f9b2e799ebbaeabccb5dff72fbd4003cbaf3e50d23d7b742e950bd8a4d67254e

Analysis

max time kernel
145s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9b2e799ebbaeabccb5dff72fbd4003cbaf3e50d23d7b742e950bd8a4d67254e.exe
Size

746KB
MD5

250affbad89fd991d9f9ce3014d4ff18
SHA1

c88cef73509b2981e5a81fdad8c6cced388a89e7
SHA256

f9b2e799ebbaeabccb5dff72fbd4003cbaf3e50d23d7b742e950bd8a4d67254e
SHA512

a32164d8c1d9361a4987737ff761cd37518317585ac0a2a2c775155ffc2ec4525008fa507fb6df195a50b588919ac071e2b5f2bc73d09e31fe78ba69b351cbb6
SSDEEP

12288:Hy908hLIYMvyInncjo0QgvoZGyOcdeuid2ORi9N8BtjXOxjIfkAPASab+:HyfhLIvyInnN18ylddhxEjXa4YRy

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	47540033.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	47540033.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	47540033.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	47540033.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	47540033.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	47540033.exe

Executes dropped EXE 3 IoCs

pid	Process
1720	un527206.exe
872	47540033.exe
1684	rk938990.exe

Loads dropped DLL 8 IoCs

pid	Process
1332	f9b2e799ebbaeabccb5dff72fbd4003cbaf3e50d23d7b742e950bd8a4d67254e.exe
1720	un527206.exe
1720	un527206.exe
1720	un527206.exe
872	47540033.exe
1720	un527206.exe
1720	un527206.exe
1684	rk938990.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	47540033.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	47540033.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f9b2e799ebbaeabccb5dff72fbd4003cbaf3e50d23d7b742e950bd8a4d67254e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f9b2e799ebbaeabccb5dff72fbd4003cbaf3e50d23d7b742e950bd8a4d67254e.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un527206.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un527206.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
872	47540033.exe
872	47540033.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	872	47540033.exe
Token: SeDebugPrivilege	1684	rk938990.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 1720	1332	f9b2e799ebbaeabccb5dff72fbd4003cbaf3e50d23d7b742e950bd8a4d67254e.exe	28
PID 1332 wrote to memory of 1720	1332	f9b2e799ebbaeabccb5dff72fbd4003cbaf3e50d23d7b742e950bd8a4d67254e.exe	28
PID 1332 wrote to memory of 1720	1332	f9b2e799ebbaeabccb5dff72fbd4003cbaf3e50d23d7b742e950bd8a4d67254e.exe	28
PID 1332 wrote to memory of 1720	1332	f9b2e799ebbaeabccb5dff72fbd4003cbaf3e50d23d7b742e950bd8a4d67254e.exe	28
PID 1332 wrote to memory of 1720	1332	f9b2e799ebbaeabccb5dff72fbd4003cbaf3e50d23d7b742e950bd8a4d67254e.exe	28
PID 1332 wrote to memory of 1720	1332	f9b2e799ebbaeabccb5dff72fbd4003cbaf3e50d23d7b742e950bd8a4d67254e.exe	28
PID 1332 wrote to memory of 1720	1332	f9b2e799ebbaeabccb5dff72fbd4003cbaf3e50d23d7b742e950bd8a4d67254e.exe	28
PID 1720 wrote to memory of 872	1720	un527206.exe	29
PID 1720 wrote to memory of 872	1720	un527206.exe	29
PID 1720 wrote to memory of 872	1720	un527206.exe	29
PID 1720 wrote to memory of 872	1720	un527206.exe	29
PID 1720 wrote to memory of 872	1720	un527206.exe	29
PID 1720 wrote to memory of 872	1720	un527206.exe	29
PID 1720 wrote to memory of 872	1720	un527206.exe	29
PID 1720 wrote to memory of 1684	1720	un527206.exe	30
PID 1720 wrote to memory of 1684	1720	un527206.exe	30
PID 1720 wrote to memory of 1684	1720	un527206.exe	30
PID 1720 wrote to memory of 1684	1720	un527206.exe	30
PID 1720 wrote to memory of 1684	1720	un527206.exe	30
PID 1720 wrote to memory of 1684	1720	un527206.exe	30
PID 1720 wrote to memory of 1684	1720	un527206.exe	30

C:\Users\Admin\AppData\Local\Temp\f9b2e799ebbaeabccb5dff72fbd4003cbaf3e50d23d7b742e950bd8a4d67254e.exe
"C:\Users\Admin\AppData\Local\Temp\f9b2e799ebbaeabccb5dff72fbd4003cbaf3e50d23d7b742e950bd8a4d67254e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un527206.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un527206.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47540033.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47540033.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:872
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk938990.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk938990.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un527206.exe

Filesize
592KB

MD5
ba1f2ae963d9e50c277eb66757e8042f

SHA1
833881b4900b89e99a52850bfd63e750bcc48e2f

SHA256
2099cfe93f127463bd7665c40548e0141c9fbd488896c81712cbd139ee2c57c3

SHA512
6e346521cc39bb70fd3c9fef61d06cb19648a6460501d99fdbb12ff57f8df4b05932f95d7e745e2ec16180d06a7f3114f09ae46096ae0780e135954c4a62282d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un527206.exe

Filesize
592KB

MD5
ba1f2ae963d9e50c277eb66757e8042f

SHA1
833881b4900b89e99a52850bfd63e750bcc48e2f

SHA256
2099cfe93f127463bd7665c40548e0141c9fbd488896c81712cbd139ee2c57c3

SHA512
6e346521cc39bb70fd3c9fef61d06cb19648a6460501d99fdbb12ff57f8df4b05932f95d7e745e2ec16180d06a7f3114f09ae46096ae0780e135954c4a62282d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47540033.exe

Filesize
376KB

MD5
62c00b2291f6aceac7e8b25146708d91

SHA1
3b16ebd1cf7898a241f1409a66d1deda251853f6

SHA256
2f98f6730d8e702242bdb0eb8554af21a07602c3a17aaa88cd559a3b5406e87e

SHA512
a7f75ee8308ae6e3d8effb8aa25e48f85fb4e9b6783ea8d3cc966b77693c33a46973c630d581703117a9820df5c75e82425f6f4f7c462254248372481483086f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47540033.exe

Filesize
376KB

MD5
62c00b2291f6aceac7e8b25146708d91

SHA1
3b16ebd1cf7898a241f1409a66d1deda251853f6

SHA256
2f98f6730d8e702242bdb0eb8554af21a07602c3a17aaa88cd559a3b5406e87e

SHA512
a7f75ee8308ae6e3d8effb8aa25e48f85fb4e9b6783ea8d3cc966b77693c33a46973c630d581703117a9820df5c75e82425f6f4f7c462254248372481483086f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47540033.exe

Filesize
376KB

MD5
62c00b2291f6aceac7e8b25146708d91

SHA1
3b16ebd1cf7898a241f1409a66d1deda251853f6

SHA256
2f98f6730d8e702242bdb0eb8554af21a07602c3a17aaa88cd559a3b5406e87e

SHA512
a7f75ee8308ae6e3d8effb8aa25e48f85fb4e9b6783ea8d3cc966b77693c33a46973c630d581703117a9820df5c75e82425f6f4f7c462254248372481483086f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk938990.exe

Filesize
459KB

MD5
d1d968be5239306a79e4a5afdda5148a

SHA1
484d19b67d3a26ef1438d14cf2feb4f862761d87

SHA256
3aadcffdb1bfd8716817b46b727abbfd89b7ccf58bea2f71325e0e1c0fc99257

SHA512
ec4ab160aec274c61e32a6a59a5cd66ed1a98c0121ad006a8dc1daa97eef47b1fb2de98445253a11ea9099a10868ee99e8de22bf19212b682f33194b7b3bf5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk938990.exe

Filesize
459KB

MD5
d1d968be5239306a79e4a5afdda5148a

SHA1
484d19b67d3a26ef1438d14cf2feb4f862761d87

SHA256
3aadcffdb1bfd8716817b46b727abbfd89b7ccf58bea2f71325e0e1c0fc99257

SHA512
ec4ab160aec274c61e32a6a59a5cd66ed1a98c0121ad006a8dc1daa97eef47b1fb2de98445253a11ea9099a10868ee99e8de22bf19212b682f33194b7b3bf5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk938990.exe

Filesize
459KB

MD5
d1d968be5239306a79e4a5afdda5148a

SHA1
484d19b67d3a26ef1438d14cf2feb4f862761d87

SHA256
3aadcffdb1bfd8716817b46b727abbfd89b7ccf58bea2f71325e0e1c0fc99257

SHA512
ec4ab160aec274c61e32a6a59a5cd66ed1a98c0121ad006a8dc1daa97eef47b1fb2de98445253a11ea9099a10868ee99e8de22bf19212b682f33194b7b3bf5f3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un527206.exe

Filesize
592KB

MD5
ba1f2ae963d9e50c277eb66757e8042f

SHA1
833881b4900b89e99a52850bfd63e750bcc48e2f

SHA256
2099cfe93f127463bd7665c40548e0141c9fbd488896c81712cbd139ee2c57c3

SHA512
6e346521cc39bb70fd3c9fef61d06cb19648a6460501d99fdbb12ff57f8df4b05932f95d7e745e2ec16180d06a7f3114f09ae46096ae0780e135954c4a62282d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un527206.exe

Filesize
592KB

MD5
ba1f2ae963d9e50c277eb66757e8042f

SHA1
833881b4900b89e99a52850bfd63e750bcc48e2f

SHA256
2099cfe93f127463bd7665c40548e0141c9fbd488896c81712cbd139ee2c57c3

SHA512
6e346521cc39bb70fd3c9fef61d06cb19648a6460501d99fdbb12ff57f8df4b05932f95d7e745e2ec16180d06a7f3114f09ae46096ae0780e135954c4a62282d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\47540033.exe

Filesize
376KB

MD5
62c00b2291f6aceac7e8b25146708d91

SHA1
3b16ebd1cf7898a241f1409a66d1deda251853f6

SHA256
2f98f6730d8e702242bdb0eb8554af21a07602c3a17aaa88cd559a3b5406e87e

SHA512
a7f75ee8308ae6e3d8effb8aa25e48f85fb4e9b6783ea8d3cc966b77693c33a46973c630d581703117a9820df5c75e82425f6f4f7c462254248372481483086f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\47540033.exe

Filesize
376KB

MD5
62c00b2291f6aceac7e8b25146708d91

SHA1
3b16ebd1cf7898a241f1409a66d1deda251853f6

SHA256
2f98f6730d8e702242bdb0eb8554af21a07602c3a17aaa88cd559a3b5406e87e

SHA512
a7f75ee8308ae6e3d8effb8aa25e48f85fb4e9b6783ea8d3cc966b77693c33a46973c630d581703117a9820df5c75e82425f6f4f7c462254248372481483086f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\47540033.exe

Filesize
376KB

MD5
62c00b2291f6aceac7e8b25146708d91

SHA1
3b16ebd1cf7898a241f1409a66d1deda251853f6

SHA256
2f98f6730d8e702242bdb0eb8554af21a07602c3a17aaa88cd559a3b5406e87e

SHA512
a7f75ee8308ae6e3d8effb8aa25e48f85fb4e9b6783ea8d3cc966b77693c33a46973c630d581703117a9820df5c75e82425f6f4f7c462254248372481483086f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk938990.exe

Filesize
459KB

MD5
d1d968be5239306a79e4a5afdda5148a

SHA1
484d19b67d3a26ef1438d14cf2feb4f862761d87

SHA256
3aadcffdb1bfd8716817b46b727abbfd89b7ccf58bea2f71325e0e1c0fc99257

SHA512
ec4ab160aec274c61e32a6a59a5cd66ed1a98c0121ad006a8dc1daa97eef47b1fb2de98445253a11ea9099a10868ee99e8de22bf19212b682f33194b7b3bf5f3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk938990.exe

Filesize
459KB

MD5
d1d968be5239306a79e4a5afdda5148a

SHA1
484d19b67d3a26ef1438d14cf2feb4f862761d87

SHA256
3aadcffdb1bfd8716817b46b727abbfd89b7ccf58bea2f71325e0e1c0fc99257

SHA512
ec4ab160aec274c61e32a6a59a5cd66ed1a98c0121ad006a8dc1daa97eef47b1fb2de98445253a11ea9099a10868ee99e8de22bf19212b682f33194b7b3bf5f3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk938990.exe

Filesize
459KB

MD5
d1d968be5239306a79e4a5afdda5148a

SHA1
484d19b67d3a26ef1438d14cf2feb4f862761d87

SHA256
3aadcffdb1bfd8716817b46b727abbfd89b7ccf58bea2f71325e0e1c0fc99257

SHA512
ec4ab160aec274c61e32a6a59a5cd66ed1a98c0121ad006a8dc1daa97eef47b1fb2de98445253a11ea9099a10868ee99e8de22bf19212b682f33194b7b3bf5f3

Download Submit
memory/872-111-0x0000000004DD0000-0x0000000004E10000-memory.dmp

Filesize
256KB

Download
memory/872-79-0x0000000000850000-0x000000000086A000-memory.dmp

Filesize
104KB

Download
memory/872-89-0x0000000000B30000-0x0000000000B42000-memory.dmp

Filesize
72KB

Download
memory/872-91-0x0000000000B30000-0x0000000000B42000-memory.dmp

Filesize
72KB

Download
memory/872-93-0x0000000000B30000-0x0000000000B42000-memory.dmp

Filesize
72KB

Download
memory/872-95-0x0000000000B30000-0x0000000000B42000-memory.dmp

Filesize
72KB

Download
memory/872-97-0x0000000000B30000-0x0000000000B42000-memory.dmp

Filesize
72KB

Download
memory/872-99-0x0000000000B30000-0x0000000000B42000-memory.dmp

Filesize
72KB

Download
memory/872-101-0x0000000000B30000-0x0000000000B42000-memory.dmp

Filesize
72KB

Download
memory/872-103-0x0000000000B30000-0x0000000000B42000-memory.dmp

Filesize
72KB

Download
memory/872-105-0x0000000000B30000-0x0000000000B42000-memory.dmp

Filesize
72KB

Download
memory/872-107-0x0000000000B30000-0x0000000000B42000-memory.dmp

Filesize
72KB

Download
memory/872-109-0x0000000000B30000-0x0000000000B42000-memory.dmp

Filesize
72KB

Download
memory/872-110-0x0000000004DD0000-0x0000000004E10000-memory.dmp

Filesize
256KB

Download
memory/872-85-0x0000000000B30000-0x0000000000B42000-memory.dmp

Filesize
72KB

Download
memory/872-112-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/872-113-0x0000000004DD0000-0x0000000004E10000-memory.dmp

Filesize
256KB

Download
memory/872-115-0x0000000004DD0000-0x0000000004E10000-memory.dmp

Filesize
256KB

Download
memory/872-118-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/872-83-0x0000000000B30000-0x0000000000B42000-memory.dmp

Filesize
72KB

Download
memory/872-82-0x0000000000B30000-0x0000000000B42000-memory.dmp

Filesize
72KB

Download
memory/872-81-0x0000000000B30000-0x0000000000B48000-memory.dmp

Filesize
96KB

Download
memory/872-80-0x0000000004DD0000-0x0000000004E10000-memory.dmp

Filesize
256KB

Download
memory/872-87-0x0000000000B30000-0x0000000000B42000-memory.dmp

Filesize
72KB

Download
memory/872-78-0x00000000002D0000-0x00000000002FD000-memory.dmp

Filesize
180KB

Download
memory/1684-145-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1684-147-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1684-131-0x0000000000820000-0x0000000000866000-memory.dmp

Filesize
280KB

Download
memory/1684-132-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1684-133-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1684-135-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1684-137-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1684-139-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1684-141-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1684-143-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1684-130-0x0000000002610000-0x000000000264A000-memory.dmp

Filesize
232KB

Download
memory/1684-149-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1684-129-0x00000000025D0000-0x000000000260C000-memory.dmp

Filesize
240KB

Download
memory/1684-151-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1684-153-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1684-155-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1684-157-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1684-159-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1684-161-0x0000000002610000-0x0000000002645000-memory.dmp

Filesize
212KB

Download
memory/1684-925-0x0000000002360000-0x00000000023A0000-memory.dmp

Filesize
256KB

Download
memory/1684-927-0x0000000002360000-0x00000000023A0000-memory.dmp

Filesize
256KB

Download