d084cb77412687c2928b5e238d349f1fc4823cabe769c5fbbac7fb44c7780e53

Analysis

max time kernel
325s
max time network
403s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d084cb77412687c2928b5e238d349f1fc4823cabe769c5fbbac7fb44c7780e53.exe
Size

1.1MB
MD5

20adca7b56f8c64bce0c5fd2129b094b
SHA1

2b49318734d332741844b574bf9874c698a5e434
SHA256

d084cb77412687c2928b5e238d349f1fc4823cabe769c5fbbac7fb44c7780e53
SHA512

ea4a123e1c0f5d58d5c75eb6bbe9c183f7b25f6bc817202b07982051afcca66738d9e1c2260eb47542b1f174a768140093680c4a4872e311af3bdf8aedbc5018
SSDEEP

24576:YyEhegQc/YdfIK9kPRnDUuo9KSSJSSnu2+NNDe4gy:fcegQc/YOK9kPB+SJSpRTi4

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	179773419.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	179773419.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	214665566.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	214665566.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	179773419.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	179773419.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	214665566.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	214665566.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	214665566.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	179773419.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	179773419.exe

Executes dropped EXE 5 IoCs

pid	Process
3076	GN857650.exe
1612	pw359453.exe
4932	hk703046.exe
3800	179773419.exe
3524	214665566.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	179773419.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	179773419.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	214665566.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	GN857650.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	GN857650.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	pw359453.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	pw359453.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	hk703046.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	hk703046.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d084cb77412687c2928b5e238d349f1fc4823cabe769c5fbbac7fb44c7780e53.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d084cb77412687c2928b5e238d349f1fc4823cabe769c5fbbac7fb44c7780e53.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3800	179773419.exe
3800	179773419.exe
3524	214665566.exe
3524	214665566.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3800	179773419.exe
Token: SeDebugPrivilege	3524	214665566.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 3076	3176	d084cb77412687c2928b5e238d349f1fc4823cabe769c5fbbac7fb44c7780e53.exe	81
PID 3176 wrote to memory of 3076	3176	d084cb77412687c2928b5e238d349f1fc4823cabe769c5fbbac7fb44c7780e53.exe	81
PID 3176 wrote to memory of 3076	3176	d084cb77412687c2928b5e238d349f1fc4823cabe769c5fbbac7fb44c7780e53.exe	81
PID 3076 wrote to memory of 1612	3076	GN857650.exe	82
PID 3076 wrote to memory of 1612	3076	GN857650.exe	82
PID 3076 wrote to memory of 1612	3076	GN857650.exe	82
PID 1612 wrote to memory of 4932	1612	pw359453.exe	83
PID 1612 wrote to memory of 4932	1612	pw359453.exe	83
PID 1612 wrote to memory of 4932	1612	pw359453.exe	83
PID 4932 wrote to memory of 3800	4932	hk703046.exe	84
PID 4932 wrote to memory of 3800	4932	hk703046.exe	84
PID 4932 wrote to memory of 3800	4932	hk703046.exe	84
PID 4932 wrote to memory of 3524	4932	hk703046.exe	86
PID 4932 wrote to memory of 3524	4932	hk703046.exe	86
PID 4932 wrote to memory of 3524	4932	hk703046.exe	86

C:\Users\Admin\AppData\Local\Temp\d084cb77412687c2928b5e238d349f1fc4823cabe769c5fbbac7fb44c7780e53.exe
"C:\Users\Admin\AppData\Local\Temp\d084cb77412687c2928b5e238d349f1fc4823cabe769c5fbbac7fb44c7780e53.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GN857650.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GN857650.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3076
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pw359453.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pw359453.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hk703046.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hk703046.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4932
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\179773419.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\179773419.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3800
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\214665566.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\214665566.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GN857650.exe

Filesize
940KB

MD5
81871e9a2d33cc6431e45b7119d34814

SHA1
6e754a027f199f6779af743633194731cd3d1dea

SHA256
0bffa29b0724975889b54adc774b5f1b38e366cf9ac9c425bc2e8b9a04d9a3c2

SHA512
0d3ebf7fde700fe3f7d8295da81fe17ac1ba004b3ad06b1f74a3edf363bdc4a88b9257515fa12c5f8c940071d99c929b4589908986114c5b2918a6f4efb532e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GN857650.exe

Filesize
940KB

MD5
81871e9a2d33cc6431e45b7119d34814

SHA1
6e754a027f199f6779af743633194731cd3d1dea

SHA256
0bffa29b0724975889b54adc774b5f1b38e366cf9ac9c425bc2e8b9a04d9a3c2

SHA512
0d3ebf7fde700fe3f7d8295da81fe17ac1ba004b3ad06b1f74a3edf363bdc4a88b9257515fa12c5f8c940071d99c929b4589908986114c5b2918a6f4efb532e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pw359453.exe

Filesize
585KB

MD5
71f38abfad3d7f0d7b34078031cd2adc

SHA1
013de74965bf1e7320b1cf62a7595b1c25fda5e0

SHA256
2f40e6de630e11f1dd296de90904cdbd561fc6c9eb576967d6697f095fd3d39c

SHA512
df32b65383e13a34377cefbc2db33424409c4729d214ccc854b16a243682860c8eb296426912c940380555b52dd90f8e323fab20da36a0f9ab5a157674f00b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pw359453.exe

Filesize
585KB

MD5
71f38abfad3d7f0d7b34078031cd2adc

SHA1
013de74965bf1e7320b1cf62a7595b1c25fda5e0

SHA256
2f40e6de630e11f1dd296de90904cdbd561fc6c9eb576967d6697f095fd3d39c

SHA512
df32b65383e13a34377cefbc2db33424409c4729d214ccc854b16a243682860c8eb296426912c940380555b52dd90f8e323fab20da36a0f9ab5a157674f00b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hk703046.exe

Filesize
414KB

MD5
cb97828135b7d9bd7c0d4fe15da4d776

SHA1
837d40e8d281312968708bdd07fd960c9c24856b

SHA256
1d089167eca5114808880180d43084c0cd7cf3000e6b57a027a5aebc72b0f269

SHA512
99fe738be737515d2afc6182ab3fcad1ebed55211576be49d1b8e72abb9b7b909a4f324d73d9ac0646efd561e58616168a2ea3a31b489335423723f789f7a7b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hk703046.exe

Filesize
414KB

MD5
cb97828135b7d9bd7c0d4fe15da4d776

SHA1
837d40e8d281312968708bdd07fd960c9c24856b

SHA256
1d089167eca5114808880180d43084c0cd7cf3000e6b57a027a5aebc72b0f269

SHA512
99fe738be737515d2afc6182ab3fcad1ebed55211576be49d1b8e72abb9b7b909a4f324d73d9ac0646efd561e58616168a2ea3a31b489335423723f789f7a7b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\179773419.exe

Filesize
175KB

MD5
3d10b67208452d7a91d7bd7066067676

SHA1
e6c3ab7b6da65c8cc7dd95351f118caf3a50248d

SHA256
5c8ae96739bd9454a59e92b5eb6965647030e87453f7c417dbd7d53ebd837302

SHA512
b86d5ff4f55c90922a890401ae4301da7e71eb5e546a82536073cc58780ce55585214cff39ec9b52f70704580ad36c1fa95ebee1515dd2e7ea313cb670f2b4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\179773419.exe

Filesize
175KB

MD5
3d10b67208452d7a91d7bd7066067676

SHA1
e6c3ab7b6da65c8cc7dd95351f118caf3a50248d

SHA256
5c8ae96739bd9454a59e92b5eb6965647030e87453f7c417dbd7d53ebd837302

SHA512
b86d5ff4f55c90922a890401ae4301da7e71eb5e546a82536073cc58780ce55585214cff39ec9b52f70704580ad36c1fa95ebee1515dd2e7ea313cb670f2b4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\214665566.exe

Filesize
259KB

MD5
bd7ea62f3ae49bc90d7df013e415fe69

SHA1
4b15f8369a4b08727109288a3ffe0c6a7d81c7fd

SHA256
f6fbb776dbc3b88170edc9ba8aeb6ca9f43dabc0f78d5a7ee895c813a5c5afd6

SHA512
ef1f6f708a17fa4bebadfb3adad858302bf90999a85f7172ce475f3185c7e57a3d71f25ac218c38ec004ab7f6c00a617b837d27de81dfc7d667a20e9df216767

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\214665566.exe

Filesize
259KB

MD5
bd7ea62f3ae49bc90d7df013e415fe69

SHA1
4b15f8369a4b08727109288a3ffe0c6a7d81c7fd

SHA256
f6fbb776dbc3b88170edc9ba8aeb6ca9f43dabc0f78d5a7ee895c813a5c5afd6

SHA512
ef1f6f708a17fa4bebadfb3adad858302bf90999a85f7172ce475f3185c7e57a3d71f25ac218c38ec004ab7f6c00a617b837d27de81dfc7d667a20e9df216767

Download Submit
memory/3524-236-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/3524-235-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/3524-233-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3524-232-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/3524-231-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/3524-230-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/3524-229-0x00000000020D0000-0x00000000020FD000-memory.dmp

Filesize
180KB

Download
memory/3524-228-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3524-234-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/3800-163-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3800-179-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3800-185-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3800-188-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3800-189-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/3800-187-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/3800-191-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3800-192-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/3800-193-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/3800-194-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/3800-181-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3800-183-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3800-177-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3800-175-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3800-173-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3800-171-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3800-169-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3800-167-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3800-165-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3800-162-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3800-161-0x0000000004A90000-0x0000000005034000-memory.dmp

Filesize
5.6MB

Download