e2e61e0fd9d8513bdbacb9d90204bc2dfdbe9b14655cdea9de97e4c1edc9f030

Analysis

max time kernel
188s
max time network
189s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-05-2023 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2e61e0fd9d8513bdbacb9d90204bc2dfdbe9b14655cdea9de97e4c1edc9f030.exe
Size

746KB
MD5

907634c6fe574fbbc8f828aa477e2f7b
SHA1

653be0aa9ead7100b9bcfa91f52bfe30f30e36aa
SHA256

e2e61e0fd9d8513bdbacb9d90204bc2dfdbe9b14655cdea9de97e4c1edc9f030
SHA512

890c8c71b2820ad6858cf6f54c052276a42e84451ec817f603e07c4e265b607659a0ed2bb4494b77f7e24549eebe43778935885034ef2e29d2103f2fd099a5bc
SSDEEP

12288:Gy90edjJkn+BmbHKt80L6hF1c63FqxmWMfKbY5gX37E1oo5XfSYOHG41NAKBNqQw:GyBj6nNKt+PRqxlMV5krE1o0XfSHG4by

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	57565075.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	57565075.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	57565075.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	57565075.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	57565075.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	57565075.exe

Executes dropped EXE 3 IoCs

pid	Process
572	un238369.exe
584	57565075.exe
1272	rk221944.exe

Loads dropped DLL 8 IoCs

pid	Process
1940	e2e61e0fd9d8513bdbacb9d90204bc2dfdbe9b14655cdea9de97e4c1edc9f030.exe
572	un238369.exe
572	un238369.exe
572	un238369.exe
584	57565075.exe
572	un238369.exe
572	un238369.exe
1272	rk221944.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	57565075.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	57565075.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e2e61e0fd9d8513bdbacb9d90204bc2dfdbe9b14655cdea9de97e4c1edc9f030.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e2e61e0fd9d8513bdbacb9d90204bc2dfdbe9b14655cdea9de97e4c1edc9f030.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un238369.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un238369.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
584	57565075.exe
584	57565075.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	584	57565075.exe
Token: SeDebugPrivilege	1272	rk221944.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 572	1940	e2e61e0fd9d8513bdbacb9d90204bc2dfdbe9b14655cdea9de97e4c1edc9f030.exe	28
PID 1940 wrote to memory of 572	1940	e2e61e0fd9d8513bdbacb9d90204bc2dfdbe9b14655cdea9de97e4c1edc9f030.exe	28
PID 1940 wrote to memory of 572	1940	e2e61e0fd9d8513bdbacb9d90204bc2dfdbe9b14655cdea9de97e4c1edc9f030.exe	28
PID 1940 wrote to memory of 572	1940	e2e61e0fd9d8513bdbacb9d90204bc2dfdbe9b14655cdea9de97e4c1edc9f030.exe	28
PID 1940 wrote to memory of 572	1940	e2e61e0fd9d8513bdbacb9d90204bc2dfdbe9b14655cdea9de97e4c1edc9f030.exe	28
PID 1940 wrote to memory of 572	1940	e2e61e0fd9d8513bdbacb9d90204bc2dfdbe9b14655cdea9de97e4c1edc9f030.exe	28
PID 1940 wrote to memory of 572	1940	e2e61e0fd9d8513bdbacb9d90204bc2dfdbe9b14655cdea9de97e4c1edc9f030.exe	28
PID 572 wrote to memory of 584	572	un238369.exe	29
PID 572 wrote to memory of 584	572	un238369.exe	29
PID 572 wrote to memory of 584	572	un238369.exe	29
PID 572 wrote to memory of 584	572	un238369.exe	29
PID 572 wrote to memory of 584	572	un238369.exe	29
PID 572 wrote to memory of 584	572	un238369.exe	29
PID 572 wrote to memory of 584	572	un238369.exe	29
PID 572 wrote to memory of 1272	572	un238369.exe	30
PID 572 wrote to memory of 1272	572	un238369.exe	30
PID 572 wrote to memory of 1272	572	un238369.exe	30
PID 572 wrote to memory of 1272	572	un238369.exe	30
PID 572 wrote to memory of 1272	572	un238369.exe	30
PID 572 wrote to memory of 1272	572	un238369.exe	30
PID 572 wrote to memory of 1272	572	un238369.exe	30

C:\Users\Admin\AppData\Local\Temp\e2e61e0fd9d8513bdbacb9d90204bc2dfdbe9b14655cdea9de97e4c1edc9f030.exe
"C:\Users\Admin\AppData\Local\Temp\e2e61e0fd9d8513bdbacb9d90204bc2dfdbe9b14655cdea9de97e4c1edc9f030.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un238369.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un238369.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:572
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\57565075.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\57565075.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:584
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk221944.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk221944.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un238369.exe

Filesize
591KB

MD5
1e7be1ddc648dd2938676d8f4788a511

SHA1
a99bb8ed24816d14e9ee4e5ea3ce0e61642f2ba4

SHA256
edd1b95f27cacdcb6aed0d1da1f5afe707bc240e1bc9f351d6ba163fa158e24f

SHA512
1fd06650d8bf52e1151e8ef3734684829de2ae6125a0bc5652042f4801b64ca53b3b298024d06c1dcd63a7279fe55b48a9033fb1a1155ad37afe56dfba0080ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un238369.exe

Filesize
591KB

MD5
1e7be1ddc648dd2938676d8f4788a511

SHA1
a99bb8ed24816d14e9ee4e5ea3ce0e61642f2ba4

SHA256
edd1b95f27cacdcb6aed0d1da1f5afe707bc240e1bc9f351d6ba163fa158e24f

SHA512
1fd06650d8bf52e1151e8ef3734684829de2ae6125a0bc5652042f4801b64ca53b3b298024d06c1dcd63a7279fe55b48a9033fb1a1155ad37afe56dfba0080ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\57565075.exe

Filesize
376KB

MD5
7787f8a7b6022f1a3348f1b5f902f513

SHA1
cc249d31484d1c169ccb0cf9c1c859cc38f3603d

SHA256
a92f45f82f7ec023cbdd50ca1be3ada5eef88b6879f6a5e334eac26435c7b828

SHA512
dc835454ade40166d2af1880a4cacdfcb8825a96add86101fe632eed9e0357c7b7080c22f7adcad34f2b2b69b20eeac88bc0cca10ec86aaa382e7d2720c87778

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\57565075.exe

Filesize
376KB

MD5
7787f8a7b6022f1a3348f1b5f902f513

SHA1
cc249d31484d1c169ccb0cf9c1c859cc38f3603d

SHA256
a92f45f82f7ec023cbdd50ca1be3ada5eef88b6879f6a5e334eac26435c7b828

SHA512
dc835454ade40166d2af1880a4cacdfcb8825a96add86101fe632eed9e0357c7b7080c22f7adcad34f2b2b69b20eeac88bc0cca10ec86aaa382e7d2720c87778

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\57565075.exe

Filesize
376KB

MD5
7787f8a7b6022f1a3348f1b5f902f513

SHA1
cc249d31484d1c169ccb0cf9c1c859cc38f3603d

SHA256
a92f45f82f7ec023cbdd50ca1be3ada5eef88b6879f6a5e334eac26435c7b828

SHA512
dc835454ade40166d2af1880a4cacdfcb8825a96add86101fe632eed9e0357c7b7080c22f7adcad34f2b2b69b20eeac88bc0cca10ec86aaa382e7d2720c87778

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk221944.exe

Filesize
459KB

MD5
7801b27d0af68efd46260c7821204d7c

SHA1
97cf76fcaeca86c9ba24e82c156506c9f4bd189b

SHA256
2954532cf5c4585cfd2ee5efdf12509d3aa87765c68261d38889eeeda6746be6

SHA512
cff4fa9d49c5dd5e5f274995bd41415ec0e290bedb771a310f8dc3da69b138f5abc2a3005d78a8a5d34dd27ac526c46b9cee65d947dde1ee0651c0ab86723e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk221944.exe

Filesize
459KB

MD5
7801b27d0af68efd46260c7821204d7c

SHA1
97cf76fcaeca86c9ba24e82c156506c9f4bd189b

SHA256
2954532cf5c4585cfd2ee5efdf12509d3aa87765c68261d38889eeeda6746be6

SHA512
cff4fa9d49c5dd5e5f274995bd41415ec0e290bedb771a310f8dc3da69b138f5abc2a3005d78a8a5d34dd27ac526c46b9cee65d947dde1ee0651c0ab86723e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk221944.exe

Filesize
459KB

MD5
7801b27d0af68efd46260c7821204d7c

SHA1
97cf76fcaeca86c9ba24e82c156506c9f4bd189b

SHA256
2954532cf5c4585cfd2ee5efdf12509d3aa87765c68261d38889eeeda6746be6

SHA512
cff4fa9d49c5dd5e5f274995bd41415ec0e290bedb771a310f8dc3da69b138f5abc2a3005d78a8a5d34dd27ac526c46b9cee65d947dde1ee0651c0ab86723e37

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un238369.exe

Filesize
591KB

MD5
1e7be1ddc648dd2938676d8f4788a511

SHA1
a99bb8ed24816d14e9ee4e5ea3ce0e61642f2ba4

SHA256
edd1b95f27cacdcb6aed0d1da1f5afe707bc240e1bc9f351d6ba163fa158e24f

SHA512
1fd06650d8bf52e1151e8ef3734684829de2ae6125a0bc5652042f4801b64ca53b3b298024d06c1dcd63a7279fe55b48a9033fb1a1155ad37afe56dfba0080ff

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un238369.exe

Filesize
591KB

MD5
1e7be1ddc648dd2938676d8f4788a511

SHA1
a99bb8ed24816d14e9ee4e5ea3ce0e61642f2ba4

SHA256
edd1b95f27cacdcb6aed0d1da1f5afe707bc240e1bc9f351d6ba163fa158e24f

SHA512
1fd06650d8bf52e1151e8ef3734684829de2ae6125a0bc5652042f4801b64ca53b3b298024d06c1dcd63a7279fe55b48a9033fb1a1155ad37afe56dfba0080ff

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\57565075.exe

Filesize
376KB

MD5
7787f8a7b6022f1a3348f1b5f902f513

SHA1
cc249d31484d1c169ccb0cf9c1c859cc38f3603d

SHA256
a92f45f82f7ec023cbdd50ca1be3ada5eef88b6879f6a5e334eac26435c7b828

SHA512
dc835454ade40166d2af1880a4cacdfcb8825a96add86101fe632eed9e0357c7b7080c22f7adcad34f2b2b69b20eeac88bc0cca10ec86aaa382e7d2720c87778

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\57565075.exe

Filesize
376KB

MD5
7787f8a7b6022f1a3348f1b5f902f513

SHA1
cc249d31484d1c169ccb0cf9c1c859cc38f3603d

SHA256
a92f45f82f7ec023cbdd50ca1be3ada5eef88b6879f6a5e334eac26435c7b828

SHA512
dc835454ade40166d2af1880a4cacdfcb8825a96add86101fe632eed9e0357c7b7080c22f7adcad34f2b2b69b20eeac88bc0cca10ec86aaa382e7d2720c87778

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\57565075.exe

Filesize
376KB

MD5
7787f8a7b6022f1a3348f1b5f902f513

SHA1
cc249d31484d1c169ccb0cf9c1c859cc38f3603d

SHA256
a92f45f82f7ec023cbdd50ca1be3ada5eef88b6879f6a5e334eac26435c7b828

SHA512
dc835454ade40166d2af1880a4cacdfcb8825a96add86101fe632eed9e0357c7b7080c22f7adcad34f2b2b69b20eeac88bc0cca10ec86aaa382e7d2720c87778

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk221944.exe

Filesize
459KB

MD5
7801b27d0af68efd46260c7821204d7c

SHA1
97cf76fcaeca86c9ba24e82c156506c9f4bd189b

SHA256
2954532cf5c4585cfd2ee5efdf12509d3aa87765c68261d38889eeeda6746be6

SHA512
cff4fa9d49c5dd5e5f274995bd41415ec0e290bedb771a310f8dc3da69b138f5abc2a3005d78a8a5d34dd27ac526c46b9cee65d947dde1ee0651c0ab86723e37

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk221944.exe

Filesize
459KB

MD5
7801b27d0af68efd46260c7821204d7c

SHA1
97cf76fcaeca86c9ba24e82c156506c9f4bd189b

SHA256
2954532cf5c4585cfd2ee5efdf12509d3aa87765c68261d38889eeeda6746be6

SHA512
cff4fa9d49c5dd5e5f274995bd41415ec0e290bedb771a310f8dc3da69b138f5abc2a3005d78a8a5d34dd27ac526c46b9cee65d947dde1ee0651c0ab86723e37

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk221944.exe

Filesize
459KB

MD5
7801b27d0af68efd46260c7821204d7c

SHA1
97cf76fcaeca86c9ba24e82c156506c9f4bd189b

SHA256
2954532cf5c4585cfd2ee5efdf12509d3aa87765c68261d38889eeeda6746be6

SHA512
cff4fa9d49c5dd5e5f274995bd41415ec0e290bedb771a310f8dc3da69b138f5abc2a3005d78a8a5d34dd27ac526c46b9cee65d947dde1ee0651c0ab86723e37

Download Submit
memory/584-111-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/584-86-0x0000000002100000-0x0000000002112000-memory.dmp

Filesize
72KB

Download
memory/584-90-0x0000000002100000-0x0000000002112000-memory.dmp

Filesize
72KB

Download
memory/584-88-0x0000000002100000-0x0000000002112000-memory.dmp

Filesize
72KB

Download
memory/584-92-0x0000000002100000-0x0000000002112000-memory.dmp

Filesize
72KB

Download
memory/584-94-0x0000000002100000-0x0000000002112000-memory.dmp

Filesize
72KB

Download
memory/584-98-0x0000000002100000-0x0000000002112000-memory.dmp

Filesize
72KB

Download
memory/584-96-0x0000000002100000-0x0000000002112000-memory.dmp

Filesize
72KB

Download
memory/584-100-0x0000000002100000-0x0000000002112000-memory.dmp

Filesize
72KB

Download
memory/584-102-0x0000000002100000-0x0000000002112000-memory.dmp

Filesize
72KB

Download
memory/584-104-0x0000000002100000-0x0000000002112000-memory.dmp

Filesize
72KB

Download
memory/584-110-0x0000000002100000-0x0000000002112000-memory.dmp

Filesize
72KB

Download
memory/584-108-0x0000000002100000-0x0000000002112000-memory.dmp

Filesize
72KB

Download
memory/584-106-0x0000000002100000-0x0000000002112000-memory.dmp

Filesize
72KB

Download
memory/584-84-0x0000000002100000-0x0000000002112000-memory.dmp

Filesize
72KB

Download
memory/584-112-0x0000000004ED0000-0x0000000004F10000-memory.dmp

Filesize
256KB

Download
memory/584-115-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/584-83-0x0000000002100000-0x0000000002112000-memory.dmp

Filesize
72KB

Download
memory/584-82-0x0000000004ED0000-0x0000000004F10000-memory.dmp

Filesize
256KB

Download
memory/584-81-0x0000000004ED0000-0x0000000004F10000-memory.dmp

Filesize
256KB

Download
memory/584-80-0x00000000002E0000-0x000000000030D000-memory.dmp

Filesize
180KB

Download
memory/584-79-0x0000000002100000-0x0000000002118000-memory.dmp

Filesize
96KB

Download
memory/584-78-0x0000000000860000-0x000000000087A000-memory.dmp

Filesize
104KB

Download
memory/1272-126-0x0000000000FC0000-0x0000000000FFC000-memory.dmp

Filesize
240KB

Download
memory/1272-127-0x0000000002550000-0x000000000258A000-memory.dmp

Filesize
232KB

Download
memory/1272-128-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/1272-129-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/1272-131-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/1272-133-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/1272-135-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/1272-137-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/1272-139-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/1272-141-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/1272-143-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/1272-145-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/1272-147-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/1272-149-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/1272-151-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/1272-153-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/1272-155-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/1272-157-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/1272-159-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/1272-603-0x00000000002E0000-0x0000000000326000-memory.dmp

Filesize
280KB

Download
memory/1272-605-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/1272-922-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download