5f558071095f4f97f72828923886a14bab190c9ca85c42c5afc54893102d0d38

Analysis

max time kernel
287s
max time network
308s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f558071095f4f97f72828923886a14bab190c9ca85c42c5afc54893102d0d38.exe
Size

1.5MB
MD5

3810e4d620629e89095d2024a5dd8f91
SHA1

b14697dadf5bf56dad70d8bc3bd5ef6c1e35a63d
SHA256

5f558071095f4f97f72828923886a14bab190c9ca85c42c5afc54893102d0d38
SHA512

2280c3fd9da69c1d24e75a7460bb4df9377d693e9c8e368e45f01b2fc40bb594c58b4f0fb54ec17a853e3c46bdded390b78dcc32e74ac96b1d077a7f9c392399
SSDEEP

49152:aEj3GmxrubgyTCBNRYr62Q5il/do5dGal:F9qbgmCKrnV/S5dxl

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a80614746.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a80614746.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a80614746.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a80614746.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a80614746.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a80614746.exe

Executes dropped EXE 5 IoCs

pid	Process
3964	i04415049.exe
4580	i10286750.exe
3152	i08852433.exe
1932	i50244322.exe
4348	a80614746.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a80614746.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a80614746.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i04415049.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i08852433.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i50244322.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i50244322.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5f558071095f4f97f72828923886a14bab190c9ca85c42c5afc54893102d0d38.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i04415049.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i10286750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i08852433.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5f558071095f4f97f72828923886a14bab190c9ca85c42c5afc54893102d0d38.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i10286750.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3336	4348	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4348	a80614746.exe
4348	a80614746.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4348	a80614746.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 60 wrote to memory of 3964	60	5f558071095f4f97f72828923886a14bab190c9ca85c42c5afc54893102d0d38.exe	79
PID 60 wrote to memory of 3964	60	5f558071095f4f97f72828923886a14bab190c9ca85c42c5afc54893102d0d38.exe	79
PID 60 wrote to memory of 3964	60	5f558071095f4f97f72828923886a14bab190c9ca85c42c5afc54893102d0d38.exe	79
PID 3964 wrote to memory of 4580	3964	i04415049.exe	80
PID 3964 wrote to memory of 4580	3964	i04415049.exe	80
PID 3964 wrote to memory of 4580	3964	i04415049.exe	80
PID 4580 wrote to memory of 3152	4580	i10286750.exe	81
PID 4580 wrote to memory of 3152	4580	i10286750.exe	81
PID 4580 wrote to memory of 3152	4580	i10286750.exe	81
PID 3152 wrote to memory of 1932	3152	i08852433.exe	82
PID 3152 wrote to memory of 1932	3152	i08852433.exe	82
PID 3152 wrote to memory of 1932	3152	i08852433.exe	82
PID 1932 wrote to memory of 4348	1932	i50244322.exe	83
PID 1932 wrote to memory of 4348	1932	i50244322.exe	83
PID 1932 wrote to memory of 4348	1932	i50244322.exe	83

C:\Users\Admin\AppData\Local\Temp\5f558071095f4f97f72828923886a14bab190c9ca85c42c5afc54893102d0d38.exe
"C:\Users\Admin\AppData\Local\Temp\5f558071095f4f97f72828923886a14bab190c9ca85c42c5afc54893102d0d38.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:60
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i04415049.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i04415049.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i10286750.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i10286750.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i08852433.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i08852433.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3152
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i50244322.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i50244322.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1932
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a80614746.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a80614746.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1096
        7⤵
        Program crash
        
        PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4348 -ip 4348
1⤵
PID:2268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i04415049.exe

Filesize
1.3MB

MD5
da9291527dfdaab551693a783065cf1e

SHA1
deea25b69cb569a4e0b9e0d7cd80b94518a0ecfa

SHA256
8e9694e53a439d0dde140ecda293ab2e25ac7e00e2ffc7d0b1e7eaf9f81037b2

SHA512
e385d48fe141fe7db8c0da32e87ae89e3b8bf71a371b9ca673d0c1288970d0d6b7fd095d8757134036275d03fe3deabb63f65afc5cd8ed46def4e8d6889d56f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i04415049.exe

Filesize
1.3MB

MD5
da9291527dfdaab551693a783065cf1e

SHA1
deea25b69cb569a4e0b9e0d7cd80b94518a0ecfa

SHA256
8e9694e53a439d0dde140ecda293ab2e25ac7e00e2ffc7d0b1e7eaf9f81037b2

SHA512
e385d48fe141fe7db8c0da32e87ae89e3b8bf71a371b9ca673d0c1288970d0d6b7fd095d8757134036275d03fe3deabb63f65afc5cd8ed46def4e8d6889d56f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i10286750.exe

Filesize
1.1MB

MD5
c88369738627119921756e4d100b92be

SHA1
4c96636a972f6eece28af689e9392f0cae5e2e19

SHA256
228e9b9e1311fcbe70b127a25529e1b7b768ad2c772f2466e669e9c4b05eb71f

SHA512
f99f26f6afa5d03748ee30c924fb47dee07d5fd772cd2535c246f6133db30a9dabf4970249ab423b3e7df5b5e892130805d28b588d341159916682db599c6a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i10286750.exe

Filesize
1.1MB

MD5
c88369738627119921756e4d100b92be

SHA1
4c96636a972f6eece28af689e9392f0cae5e2e19

SHA256
228e9b9e1311fcbe70b127a25529e1b7b768ad2c772f2466e669e9c4b05eb71f

SHA512
f99f26f6afa5d03748ee30c924fb47dee07d5fd772cd2535c246f6133db30a9dabf4970249ab423b3e7df5b5e892130805d28b588d341159916682db599c6a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i08852433.exe

Filesize
685KB

MD5
8ec1015040d537731aaccd6927869814

SHA1
6e1e254a1150c2e5d42783724215cd44bb298f99

SHA256
3a7e871b88cec1256c643422f2fe4bff19a4bf98f82b3798428932fc7e9e1d5d

SHA512
bd4d8abf1d101b3a1fbe82bba15ca78bc91374d538f712c4703df4aa22d125ee2307b1ea90999d0e927affaf70c423aca120226999f87dde99d459ad742efd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i08852433.exe

Filesize
685KB

MD5
8ec1015040d537731aaccd6927869814

SHA1
6e1e254a1150c2e5d42783724215cd44bb298f99

SHA256
3a7e871b88cec1256c643422f2fe4bff19a4bf98f82b3798428932fc7e9e1d5d

SHA512
bd4d8abf1d101b3a1fbe82bba15ca78bc91374d538f712c4703df4aa22d125ee2307b1ea90999d0e927affaf70c423aca120226999f87dde99d459ad742efd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i50244322.exe

Filesize
405KB

MD5
fb68a545c47bef8d86fc7fae244cb745

SHA1
78c00e4aa63d42f0c9f88a16a766072bc01ef64f

SHA256
40dab0ca74c5946c8ab487a234fec1ef46555e93d1d01e9200458b8736601d79

SHA512
5d31fc637870809e2183a61c4f4897ad32ebdf68dc941852efc0c694d6034450bf59028e30fdee0452538ea428482b1718e8670db3b696e38df2319fcc7599db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i50244322.exe

Filesize
405KB

MD5
fb68a545c47bef8d86fc7fae244cb745

SHA1
78c00e4aa63d42f0c9f88a16a766072bc01ef64f

SHA256
40dab0ca74c5946c8ab487a234fec1ef46555e93d1d01e9200458b8736601d79

SHA512
5d31fc637870809e2183a61c4f4897ad32ebdf68dc941852efc0c694d6034450bf59028e30fdee0452538ea428482b1718e8670db3b696e38df2319fcc7599db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a80614746.exe

Filesize
345KB

MD5
4f51b141bd80fd27490866eacbbd1b9d

SHA1
7a8538e072de6a9135bee8e2385699e076c8cdfa

SHA256
74d5e0fd12beef64f224ac393fb04abe498742acabfdea572d33f532156ac05c

SHA512
e2f476a944b8108114c337cb77adbc92557975ac14a8c1ecc5745011d40d08c48a1b2b70027d51580d44429c4280b432ce70c73087e1a517b5f148a8e52415dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a80614746.exe

Filesize
345KB

MD5
4f51b141bd80fd27490866eacbbd1b9d

SHA1
7a8538e072de6a9135bee8e2385699e076c8cdfa

SHA256
74d5e0fd12beef64f224ac393fb04abe498742acabfdea572d33f532156ac05c

SHA512
e2f476a944b8108114c337cb77adbc92557975ac14a8c1ecc5745011d40d08c48a1b2b70027d51580d44429c4280b432ce70c73087e1a517b5f148a8e52415dc

Download Submit
memory/4348-178-0x0000000002BA0000-0x0000000002BB2000-memory.dmp

Filesize
72KB

Download
memory/4348-188-0x0000000002BA0000-0x0000000002BB2000-memory.dmp

Filesize
72KB

Download
memory/4348-171-0x0000000000CF0000-0x0000000000D1D000-memory.dmp

Filesize
180KB

Download
memory/4348-173-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/4348-174-0x00000000053B0000-0x0000000005954000-memory.dmp

Filesize
5.6MB

Download
memory/4348-175-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/4348-176-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/4348-177-0x0000000002BA0000-0x0000000002BB2000-memory.dmp

Filesize
72KB

Download
memory/4348-169-0x0000000000CF0000-0x0000000000D1D000-memory.dmp

Filesize
180KB

Download
memory/4348-180-0x0000000002BA0000-0x0000000002BB2000-memory.dmp

Filesize
72KB

Download
memory/4348-182-0x0000000002BA0000-0x0000000002BB2000-memory.dmp

Filesize
72KB

Download
memory/4348-184-0x0000000002BA0000-0x0000000002BB2000-memory.dmp

Filesize
72KB

Download
memory/4348-186-0x0000000002BA0000-0x0000000002BB2000-memory.dmp

Filesize
72KB

Download
memory/4348-170-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/4348-190-0x0000000002BA0000-0x0000000002BB2000-memory.dmp

Filesize
72KB

Download
memory/4348-192-0x0000000002BA0000-0x0000000002BB2000-memory.dmp

Filesize
72KB

Download
memory/4348-194-0x0000000002BA0000-0x0000000002BB2000-memory.dmp

Filesize
72KB

Download
memory/4348-196-0x0000000002BA0000-0x0000000002BB2000-memory.dmp

Filesize
72KB

Download
memory/4348-198-0x0000000002BA0000-0x0000000002BB2000-memory.dmp

Filesize
72KB

Download
memory/4348-200-0x0000000002BA0000-0x0000000002BB2000-memory.dmp

Filesize
72KB

Download
memory/4348-202-0x0000000002BA0000-0x0000000002BB2000-memory.dmp

Filesize
72KB

Download
memory/4348-204-0x0000000002BA0000-0x0000000002BB2000-memory.dmp

Filesize
72KB

Download
memory/4348-205-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/4348-206-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/4348-207-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/4348-208-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/4348-213-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download