f2f68f672b62fc65e343afea6c3e49a2cd43905904eb68de308fcc3bc6d8e3ec

Analysis

max time kernel
153s
max time network
158s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 20:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f2f68f672b62fc65e343afea6c3e49a2cd43905904eb68de308fcc3bc6d8e3ec.exe
Size

695KB
MD5

48fd845cfc42eb2c4dc4cb03c23b27c8
SHA1

3dc94ca3d3de1979949d0440cdc8103cff8064c6
SHA256

f2f68f672b62fc65e343afea6c3e49a2cd43905904eb68de308fcc3bc6d8e3ec
SHA512

fe3ee9eae6f79dbedea2d4ad6796d678bdae181a6be06c92876d7fc29de6359d907ae330d48727575ae26ea6129f83b5fc3996b04b000e38509f5a64a440af4d
SSDEEP

12288:cy90kUn4MnLH7mFrehcUXUdun1Jr2Kix3xTHQq8sXowQDySyUdJOvmxQAE:cyBUnlnTaVehc23nqBxhTHQ1s4wQ7Aog

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	62353108.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	62353108.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	62353108.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	62353108.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	62353108.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	62353108.exe

Executes dropped EXE 3 IoCs

pid	Process
1212	un624240.exe
468	62353108.exe
1672	rk268966.exe

Loads dropped DLL 8 IoCs

pid	Process
1772	f2f68f672b62fc65e343afea6c3e49a2cd43905904eb68de308fcc3bc6d8e3ec.exe
1212	un624240.exe
1212	un624240.exe
1212	un624240.exe
468	62353108.exe
1212	un624240.exe
1212	un624240.exe
1672	rk268966.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	62353108.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	62353108.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f2f68f672b62fc65e343afea6c3e49a2cd43905904eb68de308fcc3bc6d8e3ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f2f68f672b62fc65e343afea6c3e49a2cd43905904eb68de308fcc3bc6d8e3ec.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un624240.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un624240.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
468	62353108.exe
468	62353108.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	468	62353108.exe
Token: SeDebugPrivilege	1672	rk268966.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 1212	1772	f2f68f672b62fc65e343afea6c3e49a2cd43905904eb68de308fcc3bc6d8e3ec.exe	28
PID 1772 wrote to memory of 1212	1772	f2f68f672b62fc65e343afea6c3e49a2cd43905904eb68de308fcc3bc6d8e3ec.exe	28
PID 1772 wrote to memory of 1212	1772	f2f68f672b62fc65e343afea6c3e49a2cd43905904eb68de308fcc3bc6d8e3ec.exe	28
PID 1772 wrote to memory of 1212	1772	f2f68f672b62fc65e343afea6c3e49a2cd43905904eb68de308fcc3bc6d8e3ec.exe	28
PID 1772 wrote to memory of 1212	1772	f2f68f672b62fc65e343afea6c3e49a2cd43905904eb68de308fcc3bc6d8e3ec.exe	28
PID 1772 wrote to memory of 1212	1772	f2f68f672b62fc65e343afea6c3e49a2cd43905904eb68de308fcc3bc6d8e3ec.exe	28
PID 1772 wrote to memory of 1212	1772	f2f68f672b62fc65e343afea6c3e49a2cd43905904eb68de308fcc3bc6d8e3ec.exe	28
PID 1212 wrote to memory of 468	1212	un624240.exe	29
PID 1212 wrote to memory of 468	1212	un624240.exe	29
PID 1212 wrote to memory of 468	1212	un624240.exe	29
PID 1212 wrote to memory of 468	1212	un624240.exe	29
PID 1212 wrote to memory of 468	1212	un624240.exe	29
PID 1212 wrote to memory of 468	1212	un624240.exe	29
PID 1212 wrote to memory of 468	1212	un624240.exe	29
PID 1212 wrote to memory of 1672	1212	un624240.exe	30
PID 1212 wrote to memory of 1672	1212	un624240.exe	30
PID 1212 wrote to memory of 1672	1212	un624240.exe	30
PID 1212 wrote to memory of 1672	1212	un624240.exe	30
PID 1212 wrote to memory of 1672	1212	un624240.exe	30
PID 1212 wrote to memory of 1672	1212	un624240.exe	30
PID 1212 wrote to memory of 1672	1212	un624240.exe	30

C:\Users\Admin\AppData\Local\Temp\f2f68f672b62fc65e343afea6c3e49a2cd43905904eb68de308fcc3bc6d8e3ec.exe
"C:\Users\Admin\AppData\Local\Temp\f2f68f672b62fc65e343afea6c3e49a2cd43905904eb68de308fcc3bc6d8e3ec.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un624240.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un624240.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\62353108.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\62353108.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:468
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk268966.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk268966.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un624240.exe

Filesize
541KB

MD5
8164882881ededdf303d24ac9bb0324e

SHA1
d0d4beffc960cdc16706f8702597a7979794d0c4

SHA256
70a4131cd81bf886f1c34d81ab8c61197bc6b38017145cd584c412da74c78d2b

SHA512
aaad4fa2ad278f66d1aba044ab1e0dc852c1fadf99f93dfb32f63072ffb1594ff4351dbe9a87e0194705675a81312a08c50e2dc5c6c00851b3f5cfb1e1f19a54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un624240.exe

Filesize
541KB

MD5
8164882881ededdf303d24ac9bb0324e

SHA1
d0d4beffc960cdc16706f8702597a7979794d0c4

SHA256
70a4131cd81bf886f1c34d81ab8c61197bc6b38017145cd584c412da74c78d2b

SHA512
aaad4fa2ad278f66d1aba044ab1e0dc852c1fadf99f93dfb32f63072ffb1594ff4351dbe9a87e0194705675a81312a08c50e2dc5c6c00851b3f5cfb1e1f19a54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\62353108.exe

Filesize
258KB

MD5
c671d754003666106ee51a7020e62adb

SHA1
6c05148cf75558a82598fd8357c86ed6bdcc9063

SHA256
1bd5d6df4d767ec3f59248526cb7efb4389f55ff56fe622f84c2ce05baf75d26

SHA512
5f8f93f7d830903688790182667955bbec924d36c1f732ca86bc2c4e7f8dffa0724de2e9df432924b685c1e13a64343c8cf7e080f44cc5f9bf3d0bcca6dc550b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\62353108.exe

Filesize
258KB

MD5
c671d754003666106ee51a7020e62adb

SHA1
6c05148cf75558a82598fd8357c86ed6bdcc9063

SHA256
1bd5d6df4d767ec3f59248526cb7efb4389f55ff56fe622f84c2ce05baf75d26

SHA512
5f8f93f7d830903688790182667955bbec924d36c1f732ca86bc2c4e7f8dffa0724de2e9df432924b685c1e13a64343c8cf7e080f44cc5f9bf3d0bcca6dc550b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\62353108.exe

Filesize
258KB

MD5
c671d754003666106ee51a7020e62adb

SHA1
6c05148cf75558a82598fd8357c86ed6bdcc9063

SHA256
1bd5d6df4d767ec3f59248526cb7efb4389f55ff56fe622f84c2ce05baf75d26

SHA512
5f8f93f7d830903688790182667955bbec924d36c1f732ca86bc2c4e7f8dffa0724de2e9df432924b685c1e13a64343c8cf7e080f44cc5f9bf3d0bcca6dc550b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk268966.exe

Filesize
340KB

MD5
b383cd533b43586dcabf78c4407c2c75

SHA1
7dd51a068af50c5887d0cf3f5fda4c029c50aea5

SHA256
31d8b295af54119bf497aff31d29d7fb63ebc7cc93834ff84524b68c86fdffff

SHA512
50e3024c047e1945ecd8ccec19a6865dde0d9fc6a7dccdba15848170c1dea69955de21e6d0c4b17209edbc395d522a689a1b79a106739cb83658be11cd1b6cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk268966.exe

Filesize
340KB

MD5
b383cd533b43586dcabf78c4407c2c75

SHA1
7dd51a068af50c5887d0cf3f5fda4c029c50aea5

SHA256
31d8b295af54119bf497aff31d29d7fb63ebc7cc93834ff84524b68c86fdffff

SHA512
50e3024c047e1945ecd8ccec19a6865dde0d9fc6a7dccdba15848170c1dea69955de21e6d0c4b17209edbc395d522a689a1b79a106739cb83658be11cd1b6cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk268966.exe

Filesize
340KB

MD5
b383cd533b43586dcabf78c4407c2c75

SHA1
7dd51a068af50c5887d0cf3f5fda4c029c50aea5

SHA256
31d8b295af54119bf497aff31d29d7fb63ebc7cc93834ff84524b68c86fdffff

SHA512
50e3024c047e1945ecd8ccec19a6865dde0d9fc6a7dccdba15848170c1dea69955de21e6d0c4b17209edbc395d522a689a1b79a106739cb83658be11cd1b6cea

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un624240.exe

Filesize
541KB

MD5
8164882881ededdf303d24ac9bb0324e

SHA1
d0d4beffc960cdc16706f8702597a7979794d0c4

SHA256
70a4131cd81bf886f1c34d81ab8c61197bc6b38017145cd584c412da74c78d2b

SHA512
aaad4fa2ad278f66d1aba044ab1e0dc852c1fadf99f93dfb32f63072ffb1594ff4351dbe9a87e0194705675a81312a08c50e2dc5c6c00851b3f5cfb1e1f19a54

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un624240.exe

Filesize
541KB

MD5
8164882881ededdf303d24ac9bb0324e

SHA1
d0d4beffc960cdc16706f8702597a7979794d0c4

SHA256
70a4131cd81bf886f1c34d81ab8c61197bc6b38017145cd584c412da74c78d2b

SHA512
aaad4fa2ad278f66d1aba044ab1e0dc852c1fadf99f93dfb32f63072ffb1594ff4351dbe9a87e0194705675a81312a08c50e2dc5c6c00851b3f5cfb1e1f19a54

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\62353108.exe

Filesize
258KB

MD5
c671d754003666106ee51a7020e62adb

SHA1
6c05148cf75558a82598fd8357c86ed6bdcc9063

SHA256
1bd5d6df4d767ec3f59248526cb7efb4389f55ff56fe622f84c2ce05baf75d26

SHA512
5f8f93f7d830903688790182667955bbec924d36c1f732ca86bc2c4e7f8dffa0724de2e9df432924b685c1e13a64343c8cf7e080f44cc5f9bf3d0bcca6dc550b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\62353108.exe

Filesize
258KB

MD5
c671d754003666106ee51a7020e62adb

SHA1
6c05148cf75558a82598fd8357c86ed6bdcc9063

SHA256
1bd5d6df4d767ec3f59248526cb7efb4389f55ff56fe622f84c2ce05baf75d26

SHA512
5f8f93f7d830903688790182667955bbec924d36c1f732ca86bc2c4e7f8dffa0724de2e9df432924b685c1e13a64343c8cf7e080f44cc5f9bf3d0bcca6dc550b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\62353108.exe

Filesize
258KB

MD5
c671d754003666106ee51a7020e62adb

SHA1
6c05148cf75558a82598fd8357c86ed6bdcc9063

SHA256
1bd5d6df4d767ec3f59248526cb7efb4389f55ff56fe622f84c2ce05baf75d26

SHA512
5f8f93f7d830903688790182667955bbec924d36c1f732ca86bc2c4e7f8dffa0724de2e9df432924b685c1e13a64343c8cf7e080f44cc5f9bf3d0bcca6dc550b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk268966.exe

Filesize
340KB

MD5
b383cd533b43586dcabf78c4407c2c75

SHA1
7dd51a068af50c5887d0cf3f5fda4c029c50aea5

SHA256
31d8b295af54119bf497aff31d29d7fb63ebc7cc93834ff84524b68c86fdffff

SHA512
50e3024c047e1945ecd8ccec19a6865dde0d9fc6a7dccdba15848170c1dea69955de21e6d0c4b17209edbc395d522a689a1b79a106739cb83658be11cd1b6cea

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk268966.exe

Filesize
340KB

MD5
b383cd533b43586dcabf78c4407c2c75

SHA1
7dd51a068af50c5887d0cf3f5fda4c029c50aea5

SHA256
31d8b295af54119bf497aff31d29d7fb63ebc7cc93834ff84524b68c86fdffff

SHA512
50e3024c047e1945ecd8ccec19a6865dde0d9fc6a7dccdba15848170c1dea69955de21e6d0c4b17209edbc395d522a689a1b79a106739cb83658be11cd1b6cea

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk268966.exe

Filesize
340KB

MD5
b383cd533b43586dcabf78c4407c2c75

SHA1
7dd51a068af50c5887d0cf3f5fda4c029c50aea5

SHA256
31d8b295af54119bf497aff31d29d7fb63ebc7cc93834ff84524b68c86fdffff

SHA512
50e3024c047e1945ecd8ccec19a6865dde0d9fc6a7dccdba15848170c1dea69955de21e6d0c4b17209edbc395d522a689a1b79a106739cb83658be11cd1b6cea

Download Submit
memory/468-110-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/468-87-0x00000000032E0000-0x00000000032F3000-memory.dmp

Filesize
76KB

Download
memory/468-89-0x00000000032E0000-0x00000000032F3000-memory.dmp

Filesize
76KB

Download
memory/468-91-0x00000000032E0000-0x00000000032F3000-memory.dmp

Filesize
76KB

Download
memory/468-93-0x00000000032E0000-0x00000000032F3000-memory.dmp

Filesize
76KB

Download
memory/468-95-0x00000000032E0000-0x00000000032F3000-memory.dmp

Filesize
76KB

Download
memory/468-97-0x00000000032E0000-0x00000000032F3000-memory.dmp

Filesize
76KB

Download
memory/468-99-0x00000000032E0000-0x00000000032F3000-memory.dmp

Filesize
76KB

Download
memory/468-101-0x00000000032E0000-0x00000000032F3000-memory.dmp

Filesize
76KB

Download
memory/468-105-0x00000000032E0000-0x00000000032F3000-memory.dmp

Filesize
76KB

Download
memory/468-103-0x00000000032E0000-0x00000000032F3000-memory.dmp

Filesize
76KB

Download
memory/468-109-0x00000000032E0000-0x00000000032F3000-memory.dmp

Filesize
76KB

Download
memory/468-107-0x00000000032E0000-0x00000000032F3000-memory.dmp

Filesize
76KB

Download
memory/468-85-0x00000000032E0000-0x00000000032F3000-memory.dmp

Filesize
76KB

Download
memory/468-114-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/468-83-0x00000000032E0000-0x00000000032F3000-memory.dmp

Filesize
76KB

Download
memory/468-82-0x00000000032E0000-0x00000000032F3000-memory.dmp

Filesize
76KB

Download
memory/468-80-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/468-81-0x0000000007270000-0x00000000072B0000-memory.dmp

Filesize
256KB

Download
memory/468-79-0x00000000032E0000-0x00000000032F8000-memory.dmp

Filesize
96KB

Download
memory/468-78-0x0000000002C20000-0x0000000002C3A000-memory.dmp

Filesize
104KB

Download
memory/1672-127-0x00000000046A0000-0x00000000046D5000-memory.dmp

Filesize
212KB

Download
memory/1672-150-0x00000000046A0000-0x00000000046D5000-memory.dmp

Filesize
212KB

Download
memory/1672-125-0x0000000004660000-0x000000000469C000-memory.dmp

Filesize
240KB

Download
memory/1672-128-0x00000000046A0000-0x00000000046D5000-memory.dmp

Filesize
212KB

Download
memory/1672-130-0x00000000046A0000-0x00000000046D5000-memory.dmp

Filesize
212KB

Download
memory/1672-132-0x00000000046A0000-0x00000000046D5000-memory.dmp

Filesize
212KB

Download
memory/1672-134-0x00000000046A0000-0x00000000046D5000-memory.dmp

Filesize
212KB

Download
memory/1672-136-0x00000000046A0000-0x00000000046D5000-memory.dmp

Filesize
212KB

Download
memory/1672-138-0x00000000046A0000-0x00000000046D5000-memory.dmp

Filesize
212KB

Download
memory/1672-140-0x00000000046A0000-0x00000000046D5000-memory.dmp

Filesize
212KB

Download
memory/1672-142-0x00000000046A0000-0x00000000046D5000-memory.dmp

Filesize
212KB

Download
memory/1672-144-0x00000000046A0000-0x00000000046D5000-memory.dmp

Filesize
212KB

Download
memory/1672-146-0x00000000046A0000-0x00000000046D5000-memory.dmp

Filesize
212KB

Download
memory/1672-126-0x00000000046A0000-0x00000000046DA000-memory.dmp

Filesize
232KB

Download
memory/1672-148-0x00000000046A0000-0x00000000046D5000-memory.dmp

Filesize
212KB

Download
memory/1672-152-0x00000000046A0000-0x00000000046D5000-memory.dmp

Filesize
212KB

Download
memory/1672-156-0x00000000046A0000-0x00000000046D5000-memory.dmp

Filesize
212KB

Download
memory/1672-154-0x00000000046A0000-0x00000000046D5000-memory.dmp

Filesize
212KB

Download
memory/1672-526-0x0000000000240000-0x0000000000286000-memory.dmp

Filesize
280KB

Download
memory/1672-528-0x0000000007230000-0x0000000007270000-memory.dmp

Filesize
256KB

Download
memory/1672-530-0x0000000007230000-0x0000000007270000-memory.dmp

Filesize
256KB

Download
memory/1672-532-0x0000000007230000-0x0000000007270000-memory.dmp

Filesize
256KB

Download
memory/1672-923-0x0000000007230000-0x0000000007270000-memory.dmp

Filesize
256KB

Download
memory/1672-925-0x0000000007230000-0x0000000007270000-memory.dmp

Filesize
256KB

Download
memory/1672-926-0x0000000007230000-0x0000000007270000-memory.dmp

Filesize
256KB

Download
memory/1672-928-0x0000000007230000-0x0000000007270000-memory.dmp

Filesize
256KB

Download