ed9ccb0ed6487b59c0f9ca132581034de85e4ce75e54b797e069663bbb02111f

Analysis

max time kernel
170s
max time network
172s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 20:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ed9ccb0ed6487b59c0f9ca132581034de85e4ce75e54b797e069663bbb02111f.exe
Size

697KB
MD5

54a70ee5d2e97b18cc473dad5fe1a26c
SHA1

fc03856a2b334b32932868d3e234648f4546a178
SHA256

ed9ccb0ed6487b59c0f9ca132581034de85e4ce75e54b797e069663bbb02111f
SHA512

588fe6d2095e6ae6fd7d045890a9302fbd835d8c7c39191d653e2e8e74e046f885b113244d32b599d63a3463c3efb87c0334f5d7028034efdf78e10e300bc70e
SSDEEP

12288:Qy90Yht7YUjvir5uCD0wvAj7cjSunMBe9rd5fO+oE/2il4:Qy8Ujqr5PDYAj3Mgrv5n1C

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	40335334.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	40335334.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	40335334.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	40335334.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	40335334.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	40335334.exe

Executes dropped EXE 3 IoCs

pid	Process
792	un806944.exe
1412	40335334.exe
1220	rk156799.exe

Loads dropped DLL 8 IoCs

pid	Process
928	ed9ccb0ed6487b59c0f9ca132581034de85e4ce75e54b797e069663bbb02111f.exe
792	un806944.exe
792	un806944.exe
792	un806944.exe
1412	40335334.exe
792	un806944.exe
792	un806944.exe
1220	rk156799.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	40335334.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	40335334.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ed9ccb0ed6487b59c0f9ca132581034de85e4ce75e54b797e069663bbb02111f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ed9ccb0ed6487b59c0f9ca132581034de85e4ce75e54b797e069663bbb02111f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un806944.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un806944.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1412	40335334.exe
1412	40335334.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1412	40335334.exe
Token: SeDebugPrivilege	1220	rk156799.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 928 wrote to memory of 792	928	ed9ccb0ed6487b59c0f9ca132581034de85e4ce75e54b797e069663bbb02111f.exe	28
PID 928 wrote to memory of 792	928	ed9ccb0ed6487b59c0f9ca132581034de85e4ce75e54b797e069663bbb02111f.exe	28
PID 928 wrote to memory of 792	928	ed9ccb0ed6487b59c0f9ca132581034de85e4ce75e54b797e069663bbb02111f.exe	28
PID 928 wrote to memory of 792	928	ed9ccb0ed6487b59c0f9ca132581034de85e4ce75e54b797e069663bbb02111f.exe	28
PID 928 wrote to memory of 792	928	ed9ccb0ed6487b59c0f9ca132581034de85e4ce75e54b797e069663bbb02111f.exe	28
PID 928 wrote to memory of 792	928	ed9ccb0ed6487b59c0f9ca132581034de85e4ce75e54b797e069663bbb02111f.exe	28
PID 928 wrote to memory of 792	928	ed9ccb0ed6487b59c0f9ca132581034de85e4ce75e54b797e069663bbb02111f.exe	28
PID 792 wrote to memory of 1412	792	un806944.exe	29
PID 792 wrote to memory of 1412	792	un806944.exe	29
PID 792 wrote to memory of 1412	792	un806944.exe	29
PID 792 wrote to memory of 1412	792	un806944.exe	29
PID 792 wrote to memory of 1412	792	un806944.exe	29
PID 792 wrote to memory of 1412	792	un806944.exe	29
PID 792 wrote to memory of 1412	792	un806944.exe	29
PID 792 wrote to memory of 1220	792	un806944.exe	30
PID 792 wrote to memory of 1220	792	un806944.exe	30
PID 792 wrote to memory of 1220	792	un806944.exe	30
PID 792 wrote to memory of 1220	792	un806944.exe	30
PID 792 wrote to memory of 1220	792	un806944.exe	30
PID 792 wrote to memory of 1220	792	un806944.exe	30
PID 792 wrote to memory of 1220	792	un806944.exe	30

C:\Users\Admin\AppData\Local\Temp\ed9ccb0ed6487b59c0f9ca132581034de85e4ce75e54b797e069663bbb02111f.exe
"C:\Users\Admin\AppData\Local\Temp\ed9ccb0ed6487b59c0f9ca132581034de85e4ce75e54b797e069663bbb02111f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:928
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un806944.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un806944.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\40335334.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\40335334.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1412
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk156799.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk156799.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un806944.exe

Filesize
542KB

MD5
d421b51f96bb2cfa314b4c2261677ae8

SHA1
ccf75a9fc4d26f704c6e2d8673f9d6bbca9db9cb

SHA256
7a0d39aa5c26eee67e4c52be07eba9b6327b2ce35a63aef5ebc2ce54c0f23e64

SHA512
94b319afb5dc7b910fe88aa532d1eae70be4e76d57cb98e107a6222b4957512cd96a3c412b99844ade53bb60921611a57cf1850e4e7dfbe47bfcea81b3ab40a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un806944.exe

Filesize
542KB

MD5
d421b51f96bb2cfa314b4c2261677ae8

SHA1
ccf75a9fc4d26f704c6e2d8673f9d6bbca9db9cb

SHA256
7a0d39aa5c26eee67e4c52be07eba9b6327b2ce35a63aef5ebc2ce54c0f23e64

SHA512
94b319afb5dc7b910fe88aa532d1eae70be4e76d57cb98e107a6222b4957512cd96a3c412b99844ade53bb60921611a57cf1850e4e7dfbe47bfcea81b3ab40a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\40335334.exe

Filesize
263KB

MD5
4582a154c4c531d80e40a04f01a36259

SHA1
5966184689822d954b82757455998be9d66ce98a

SHA256
977d0535c2d634eb2cbbccee3e7e8afd497bb0cae59a97c73784de21448dede5

SHA512
98569c1bcc878f6701df0bef941b48765d56aaa72a90a862e553b3b03a0a4ee9169f5e1a334d91bab87a6c94dfb3729f0e1f0541d8f0ee49b7f583fd059a63ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\40335334.exe

Filesize
263KB

MD5
4582a154c4c531d80e40a04f01a36259

SHA1
5966184689822d954b82757455998be9d66ce98a

SHA256
977d0535c2d634eb2cbbccee3e7e8afd497bb0cae59a97c73784de21448dede5

SHA512
98569c1bcc878f6701df0bef941b48765d56aaa72a90a862e553b3b03a0a4ee9169f5e1a334d91bab87a6c94dfb3729f0e1f0541d8f0ee49b7f583fd059a63ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\40335334.exe

Filesize
263KB

MD5
4582a154c4c531d80e40a04f01a36259

SHA1
5966184689822d954b82757455998be9d66ce98a

SHA256
977d0535c2d634eb2cbbccee3e7e8afd497bb0cae59a97c73784de21448dede5

SHA512
98569c1bcc878f6701df0bef941b48765d56aaa72a90a862e553b3b03a0a4ee9169f5e1a334d91bab87a6c94dfb3729f0e1f0541d8f0ee49b7f583fd059a63ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk156799.exe

Filesize
328KB

MD5
502fa85972c7067b182795cc27aa510c

SHA1
c05715d94988867ffeaf74f034b3ce448741254a

SHA256
f117cda72db57e6e27acc2aaf29c03272f9112563096755370767bea80ba7550

SHA512
c5c81f749b8a9460ecdff117dbe4b7940fea6b39ab322a67258e62809718cf9c08c57faf51cb924629bb5e51460ff425fd74d995b3c835c9b72661df272dd304

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk156799.exe

Filesize
328KB

MD5
502fa85972c7067b182795cc27aa510c

SHA1
c05715d94988867ffeaf74f034b3ce448741254a

SHA256
f117cda72db57e6e27acc2aaf29c03272f9112563096755370767bea80ba7550

SHA512
c5c81f749b8a9460ecdff117dbe4b7940fea6b39ab322a67258e62809718cf9c08c57faf51cb924629bb5e51460ff425fd74d995b3c835c9b72661df272dd304

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk156799.exe

Filesize
328KB

MD5
502fa85972c7067b182795cc27aa510c

SHA1
c05715d94988867ffeaf74f034b3ce448741254a

SHA256
f117cda72db57e6e27acc2aaf29c03272f9112563096755370767bea80ba7550

SHA512
c5c81f749b8a9460ecdff117dbe4b7940fea6b39ab322a67258e62809718cf9c08c57faf51cb924629bb5e51460ff425fd74d995b3c835c9b72661df272dd304

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un806944.exe

Filesize
542KB

MD5
d421b51f96bb2cfa314b4c2261677ae8

SHA1
ccf75a9fc4d26f704c6e2d8673f9d6bbca9db9cb

SHA256
7a0d39aa5c26eee67e4c52be07eba9b6327b2ce35a63aef5ebc2ce54c0f23e64

SHA512
94b319afb5dc7b910fe88aa532d1eae70be4e76d57cb98e107a6222b4957512cd96a3c412b99844ade53bb60921611a57cf1850e4e7dfbe47bfcea81b3ab40a7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un806944.exe

Filesize
542KB

MD5
d421b51f96bb2cfa314b4c2261677ae8

SHA1
ccf75a9fc4d26f704c6e2d8673f9d6bbca9db9cb

SHA256
7a0d39aa5c26eee67e4c52be07eba9b6327b2ce35a63aef5ebc2ce54c0f23e64

SHA512
94b319afb5dc7b910fe88aa532d1eae70be4e76d57cb98e107a6222b4957512cd96a3c412b99844ade53bb60921611a57cf1850e4e7dfbe47bfcea81b3ab40a7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\40335334.exe

Filesize
263KB

MD5
4582a154c4c531d80e40a04f01a36259

SHA1
5966184689822d954b82757455998be9d66ce98a

SHA256
977d0535c2d634eb2cbbccee3e7e8afd497bb0cae59a97c73784de21448dede5

SHA512
98569c1bcc878f6701df0bef941b48765d56aaa72a90a862e553b3b03a0a4ee9169f5e1a334d91bab87a6c94dfb3729f0e1f0541d8f0ee49b7f583fd059a63ef

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\40335334.exe

Filesize
263KB

MD5
4582a154c4c531d80e40a04f01a36259

SHA1
5966184689822d954b82757455998be9d66ce98a

SHA256
977d0535c2d634eb2cbbccee3e7e8afd497bb0cae59a97c73784de21448dede5

SHA512
98569c1bcc878f6701df0bef941b48765d56aaa72a90a862e553b3b03a0a4ee9169f5e1a334d91bab87a6c94dfb3729f0e1f0541d8f0ee49b7f583fd059a63ef

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\40335334.exe

Filesize
263KB

MD5
4582a154c4c531d80e40a04f01a36259

SHA1
5966184689822d954b82757455998be9d66ce98a

SHA256
977d0535c2d634eb2cbbccee3e7e8afd497bb0cae59a97c73784de21448dede5

SHA512
98569c1bcc878f6701df0bef941b48765d56aaa72a90a862e553b3b03a0a4ee9169f5e1a334d91bab87a6c94dfb3729f0e1f0541d8f0ee49b7f583fd059a63ef

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk156799.exe

Filesize
328KB

MD5
502fa85972c7067b182795cc27aa510c

SHA1
c05715d94988867ffeaf74f034b3ce448741254a

SHA256
f117cda72db57e6e27acc2aaf29c03272f9112563096755370767bea80ba7550

SHA512
c5c81f749b8a9460ecdff117dbe4b7940fea6b39ab322a67258e62809718cf9c08c57faf51cb924629bb5e51460ff425fd74d995b3c835c9b72661df272dd304

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk156799.exe

Filesize
328KB

MD5
502fa85972c7067b182795cc27aa510c

SHA1
c05715d94988867ffeaf74f034b3ce448741254a

SHA256
f117cda72db57e6e27acc2aaf29c03272f9112563096755370767bea80ba7550

SHA512
c5c81f749b8a9460ecdff117dbe4b7940fea6b39ab322a67258e62809718cf9c08c57faf51cb924629bb5e51460ff425fd74d995b3c835c9b72661df272dd304

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk156799.exe

Filesize
328KB

MD5
502fa85972c7067b182795cc27aa510c

SHA1
c05715d94988867ffeaf74f034b3ce448741254a

SHA256
f117cda72db57e6e27acc2aaf29c03272f9112563096755370767bea80ba7550

SHA512
c5c81f749b8a9460ecdff117dbe4b7940fea6b39ab322a67258e62809718cf9c08c57faf51cb924629bb5e51460ff425fd74d995b3c835c9b72661df272dd304

Download Submit
memory/1220-140-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/1220-150-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/1220-924-0x0000000007080000-0x00000000070C0000-memory.dmp

Filesize
256KB

Download
memory/1220-923-0x0000000007080000-0x00000000070C0000-memory.dmp

Filesize
256KB

Download
memory/1220-921-0x0000000007080000-0x00000000070C0000-memory.dmp

Filesize
256KB

Download
memory/1220-415-0x0000000007080000-0x00000000070C0000-memory.dmp

Filesize
256KB

Download
memory/1220-413-0x0000000007080000-0x00000000070C0000-memory.dmp

Filesize
256KB

Download
memory/1220-411-0x0000000007080000-0x00000000070C0000-memory.dmp

Filesize
256KB

Download
memory/1220-409-0x0000000003080000-0x00000000030C6000-memory.dmp

Filesize
280KB

Download
memory/1220-158-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/1220-156-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/1220-154-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/1220-152-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/1220-148-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/1220-146-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/1220-144-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/1220-142-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/1220-138-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/1220-136-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/1220-134-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/1220-132-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/1220-126-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/1220-123-0x00000000045A0000-0x00000000045DC000-memory.dmp

Filesize
240KB

Download
memory/1220-124-0x00000000070C0000-0x00000000070FA000-memory.dmp

Filesize
232KB

Download
memory/1220-125-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/1220-128-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/1220-130-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/1412-86-0x00000000031A0000-0x00000000031B3000-memory.dmp

Filesize
76KB

Download
memory/1412-108-0x00000000031A0000-0x00000000031B3000-memory.dmp

Filesize
76KB

Download
memory/1412-79-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/1412-82-0x00000000031A0000-0x00000000031B8000-memory.dmp

Filesize
96KB

Download
memory/1412-83-0x00000000031A0000-0x00000000031B3000-memory.dmp

Filesize
76KB

Download
memory/1412-78-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/1412-84-0x00000000031A0000-0x00000000031B3000-memory.dmp

Filesize
76KB

Download
memory/1412-112-0x0000000000400000-0x0000000002B99000-memory.dmp

Filesize
39.6MB

Download
memory/1412-111-0x0000000000400000-0x0000000002B99000-memory.dmp

Filesize
39.6MB

Download
memory/1412-106-0x00000000031A0000-0x00000000031B3000-memory.dmp

Filesize
76KB

Download
memory/1412-80-0x0000000007330000-0x0000000007370000-memory.dmp

Filesize
256KB

Download
memory/1412-81-0x0000000007330000-0x0000000007370000-memory.dmp

Filesize
256KB

Download
memory/1412-110-0x00000000031A0000-0x00000000031B3000-memory.dmp

Filesize
76KB

Download
memory/1412-104-0x00000000031A0000-0x00000000031B3000-memory.dmp

Filesize
76KB

Download
memory/1412-102-0x00000000031A0000-0x00000000031B3000-memory.dmp

Filesize
76KB

Download
memory/1412-100-0x00000000031A0000-0x00000000031B3000-memory.dmp

Filesize
76KB

Download
memory/1412-98-0x00000000031A0000-0x00000000031B3000-memory.dmp

Filesize
76KB

Download
memory/1412-96-0x00000000031A0000-0x00000000031B3000-memory.dmp

Filesize
76KB

Download
memory/1412-94-0x00000000031A0000-0x00000000031B3000-memory.dmp

Filesize
76KB

Download
memory/1412-92-0x00000000031A0000-0x00000000031B3000-memory.dmp

Filesize
76KB

Download
memory/1412-90-0x00000000031A0000-0x00000000031B3000-memory.dmp

Filesize
76KB

Download
memory/1412-88-0x00000000031A0000-0x00000000031B3000-memory.dmp

Filesize
76KB

Download