e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38

Analysis

max time kernel
143s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-05-2023 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38.exe
Size

694KB
MD5

323bf2284b64ea6435a12f51e09d57ea
SHA1

944ffac2f8a682ea209d3d4f48e6a7379cf36fc9
SHA256

e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38
SHA512

f08b599e19aabc4f6c47f6e860866b36136ce4a4bab291a178794b52ef36bd2c384d34073a8b6dcfbba1b4a660ecec129b505d992384d79bab78e80d8a4127b5
SSDEEP

12288:Uy90diNrF0XOt6eRlanHwpFT4WcIePBy+DPuWA6Fl18byKrA+FB1:Uy5NrFccjCHoFRcIeJk6Fl18byUf

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	04247859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	04247859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	04247859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	04247859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	04247859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	04247859.exe

Executes dropped EXE 3 IoCs

pid	Process
1296	un354758.exe
1768	04247859.exe
912	rk790284.exe

Loads dropped DLL 8 IoCs

pid	Process
1352	e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38.exe
1296	un354758.exe
1296	un354758.exe
1296	un354758.exe
1768	04247859.exe
1296	un354758.exe
1296	un354758.exe
912	rk790284.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	04247859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	04247859.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un354758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un354758.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1768	04247859.exe
1768	04247859.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1768	04247859.exe
Token: SeDebugPrivilege	912	rk790284.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 1296	1352	e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38.exe	28
PID 1352 wrote to memory of 1296	1352	e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38.exe	28
PID 1352 wrote to memory of 1296	1352	e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38.exe	28
PID 1352 wrote to memory of 1296	1352	e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38.exe	28
PID 1352 wrote to memory of 1296	1352	e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38.exe	28
PID 1352 wrote to memory of 1296	1352	e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38.exe	28
PID 1352 wrote to memory of 1296	1352	e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38.exe	28
PID 1296 wrote to memory of 1768	1296	un354758.exe	29
PID 1296 wrote to memory of 1768	1296	un354758.exe	29
PID 1296 wrote to memory of 1768	1296	un354758.exe	29
PID 1296 wrote to memory of 1768	1296	un354758.exe	29
PID 1296 wrote to memory of 1768	1296	un354758.exe	29
PID 1296 wrote to memory of 1768	1296	un354758.exe	29
PID 1296 wrote to memory of 1768	1296	un354758.exe	29
PID 1296 wrote to memory of 912	1296	un354758.exe	30
PID 1296 wrote to memory of 912	1296	un354758.exe	30
PID 1296 wrote to memory of 912	1296	un354758.exe	30
PID 1296 wrote to memory of 912	1296	un354758.exe	30
PID 1296 wrote to memory of 912	1296	un354758.exe	30
PID 1296 wrote to memory of 912	1296	un354758.exe	30
PID 1296 wrote to memory of 912	1296	un354758.exe	30

C:\Users\Admin\AppData\Local\Temp\e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38.exe
"C:\Users\Admin\AppData\Local\Temp\e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un354758.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un354758.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04247859.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04247859.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1768
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk790284.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk790284.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un354758.exe

Filesize
540KB

MD5
a627f1e8e57fcb834b80cb818ee3008a

SHA1
7d773a11c79a61fa0bc09bc2e61f00d5f0dd89db

SHA256
67216d71d170a0d8567a302ec4bb99726c83fa4cbd200a9481262df9ebc303b1

SHA512
77937c335cf30c2d62e49aabde270e58a38aa63d4d04f96a49d317aaab54bc273a3bf4e4d13559df557bfa108588c374ad047b110e2452eb04da6adcbed1c2a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un354758.exe

Filesize
540KB

MD5
a627f1e8e57fcb834b80cb818ee3008a

SHA1
7d773a11c79a61fa0bc09bc2e61f00d5f0dd89db

SHA256
67216d71d170a0d8567a302ec4bb99726c83fa4cbd200a9481262df9ebc303b1

SHA512
77937c335cf30c2d62e49aabde270e58a38aa63d4d04f96a49d317aaab54bc273a3bf4e4d13559df557bfa108588c374ad047b110e2452eb04da6adcbed1c2a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04247859.exe

Filesize
258KB

MD5
1940d4e23854773dbee39b5035f61ee8

SHA1
4282c5693d94af778957d248b9b82d8d04aa5562

SHA256
650104b200ec79c2b052245ee2f7c1ec4ead72d7fb2c0ab67100ab831d52ff80

SHA512
f8c7ede96bc44759d75f8ea0e0f1d4c752b91e3f61e3549e434019ce4568f1ee6dba12d971f5a61b5472b9c840c72b1f4bff0bd303654a23429581e99badd644

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04247859.exe

Filesize
258KB

MD5
1940d4e23854773dbee39b5035f61ee8

SHA1
4282c5693d94af778957d248b9b82d8d04aa5562

SHA256
650104b200ec79c2b052245ee2f7c1ec4ead72d7fb2c0ab67100ab831d52ff80

SHA512
f8c7ede96bc44759d75f8ea0e0f1d4c752b91e3f61e3549e434019ce4568f1ee6dba12d971f5a61b5472b9c840c72b1f4bff0bd303654a23429581e99badd644

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04247859.exe

Filesize
258KB

MD5
1940d4e23854773dbee39b5035f61ee8

SHA1
4282c5693d94af778957d248b9b82d8d04aa5562

SHA256
650104b200ec79c2b052245ee2f7c1ec4ead72d7fb2c0ab67100ab831d52ff80

SHA512
f8c7ede96bc44759d75f8ea0e0f1d4c752b91e3f61e3549e434019ce4568f1ee6dba12d971f5a61b5472b9c840c72b1f4bff0bd303654a23429581e99badd644

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk790284.exe

Filesize
340KB

MD5
9bca28fffc025863f67bd84429986c45

SHA1
caa4b58c7a23a62bcaca46ab8e6e54b0a9f85ed7

SHA256
52463781dec963fc0f389ee80f9fa2ba5445fedb27dcbba978ccc2e09670b4bc

SHA512
f5d4aa79699d9673a7b71c0f7e2acd3512c05092acdfd82464af03d76f0bdadd327833dccaf48158fe6df1a27cc34545754b1224248053575fb1b40779cf31f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk790284.exe

Filesize
340KB

MD5
9bca28fffc025863f67bd84429986c45

SHA1
caa4b58c7a23a62bcaca46ab8e6e54b0a9f85ed7

SHA256
52463781dec963fc0f389ee80f9fa2ba5445fedb27dcbba978ccc2e09670b4bc

SHA512
f5d4aa79699d9673a7b71c0f7e2acd3512c05092acdfd82464af03d76f0bdadd327833dccaf48158fe6df1a27cc34545754b1224248053575fb1b40779cf31f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk790284.exe

Filesize
340KB

MD5
9bca28fffc025863f67bd84429986c45

SHA1
caa4b58c7a23a62bcaca46ab8e6e54b0a9f85ed7

SHA256
52463781dec963fc0f389ee80f9fa2ba5445fedb27dcbba978ccc2e09670b4bc

SHA512
f5d4aa79699d9673a7b71c0f7e2acd3512c05092acdfd82464af03d76f0bdadd327833dccaf48158fe6df1a27cc34545754b1224248053575fb1b40779cf31f1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un354758.exe

Filesize
540KB

MD5
a627f1e8e57fcb834b80cb818ee3008a

SHA1
7d773a11c79a61fa0bc09bc2e61f00d5f0dd89db

SHA256
67216d71d170a0d8567a302ec4bb99726c83fa4cbd200a9481262df9ebc303b1

SHA512
77937c335cf30c2d62e49aabde270e58a38aa63d4d04f96a49d317aaab54bc273a3bf4e4d13559df557bfa108588c374ad047b110e2452eb04da6adcbed1c2a2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un354758.exe

Filesize
540KB

MD5
a627f1e8e57fcb834b80cb818ee3008a

SHA1
7d773a11c79a61fa0bc09bc2e61f00d5f0dd89db

SHA256
67216d71d170a0d8567a302ec4bb99726c83fa4cbd200a9481262df9ebc303b1

SHA512
77937c335cf30c2d62e49aabde270e58a38aa63d4d04f96a49d317aaab54bc273a3bf4e4d13559df557bfa108588c374ad047b110e2452eb04da6adcbed1c2a2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\04247859.exe

Filesize
258KB

MD5
1940d4e23854773dbee39b5035f61ee8

SHA1
4282c5693d94af778957d248b9b82d8d04aa5562

SHA256
650104b200ec79c2b052245ee2f7c1ec4ead72d7fb2c0ab67100ab831d52ff80

SHA512
f8c7ede96bc44759d75f8ea0e0f1d4c752b91e3f61e3549e434019ce4568f1ee6dba12d971f5a61b5472b9c840c72b1f4bff0bd303654a23429581e99badd644

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\04247859.exe

Filesize
258KB

MD5
1940d4e23854773dbee39b5035f61ee8

SHA1
4282c5693d94af778957d248b9b82d8d04aa5562

SHA256
650104b200ec79c2b052245ee2f7c1ec4ead72d7fb2c0ab67100ab831d52ff80

SHA512
f8c7ede96bc44759d75f8ea0e0f1d4c752b91e3f61e3549e434019ce4568f1ee6dba12d971f5a61b5472b9c840c72b1f4bff0bd303654a23429581e99badd644

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\04247859.exe

Filesize
258KB

MD5
1940d4e23854773dbee39b5035f61ee8

SHA1
4282c5693d94af778957d248b9b82d8d04aa5562

SHA256
650104b200ec79c2b052245ee2f7c1ec4ead72d7fb2c0ab67100ab831d52ff80

SHA512
f8c7ede96bc44759d75f8ea0e0f1d4c752b91e3f61e3549e434019ce4568f1ee6dba12d971f5a61b5472b9c840c72b1f4bff0bd303654a23429581e99badd644

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk790284.exe

Filesize
340KB

MD5
9bca28fffc025863f67bd84429986c45

SHA1
caa4b58c7a23a62bcaca46ab8e6e54b0a9f85ed7

SHA256
52463781dec963fc0f389ee80f9fa2ba5445fedb27dcbba978ccc2e09670b4bc

SHA512
f5d4aa79699d9673a7b71c0f7e2acd3512c05092acdfd82464af03d76f0bdadd327833dccaf48158fe6df1a27cc34545754b1224248053575fb1b40779cf31f1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk790284.exe

Filesize
340KB

MD5
9bca28fffc025863f67bd84429986c45

SHA1
caa4b58c7a23a62bcaca46ab8e6e54b0a9f85ed7

SHA256
52463781dec963fc0f389ee80f9fa2ba5445fedb27dcbba978ccc2e09670b4bc

SHA512
f5d4aa79699d9673a7b71c0f7e2acd3512c05092acdfd82464af03d76f0bdadd327833dccaf48158fe6df1a27cc34545754b1224248053575fb1b40779cf31f1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk790284.exe

Filesize
340KB

MD5
9bca28fffc025863f67bd84429986c45

SHA1
caa4b58c7a23a62bcaca46ab8e6e54b0a9f85ed7

SHA256
52463781dec963fc0f389ee80f9fa2ba5445fedb27dcbba978ccc2e09670b4bc

SHA512
f5d4aa79699d9673a7b71c0f7e2acd3512c05092acdfd82464af03d76f0bdadd327833dccaf48158fe6df1a27cc34545754b1224248053575fb1b40779cf31f1

Download Submit
memory/912-157-0x0000000003300000-0x0000000003335000-memory.dmp

Filesize
212KB

Download
memory/912-139-0x0000000003300000-0x0000000003335000-memory.dmp

Filesize
212KB

Download
memory/912-283-0x0000000000240000-0x0000000000286000-memory.dmp

Filesize
280KB

Download
memory/912-159-0x0000000003300000-0x0000000003335000-memory.dmp

Filesize
212KB

Download
memory/912-130-0x0000000003300000-0x0000000003335000-memory.dmp

Filesize
212KB

Download
memory/912-155-0x0000000003300000-0x0000000003335000-memory.dmp

Filesize
212KB

Download
memory/912-153-0x0000000003300000-0x0000000003335000-memory.dmp

Filesize
212KB

Download
memory/912-151-0x0000000003300000-0x0000000003335000-memory.dmp

Filesize
212KB

Download
memory/912-149-0x0000000003300000-0x0000000003335000-memory.dmp

Filesize
212KB

Download
memory/912-147-0x0000000003300000-0x0000000003335000-memory.dmp

Filesize
212KB

Download
memory/912-145-0x0000000003300000-0x0000000003335000-memory.dmp

Filesize
212KB

Download
memory/912-143-0x0000000003300000-0x0000000003335000-memory.dmp

Filesize
212KB

Download
memory/912-141-0x0000000003300000-0x0000000003335000-memory.dmp

Filesize
212KB

Download
memory/912-284-0x0000000007530000-0x0000000007570000-memory.dmp

Filesize
256KB

Download
memory/912-137-0x0000000003300000-0x0000000003335000-memory.dmp

Filesize
212KB

Download
memory/912-135-0x0000000003300000-0x0000000003335000-memory.dmp

Filesize
212KB

Download
memory/912-133-0x0000000003300000-0x0000000003335000-memory.dmp

Filesize
212KB

Download
memory/912-131-0x0000000003300000-0x0000000003335000-memory.dmp

Filesize
212KB

Download
memory/912-286-0x0000000007530000-0x0000000007570000-memory.dmp

Filesize
256KB

Download
memory/912-925-0x0000000007530000-0x0000000007570000-memory.dmp

Filesize
256KB

Download
memory/912-928-0x0000000007530000-0x0000000007570000-memory.dmp

Filesize
256KB

Download
memory/912-929-0x0000000007530000-0x0000000007570000-memory.dmp

Filesize
256KB

Download
memory/912-930-0x0000000007530000-0x0000000007570000-memory.dmp

Filesize
256KB

Download
memory/912-931-0x0000000007530000-0x0000000007570000-memory.dmp

Filesize
256KB

Download
memory/912-128-0x0000000003180000-0x00000000031BC000-memory.dmp

Filesize
240KB

Download
memory/912-129-0x0000000003300000-0x000000000333A000-memory.dmp

Filesize
232KB

Download
memory/1768-88-0x0000000003270000-0x0000000003283000-memory.dmp

Filesize
76KB

Download
memory/1768-117-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/1768-113-0x0000000007260000-0x00000000072A0000-memory.dmp

Filesize
256KB

Download
memory/1768-112-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/1768-111-0x0000000007260000-0x00000000072A0000-memory.dmp

Filesize
256KB

Download
memory/1768-110-0x0000000007260000-0x00000000072A0000-memory.dmp

Filesize
256KB

Download
memory/1768-109-0x0000000007260000-0x00000000072A0000-memory.dmp

Filesize
256KB

Download
memory/1768-108-0x0000000003270000-0x0000000003283000-memory.dmp

Filesize
76KB

Download
memory/1768-104-0x0000000003270000-0x0000000003283000-memory.dmp

Filesize
76KB

Download
memory/1768-106-0x0000000003270000-0x0000000003283000-memory.dmp

Filesize
76KB

Download
memory/1768-94-0x0000000003270000-0x0000000003283000-memory.dmp

Filesize
76KB

Download
memory/1768-96-0x0000000003270000-0x0000000003283000-memory.dmp

Filesize
76KB

Download
memory/1768-98-0x0000000003270000-0x0000000003283000-memory.dmp

Filesize
76KB

Download
memory/1768-102-0x0000000003270000-0x0000000003283000-memory.dmp

Filesize
76KB

Download
memory/1768-100-0x0000000003270000-0x0000000003283000-memory.dmp

Filesize
76KB

Download
memory/1768-90-0x0000000003270000-0x0000000003283000-memory.dmp

Filesize
76KB

Download
memory/1768-92-0x0000000003270000-0x0000000003283000-memory.dmp

Filesize
76KB

Download
memory/1768-86-0x0000000003270000-0x0000000003283000-memory.dmp

Filesize
76KB

Download
memory/1768-82-0x0000000003270000-0x0000000003283000-memory.dmp

Filesize
76KB

Download
memory/1768-84-0x0000000003270000-0x0000000003283000-memory.dmp

Filesize
76KB

Download
memory/1768-81-0x0000000003270000-0x0000000003283000-memory.dmp

Filesize
76KB

Download
memory/1768-80-0x0000000003270000-0x0000000003288000-memory.dmp

Filesize
96KB

Download
memory/1768-79-0x0000000002F80000-0x0000000002F9A000-memory.dmp

Filesize
104KB

Download
memory/1768-78-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download