d796b14165fee87c1bd477a15f43cc17f37cc7c0e5f36cf54e78c97d21c0fbb3

Analysis

max time kernel
171s
max time network
188s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d796b14165fee87c1bd477a15f43cc17f37cc7c0e5f36cf54e78c97d21c0fbb3.exe
Size

685KB
MD5

a60093e312aa09f8b38184916c8bbfae
SHA1

9f0a859329ab36078da17c4acaf873bbe81eac56
SHA256

d796b14165fee87c1bd477a15f43cc17f37cc7c0e5f36cf54e78c97d21c0fbb3
SHA512

df3f863d0c006a8246d1fea32a11cfb82840eac296e0f6f3ae6caf9641527d5958901407409274051a44a1e06003c7b0177cec37e15eab9b2dd2b12fb05da1ae
SSDEEP

12288:6y90p9dudWKU5T4+znlFPyCSW+vgG0lG+bqNPzYSHh5Bpj3WYEOKukz:6y/dNUKKFSk3Wz7HXB7Ku+

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	83737006.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	83737006.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	83737006.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	83737006.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	83737006.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	83737006.exe

Executes dropped EXE 3 IoCs

pid	Process
1508	un773964.exe
748	83737006.exe
1884	rk473360.exe

Loads dropped DLL 8 IoCs

pid	Process
1608	d796b14165fee87c1bd477a15f43cc17f37cc7c0e5f36cf54e78c97d21c0fbb3.exe
1508	un773964.exe
1508	un773964.exe
1508	un773964.exe
748	83737006.exe
1508	un773964.exe
1508	un773964.exe
1884	rk473360.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	83737006.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	83737006.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d796b14165fee87c1bd477a15f43cc17f37cc7c0e5f36cf54e78c97d21c0fbb3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d796b14165fee87c1bd477a15f43cc17f37cc7c0e5f36cf54e78c97d21c0fbb3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un773964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un773964.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
748	83737006.exe
748	83737006.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	748	83737006.exe
Token: SeDebugPrivilege	1884	rk473360.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 1508	1608	d796b14165fee87c1bd477a15f43cc17f37cc7c0e5f36cf54e78c97d21c0fbb3.exe	28
PID 1608 wrote to memory of 1508	1608	d796b14165fee87c1bd477a15f43cc17f37cc7c0e5f36cf54e78c97d21c0fbb3.exe	28
PID 1608 wrote to memory of 1508	1608	d796b14165fee87c1bd477a15f43cc17f37cc7c0e5f36cf54e78c97d21c0fbb3.exe	28
PID 1608 wrote to memory of 1508	1608	d796b14165fee87c1bd477a15f43cc17f37cc7c0e5f36cf54e78c97d21c0fbb3.exe	28
PID 1608 wrote to memory of 1508	1608	d796b14165fee87c1bd477a15f43cc17f37cc7c0e5f36cf54e78c97d21c0fbb3.exe	28
PID 1608 wrote to memory of 1508	1608	d796b14165fee87c1bd477a15f43cc17f37cc7c0e5f36cf54e78c97d21c0fbb3.exe	28
PID 1608 wrote to memory of 1508	1608	d796b14165fee87c1bd477a15f43cc17f37cc7c0e5f36cf54e78c97d21c0fbb3.exe	28
PID 1508 wrote to memory of 748	1508	un773964.exe	29
PID 1508 wrote to memory of 748	1508	un773964.exe	29
PID 1508 wrote to memory of 748	1508	un773964.exe	29
PID 1508 wrote to memory of 748	1508	un773964.exe	29
PID 1508 wrote to memory of 748	1508	un773964.exe	29
PID 1508 wrote to memory of 748	1508	un773964.exe	29
PID 1508 wrote to memory of 748	1508	un773964.exe	29
PID 1508 wrote to memory of 1884	1508	un773964.exe	30
PID 1508 wrote to memory of 1884	1508	un773964.exe	30
PID 1508 wrote to memory of 1884	1508	un773964.exe	30
PID 1508 wrote to memory of 1884	1508	un773964.exe	30
PID 1508 wrote to memory of 1884	1508	un773964.exe	30
PID 1508 wrote to memory of 1884	1508	un773964.exe	30
PID 1508 wrote to memory of 1884	1508	un773964.exe	30

C:\Users\Admin\AppData\Local\Temp\d796b14165fee87c1bd477a15f43cc17f37cc7c0e5f36cf54e78c97d21c0fbb3.exe
"C:\Users\Admin\AppData\Local\Temp\d796b14165fee87c1bd477a15f43cc17f37cc7c0e5f36cf54e78c97d21c0fbb3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un773964.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un773964.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\83737006.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\83737006.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:748
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk473360.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk473360.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un773964.exe

Filesize
531KB

MD5
f06d0131075e33dcf390cb5fd9ed32cd

SHA1
fa3488671c24226bd6323d9fc5408cfecf4ed24a

SHA256
b5072091df29e8c8e9e09d669ec3f07c9444a3780f9c75a77ce1170aa123a4e7

SHA512
03b75c3c47959a1f36263624e1c1925ad03bed9dc27a68f871d45d00508fd317af9009c6e166243826a3d3783d1c50a6d77215f8d64f4b5e829b2e8e6577e121

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un773964.exe

Filesize
531KB

MD5
f06d0131075e33dcf390cb5fd9ed32cd

SHA1
fa3488671c24226bd6323d9fc5408cfecf4ed24a

SHA256
b5072091df29e8c8e9e09d669ec3f07c9444a3780f9c75a77ce1170aa123a4e7

SHA512
03b75c3c47959a1f36263624e1c1925ad03bed9dc27a68f871d45d00508fd317af9009c6e166243826a3d3783d1c50a6d77215f8d64f4b5e829b2e8e6577e121

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\83737006.exe

Filesize
249KB

MD5
a72ed29a7df5e0122676dd30a4c7b529

SHA1
529e90725c3449a3bb9d1da0201a4c9f2f732866

SHA256
f484090c5206871e3d5db84f2af7105452cd0f465108288b753808972ab1361e

SHA512
54cc923d0829c389f684f0857c607c42ae335cc99fed56834ce0ff914f608d599faff8c49a110bfb1970c319fcc941cd2d5b30220120281ea9fae0d9e7b8d091

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\83737006.exe

Filesize
249KB

MD5
a72ed29a7df5e0122676dd30a4c7b529

SHA1
529e90725c3449a3bb9d1da0201a4c9f2f732866

SHA256
f484090c5206871e3d5db84f2af7105452cd0f465108288b753808972ab1361e

SHA512
54cc923d0829c389f684f0857c607c42ae335cc99fed56834ce0ff914f608d599faff8c49a110bfb1970c319fcc941cd2d5b30220120281ea9fae0d9e7b8d091

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\83737006.exe

Filesize
249KB

MD5
a72ed29a7df5e0122676dd30a4c7b529

SHA1
529e90725c3449a3bb9d1da0201a4c9f2f732866

SHA256
f484090c5206871e3d5db84f2af7105452cd0f465108288b753808972ab1361e

SHA512
54cc923d0829c389f684f0857c607c42ae335cc99fed56834ce0ff914f608d599faff8c49a110bfb1970c319fcc941cd2d5b30220120281ea9fae0d9e7b8d091

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk473360.exe

Filesize
332KB

MD5
0fc79764319f37f3393fb6e99ec1584c

SHA1
81a3feb93d3f49b87f250f3c28d2b75d347aed8a

SHA256
0aef5cd6dd1bef393854c00db4dac48a168bdc4845158bcd1a0d56c6540857c6

SHA512
b0114a286598f1ce6cebcef3342e1993abb14e95375aed02671a0d416e1296a375997763a51a882b21eb390b560b094131acae682f73b245fb983cf65f78752b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk473360.exe

Filesize
332KB

MD5
0fc79764319f37f3393fb6e99ec1584c

SHA1
81a3feb93d3f49b87f250f3c28d2b75d347aed8a

SHA256
0aef5cd6dd1bef393854c00db4dac48a168bdc4845158bcd1a0d56c6540857c6

SHA512
b0114a286598f1ce6cebcef3342e1993abb14e95375aed02671a0d416e1296a375997763a51a882b21eb390b560b094131acae682f73b245fb983cf65f78752b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk473360.exe

Filesize
332KB

MD5
0fc79764319f37f3393fb6e99ec1584c

SHA1
81a3feb93d3f49b87f250f3c28d2b75d347aed8a

SHA256
0aef5cd6dd1bef393854c00db4dac48a168bdc4845158bcd1a0d56c6540857c6

SHA512
b0114a286598f1ce6cebcef3342e1993abb14e95375aed02671a0d416e1296a375997763a51a882b21eb390b560b094131acae682f73b245fb983cf65f78752b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un773964.exe

Filesize
531KB

MD5
f06d0131075e33dcf390cb5fd9ed32cd

SHA1
fa3488671c24226bd6323d9fc5408cfecf4ed24a

SHA256
b5072091df29e8c8e9e09d669ec3f07c9444a3780f9c75a77ce1170aa123a4e7

SHA512
03b75c3c47959a1f36263624e1c1925ad03bed9dc27a68f871d45d00508fd317af9009c6e166243826a3d3783d1c50a6d77215f8d64f4b5e829b2e8e6577e121

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un773964.exe

Filesize
531KB

MD5
f06d0131075e33dcf390cb5fd9ed32cd

SHA1
fa3488671c24226bd6323d9fc5408cfecf4ed24a

SHA256
b5072091df29e8c8e9e09d669ec3f07c9444a3780f9c75a77ce1170aa123a4e7

SHA512
03b75c3c47959a1f36263624e1c1925ad03bed9dc27a68f871d45d00508fd317af9009c6e166243826a3d3783d1c50a6d77215f8d64f4b5e829b2e8e6577e121

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\83737006.exe

Filesize
249KB

MD5
a72ed29a7df5e0122676dd30a4c7b529

SHA1
529e90725c3449a3bb9d1da0201a4c9f2f732866

SHA256
f484090c5206871e3d5db84f2af7105452cd0f465108288b753808972ab1361e

SHA512
54cc923d0829c389f684f0857c607c42ae335cc99fed56834ce0ff914f608d599faff8c49a110bfb1970c319fcc941cd2d5b30220120281ea9fae0d9e7b8d091

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\83737006.exe

Filesize
249KB

MD5
a72ed29a7df5e0122676dd30a4c7b529

SHA1
529e90725c3449a3bb9d1da0201a4c9f2f732866

SHA256
f484090c5206871e3d5db84f2af7105452cd0f465108288b753808972ab1361e

SHA512
54cc923d0829c389f684f0857c607c42ae335cc99fed56834ce0ff914f608d599faff8c49a110bfb1970c319fcc941cd2d5b30220120281ea9fae0d9e7b8d091

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\83737006.exe

Filesize
249KB

MD5
a72ed29a7df5e0122676dd30a4c7b529

SHA1
529e90725c3449a3bb9d1da0201a4c9f2f732866

SHA256
f484090c5206871e3d5db84f2af7105452cd0f465108288b753808972ab1361e

SHA512
54cc923d0829c389f684f0857c607c42ae335cc99fed56834ce0ff914f608d599faff8c49a110bfb1970c319fcc941cd2d5b30220120281ea9fae0d9e7b8d091

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk473360.exe

Filesize
332KB

MD5
0fc79764319f37f3393fb6e99ec1584c

SHA1
81a3feb93d3f49b87f250f3c28d2b75d347aed8a

SHA256
0aef5cd6dd1bef393854c00db4dac48a168bdc4845158bcd1a0d56c6540857c6

SHA512
b0114a286598f1ce6cebcef3342e1993abb14e95375aed02671a0d416e1296a375997763a51a882b21eb390b560b094131acae682f73b245fb983cf65f78752b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk473360.exe

Filesize
332KB

MD5
0fc79764319f37f3393fb6e99ec1584c

SHA1
81a3feb93d3f49b87f250f3c28d2b75d347aed8a

SHA256
0aef5cd6dd1bef393854c00db4dac48a168bdc4845158bcd1a0d56c6540857c6

SHA512
b0114a286598f1ce6cebcef3342e1993abb14e95375aed02671a0d416e1296a375997763a51a882b21eb390b560b094131acae682f73b245fb983cf65f78752b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk473360.exe

Filesize
332KB

MD5
0fc79764319f37f3393fb6e99ec1584c

SHA1
81a3feb93d3f49b87f250f3c28d2b75d347aed8a

SHA256
0aef5cd6dd1bef393854c00db4dac48a168bdc4845158bcd1a0d56c6540857c6

SHA512
b0114a286598f1ce6cebcef3342e1993abb14e95375aed02671a0d416e1296a375997763a51a882b21eb390b560b094131acae682f73b245fb983cf65f78752b

Download Submit
memory/748-111-0x0000000000400000-0x0000000002B9A000-memory.dmp

Filesize
39.6MB

Download
memory/748-86-0x0000000002D40000-0x0000000002D53000-memory.dmp

Filesize
76KB

Download
memory/748-88-0x0000000002D40000-0x0000000002D53000-memory.dmp

Filesize
76KB

Download
memory/748-92-0x0000000002D40000-0x0000000002D53000-memory.dmp

Filesize
76KB

Download
memory/748-90-0x0000000002D40000-0x0000000002D53000-memory.dmp

Filesize
76KB

Download
memory/748-96-0x0000000002D40000-0x0000000002D53000-memory.dmp

Filesize
76KB

Download
memory/748-94-0x0000000002D40000-0x0000000002D53000-memory.dmp

Filesize
76KB

Download
memory/748-100-0x0000000002D40000-0x0000000002D53000-memory.dmp

Filesize
76KB

Download
memory/748-98-0x0000000002D40000-0x0000000002D53000-memory.dmp

Filesize
76KB

Download
memory/748-104-0x0000000002D40000-0x0000000002D53000-memory.dmp

Filesize
76KB

Download
memory/748-102-0x0000000002D40000-0x0000000002D53000-memory.dmp

Filesize
76KB

Download
memory/748-108-0x0000000002D40000-0x0000000002D53000-memory.dmp

Filesize
76KB

Download
memory/748-106-0x0000000002D40000-0x0000000002D53000-memory.dmp

Filesize
76KB

Download
memory/748-110-0x0000000002D40000-0x0000000002D53000-memory.dmp

Filesize
76KB

Download
memory/748-84-0x0000000002D40000-0x0000000002D53000-memory.dmp

Filesize
76KB

Download
memory/748-115-0x0000000000400000-0x0000000002B9A000-memory.dmp

Filesize
39.6MB

Download
memory/748-83-0x0000000002D40000-0x0000000002D53000-memory.dmp

Filesize
76KB

Download
memory/748-82-0x0000000002D40000-0x0000000002D58000-memory.dmp

Filesize
96KB

Download
memory/748-81-0x00000000049C0000-0x0000000004A00000-memory.dmp

Filesize
256KB

Download
memory/748-80-0x00000000049C0000-0x0000000004A00000-memory.dmp

Filesize
256KB

Download
memory/748-79-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/748-78-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/1884-127-0x00000000034F0000-0x000000000352A000-memory.dmp

Filesize
232KB

Download
memory/1884-145-0x00000000034F0000-0x0000000003525000-memory.dmp

Filesize
212KB

Download
memory/1884-128-0x00000000034F0000-0x0000000003525000-memory.dmp

Filesize
212KB

Download
memory/1884-129-0x00000000034F0000-0x0000000003525000-memory.dmp

Filesize
212KB

Download
memory/1884-131-0x00000000034F0000-0x0000000003525000-memory.dmp

Filesize
212KB

Download
memory/1884-133-0x00000000034F0000-0x0000000003525000-memory.dmp

Filesize
212KB

Download
memory/1884-135-0x00000000034F0000-0x0000000003525000-memory.dmp

Filesize
212KB

Download
memory/1884-137-0x00000000034F0000-0x0000000003525000-memory.dmp

Filesize
212KB

Download
memory/1884-139-0x00000000034F0000-0x0000000003525000-memory.dmp

Filesize
212KB

Download
memory/1884-141-0x00000000034F0000-0x0000000003525000-memory.dmp

Filesize
212KB

Download
memory/1884-143-0x00000000034F0000-0x0000000003525000-memory.dmp

Filesize
212KB

Download
memory/1884-126-0x0000000003420000-0x000000000345C000-memory.dmp

Filesize
240KB

Download
memory/1884-147-0x00000000034F0000-0x0000000003525000-memory.dmp

Filesize
212KB

Download
memory/1884-149-0x00000000034F0000-0x0000000003525000-memory.dmp

Filesize
212KB

Download
memory/1884-151-0x00000000034F0000-0x0000000003525000-memory.dmp

Filesize
212KB

Download
memory/1884-153-0x00000000034F0000-0x0000000003525000-memory.dmp

Filesize
212KB

Download
memory/1884-155-0x00000000034F0000-0x0000000003525000-memory.dmp

Filesize
212KB

Download
memory/1884-157-0x00000000034F0000-0x0000000003525000-memory.dmp

Filesize
212KB

Download
memory/1884-406-0x0000000000250000-0x0000000000296000-memory.dmp

Filesize
280KB

Download
memory/1884-407-0x0000000003460000-0x00000000034A0000-memory.dmp

Filesize
256KB

Download
memory/1884-409-0x0000000003460000-0x00000000034A0000-memory.dmp

Filesize
256KB

Download
memory/1884-923-0x0000000003460000-0x00000000034A0000-memory.dmp

Filesize
256KB

Download
memory/1884-926-0x0000000003460000-0x00000000034A0000-memory.dmp

Filesize
256KB

Download