dad139bc4038c33a981caa73df8647f41b13b2e58606cffc239adf2fb0adc32e

Analysis

max time kernel
150s
max time network
161s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 19:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dad139bc4038c33a981caa73df8647f41b13b2e58606cffc239adf2fb0adc32e.exe
Size

611KB
MD5

bf21b05ee3ffd000985dce9268d2b5a6
SHA1

11b76443e915d530356b1742c28a2588b0c31d69
SHA256

dad139bc4038c33a981caa73df8647f41b13b2e58606cffc239adf2fb0adc32e
SHA512

ad29ec2a5b171dc865a7588b9e801641cbc3c20a3f942d333dd3bf1ca06e4f4a6b579cf6de6e875ff42d22114770110da66fb0473f3889cb6028aaad462ba45b
SSDEEP

12288:0y90t1jhAoX8bg8FJMiLplVF9CrGfj92iBtHXfd+O4G0/f5tkr3GNQgpAxHB7:0y0tAs83W6F9UxWHX1+OUf43GNQgpAxh

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	94445377.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	94445377.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	94445377.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	94445377.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	94445377.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	94445377.exe

Executes dropped EXE 3 IoCs

pid	Process
884	st032794.exe
1432	94445377.exe
1916	kp259919.exe

Loads dropped DLL 6 IoCs

pid	Process
932	dad139bc4038c33a981caa73df8647f41b13b2e58606cffc239adf2fb0adc32e.exe
884	st032794.exe
884	st032794.exe
884	st032794.exe
884	st032794.exe
1916	kp259919.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	94445377.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	94445377.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dad139bc4038c33a981caa73df8647f41b13b2e58606cffc239adf2fb0adc32e.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	st032794.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st032794.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dad139bc4038c33a981caa73df8647f41b13b2e58606cffc239adf2fb0adc32e.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1432	94445377.exe
1432	94445377.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1432	94445377.exe
Token: SeDebugPrivilege	1916	kp259919.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 932 wrote to memory of 884	932	dad139bc4038c33a981caa73df8647f41b13b2e58606cffc239adf2fb0adc32e.exe	27
PID 932 wrote to memory of 884	932	dad139bc4038c33a981caa73df8647f41b13b2e58606cffc239adf2fb0adc32e.exe	27
PID 932 wrote to memory of 884	932	dad139bc4038c33a981caa73df8647f41b13b2e58606cffc239adf2fb0adc32e.exe	27
PID 932 wrote to memory of 884	932	dad139bc4038c33a981caa73df8647f41b13b2e58606cffc239adf2fb0adc32e.exe	27
PID 932 wrote to memory of 884	932	dad139bc4038c33a981caa73df8647f41b13b2e58606cffc239adf2fb0adc32e.exe	27
PID 932 wrote to memory of 884	932	dad139bc4038c33a981caa73df8647f41b13b2e58606cffc239adf2fb0adc32e.exe	27
PID 932 wrote to memory of 884	932	dad139bc4038c33a981caa73df8647f41b13b2e58606cffc239adf2fb0adc32e.exe	27
PID 884 wrote to memory of 1432	884	st032794.exe	28
PID 884 wrote to memory of 1432	884	st032794.exe	28
PID 884 wrote to memory of 1432	884	st032794.exe	28
PID 884 wrote to memory of 1432	884	st032794.exe	28
PID 884 wrote to memory of 1432	884	st032794.exe	28
PID 884 wrote to memory of 1432	884	st032794.exe	28
PID 884 wrote to memory of 1432	884	st032794.exe	28
PID 884 wrote to memory of 1916	884	st032794.exe	29
PID 884 wrote to memory of 1916	884	st032794.exe	29
PID 884 wrote to memory of 1916	884	st032794.exe	29
PID 884 wrote to memory of 1916	884	st032794.exe	29
PID 884 wrote to memory of 1916	884	st032794.exe	29
PID 884 wrote to memory of 1916	884	st032794.exe	29
PID 884 wrote to memory of 1916	884	st032794.exe	29

C:\Users\Admin\AppData\Local\Temp\dad139bc4038c33a981caa73df8647f41b13b2e58606cffc239adf2fb0adc32e.exe
"C:\Users\Admin\AppData\Local\Temp\dad139bc4038c33a981caa73df8647f41b13b2e58606cffc239adf2fb0adc32e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:932
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st032794.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st032794.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94445377.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94445377.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1432
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp259919.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp259919.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st032794.exe

Filesize
457KB

MD5
c87c0fe12a4b09e75ca32ad4b1c0b01a

SHA1
d4c26d26de346b06132ca7b07d0e306644176cbf

SHA256
00ed2bdfba6e2b07972935c364a3e7823653bd8fd657014537ea7dcae83965c1

SHA512
d576ff564e0119d425df960b073bd1a90d87d5010083cbba4a7b97d48fd5edb11a6bab20ccc0602d7064568afcb85b3d67c46bced5c3399cb827b334066c1b14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st032794.exe

Filesize
457KB

MD5
c87c0fe12a4b09e75ca32ad4b1c0b01a

SHA1
d4c26d26de346b06132ca7b07d0e306644176cbf

SHA256
00ed2bdfba6e2b07972935c364a3e7823653bd8fd657014537ea7dcae83965c1

SHA512
d576ff564e0119d425df960b073bd1a90d87d5010083cbba4a7b97d48fd5edb11a6bab20ccc0602d7064568afcb85b3d67c46bced5c3399cb827b334066c1b14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94445377.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94445377.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp259919.exe

Filesize
459KB

MD5
8f36240c8e299863e34dfb47e182d858

SHA1
634104d34c988edb35e9350425e982baebfbc5b9

SHA256
9e294c2524608ee317b3c34d990a0b3ef72dc75eef22da9017c6f578ec4f01bf

SHA512
683ff6ac4f691d3151e13cbb4fb9488c55b7a3d164cc84d8c388dcfb10c50729337a7504c34b9864bc961e4cb8a590de6648831dcd2921b160824dee2d3b1b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp259919.exe

Filesize
459KB

MD5
8f36240c8e299863e34dfb47e182d858

SHA1
634104d34c988edb35e9350425e982baebfbc5b9

SHA256
9e294c2524608ee317b3c34d990a0b3ef72dc75eef22da9017c6f578ec4f01bf

SHA512
683ff6ac4f691d3151e13cbb4fb9488c55b7a3d164cc84d8c388dcfb10c50729337a7504c34b9864bc961e4cb8a590de6648831dcd2921b160824dee2d3b1b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp259919.exe

Filesize
459KB

MD5
8f36240c8e299863e34dfb47e182d858

SHA1
634104d34c988edb35e9350425e982baebfbc5b9

SHA256
9e294c2524608ee317b3c34d990a0b3ef72dc75eef22da9017c6f578ec4f01bf

SHA512
683ff6ac4f691d3151e13cbb4fb9488c55b7a3d164cc84d8c388dcfb10c50729337a7504c34b9864bc961e4cb8a590de6648831dcd2921b160824dee2d3b1b65

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st032794.exe

Filesize
457KB

MD5
c87c0fe12a4b09e75ca32ad4b1c0b01a

SHA1
d4c26d26de346b06132ca7b07d0e306644176cbf

SHA256
00ed2bdfba6e2b07972935c364a3e7823653bd8fd657014537ea7dcae83965c1

SHA512
d576ff564e0119d425df960b073bd1a90d87d5010083cbba4a7b97d48fd5edb11a6bab20ccc0602d7064568afcb85b3d67c46bced5c3399cb827b334066c1b14

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st032794.exe

Filesize
457KB

MD5
c87c0fe12a4b09e75ca32ad4b1c0b01a

SHA1
d4c26d26de346b06132ca7b07d0e306644176cbf

SHA256
00ed2bdfba6e2b07972935c364a3e7823653bd8fd657014537ea7dcae83965c1

SHA512
d576ff564e0119d425df960b073bd1a90d87d5010083cbba4a7b97d48fd5edb11a6bab20ccc0602d7064568afcb85b3d67c46bced5c3399cb827b334066c1b14

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\94445377.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp259919.exe

Filesize
459KB

MD5
8f36240c8e299863e34dfb47e182d858

SHA1
634104d34c988edb35e9350425e982baebfbc5b9

SHA256
9e294c2524608ee317b3c34d990a0b3ef72dc75eef22da9017c6f578ec4f01bf

SHA512
683ff6ac4f691d3151e13cbb4fb9488c55b7a3d164cc84d8c388dcfb10c50729337a7504c34b9864bc961e4cb8a590de6648831dcd2921b160824dee2d3b1b65

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp259919.exe

Filesize
459KB

MD5
8f36240c8e299863e34dfb47e182d858

SHA1
634104d34c988edb35e9350425e982baebfbc5b9

SHA256
9e294c2524608ee317b3c34d990a0b3ef72dc75eef22da9017c6f578ec4f01bf

SHA512
683ff6ac4f691d3151e13cbb4fb9488c55b7a3d164cc84d8c388dcfb10c50729337a7504c34b9864bc961e4cb8a590de6648831dcd2921b160824dee2d3b1b65

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp259919.exe

Filesize
459KB

MD5
8f36240c8e299863e34dfb47e182d858

SHA1
634104d34c988edb35e9350425e982baebfbc5b9

SHA256
9e294c2524608ee317b3c34d990a0b3ef72dc75eef22da9017c6f578ec4f01bf

SHA512
683ff6ac4f691d3151e13cbb4fb9488c55b7a3d164cc84d8c388dcfb10c50729337a7504c34b9864bc961e4cb8a590de6648831dcd2921b160824dee2d3b1b65

Download Submit
memory/1432-72-0x0000000000A60000-0x0000000000A6A000-memory.dmp

Filesize
40KB

Download
memory/1916-108-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-124-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-85-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-86-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-88-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-90-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-92-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-94-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-96-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-98-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-100-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-102-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-83-0x0000000002830000-0x000000000286C000-memory.dmp

Filesize
240KB

Download
memory/1916-106-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-104-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-110-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-112-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-114-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-116-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-118-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-120-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-84-0x0000000002870000-0x00000000028AA000-memory.dmp

Filesize
232KB

Download
memory/1916-122-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-126-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-128-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-130-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-132-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-135-0x0000000000250000-0x0000000000296000-memory.dmp

Filesize
280KB

Download
memory/1916-134-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-137-0x0000000004F00000-0x0000000004F40000-memory.dmp

Filesize
256KB

Download
memory/1916-139-0x0000000004F00000-0x0000000004F40000-memory.dmp

Filesize
256KB

Download
memory/1916-138-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-141-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-143-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-145-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-147-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-149-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-151-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1916-880-0x0000000004F00000-0x0000000004F40000-memory.dmp

Filesize
256KB

Download
memory/1916-883-0x0000000004F00000-0x0000000004F40000-memory.dmp

Filesize
256KB

Download
memory/1916-884-0x0000000004F00000-0x0000000004F40000-memory.dmp

Filesize
256KB

Download