5f95931e1cac51d7cd666a2e50b32ceabcf6016c93edf59313fc69eb8251f839

Analysis

max time kernel
150s
max time network
173s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-05-2023 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f95931e1cac51d7cd666a2e50b32ceabcf6016c93edf59313fc69eb8251f839.exe
Size

611KB
MD5

7d9d236eb33cb77f511a575ea745c030
SHA1

e0b6f192bf5e74b87c6c1bbeceff741aed640179
SHA256

5f95931e1cac51d7cd666a2e50b32ceabcf6016c93edf59313fc69eb8251f839
SHA512

bf7f304d9497647f4f84d150f398e19e595c921d0838dd76807d95946aa18e077754d2b7c202ccbebfef74fde27bdd5636d3996c136ef79d6be6f045e506ca0d
SSDEEP

12288:ty90sWh0mKfC3qgSYyIiBZ/TUXLOXDBERM:typWemK6mYXi/ygDGM

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	17297624.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	17297624.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	17297624.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	17297624.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	17297624.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	17297624.exe

Executes dropped EXE 3 IoCs

pid	Process
1204	st117722.exe
580	17297624.exe
1772	kp831857.exe

Loads dropped DLL 6 IoCs

pid	Process
1360	5f95931e1cac51d7cd666a2e50b32ceabcf6016c93edf59313fc69eb8251f839.exe
1204	st117722.exe
1204	st117722.exe
1204	st117722.exe
1204	st117722.exe
1772	kp831857.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	17297624.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	17297624.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5f95931e1cac51d7cd666a2e50b32ceabcf6016c93edf59313fc69eb8251f839.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	st117722.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st117722.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5f95931e1cac51d7cd666a2e50b32ceabcf6016c93edf59313fc69eb8251f839.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
580	17297624.exe
580	17297624.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	580	17297624.exe
Token: SeDebugPrivilege	1772	kp831857.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 1204	1360	5f95931e1cac51d7cd666a2e50b32ceabcf6016c93edf59313fc69eb8251f839.exe	28
PID 1360 wrote to memory of 1204	1360	5f95931e1cac51d7cd666a2e50b32ceabcf6016c93edf59313fc69eb8251f839.exe	28
PID 1360 wrote to memory of 1204	1360	5f95931e1cac51d7cd666a2e50b32ceabcf6016c93edf59313fc69eb8251f839.exe	28
PID 1360 wrote to memory of 1204	1360	5f95931e1cac51d7cd666a2e50b32ceabcf6016c93edf59313fc69eb8251f839.exe	28
PID 1360 wrote to memory of 1204	1360	5f95931e1cac51d7cd666a2e50b32ceabcf6016c93edf59313fc69eb8251f839.exe	28
PID 1360 wrote to memory of 1204	1360	5f95931e1cac51d7cd666a2e50b32ceabcf6016c93edf59313fc69eb8251f839.exe	28
PID 1360 wrote to memory of 1204	1360	5f95931e1cac51d7cd666a2e50b32ceabcf6016c93edf59313fc69eb8251f839.exe	28
PID 1204 wrote to memory of 580	1204	st117722.exe	29
PID 1204 wrote to memory of 580	1204	st117722.exe	29
PID 1204 wrote to memory of 580	1204	st117722.exe	29
PID 1204 wrote to memory of 580	1204	st117722.exe	29
PID 1204 wrote to memory of 580	1204	st117722.exe	29
PID 1204 wrote to memory of 580	1204	st117722.exe	29
PID 1204 wrote to memory of 580	1204	st117722.exe	29
PID 1204 wrote to memory of 1772	1204	st117722.exe	30
PID 1204 wrote to memory of 1772	1204	st117722.exe	30
PID 1204 wrote to memory of 1772	1204	st117722.exe	30
PID 1204 wrote to memory of 1772	1204	st117722.exe	30
PID 1204 wrote to memory of 1772	1204	st117722.exe	30
PID 1204 wrote to memory of 1772	1204	st117722.exe	30
PID 1204 wrote to memory of 1772	1204	st117722.exe	30

C:\Users\Admin\AppData\Local\Temp\5f95931e1cac51d7cd666a2e50b32ceabcf6016c93edf59313fc69eb8251f839.exe
"C:\Users\Admin\AppData\Local\Temp\5f95931e1cac51d7cd666a2e50b32ceabcf6016c93edf59313fc69eb8251f839.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st117722.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st117722.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\17297624.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\17297624.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:580
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp831857.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp831857.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st117722.exe

Filesize
457KB

MD5
cc6f9599fb0ed93f10abf8ef839a06b2

SHA1
4d42b8b84a8f4bfab137dec35e1f36f4aa110ba8

SHA256
b6a602384214a03cd1ca0d7264f8c3e732f32656838dabc880d43900cc6026de

SHA512
8c4da4d6a26711654676a60eb3ba124775cc41e4828317ea1ccb55d4ecbe108623dc99c789e242c374c47afa1b7735534529a06c552e3c6d519ee7b2f61189b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st117722.exe

Filesize
457KB

MD5
cc6f9599fb0ed93f10abf8ef839a06b2

SHA1
4d42b8b84a8f4bfab137dec35e1f36f4aa110ba8

SHA256
b6a602384214a03cd1ca0d7264f8c3e732f32656838dabc880d43900cc6026de

SHA512
8c4da4d6a26711654676a60eb3ba124775cc41e4828317ea1ccb55d4ecbe108623dc99c789e242c374c47afa1b7735534529a06c552e3c6d519ee7b2f61189b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\17297624.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\17297624.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp831857.exe

Filesize
459KB

MD5
dfd86a1d20a8b65ba66145fb8756ca0f

SHA1
4ea2c2f74d046ad502b51f7d6b7dda64a0c47cad

SHA256
dedf58d5bf31ebc09dc30081086c3f2a3c56f5e94c6830d251bef0b4cbe197f8

SHA512
8ac03f3c837132160acba8f1c3e34e0098813b58e59ee92429bc204b6d71ca989fbe8cea58f0de776f52391a7c0f9fa070790158b683a80d10524fae66619b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp831857.exe

Filesize
459KB

MD5
dfd86a1d20a8b65ba66145fb8756ca0f

SHA1
4ea2c2f74d046ad502b51f7d6b7dda64a0c47cad

SHA256
dedf58d5bf31ebc09dc30081086c3f2a3c56f5e94c6830d251bef0b4cbe197f8

SHA512
8ac03f3c837132160acba8f1c3e34e0098813b58e59ee92429bc204b6d71ca989fbe8cea58f0de776f52391a7c0f9fa070790158b683a80d10524fae66619b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp831857.exe

Filesize
459KB

MD5
dfd86a1d20a8b65ba66145fb8756ca0f

SHA1
4ea2c2f74d046ad502b51f7d6b7dda64a0c47cad

SHA256
dedf58d5bf31ebc09dc30081086c3f2a3c56f5e94c6830d251bef0b4cbe197f8

SHA512
8ac03f3c837132160acba8f1c3e34e0098813b58e59ee92429bc204b6d71ca989fbe8cea58f0de776f52391a7c0f9fa070790158b683a80d10524fae66619b59

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st117722.exe

Filesize
457KB

MD5
cc6f9599fb0ed93f10abf8ef839a06b2

SHA1
4d42b8b84a8f4bfab137dec35e1f36f4aa110ba8

SHA256
b6a602384214a03cd1ca0d7264f8c3e732f32656838dabc880d43900cc6026de

SHA512
8c4da4d6a26711654676a60eb3ba124775cc41e4828317ea1ccb55d4ecbe108623dc99c789e242c374c47afa1b7735534529a06c552e3c6d519ee7b2f61189b6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st117722.exe

Filesize
457KB

MD5
cc6f9599fb0ed93f10abf8ef839a06b2

SHA1
4d42b8b84a8f4bfab137dec35e1f36f4aa110ba8

SHA256
b6a602384214a03cd1ca0d7264f8c3e732f32656838dabc880d43900cc6026de

SHA512
8c4da4d6a26711654676a60eb3ba124775cc41e4828317ea1ccb55d4ecbe108623dc99c789e242c374c47afa1b7735534529a06c552e3c6d519ee7b2f61189b6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\17297624.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp831857.exe

Filesize
459KB

MD5
dfd86a1d20a8b65ba66145fb8756ca0f

SHA1
4ea2c2f74d046ad502b51f7d6b7dda64a0c47cad

SHA256
dedf58d5bf31ebc09dc30081086c3f2a3c56f5e94c6830d251bef0b4cbe197f8

SHA512
8ac03f3c837132160acba8f1c3e34e0098813b58e59ee92429bc204b6d71ca989fbe8cea58f0de776f52391a7c0f9fa070790158b683a80d10524fae66619b59

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp831857.exe

Filesize
459KB

MD5
dfd86a1d20a8b65ba66145fb8756ca0f

SHA1
4ea2c2f74d046ad502b51f7d6b7dda64a0c47cad

SHA256
dedf58d5bf31ebc09dc30081086c3f2a3c56f5e94c6830d251bef0b4cbe197f8

SHA512
8ac03f3c837132160acba8f1c3e34e0098813b58e59ee92429bc204b6d71ca989fbe8cea58f0de776f52391a7c0f9fa070790158b683a80d10524fae66619b59

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp831857.exe

Filesize
459KB

MD5
dfd86a1d20a8b65ba66145fb8756ca0f

SHA1
4ea2c2f74d046ad502b51f7d6b7dda64a0c47cad

SHA256
dedf58d5bf31ebc09dc30081086c3f2a3c56f5e94c6830d251bef0b4cbe197f8

SHA512
8ac03f3c837132160acba8f1c3e34e0098813b58e59ee92429bc204b6d71ca989fbe8cea58f0de776f52391a7c0f9fa070790158b683a80d10524fae66619b59

Download Submit
memory/580-72-0x00000000013C0000-0x00000000013CA000-memory.dmp

Filesize
40KB

Download
memory/1772-107-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-121-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-85-0x00000000025F0000-0x000000000262A000-memory.dmp

Filesize
232KB

Download
memory/1772-86-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-87-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-93-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-95-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-91-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-89-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-97-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-99-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-101-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-103-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-105-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-83-0x00000000002A0000-0x00000000002E6000-memory.dmp

Filesize
280KB

Download
memory/1772-109-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-111-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-117-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-115-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-113-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-119-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-84-0x00000000025B0000-0x00000000025EC000-memory.dmp

Filesize
240KB

Download
memory/1772-123-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-125-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-127-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-129-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-131-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-133-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-135-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-137-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-139-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-141-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-143-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-145-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-147-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-149-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/1772-250-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download
memory/1772-252-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download
memory/1772-254-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download
memory/1772-882-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download
memory/1772-883-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download
memory/1772-884-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download
memory/1772-886-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download