ce896f13c0fa9a6417750b6fc7ed13a34d2f5c5cca50d37e96fb3deb0c129ca7

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce896f13c0fa9a6417750b6fc7ed13a34d2f5c5cca50d37e96fb3deb0c129ca7.exe
Size

695KB
MD5

636db1c6e7b29ffe3c8c17a57154b303
SHA1

04b4432446991895de51fc9a8195a5df97fe9285
SHA256

ce896f13c0fa9a6417750b6fc7ed13a34d2f5c5cca50d37e96fb3deb0c129ca7
SHA512

eec61497dcd4de83e0d28c3fa5cea6ac15456a28484df435459303fab3b1bbfb009993a02ed03dad4959b27acbbf5a6139ec06c854b9eac7071dfad08ba76db8
SSDEEP

12288:0y90vLbFTVSuki8SfqFlnDPqi9e9gBKgjy2OV1u0hWb2hYtoCzjkp:0yiBVSLgqFl2iaEKTz1PW8Ytof

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	36322525.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	36322525.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	36322525.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	36322525.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	36322525.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	36322525.exe

Executes dropped EXE 3 IoCs

pid	Process
1324	un089579.exe
540	36322525.exe
808	rk094664.exe

Loads dropped DLL 8 IoCs

pid	Process
2020	ce896f13c0fa9a6417750b6fc7ed13a34d2f5c5cca50d37e96fb3deb0c129ca7.exe
1324	un089579.exe
1324	un089579.exe
1324	un089579.exe
540	36322525.exe
1324	un089579.exe
1324	un089579.exe
808	rk094664.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	36322525.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	36322525.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ce896f13c0fa9a6417750b6fc7ed13a34d2f5c5cca50d37e96fb3deb0c129ca7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ce896f13c0fa9a6417750b6fc7ed13a34d2f5c5cca50d37e96fb3deb0c129ca7.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un089579.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un089579.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
540	36322525.exe
540	36322525.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	540	36322525.exe
Token: SeDebugPrivilege	808	rk094664.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1324	2020	ce896f13c0fa9a6417750b6fc7ed13a34d2f5c5cca50d37e96fb3deb0c129ca7.exe	27
PID 2020 wrote to memory of 1324	2020	ce896f13c0fa9a6417750b6fc7ed13a34d2f5c5cca50d37e96fb3deb0c129ca7.exe	27
PID 2020 wrote to memory of 1324	2020	ce896f13c0fa9a6417750b6fc7ed13a34d2f5c5cca50d37e96fb3deb0c129ca7.exe	27
PID 2020 wrote to memory of 1324	2020	ce896f13c0fa9a6417750b6fc7ed13a34d2f5c5cca50d37e96fb3deb0c129ca7.exe	27
PID 2020 wrote to memory of 1324	2020	ce896f13c0fa9a6417750b6fc7ed13a34d2f5c5cca50d37e96fb3deb0c129ca7.exe	27
PID 2020 wrote to memory of 1324	2020	ce896f13c0fa9a6417750b6fc7ed13a34d2f5c5cca50d37e96fb3deb0c129ca7.exe	27
PID 2020 wrote to memory of 1324	2020	ce896f13c0fa9a6417750b6fc7ed13a34d2f5c5cca50d37e96fb3deb0c129ca7.exe	27
PID 1324 wrote to memory of 540	1324	un089579.exe	28
PID 1324 wrote to memory of 540	1324	un089579.exe	28
PID 1324 wrote to memory of 540	1324	un089579.exe	28
PID 1324 wrote to memory of 540	1324	un089579.exe	28
PID 1324 wrote to memory of 540	1324	un089579.exe	28
PID 1324 wrote to memory of 540	1324	un089579.exe	28
PID 1324 wrote to memory of 540	1324	un089579.exe	28
PID 1324 wrote to memory of 808	1324	un089579.exe	29
PID 1324 wrote to memory of 808	1324	un089579.exe	29
PID 1324 wrote to memory of 808	1324	un089579.exe	29
PID 1324 wrote to memory of 808	1324	un089579.exe	29
PID 1324 wrote to memory of 808	1324	un089579.exe	29
PID 1324 wrote to memory of 808	1324	un089579.exe	29
PID 1324 wrote to memory of 808	1324	un089579.exe	29

C:\Users\Admin\AppData\Local\Temp\ce896f13c0fa9a6417750b6fc7ed13a34d2f5c5cca50d37e96fb3deb0c129ca7.exe
"C:\Users\Admin\AppData\Local\Temp\ce896f13c0fa9a6417750b6fc7ed13a34d2f5c5cca50d37e96fb3deb0c129ca7.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un089579.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un089579.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\36322525.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\36322525.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:540
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk094664.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk094664.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un089579.exe

Filesize
541KB

MD5
3e2c7e7a08a947d9d2608d4323b65dfa

SHA1
b8edef0017dc75cedd6431ca0bdd0503f5c2dfe2

SHA256
79fc04ef53ab6c5b6963dad1d7f286bdad51e5bab94615f29eebe0403bfb0bc2

SHA512
ebe0a532a9858beb27597c5f07753edfeb994167b8435bede9434181c8126b7939550a711d8cdf8f964c4d87faeb27f41877a82b4a3215fd7ed9949d3d63bd55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un089579.exe

Filesize
541KB

MD5
3e2c7e7a08a947d9d2608d4323b65dfa

SHA1
b8edef0017dc75cedd6431ca0bdd0503f5c2dfe2

SHA256
79fc04ef53ab6c5b6963dad1d7f286bdad51e5bab94615f29eebe0403bfb0bc2

SHA512
ebe0a532a9858beb27597c5f07753edfeb994167b8435bede9434181c8126b7939550a711d8cdf8f964c4d87faeb27f41877a82b4a3215fd7ed9949d3d63bd55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\36322525.exe

Filesize
258KB

MD5
4b56a40002e6f93870952c72e7ff12a6

SHA1
92d2c592016c73ad805fbc8cdce51fb197113c81

SHA256
e8fabfc69eeffa657726377fd8ea2c6d25a0116fef10211377767bd18657f772

SHA512
67e11d62812f5b9614c75c8995755a345cfe7c2eca0346fa407d23930239f1761bf84873cb40d171c2d8dc2fe4120c96b75047fb2c5225e58d1e8092b38e0c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\36322525.exe

Filesize
258KB

MD5
4b56a40002e6f93870952c72e7ff12a6

SHA1
92d2c592016c73ad805fbc8cdce51fb197113c81

SHA256
e8fabfc69eeffa657726377fd8ea2c6d25a0116fef10211377767bd18657f772

SHA512
67e11d62812f5b9614c75c8995755a345cfe7c2eca0346fa407d23930239f1761bf84873cb40d171c2d8dc2fe4120c96b75047fb2c5225e58d1e8092b38e0c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\36322525.exe

Filesize
258KB

MD5
4b56a40002e6f93870952c72e7ff12a6

SHA1
92d2c592016c73ad805fbc8cdce51fb197113c81

SHA256
e8fabfc69eeffa657726377fd8ea2c6d25a0116fef10211377767bd18657f772

SHA512
67e11d62812f5b9614c75c8995755a345cfe7c2eca0346fa407d23930239f1761bf84873cb40d171c2d8dc2fe4120c96b75047fb2c5225e58d1e8092b38e0c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk094664.exe

Filesize
341KB

MD5
fd905968cacee6875a1b565dd6a1b3be

SHA1
705ac62027fc8ebfaf0895566e849b3fbf3164d2

SHA256
d93ccd3690919893ed0ec1e939a7e91c81975a668d3cd5ccbdfd91db98454b11

SHA512
ec7d5ed71ccc9faf5d516d70cfa89bbb8008ac29e03ba54bf513f904c8b09a6ad090f0d3702d19ad967140cf863a4c6a60c86b7a353c886376db14fb7d613e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk094664.exe

Filesize
341KB

MD5
fd905968cacee6875a1b565dd6a1b3be

SHA1
705ac62027fc8ebfaf0895566e849b3fbf3164d2

SHA256
d93ccd3690919893ed0ec1e939a7e91c81975a668d3cd5ccbdfd91db98454b11

SHA512
ec7d5ed71ccc9faf5d516d70cfa89bbb8008ac29e03ba54bf513f904c8b09a6ad090f0d3702d19ad967140cf863a4c6a60c86b7a353c886376db14fb7d613e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk094664.exe

Filesize
341KB

MD5
fd905968cacee6875a1b565dd6a1b3be

SHA1
705ac62027fc8ebfaf0895566e849b3fbf3164d2

SHA256
d93ccd3690919893ed0ec1e939a7e91c81975a668d3cd5ccbdfd91db98454b11

SHA512
ec7d5ed71ccc9faf5d516d70cfa89bbb8008ac29e03ba54bf513f904c8b09a6ad090f0d3702d19ad967140cf863a4c6a60c86b7a353c886376db14fb7d613e10

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un089579.exe

Filesize
541KB

MD5
3e2c7e7a08a947d9d2608d4323b65dfa

SHA1
b8edef0017dc75cedd6431ca0bdd0503f5c2dfe2

SHA256
79fc04ef53ab6c5b6963dad1d7f286bdad51e5bab94615f29eebe0403bfb0bc2

SHA512
ebe0a532a9858beb27597c5f07753edfeb994167b8435bede9434181c8126b7939550a711d8cdf8f964c4d87faeb27f41877a82b4a3215fd7ed9949d3d63bd55

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un089579.exe

Filesize
541KB

MD5
3e2c7e7a08a947d9d2608d4323b65dfa

SHA1
b8edef0017dc75cedd6431ca0bdd0503f5c2dfe2

SHA256
79fc04ef53ab6c5b6963dad1d7f286bdad51e5bab94615f29eebe0403bfb0bc2

SHA512
ebe0a532a9858beb27597c5f07753edfeb994167b8435bede9434181c8126b7939550a711d8cdf8f964c4d87faeb27f41877a82b4a3215fd7ed9949d3d63bd55

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\36322525.exe

Filesize
258KB

MD5
4b56a40002e6f93870952c72e7ff12a6

SHA1
92d2c592016c73ad805fbc8cdce51fb197113c81

SHA256
e8fabfc69eeffa657726377fd8ea2c6d25a0116fef10211377767bd18657f772

SHA512
67e11d62812f5b9614c75c8995755a345cfe7c2eca0346fa407d23930239f1761bf84873cb40d171c2d8dc2fe4120c96b75047fb2c5225e58d1e8092b38e0c5a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\36322525.exe

Filesize
258KB

MD5
4b56a40002e6f93870952c72e7ff12a6

SHA1
92d2c592016c73ad805fbc8cdce51fb197113c81

SHA256
e8fabfc69eeffa657726377fd8ea2c6d25a0116fef10211377767bd18657f772

SHA512
67e11d62812f5b9614c75c8995755a345cfe7c2eca0346fa407d23930239f1761bf84873cb40d171c2d8dc2fe4120c96b75047fb2c5225e58d1e8092b38e0c5a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\36322525.exe

Filesize
258KB

MD5
4b56a40002e6f93870952c72e7ff12a6

SHA1
92d2c592016c73ad805fbc8cdce51fb197113c81

SHA256
e8fabfc69eeffa657726377fd8ea2c6d25a0116fef10211377767bd18657f772

SHA512
67e11d62812f5b9614c75c8995755a345cfe7c2eca0346fa407d23930239f1761bf84873cb40d171c2d8dc2fe4120c96b75047fb2c5225e58d1e8092b38e0c5a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk094664.exe

Filesize
341KB

MD5
fd905968cacee6875a1b565dd6a1b3be

SHA1
705ac62027fc8ebfaf0895566e849b3fbf3164d2

SHA256
d93ccd3690919893ed0ec1e939a7e91c81975a668d3cd5ccbdfd91db98454b11

SHA512
ec7d5ed71ccc9faf5d516d70cfa89bbb8008ac29e03ba54bf513f904c8b09a6ad090f0d3702d19ad967140cf863a4c6a60c86b7a353c886376db14fb7d613e10

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk094664.exe

Filesize
341KB

MD5
fd905968cacee6875a1b565dd6a1b3be

SHA1
705ac62027fc8ebfaf0895566e849b3fbf3164d2

SHA256
d93ccd3690919893ed0ec1e939a7e91c81975a668d3cd5ccbdfd91db98454b11

SHA512
ec7d5ed71ccc9faf5d516d70cfa89bbb8008ac29e03ba54bf513f904c8b09a6ad090f0d3702d19ad967140cf863a4c6a60c86b7a353c886376db14fb7d613e10

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk094664.exe

Filesize
341KB

MD5
fd905968cacee6875a1b565dd6a1b3be

SHA1
705ac62027fc8ebfaf0895566e849b3fbf3164d2

SHA256
d93ccd3690919893ed0ec1e939a7e91c81975a668d3cd5ccbdfd91db98454b11

SHA512
ec7d5ed71ccc9faf5d516d70cfa89bbb8008ac29e03ba54bf513f904c8b09a6ad090f0d3702d19ad967140cf863a4c6a60c86b7a353c886376db14fb7d613e10

Download Submit
memory/540-110-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/540-89-0x0000000002F20000-0x0000000002F33000-memory.dmp

Filesize
76KB

Download
memory/540-91-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/540-92-0x0000000002F20000-0x0000000002F33000-memory.dmp

Filesize
76KB

Download
memory/540-93-0x00000000032E0000-0x0000000003320000-memory.dmp

Filesize
256KB

Download
memory/540-95-0x0000000002F20000-0x0000000002F33000-memory.dmp

Filesize
76KB

Download
memory/540-97-0x0000000002F20000-0x0000000002F33000-memory.dmp

Filesize
76KB

Download
memory/540-101-0x0000000002F20000-0x0000000002F33000-memory.dmp

Filesize
76KB

Download
memory/540-99-0x0000000002F20000-0x0000000002F33000-memory.dmp

Filesize
76KB

Download
memory/540-103-0x0000000002F20000-0x0000000002F33000-memory.dmp

Filesize
76KB

Download
memory/540-107-0x0000000002F20000-0x0000000002F33000-memory.dmp

Filesize
76KB

Download
memory/540-109-0x0000000002F20000-0x0000000002F33000-memory.dmp

Filesize
76KB

Download
memory/540-105-0x0000000002F20000-0x0000000002F33000-memory.dmp

Filesize
76KB

Download
memory/540-87-0x0000000002F20000-0x0000000002F33000-memory.dmp

Filesize
76KB

Download
memory/540-111-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/540-85-0x0000000002F20000-0x0000000002F33000-memory.dmp

Filesize
76KB

Download
memory/540-83-0x0000000002F20000-0x0000000002F33000-memory.dmp

Filesize
76KB

Download
memory/540-81-0x0000000002F20000-0x0000000002F33000-memory.dmp

Filesize
76KB

Download
memory/540-80-0x0000000002F20000-0x0000000002F33000-memory.dmp

Filesize
76KB

Download
memory/540-79-0x0000000002F20000-0x0000000002F38000-memory.dmp

Filesize
96KB

Download
memory/540-78-0x0000000002C40000-0x0000000002C5A000-memory.dmp

Filesize
104KB

Download
memory/808-123-0x0000000000260000-0x00000000002A6000-memory.dmp

Filesize
280KB

Download
memory/808-142-0x0000000004880000-0x00000000048B5000-memory.dmp

Filesize
212KB

Download
memory/808-122-0x0000000002D20000-0x0000000002D5C000-memory.dmp

Filesize
240KB

Download
memory/808-125-0x0000000007180000-0x00000000071C0000-memory.dmp

Filesize
256KB

Download
memory/808-126-0x0000000007180000-0x00000000071C0000-memory.dmp

Filesize
256KB

Download
memory/808-127-0x0000000004880000-0x00000000048B5000-memory.dmp

Filesize
212KB

Download
memory/808-128-0x0000000004880000-0x00000000048B5000-memory.dmp

Filesize
212KB

Download
memory/808-130-0x0000000004880000-0x00000000048B5000-memory.dmp

Filesize
212KB

Download
memory/808-132-0x0000000004880000-0x00000000048B5000-memory.dmp

Filesize
212KB

Download
memory/808-134-0x0000000004880000-0x00000000048B5000-memory.dmp

Filesize
212KB

Download
memory/808-138-0x0000000004880000-0x00000000048B5000-memory.dmp

Filesize
212KB

Download
memory/808-136-0x0000000004880000-0x00000000048B5000-memory.dmp

Filesize
212KB

Download
memory/808-140-0x0000000004880000-0x00000000048B5000-memory.dmp

Filesize
212KB

Download
memory/808-124-0x0000000004880000-0x00000000048BA000-memory.dmp

Filesize
232KB

Download
memory/808-144-0x0000000004880000-0x00000000048B5000-memory.dmp

Filesize
212KB

Download
memory/808-146-0x0000000004880000-0x00000000048B5000-memory.dmp

Filesize
212KB

Download
memory/808-148-0x0000000004880000-0x00000000048B5000-memory.dmp

Filesize
212KB

Download
memory/808-150-0x0000000004880000-0x00000000048B5000-memory.dmp

Filesize
212KB

Download
memory/808-152-0x0000000004880000-0x00000000048B5000-memory.dmp

Filesize
212KB

Download
memory/808-154-0x0000000004880000-0x00000000048B5000-memory.dmp

Filesize
212KB

Download
memory/808-156-0x0000000004880000-0x00000000048B5000-memory.dmp

Filesize
212KB

Download
memory/808-158-0x0000000004880000-0x00000000048B5000-memory.dmp

Filesize
212KB

Download
memory/808-160-0x0000000004880000-0x00000000048B5000-memory.dmp

Filesize
212KB

Download
memory/808-919-0x0000000007180000-0x00000000071C0000-memory.dmp

Filesize
256KB

Download
memory/808-922-0x0000000007180000-0x00000000071C0000-memory.dmp

Filesize
256KB

Download