5e39716cc12de120e2224170b178b13b87cb3991dd1596b844c310784bd72f0a

Analysis

max time kernel
150s
max time network
207s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 22:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5e39716cc12de120e2224170b178b13b87cb3991dd1596b844c310784bd72f0a.exe
Size

490KB
MD5

73c49916deb81bf4fa29e62c91c84af8
SHA1

187f2ac3e960ba224aa9714cd017a6707ec3ad95
SHA256

5e39716cc12de120e2224170b178b13b87cb3991dd1596b844c310784bd72f0a
SHA512

96488de1bf8dd648ed0341e14225b6e76e1821d5b2f257cfaf50fae21a77528efcb6e01e65244069a3f80f1f5591e9e1f5ad17d946abfa4238c77799282b4a4d
SSDEEP

12288:+Mr4y90e1kBxhzJbWzpRe5YMPr1RdoaAfqr:KyLan3azqGMD1R+avr

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o9837952.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o9837952.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o9837952.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o9837952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	o9837952.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o9837952.exe

Executes dropped EXE 3 IoCs

pid	Process
1948	z9272779.exe
320	o9837952.exe
1820	r7684227.exe

Loads dropped DLL 6 IoCs

pid	Process
2032	5e39716cc12de120e2224170b178b13b87cb3991dd1596b844c310784bd72f0a.exe
1948	z9272779.exe
1948	z9272779.exe
320	o9837952.exe
1948	z9272779.exe
1820	r7684227.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	o9837952.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o9837952.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z9272779.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5e39716cc12de120e2224170b178b13b87cb3991dd1596b844c310784bd72f0a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e39716cc12de120e2224170b178b13b87cb3991dd1596b844c310784bd72f0a.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z9272779.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
320	o9837952.exe
320	o9837952.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	320	o9837952.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1948	2032	5e39716cc12de120e2224170b178b13b87cb3991dd1596b844c310784bd72f0a.exe	28
PID 2032 wrote to memory of 1948	2032	5e39716cc12de120e2224170b178b13b87cb3991dd1596b844c310784bd72f0a.exe	28
PID 2032 wrote to memory of 1948	2032	5e39716cc12de120e2224170b178b13b87cb3991dd1596b844c310784bd72f0a.exe	28
PID 2032 wrote to memory of 1948	2032	5e39716cc12de120e2224170b178b13b87cb3991dd1596b844c310784bd72f0a.exe	28
PID 2032 wrote to memory of 1948	2032	5e39716cc12de120e2224170b178b13b87cb3991dd1596b844c310784bd72f0a.exe	28
PID 2032 wrote to memory of 1948	2032	5e39716cc12de120e2224170b178b13b87cb3991dd1596b844c310784bd72f0a.exe	28
PID 2032 wrote to memory of 1948	2032	5e39716cc12de120e2224170b178b13b87cb3991dd1596b844c310784bd72f0a.exe	28
PID 1948 wrote to memory of 320	1948	z9272779.exe	29
PID 1948 wrote to memory of 320	1948	z9272779.exe	29
PID 1948 wrote to memory of 320	1948	z9272779.exe	29
PID 1948 wrote to memory of 320	1948	z9272779.exe	29
PID 1948 wrote to memory of 320	1948	z9272779.exe	29
PID 1948 wrote to memory of 320	1948	z9272779.exe	29
PID 1948 wrote to memory of 320	1948	z9272779.exe	29
PID 1948 wrote to memory of 1820	1948	z9272779.exe	30
PID 1948 wrote to memory of 1820	1948	z9272779.exe	30
PID 1948 wrote to memory of 1820	1948	z9272779.exe	30
PID 1948 wrote to memory of 1820	1948	z9272779.exe	30
PID 1948 wrote to memory of 1820	1948	z9272779.exe	30
PID 1948 wrote to memory of 1820	1948	z9272779.exe	30
PID 1948 wrote to memory of 1820	1948	z9272779.exe	30

C:\Users\Admin\AppData\Local\Temp\5e39716cc12de120e2224170b178b13b87cb3991dd1596b844c310784bd72f0a.exe
"C:\Users\Admin\AppData\Local\Temp\5e39716cc12de120e2224170b178b13b87cb3991dd1596b844c310784bd72f0a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9272779.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9272779.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9837952.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9837952.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:320
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7684227.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7684227.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9272779.exe

Filesize
308KB

MD5
39dff604ee22ed296dc7b871b7670ea0

SHA1
cd144887ed82c8b0cc3b81cbc0ada4fe50de4503

SHA256
2e9e4387ed41f0277ed7b286a5c5b572c62d84ee564e3609fa5fd2fe7444eec0

SHA512
10ba4c7955639ac60ec8d53bcafdf9caed2b3e46d1e00137ed5c6f5e5e66b4b3f44fd19895265108d980fe8db37f968b347fdf7f49c305a527a5cbc6872f3700

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9272779.exe

Filesize
308KB

MD5
39dff604ee22ed296dc7b871b7670ea0

SHA1
cd144887ed82c8b0cc3b81cbc0ada4fe50de4503

SHA256
2e9e4387ed41f0277ed7b286a5c5b572c62d84ee564e3609fa5fd2fe7444eec0

SHA512
10ba4c7955639ac60ec8d53bcafdf9caed2b3e46d1e00137ed5c6f5e5e66b4b3f44fd19895265108d980fe8db37f968b347fdf7f49c305a527a5cbc6872f3700

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9837952.exe

Filesize
175KB

MD5
68a3a79cf7aa67c73ae77759580855bb

SHA1
f7be3508436fbdea2760f45b3c8db56d62cdd017

SHA256
c48aec0660b078fdbdb082d1ac172c989a3f24779c228dfcde3443d90c242bf7

SHA512
d7972c897970e162b6ac9552d738b63f2b163c34ab8dfd5e94480fe711da715e3f11e9febd53d83995c16cc0806daf37d05c1e3c54f15589624e8b574e546592

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9837952.exe

Filesize
175KB

MD5
68a3a79cf7aa67c73ae77759580855bb

SHA1
f7be3508436fbdea2760f45b3c8db56d62cdd017

SHA256
c48aec0660b078fdbdb082d1ac172c989a3f24779c228dfcde3443d90c242bf7

SHA512
d7972c897970e162b6ac9552d738b63f2b163c34ab8dfd5e94480fe711da715e3f11e9febd53d83995c16cc0806daf37d05c1e3c54f15589624e8b574e546592

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7684227.exe

Filesize
136KB

MD5
13d3ba2c753c79e029085b64b2a0d5c3

SHA1
79012c48ec394c770cb678ca141a3a2c248ca16f

SHA256
e4e374ea9f023e53d0172aa643eda62d64f90de46793042f2d93931864dd2259

SHA512
c3d29dc9390efaf9e49b265a7c7bd926aeb17dac566caddc1592aa83db56555f5e88af696a30bc3eeb5a41c5ecb666f0d396bca79f6cace52bfbef8ca1c529c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7684227.exe

Filesize
136KB

MD5
13d3ba2c753c79e029085b64b2a0d5c3

SHA1
79012c48ec394c770cb678ca141a3a2c248ca16f

SHA256
e4e374ea9f023e53d0172aa643eda62d64f90de46793042f2d93931864dd2259

SHA512
c3d29dc9390efaf9e49b265a7c7bd926aeb17dac566caddc1592aa83db56555f5e88af696a30bc3eeb5a41c5ecb666f0d396bca79f6cace52bfbef8ca1c529c6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9272779.exe

Filesize
308KB

MD5
39dff604ee22ed296dc7b871b7670ea0

SHA1
cd144887ed82c8b0cc3b81cbc0ada4fe50de4503

SHA256
2e9e4387ed41f0277ed7b286a5c5b572c62d84ee564e3609fa5fd2fe7444eec0

SHA512
10ba4c7955639ac60ec8d53bcafdf9caed2b3e46d1e00137ed5c6f5e5e66b4b3f44fd19895265108d980fe8db37f968b347fdf7f49c305a527a5cbc6872f3700

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9272779.exe

Filesize
308KB

MD5
39dff604ee22ed296dc7b871b7670ea0

SHA1
cd144887ed82c8b0cc3b81cbc0ada4fe50de4503

SHA256
2e9e4387ed41f0277ed7b286a5c5b572c62d84ee564e3609fa5fd2fe7444eec0

SHA512
10ba4c7955639ac60ec8d53bcafdf9caed2b3e46d1e00137ed5c6f5e5e66b4b3f44fd19895265108d980fe8db37f968b347fdf7f49c305a527a5cbc6872f3700

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9837952.exe

Filesize
175KB

MD5
68a3a79cf7aa67c73ae77759580855bb

SHA1
f7be3508436fbdea2760f45b3c8db56d62cdd017

SHA256
c48aec0660b078fdbdb082d1ac172c989a3f24779c228dfcde3443d90c242bf7

SHA512
d7972c897970e162b6ac9552d738b63f2b163c34ab8dfd5e94480fe711da715e3f11e9febd53d83995c16cc0806daf37d05c1e3c54f15589624e8b574e546592

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9837952.exe

Filesize
175KB

MD5
68a3a79cf7aa67c73ae77759580855bb

SHA1
f7be3508436fbdea2760f45b3c8db56d62cdd017

SHA256
c48aec0660b078fdbdb082d1ac172c989a3f24779c228dfcde3443d90c242bf7

SHA512
d7972c897970e162b6ac9552d738b63f2b163c34ab8dfd5e94480fe711da715e3f11e9febd53d83995c16cc0806daf37d05c1e3c54f15589624e8b574e546592

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7684227.exe

Filesize
136KB

MD5
13d3ba2c753c79e029085b64b2a0d5c3

SHA1
79012c48ec394c770cb678ca141a3a2c248ca16f

SHA256
e4e374ea9f023e53d0172aa643eda62d64f90de46793042f2d93931864dd2259

SHA512
c3d29dc9390efaf9e49b265a7c7bd926aeb17dac566caddc1592aa83db56555f5e88af696a30bc3eeb5a41c5ecb666f0d396bca79f6cace52bfbef8ca1c529c6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7684227.exe

Filesize
136KB

MD5
13d3ba2c753c79e029085b64b2a0d5c3

SHA1
79012c48ec394c770cb678ca141a3a2c248ca16f

SHA256
e4e374ea9f023e53d0172aa643eda62d64f90de46793042f2d93931864dd2259

SHA512
c3d29dc9390efaf9e49b265a7c7bd926aeb17dac566caddc1592aa83db56555f5e88af696a30bc3eeb5a41c5ecb666f0d396bca79f6cace52bfbef8ca1c529c6

Download Submit
memory/320-87-0x0000000000720000-0x0000000000732000-memory.dmp

Filesize
72KB

Download
memory/320-101-0x0000000000720000-0x0000000000732000-memory.dmp

Filesize
72KB

Download
memory/320-83-0x0000000000720000-0x0000000000732000-memory.dmp

Filesize
72KB

Download
memory/320-85-0x0000000000720000-0x0000000000732000-memory.dmp

Filesize
72KB

Download
memory/320-79-0x0000000000720000-0x0000000000732000-memory.dmp

Filesize
72KB

Download
memory/320-89-0x0000000000720000-0x0000000000732000-memory.dmp

Filesize
72KB

Download
memory/320-91-0x0000000000720000-0x0000000000732000-memory.dmp

Filesize
72KB

Download
memory/320-93-0x0000000000720000-0x0000000000732000-memory.dmp

Filesize
72KB

Download
memory/320-95-0x0000000000720000-0x0000000000732000-memory.dmp

Filesize
72KB

Download
memory/320-97-0x0000000000720000-0x0000000000732000-memory.dmp

Filesize
72KB

Download
memory/320-99-0x0000000000720000-0x0000000000732000-memory.dmp

Filesize
72KB

Download
memory/320-81-0x0000000000720000-0x0000000000732000-memory.dmp

Filesize
72KB

Download
memory/320-103-0x0000000000720000-0x0000000000732000-memory.dmp

Filesize
72KB

Download
memory/320-105-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/320-104-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/320-106-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/320-77-0x0000000000720000-0x0000000000732000-memory.dmp

Filesize
72KB

Download
memory/320-76-0x0000000000720000-0x0000000000732000-memory.dmp

Filesize
72KB

Download
memory/320-75-0x0000000000720000-0x0000000000738000-memory.dmp

Filesize
96KB

Download
memory/320-74-0x00000000006F0000-0x000000000070A000-memory.dmp

Filesize
104KB

Download
memory/1820-113-0x0000000000F70000-0x0000000000F98000-memory.dmp

Filesize
160KB

Download
memory/1820-114-0x0000000002440000-0x0000000002480000-memory.dmp

Filesize
256KB

Download
memory/1820-115-0x0000000002440000-0x0000000002480000-memory.dmp

Filesize
256KB

Download