1524	820	un561800.exe	30
PID 820 wrote to memory of 1524	820	un561800.exe	30
PID 820 wrote to memory of 1524	820	un561800.exe	30
PID 820 wrote to memory of 1524	820	un561800.exe	30
PID 820 wrote to memory of 1524	820	un561800.exe	30
PID 820 wrote to memory of 1524	820	un561800.exe	30
PID 820 wrote to memory of 1524	820	un561800.exe	30

C:\Users\Admin\AppData\Local\Temp\ece1d8ae55e1009cd2077b5ce974e67472b707a9d0dd53013c8521d64198cbd1.exe
"C:\Users\Admin\AppData\Local\Temp\ece1d8ae55e1009cd2077b5ce974e67472b707a9d0dd53013c8521d64198cbd1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561800.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561800.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\29477359.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\29477359.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1420
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk628985.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk628985.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561800.exe

Filesize
540KB

MD5
9ec7ee85a41fb168de72a4c7dff6be76

SHA1
83ff05ab4d9236d082d8a8dfc579f6fd56bd43de

SHA256
1760e6199394e1c0756988c0f983c7a4dfaeb13a050fa7f3f50122e08d41e008

SHA512
f455fb2cfcbc1de29f3ea0def87dc84a467618504c73ea41a4faaff2b28d63f14988a40e5295259b3f5a79313ecc7a88116b11b562399ca99dfdb54df6adf480

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561800.exe

Filesize
540KB

MD5
9ec7ee85a41fb168de72a4c7dff6be76

SHA1
83ff05ab4d9236d082d8a8dfc579f6fd56bd43de

SHA256
1760e6199394e1c0756988c0f983c7a4dfaeb13a050fa7f3f50122e08d41e008

SHA512
f455fb2cfcbc1de29f3ea0def87dc84a467618504c73ea41a4faaff2b28d63f14988a40e5295259b3f5a79313ecc7a88116b11b562399ca99dfdb54df6adf480

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\29477359.exe

Filesize
258KB

MD5
f0a970ca380e884c799ffe9ebee3f47d

SHA1
73e4a6290b002016235de8467c81a32d6fe74568

SHA256
6698877fb2c49ed322b65d96fb68a96acc8ce1d966480750bc424d8ffeeebe92

SHA512
ef6c2e90fe24c85f430e41a8e4807e0842c33385e442775e7b2f73ff19d56c475c37b1e011bc856d9d28d6f8e7360aae1d79586c135d1c255863b8358ffbd647

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\29477359.exe

Filesize
258KB

MD5
f0a970ca380e884c799ffe9ebee3f47d

SHA1
73e4a6290b002016235de8467c81a32d6fe74568

SHA256
6698877fb2c49ed322b65d96fb68a96acc8ce1d966480750bc424d8ffeeebe92

SHA512
ef6c2e90fe24c85f430e41a8e4807e0842c33385e442775e7b2f73ff19d56c475c37b1e011bc856d9d28d6f8e7360aae1d79586c135d1c255863b8358ffbd647

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\29477359.exe

Filesize
258KB

MD5
f0a970ca380e884c799ffe9ebee3f47d

SHA1
73e4a6290b002016235de8467c81a32d6fe74568

SHA256
6698877fb2c49ed322b65d96fb68a96acc8ce1d966480750bc424d8ffeeebe92

SHA512
ef6c2e90fe24c85f430e41a8e4807e0842c33385e442775e7b2f73ff19d56c475c37b1e011bc856d9d28d6f8e7360aae1d79586c135d1c255863b8358ffbd647

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk628985.exe

Filesize
340KB

MD5
ffc8fdb0ff9f113860fa7c4f43182f12

SHA1
a7bd411a9a63791917affdc934bac77a4d96cb1c

SHA256
6288e7f32402e2710d28476ba98957dca7f3c0bec0bedb8c50b1e2bc576905e3

SHA512
950b9c5acb9ff491cb12326c3c6093adb3c1bf81c4ddcf666def51cfb64f8e387cafdfe476d8e99863c879cc3b1d4535486923a76acf1a99484ea3df09f8d28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk628985.exe

Filesize
340KB

MD5
ffc8fdb0ff9f113860fa7c4f43182f12

SHA1
a7bd411a9a63791917affdc934bac77a4d96cb1c

SHA256
6288e7f32402e2710d28476ba98957dca7f3c0bec0bedb8c50b1e2bc576905e3

SHA512
950b9c5acb9ff491cb12326c3c6093adb3c1bf81c4ddcf666def51cfb64f8e387cafdfe476d8e99863c879cc3b1d4535486923a76acf1a99484ea3df09f8d28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk628985.exe

Filesize
340KB

MD5
ffc8fdb0ff9f113860fa7c4f43182f12

SHA1
a7bd411a9a63791917affdc934bac77a4d96cb1c

SHA256
6288e7f32402e2710d28476ba98957dca7f3c0bec0bedb8c50b1e2bc576905e3

SHA512
950b9c5acb9ff491cb12326c3c6093adb3c1bf81c4ddcf666def51cfb64f8e387cafdfe476d8e99863c879cc3b1d4535486923a76acf1a99484ea3df09f8d28d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561800.exe

Filesize
540KB

MD5
9ec7ee85a41fb168de72a4c7dff6be76

SHA1
83ff05ab4d9236d082d8a8dfc579f6fd56bd43de

SHA256
1760e6199394e1c0756988c0f983c7a4dfaeb13a050fa7f3f50122e08d41e008

SHA512
f455fb2cfcbc1de29f3ea0def87dc84a467618504c73ea41a4faaff2b28d63f14988a40e5295259b3f5a79313ecc7a88116b11b562399ca99dfdb54df6adf480

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561800.exe

Filesize
540KB

MD5
9ec7ee85a41fb168de72a4c7dff6be76

SHA1
83ff05ab4d9236d082d8a8dfc579f6fd56bd43de

SHA256
1760e6199394e1c0756988c0f983c7a4dfaeb13a050fa7f3f50122e08d41e008

SHA512
f455fb2cfcbc1de29f3ea0def87dc84a467618504c73ea41a4faaff2b28d63f14988a40e5295259b3f5a79313ecc7a88116b11b562399ca99dfdb54df6adf480

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\29477359.exe

Filesize
258KB

MD5
f0a970ca380e884c799ffe9ebee3f47d

SHA1
73e4a6290b002016235de8467c81a32d6fe74568

SHA256
6698877fb2c49ed322b65d96fb68a96acc8ce1d966480750bc424d8ffeeebe92

SHA512
ef6c2e90fe24c85f430e41a8e4807e0842c33385e442775e7b2f73ff19d56c475c37b1e011bc856d9d28d6f8e7360aae1d79586c135d1c255863b8358ffbd647

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\29477359.exe

Filesize
258KB

MD5
f0a970ca380e884c799ffe9ebee3f47d

SHA1
73e4a6290b002016235de8467c81a32d6fe74568

SHA256
6698877fb2c49ed322b65d96fb68a96acc8ce1d966480750bc424d8ffeeebe92

SHA512
ef6c2e90fe24c85f430e41a8e4807e0842c33385e442775e7b2f73ff19d56c475c37b1e011bc856d9d28d6f8e7360aae1d79586c135d1c255863b8358ffbd647

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\29477359.exe

Filesize
258KB

MD5
f0a970ca380e884c799ffe9ebee3f47d

SHA1
73e4a6290b002016235de8467c81a32d6fe74568

SHA256
6698877fb2c49ed322b65d96fb68a96acc8ce1d966480750bc424d8ffeeebe92

SHA512
ef6c2e90fe24c85f430e41a8e4807e0842c33385e442775e7b2f73ff19d56c475c37b1e011bc856d9d28d6f8e7360aae1d79586c135d1c255863b8358ffbd647

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk628985.exe

Filesize
340KB

MD5
ffc8fdb0ff9f113860fa7c4f43182f12

SHA1
a7bd411a9a63791917affdc934bac77a4d96cb1c

SHA256
6288e7f32402e2710d28476ba98957dca7f3c0bec0bedb8c50b1e2bc576905e3

SHA512
950b9c5acb9ff491cb12326c3c6093adb3c1bf81c4ddcf666def51cfb64f8e387cafdfe476d8e99863c879cc3b1d4535486923a76acf1a99484ea3df09f8d28d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk628985.exe

Filesize
340KB

MD5
ffc8fdb0ff9f113860fa7c4f43182f12

SHA1
a7bd411a9a63791917affdc934bac77a4d96cb1c

SHA256
6288e7f32402e2710d28476ba98957dca7f3c0bec0bedb8c50b1e2bc576905e3

SHA512
950b9c5acb9ff491cb12326c3c6093adb3c1bf81c4ddcf666def51cfb64f8e387cafdfe476d8e99863c879cc3b1d4535486923a76acf1a99484ea3df09f8d28d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk628985.exe

Filesize
340KB

MD5
ffc8fdb0ff9f113860fa7c4f43182f12

SHA1
a7bd411a9a63791917affdc934bac77a4d96cb1c

SHA256
6288e7f32402e2710d28476ba98957dca7f3c0bec0bedb8c50b1e2bc576905e3

SHA512
950b9c5acb9ff491cb12326c3c6093adb3c1bf81c4ddcf666def51cfb64f8e387cafdfe476d8e99863c879cc3b1d4535486923a76acf1a99484ea3df09f8d28d

Download Submit
memory/1420-110-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/1420-87-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/1420-89-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/1420-91-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/1420-93-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/1420-95-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/1420-97-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/1420-99-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/1420-101-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/1420-103-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/1420-105-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/1420-107-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/1420-109-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/1420-85-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/1420-113-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/1420-83-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/1420-82-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/1420-81-0x00000000048F0000-0x0000000004908000-memory.dmp

Filesize
96KB

Download
memory/1420-79-0x0000000002BA0000-0x0000000002BCD000-memory.dmp

Filesize
180KB

Download
memory/1420-80-0x0000000007250000-0x0000000007290000-memory.dmp

Filesize
256KB

Download
memory/1420-78-0x00000000031F0000-0x000000000320A000-memory.dmp

Filesize
104KB

Download
memory/1524-126-0x0000000000250000-0x0000000000296000-memory.dmp

Filesize
280KB

Download
memory/1524-144-0x0000000003470000-0x00000000034A5000-memory.dmp

Filesize
212KB

Download
memory/1524-124-0x0000000002F90000-0x0000000002FCC000-memory.dmp

Filesize
240KB

Download
memory/1524-128-0x0000000003200000-0x0000000003240000-memory.dmp

Filesize
256KB

Download
memory/1524-127-0x0000000003200000-0x0000000003240000-memory.dmp

Filesize
256KB

Download
memory/1524-129-0x0000000003470000-0x00000000034A5000-memory.dmp

Filesize
212KB

Download
memory/1524-130-0x0000000003470000-0x00000000034A5000-memory.dmp

Filesize
212KB

Download
memory/1524-132-0x0000000003470000-0x00000000034A5000-memory.dmp

Filesize
212KB

Download
memory/1524-134-0x0000000003470000-0x00000000034A5000-memory.dmp

Filesize
212KB

Download
memory/1524-136-0x0000000003470000-0x00000000034A5000-memory.dmp

Filesize
212KB

Download
memory/1524-138-0x0000000003470000-0x00000000034A5000-memory.dmp

Filesize
212KB

Download
memory/1524-140-0x0000000003470000-0x00000000034A5000-memory.dmp

Filesize
212KB

Download
memory/1524-142-0x0000000003470000-0x00000000034A5000-memory.dmp

Filesize
212KB

Download
memory/1524-125-0x0000000003470000-0x00000000034AA000-memory.dmp

Filesize
232KB

Download
memory/1524-146-0x0000000003470000-0x00000000034A5000-memory.dmp

Filesize
212KB

Download
memory/1524-148-0x0000000003470000-0x00000000034A5000-memory.dmp

Filesize
212KB

Download
memory/1524-150-0x0000000003470000-0x00000000034A5000-memory.dmp

Filesize
212KB

Download
memory/1524-152-0x0000000003470000-0x00000000034A5000-memory.dmp

Filesize
212KB

Download
memory/1524-154-0x0000000003470000-0x00000000034A5000-memory.dmp

Filesize
212KB

Download
memory/1524-156-0x0000000003470000-0x00000000034A5000-memory.dmp

Filesize
212KB

Download
memory/1524-158-0x0000000003470000-0x00000000034A5000-memory.dmp

Filesize
212KB

Download
memory/1524-160-0x0000000003470000-0x00000000034A5000-memory.dmp

Filesize
212KB

Download
memory/1524-922-0x0000000003200000-0x0000000003240000-memory.dmp

Filesize
256KB

Download
memory/1524-923-0x0000000003200000-0x0000000003240000-memory.dmp

Filesize
256KB

Download
memory/1524-924-0x0000000003200000-0x0000000003240000-memory.dmp

Filesize
256KB

Download
memory/1524-926-0x0000000003200000-0x0000000003240000-memory.dmp

Filesize
256KB

Download