db74d6349395de3cbecd04292b7a9e136d1158981a8e472b13c9154612eac825

Analysis

max time kernel
235s
max time network
313s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db74d6349395de3cbecd04292b7a9e136d1158981a8e472b13c9154612eac825.exe
Size

564KB
MD5

722c2de706adc6d989dbe09982c3f62a
SHA1

92400654831d2d9ade105faa4585d72679b04edd
SHA256

db74d6349395de3cbecd04292b7a9e136d1158981a8e472b13c9154612eac825
SHA512

c3566f838a147b6077f2eeab97844bce98a28a79f21dfe4c1bfd740b044315ca11dc293e2b8cf47f8b5bba8fbef74dd15abf75ce9e60d1b5ea0d33ec9fc00ab6
SSDEEP

12288:Ry9042hevNAz5WwuAX8cpyDXbccrzjIlBzr01qJnMLG84yFmV:RyQwvOzuAXBMDLcSepI1qNQzsV

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it171528.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it171528.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it171528.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it171528.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it171528.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it171528.exe

Executes dropped EXE 3 IoCs

pid	Process
1144	ziTj4619.exe
2020	it171528.exe
632	kp410977.exe

Loads dropped DLL 6 IoCs

pid	Process
892	db74d6349395de3cbecd04292b7a9e136d1158981a8e472b13c9154612eac825.exe
1144	ziTj4619.exe
1144	ziTj4619.exe
1144	ziTj4619.exe
1144	ziTj4619.exe
632	kp410977.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	it171528.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it171528.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	db74d6349395de3cbecd04292b7a9e136d1158981a8e472b13c9154612eac825.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	db74d6349395de3cbecd04292b7a9e136d1158981a8e472b13c9154612eac825.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziTj4619.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziTj4619.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2020	it171528.exe
2020	it171528.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2020	it171528.exe
Token: SeDebugPrivilege	632	kp410977.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 1144	892	db74d6349395de3cbecd04292b7a9e136d1158981a8e472b13c9154612eac825.exe	28
PID 892 wrote to memory of 1144	892	db74d6349395de3cbecd04292b7a9e136d1158981a8e472b13c9154612eac825.exe	28
PID 892 wrote to memory of 1144	892	db74d6349395de3cbecd04292b7a9e136d1158981a8e472b13c9154612eac825.exe	28
PID 892 wrote to memory of 1144	892	db74d6349395de3cbecd04292b7a9e136d1158981a8e472b13c9154612eac825.exe	28
PID 892 wrote to memory of 1144	892	db74d6349395de3cbecd04292b7a9e136d1158981a8e472b13c9154612eac825.exe	28
PID 892 wrote to memory of 1144	892	db74d6349395de3cbecd04292b7a9e136d1158981a8e472b13c9154612eac825.exe	28
PID 892 wrote to memory of 1144	892	db74d6349395de3cbecd04292b7a9e136d1158981a8e472b13c9154612eac825.exe	28
PID 1144 wrote to memory of 2020	1144	ziTj4619.exe	29
PID 1144 wrote to memory of 2020	1144	ziTj4619.exe	29
PID 1144 wrote to memory of 2020	1144	ziTj4619.exe	29
PID 1144 wrote to memory of 2020	1144	ziTj4619.exe	29
PID 1144 wrote to memory of 2020	1144	ziTj4619.exe	29
PID 1144 wrote to memory of 2020	1144	ziTj4619.exe	29
PID 1144 wrote to memory of 2020	1144	ziTj4619.exe	29
PID 1144 wrote to memory of 632	1144	ziTj4619.exe	30
PID 1144 wrote to memory of 632	1144	ziTj4619.exe	30
PID 1144 wrote to memory of 632	1144	ziTj4619.exe	30
PID 1144 wrote to memory of 632	1144	ziTj4619.exe	30
PID 1144 wrote to memory of 632	1144	ziTj4619.exe	30
PID 1144 wrote to memory of 632	1144	ziTj4619.exe	30
PID 1144 wrote to memory of 632	1144	ziTj4619.exe	30

C:\Users\Admin\AppData\Local\Temp\db74d6349395de3cbecd04292b7a9e136d1158981a8e472b13c9154612eac825.exe
"C:\Users\Admin\AppData\Local\Temp\db74d6349395de3cbecd04292b7a9e136d1158981a8e472b13c9154612eac825.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:892
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTj4619.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTj4619.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it171528.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it171528.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2020
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp410977.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp410977.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTj4619.exe

Filesize
409KB

MD5
3839da63ac4b90fda3cf052820cdf8e0

SHA1
3d184f8162aa0888ca789eec33fcaf8f7078b0dc

SHA256
3100e2c4dd85e0743a332cca5e24a61d204469d97aca1a83e9e6c2204e82535f

SHA512
4e5b2931a92b4f6025173332be82b850955d836dbe84782f36ff98ece289018a0674f9b428f4caf719989854f5a102df2d1c1601b3014c1b014d0c50e2446fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTj4619.exe

Filesize
409KB

MD5
3839da63ac4b90fda3cf052820cdf8e0

SHA1
3d184f8162aa0888ca789eec33fcaf8f7078b0dc

SHA256
3100e2c4dd85e0743a332cca5e24a61d204469d97aca1a83e9e6c2204e82535f

SHA512
4e5b2931a92b4f6025173332be82b850955d836dbe84782f36ff98ece289018a0674f9b428f4caf719989854f5a102df2d1c1601b3014c1b014d0c50e2446fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it171528.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it171528.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp410977.exe

Filesize
361KB

MD5
e68bec8c968c4abaf5a2dd336e1b6959

SHA1
879223f26fed38fa354b7478f3dcb7b93f05753a

SHA256
88c47d67c08bc655ad9a371ce8cdfdd848f1a3225d9cc479440d3d4e7cbe20be

SHA512
efd5a2e26b5ef1ed7e0ea2fbd7246ed97c23d5c7eacd16adfbea37bf6e43ed53e72af45adfb538200e2a7bb84ea0d58ddd564f0240254adb1038263db890e99f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp410977.exe

Filesize
361KB

MD5
e68bec8c968c4abaf5a2dd336e1b6959

SHA1
879223f26fed38fa354b7478f3dcb7b93f05753a

SHA256
88c47d67c08bc655ad9a371ce8cdfdd848f1a3225d9cc479440d3d4e7cbe20be

SHA512
efd5a2e26b5ef1ed7e0ea2fbd7246ed97c23d5c7eacd16adfbea37bf6e43ed53e72af45adfb538200e2a7bb84ea0d58ddd564f0240254adb1038263db890e99f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp410977.exe

Filesize
361KB

MD5
e68bec8c968c4abaf5a2dd336e1b6959

SHA1
879223f26fed38fa354b7478f3dcb7b93f05753a

SHA256
88c47d67c08bc655ad9a371ce8cdfdd848f1a3225d9cc479440d3d4e7cbe20be

SHA512
efd5a2e26b5ef1ed7e0ea2fbd7246ed97c23d5c7eacd16adfbea37bf6e43ed53e72af45adfb538200e2a7bb84ea0d58ddd564f0240254adb1038263db890e99f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTj4619.exe

Filesize
409KB

MD5
3839da63ac4b90fda3cf052820cdf8e0

SHA1
3d184f8162aa0888ca789eec33fcaf8f7078b0dc

SHA256
3100e2c4dd85e0743a332cca5e24a61d204469d97aca1a83e9e6c2204e82535f

SHA512
4e5b2931a92b4f6025173332be82b850955d836dbe84782f36ff98ece289018a0674f9b428f4caf719989854f5a102df2d1c1601b3014c1b014d0c50e2446fb3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTj4619.exe

Filesize
409KB

MD5
3839da63ac4b90fda3cf052820cdf8e0

SHA1
3d184f8162aa0888ca789eec33fcaf8f7078b0dc

SHA256
3100e2c4dd85e0743a332cca5e24a61d204469d97aca1a83e9e6c2204e82535f

SHA512
4e5b2931a92b4f6025173332be82b850955d836dbe84782f36ff98ece289018a0674f9b428f4caf719989854f5a102df2d1c1601b3014c1b014d0c50e2446fb3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\it171528.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp410977.exe

Filesize
361KB

MD5
e68bec8c968c4abaf5a2dd336e1b6959

SHA1
879223f26fed38fa354b7478f3dcb7b93f05753a

SHA256
88c47d67c08bc655ad9a371ce8cdfdd848f1a3225d9cc479440d3d4e7cbe20be

SHA512
efd5a2e26b5ef1ed7e0ea2fbd7246ed97c23d5c7eacd16adfbea37bf6e43ed53e72af45adfb538200e2a7bb84ea0d58ddd564f0240254adb1038263db890e99f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp410977.exe

Filesize
361KB

MD5
e68bec8c968c4abaf5a2dd336e1b6959

SHA1
879223f26fed38fa354b7478f3dcb7b93f05753a

SHA256
88c47d67c08bc655ad9a371ce8cdfdd848f1a3225d9cc479440d3d4e7cbe20be

SHA512
efd5a2e26b5ef1ed7e0ea2fbd7246ed97c23d5c7eacd16adfbea37bf6e43ed53e72af45adfb538200e2a7bb84ea0d58ddd564f0240254adb1038263db890e99f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp410977.exe

Filesize
361KB

MD5
e68bec8c968c4abaf5a2dd336e1b6959

SHA1
879223f26fed38fa354b7478f3dcb7b93f05753a

SHA256
88c47d67c08bc655ad9a371ce8cdfdd848f1a3225d9cc479440d3d4e7cbe20be

SHA512
efd5a2e26b5ef1ed7e0ea2fbd7246ed97c23d5c7eacd16adfbea37bf6e43ed53e72af45adfb538200e2a7bb84ea0d58ddd564f0240254adb1038263db890e99f

Download Submit
memory/632-111-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-123-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-85-0x0000000000400000-0x0000000002BC3000-memory.dmp

Filesize
39.8MB

Download
memory/632-86-0x0000000004970000-0x00000000049AC000-memory.dmp

Filesize
240KB

Download
memory/632-87-0x00000000049B0000-0x00000000049EA000-memory.dmp

Filesize
232KB

Download
memory/632-88-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-89-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-91-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-93-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-95-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-97-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-99-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-101-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-103-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-105-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-107-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-109-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-83-0x00000000002F0000-0x0000000000336000-memory.dmp

Filesize
280KB

Download
memory/632-113-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-115-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-117-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-119-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-121-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-84-0x0000000000400000-0x0000000002BC3000-memory.dmp

Filesize
39.8MB

Download
memory/632-125-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-127-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-129-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-131-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-133-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-135-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-139-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-141-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-137-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-143-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-145-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-147-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-149-0x00000000049B0000-0x00000000049E5000-memory.dmp

Filesize
212KB

Download
memory/632-222-0x00000000002F0000-0x0000000000336000-memory.dmp

Filesize
280KB

Download
memory/632-224-0x00000000072F0000-0x0000000007330000-memory.dmp

Filesize
256KB

Download
memory/632-226-0x00000000072F0000-0x0000000007330000-memory.dmp

Filesize
256KB

Download
memory/632-228-0x00000000072F0000-0x0000000007330000-memory.dmp

Filesize
256KB

Download
memory/632-884-0x00000000072F0000-0x0000000007330000-memory.dmp

Filesize
256KB

Download
memory/632-887-0x00000000072F0000-0x0000000007330000-memory.dmp

Filesize
256KB

Download
memory/632-888-0x00000000072F0000-0x0000000007330000-memory.dmp

Filesize
256KB

Download
memory/632-889-0x00000000072F0000-0x0000000007330000-memory.dmp

Filesize
256KB

Download
memory/632-890-0x00000000072F0000-0x0000000007330000-memory.dmp

Filesize
256KB

Download
memory/2020-72-0x00000000003C0000-0x00000000003CA000-memory.dmp

Filesize
40KB

Download