fb8a965ee60baf98528788f6bbe120813ba45f44a1f528fb8d6377d86c22e200

Analysis

max time kernel
150s
max time network
173s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb8a965ee60baf98528788f6bbe120813ba45f44a1f528fb8d6377d86c22e200.exe
Size

748KB
MD5

c97514116a69765df5072985d3a46a1b
SHA1

86c217471b89b5db318c2abe6c501c3aba971b35
SHA256

fb8a965ee60baf98528788f6bbe120813ba45f44a1f528fb8d6377d86c22e200
SHA512

faba189317801ef000749edd7ddf1e40497a6f5722f60289f86cdcfbb8b31fa27c6fd2b7cafc4572e0521bdb0487b76489f4cca454db385afa10fb2f2f76fab2
SSDEEP

12288:Iy90DCLKLAO5SukDY77MtmaPe3XtJwQiOWWSwqdPrde7qt3Seu0:IyfLKcYHMZPe39JwQLWWSw6EI3F9

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	77510220.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	77510220.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	77510220.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	77510220.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	77510220.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	77510220.exe

Executes dropped EXE 3 IoCs

pid	Process
2016	un649886.exe
560	77510220.exe
1516	rk823212.exe

Loads dropped DLL 8 IoCs

pid	Process
1460	fb8a965ee60baf98528788f6bbe120813ba45f44a1f528fb8d6377d86c22e200.exe
2016	un649886.exe
2016	un649886.exe
2016	un649886.exe
560	77510220.exe
2016	un649886.exe
2016	un649886.exe
1516	rk823212.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	77510220.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	77510220.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fb8a965ee60baf98528788f6bbe120813ba45f44a1f528fb8d6377d86c22e200.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fb8a965ee60baf98528788f6bbe120813ba45f44a1f528fb8d6377d86c22e200.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un649886.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un649886.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
560	77510220.exe
560	77510220.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	560	77510220.exe
Token: SeDebugPrivilege	1516	rk823212.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 2016	1460	fb8a965ee60baf98528788f6bbe120813ba45f44a1f528fb8d6377d86c22e200.exe	28
PID 1460 wrote to memory of 2016	1460	fb8a965ee60baf98528788f6bbe120813ba45f44a1f528fb8d6377d86c22e200.exe	28
PID 1460 wrote to memory of 2016	1460	fb8a965ee60baf98528788f6bbe120813ba45f44a1f528fb8d6377d86c22e200.exe	28
PID 1460 wrote to memory of 2016	1460	fb8a965ee60baf98528788f6bbe120813ba45f44a1f528fb8d6377d86c22e200.exe	28
PID 1460 wrote to memory of 2016	1460	fb8a965ee60baf98528788f6bbe120813ba45f44a1f528fb8d6377d86c22e200.exe	28
PID 1460 wrote to memory of 2016	1460	fb8a965ee60baf98528788f6bbe120813ba45f44a1f528fb8d6377d86c22e200.exe	28
PID 1460 wrote to memory of 2016	1460	fb8a965ee60baf98528788f6bbe120813ba45f44a1f528fb8d6377d86c22e200.exe	28
PID 2016 wrote to memory of 560	2016	un649886.exe	29
PID 2016 wrote to memory of 560	2016	un649886.exe	29
PID 2016 wrote to memory of 560	2016	un649886.exe	29
PID 2016 wrote to memory of 560	2016	un649886.exe	29
PID 2016 wrote to memory of 560	2016	un649886.exe	29
PID 2016 wrote to memory of 560	2016	un649886.exe	29
PID 2016 wrote to memory of 560	2016	un649886.exe	29
PID 2016 wrote to memory of 1516	2016	un649886.exe	30
PID 2016 wrote to memory of 1516	2016	un649886.exe	30
PID 2016 wrote to memory of 1516	2016	un649886.exe	30
PID 2016 wrote to memory of 1516	2016	un649886.exe	30
PID 2016 wrote to memory of 1516	2016	un649886.exe	30
PID 2016 wrote to memory of 1516	2016	un649886.exe	30
PID 2016 wrote to memory of 1516	2016	un649886.exe	30

C:\Users\Admin\AppData\Local\Temp\fb8a965ee60baf98528788f6bbe120813ba45f44a1f528fb8d6377d86c22e200.exe
"C:\Users\Admin\AppData\Local\Temp\fb8a965ee60baf98528788f6bbe120813ba45f44a1f528fb8d6377d86c22e200.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un649886.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un649886.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77510220.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77510220.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:560
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk823212.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk823212.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un649886.exe

Filesize
594KB

MD5
e19656315901314b56e030c862e2917c

SHA1
546a3f04a1f762b53957291270da862ede2550aa

SHA256
cc7d56b040b5618264450ba9c4d2249b20a173d2ada79458acd612e62498415a

SHA512
69692636ff5e50f6a0dcb1a6d517aa0cb06d30e4e6693aa62c043fbc05d9d2182b989693c33a7e0a89867d05e51d6e3dba912a1b4cfefc37e5b9d1393e57ed79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un649886.exe

Filesize
594KB

MD5
e19656315901314b56e030c862e2917c

SHA1
546a3f04a1f762b53957291270da862ede2550aa

SHA256
cc7d56b040b5618264450ba9c4d2249b20a173d2ada79458acd612e62498415a

SHA512
69692636ff5e50f6a0dcb1a6d517aa0cb06d30e4e6693aa62c043fbc05d9d2182b989693c33a7e0a89867d05e51d6e3dba912a1b4cfefc37e5b9d1393e57ed79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77510220.exe

Filesize
378KB

MD5
2d548f0c159d083fd4d50e4e85f78e47

SHA1
a6154159a48d93787b240c20e9190e94ce780d1e

SHA256
84ca9f1e935915a387a13abc175149681a9e3ee20bf4f0001cd4ceb51bd69a9d

SHA512
457a734e9347f00dbf03da8db4651e942420e382c65acef70b05f9871eb421cccdc0ea527a177940ba80d0d0507280c6ed67cbac052693a05df9ea61a00120fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77510220.exe

Filesize
378KB

MD5
2d548f0c159d083fd4d50e4e85f78e47

SHA1
a6154159a48d93787b240c20e9190e94ce780d1e

SHA256
84ca9f1e935915a387a13abc175149681a9e3ee20bf4f0001cd4ceb51bd69a9d

SHA512
457a734e9347f00dbf03da8db4651e942420e382c65acef70b05f9871eb421cccdc0ea527a177940ba80d0d0507280c6ed67cbac052693a05df9ea61a00120fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77510220.exe

Filesize
378KB

MD5
2d548f0c159d083fd4d50e4e85f78e47

SHA1
a6154159a48d93787b240c20e9190e94ce780d1e

SHA256
84ca9f1e935915a387a13abc175149681a9e3ee20bf4f0001cd4ceb51bd69a9d

SHA512
457a734e9347f00dbf03da8db4651e942420e382c65acef70b05f9871eb421cccdc0ea527a177940ba80d0d0507280c6ed67cbac052693a05df9ea61a00120fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk823212.exe

Filesize
460KB

MD5
cd1e31c09345935711324f22ffba653c

SHA1
f7775b7b09418b67d838ffa3db269227c19cab06

SHA256
142431060a12ca4f8b3c8bd25db4d233a91e474c8cf17594a03e9209002e688e

SHA512
f525f3a46753cd0df257a1803b031a75f1957ee16fb9c1fba77e467b52b55c26fd949170d92c835af7f9a199d1a71b6e7b64eab6f38e33f75aa32ef4caec4cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk823212.exe

Filesize
460KB

MD5
cd1e31c09345935711324f22ffba653c

SHA1
f7775b7b09418b67d838ffa3db269227c19cab06

SHA256
142431060a12ca4f8b3c8bd25db4d233a91e474c8cf17594a03e9209002e688e

SHA512
f525f3a46753cd0df257a1803b031a75f1957ee16fb9c1fba77e467b52b55c26fd949170d92c835af7f9a199d1a71b6e7b64eab6f38e33f75aa32ef4caec4cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk823212.exe

Filesize
460KB

MD5
cd1e31c09345935711324f22ffba653c

SHA1
f7775b7b09418b67d838ffa3db269227c19cab06

SHA256
142431060a12ca4f8b3c8bd25db4d233a91e474c8cf17594a03e9209002e688e

SHA512
f525f3a46753cd0df257a1803b031a75f1957ee16fb9c1fba77e467b52b55c26fd949170d92c835af7f9a199d1a71b6e7b64eab6f38e33f75aa32ef4caec4cee

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un649886.exe

Filesize
594KB

MD5
e19656315901314b56e030c862e2917c

SHA1
546a3f04a1f762b53957291270da862ede2550aa

SHA256
cc7d56b040b5618264450ba9c4d2249b20a173d2ada79458acd612e62498415a

SHA512
69692636ff5e50f6a0dcb1a6d517aa0cb06d30e4e6693aa62c043fbc05d9d2182b989693c33a7e0a89867d05e51d6e3dba912a1b4cfefc37e5b9d1393e57ed79

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un649886.exe

Filesize
594KB

MD5
e19656315901314b56e030c862e2917c

SHA1
546a3f04a1f762b53957291270da862ede2550aa

SHA256
cc7d56b040b5618264450ba9c4d2249b20a173d2ada79458acd612e62498415a

SHA512
69692636ff5e50f6a0dcb1a6d517aa0cb06d30e4e6693aa62c043fbc05d9d2182b989693c33a7e0a89867d05e51d6e3dba912a1b4cfefc37e5b9d1393e57ed79

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\77510220.exe

Filesize
378KB

MD5
2d548f0c159d083fd4d50e4e85f78e47

SHA1
a6154159a48d93787b240c20e9190e94ce780d1e

SHA256
84ca9f1e935915a387a13abc175149681a9e3ee20bf4f0001cd4ceb51bd69a9d

SHA512
457a734e9347f00dbf03da8db4651e942420e382c65acef70b05f9871eb421cccdc0ea527a177940ba80d0d0507280c6ed67cbac052693a05df9ea61a00120fc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\77510220.exe

Filesize
378KB

MD5
2d548f0c159d083fd4d50e4e85f78e47

SHA1
a6154159a48d93787b240c20e9190e94ce780d1e

SHA256
84ca9f1e935915a387a13abc175149681a9e3ee20bf4f0001cd4ceb51bd69a9d

SHA512
457a734e9347f00dbf03da8db4651e942420e382c65acef70b05f9871eb421cccdc0ea527a177940ba80d0d0507280c6ed67cbac052693a05df9ea61a00120fc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\77510220.exe

Filesize
378KB

MD5
2d548f0c159d083fd4d50e4e85f78e47

SHA1
a6154159a48d93787b240c20e9190e94ce780d1e

SHA256
84ca9f1e935915a387a13abc175149681a9e3ee20bf4f0001cd4ceb51bd69a9d

SHA512
457a734e9347f00dbf03da8db4651e942420e382c65acef70b05f9871eb421cccdc0ea527a177940ba80d0d0507280c6ed67cbac052693a05df9ea61a00120fc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk823212.exe

Filesize
460KB

MD5
cd1e31c09345935711324f22ffba653c

SHA1
f7775b7b09418b67d838ffa3db269227c19cab06

SHA256
142431060a12ca4f8b3c8bd25db4d233a91e474c8cf17594a03e9209002e688e

SHA512
f525f3a46753cd0df257a1803b031a75f1957ee16fb9c1fba77e467b52b55c26fd949170d92c835af7f9a199d1a71b6e7b64eab6f38e33f75aa32ef4caec4cee

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk823212.exe

Filesize
460KB

MD5
cd1e31c09345935711324f22ffba653c

SHA1
f7775b7b09418b67d838ffa3db269227c19cab06

SHA256
142431060a12ca4f8b3c8bd25db4d233a91e474c8cf17594a03e9209002e688e

SHA512
f525f3a46753cd0df257a1803b031a75f1957ee16fb9c1fba77e467b52b55c26fd949170d92c835af7f9a199d1a71b6e7b64eab6f38e33f75aa32ef4caec4cee

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk823212.exe

Filesize
460KB

MD5
cd1e31c09345935711324f22ffba653c

SHA1
f7775b7b09418b67d838ffa3db269227c19cab06

SHA256
142431060a12ca4f8b3c8bd25db4d233a91e474c8cf17594a03e9209002e688e

SHA512
f525f3a46753cd0df257a1803b031a75f1957ee16fb9c1fba77e467b52b55c26fd949170d92c835af7f9a199d1a71b6e7b64eab6f38e33f75aa32ef4caec4cee

Download Submit
memory/560-89-0x0000000000C10000-0x0000000000C22000-memory.dmp

Filesize
72KB

Download
memory/560-87-0x0000000000C10000-0x0000000000C22000-memory.dmp

Filesize
72KB

Download
memory/560-93-0x0000000000C10000-0x0000000000C22000-memory.dmp

Filesize
72KB

Download
memory/560-91-0x0000000000C10000-0x0000000000C22000-memory.dmp

Filesize
72KB

Download
memory/560-97-0x0000000000C10000-0x0000000000C22000-memory.dmp

Filesize
72KB

Download
memory/560-99-0x0000000000C10000-0x0000000000C22000-memory.dmp

Filesize
72KB

Download
memory/560-95-0x0000000000C10000-0x0000000000C22000-memory.dmp

Filesize
72KB

Download
memory/560-103-0x0000000000C10000-0x0000000000C22000-memory.dmp

Filesize
72KB

Download
memory/560-101-0x0000000000C10000-0x0000000000C22000-memory.dmp

Filesize
72KB

Download
memory/560-107-0x0000000000C10000-0x0000000000C22000-memory.dmp

Filesize
72KB

Download
memory/560-105-0x0000000000C10000-0x0000000000C22000-memory.dmp

Filesize
72KB

Download
memory/560-108-0x0000000000280000-0x00000000002AD000-memory.dmp

Filesize
180KB

Download
memory/560-109-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/560-110-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/560-111-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/560-112-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/560-85-0x0000000000C10000-0x0000000000C22000-memory.dmp

Filesize
72KB

Download
memory/560-83-0x0000000000C10000-0x0000000000C22000-memory.dmp

Filesize
72KB

Download
memory/560-81-0x0000000000C10000-0x0000000000C22000-memory.dmp

Filesize
72KB

Download
memory/560-80-0x0000000000C10000-0x0000000000C22000-memory.dmp

Filesize
72KB

Download
memory/560-79-0x0000000000C10000-0x0000000000C28000-memory.dmp

Filesize
96KB

Download
memory/560-78-0x0000000000BA0000-0x0000000000BBA000-memory.dmp

Filesize
104KB

Download
memory/1516-124-0x0000000001070000-0x00000000010AA000-memory.dmp

Filesize
232KB

Download
memory/1516-146-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1516-125-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1516-126-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1516-128-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1516-130-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1516-132-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1516-134-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1516-136-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1516-138-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1516-140-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1516-142-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1516-144-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1516-123-0x0000000000EE0000-0x0000000000F1C000-memory.dmp

Filesize
240KB

Download
memory/1516-148-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1516-150-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1516-152-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1516-154-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1516-156-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1516-158-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1516-204-0x0000000000240000-0x0000000000286000-memory.dmp

Filesize
280KB

Download
memory/1516-206-0x00000000010B0000-0x00000000010F0000-memory.dmp

Filesize
256KB

Download
memory/1516-919-0x00000000010B0000-0x00000000010F0000-memory.dmp

Filesize
256KB

Download
memory/1516-921-0x00000000010B0000-0x00000000010F0000-memory.dmp

Filesize
256KB

Download
memory/1516-922-0x00000000010B0000-0x00000000010F0000-memory.dmp

Filesize
256KB

Download
memory/1516-924-0x00000000010B0000-0x00000000010F0000-memory.dmp

Filesize
256KB

Download