6100e5a3792b1902505e979f6e1da44200f121d330fe6002f32034e68aeb5ead

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6100e5a3792b1902505e979f6e1da44200f121d330fe6002f32034e68aeb5ead.exe
Size

479KB
MD5

ccfee014ff9b49a62f990f6e2196f9ce
SHA1

b4fbaa30a98c272d26d5f1e68e2dd6d99d57c0d0
SHA256

6100e5a3792b1902505e979f6e1da44200f121d330fe6002f32034e68aeb5ead
SHA512

86c56f71f466eb8f8339a185850d08ba30d9337b54e346ed23e2881777f30682186d624b4fa9f8f8b1a295d56f9c4997b05daa759c6aeebafec37294c6ba7fbf
SSDEEP

12288:uMryy90BXy08bpFiXpqvCW2fQbFjTPHzaKt:QycIpWm2w5PTft

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k3725173.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k3725173.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k3725173.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k3725173.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k3725173.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k3725173.exe

Executes dropped EXE 3 IoCs

pid	Process
928	y2868330.exe
868	k3725173.exe
1280	l5468744.exe

Loads dropped DLL 6 IoCs

pid	Process
748	6100e5a3792b1902505e979f6e1da44200f121d330fe6002f32034e68aeb5ead.exe
928	y2868330.exe
928	y2868330.exe
868	k3725173.exe
928	y2868330.exe
1280	l5468744.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	k3725173.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k3725173.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6100e5a3792b1902505e979f6e1da44200f121d330fe6002f32034e68aeb5ead.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6100e5a3792b1902505e979f6e1da44200f121d330fe6002f32034e68aeb5ead.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y2868330.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y2868330.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
868	k3725173.exe
868	k3725173.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	868	k3725173.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 928	748	6100e5a3792b1902505e979f6e1da44200f121d330fe6002f32034e68aeb5ead.exe	26
PID 748 wrote to memory of 928	748	6100e5a3792b1902505e979f6e1da44200f121d330fe6002f32034e68aeb5ead.exe	26
PID 748 wrote to memory of 928	748	6100e5a3792b1902505e979f6e1da44200f121d330fe6002f32034e68aeb5ead.exe	26
PID 748 wrote to memory of 928	748	6100e5a3792b1902505e979f6e1da44200f121d330fe6002f32034e68aeb5ead.exe	26
PID 748 wrote to memory of 928	748	6100e5a3792b1902505e979f6e1da44200f121d330fe6002f32034e68aeb5ead.exe	26
PID 748 wrote to memory of 928	748	6100e5a3792b1902505e979f6e1da44200f121d330fe6002f32034e68aeb5ead.exe	26
PID 748 wrote to memory of 928	748	6100e5a3792b1902505e979f6e1da44200f121d330fe6002f32034e68aeb5ead.exe	26
PID 928 wrote to memory of 868	928	y2868330.exe	27
PID 928 wrote to memory of 868	928	y2868330.exe	27
PID 928 wrote to memory of 868	928	y2868330.exe	27
PID 928 wrote to memory of 868	928	y2868330.exe	27
PID 928 wrote to memory of 868	928	y2868330.exe	27
PID 928 wrote to memory of 868	928	y2868330.exe	27
PID 928 wrote to memory of 868	928	y2868330.exe	27
PID 928 wrote to memory of 1280	928	y2868330.exe	28
PID 928 wrote to memory of 1280	928	y2868330.exe	28
PID 928 wrote to memory of 1280	928	y2868330.exe	28
PID 928 wrote to memory of 1280	928	y2868330.exe	28
PID 928 wrote to memory of 1280	928	y2868330.exe	28
PID 928 wrote to memory of 1280	928	y2868330.exe	28
PID 928 wrote to memory of 1280	928	y2868330.exe	28

C:\Users\Admin\AppData\Local\Temp\6100e5a3792b1902505e979f6e1da44200f121d330fe6002f32034e68aeb5ead.exe
"C:\Users\Admin\AppData\Local\Temp\6100e5a3792b1902505e979f6e1da44200f121d330fe6002f32034e68aeb5ead.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:748
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2868330.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2868330.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3725173.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3725173.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:868
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5468744.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5468744.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2868330.exe

Filesize
307KB

MD5
d5899a8b13ded6a7e0257df840444f69

SHA1
0d5bfe9edef459f9bc33930c8f9ef130bdefd424

SHA256
08695c480bd09de89648ab837f6e6bad34b39565e0d89a659456113db1d148e4

SHA512
0f8ecd0bff71aa6d60d7eaed0a103126ca6609548576807867c77806c40837965f53ce0866f1f7c10fd5e1e2104e3c99af5faab8e9d898018f7c8a88c4045be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2868330.exe

Filesize
307KB

MD5
d5899a8b13ded6a7e0257df840444f69

SHA1
0d5bfe9edef459f9bc33930c8f9ef130bdefd424

SHA256
08695c480bd09de89648ab837f6e6bad34b39565e0d89a659456113db1d148e4

SHA512
0f8ecd0bff71aa6d60d7eaed0a103126ca6609548576807867c77806c40837965f53ce0866f1f7c10fd5e1e2104e3c99af5faab8e9d898018f7c8a88c4045be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3725173.exe

Filesize
175KB

MD5
81d8e0822cd84309d6b3233d00730923

SHA1
4c57c2635e4ddd7b06233b2f82cb5499680d29e8

SHA256
7bb994b3762467a81b712a65a62b64329b374d03149a0e65a0228a50021a32f9

SHA512
6e1f6633507137b05f0a7e50ae94efc6559c0f516b61f6acb3997de290462685eafcad2d12d95b679f77aadf97bcfe6662339cb5d22266d2ad510e9dd3f8f267

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3725173.exe

Filesize
175KB

MD5
81d8e0822cd84309d6b3233d00730923

SHA1
4c57c2635e4ddd7b06233b2f82cb5499680d29e8

SHA256
7bb994b3762467a81b712a65a62b64329b374d03149a0e65a0228a50021a32f9

SHA512
6e1f6633507137b05f0a7e50ae94efc6559c0f516b61f6acb3997de290462685eafcad2d12d95b679f77aadf97bcfe6662339cb5d22266d2ad510e9dd3f8f267

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5468744.exe

Filesize
136KB

MD5
39a7bd63ce9b770e395b034ef887b79c

SHA1
786767f2254bea4e4c50779dca2e2fe4366208aa

SHA256
5f58f58a43da02d7fbbeea6923b5967c0907064391e8f6abcceee4130e39a8ca

SHA512
f27e567a451b03fa470a2e4740150d102bc96498cbbff95d84e88b56bc8797c8a40cedf29d174383747e1f91dee8319de517ad7c221209f255f801636a6f2ca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5468744.exe

Filesize
136KB

MD5
39a7bd63ce9b770e395b034ef887b79c

SHA1
786767f2254bea4e4c50779dca2e2fe4366208aa

SHA256
5f58f58a43da02d7fbbeea6923b5967c0907064391e8f6abcceee4130e39a8ca

SHA512
f27e567a451b03fa470a2e4740150d102bc96498cbbff95d84e88b56bc8797c8a40cedf29d174383747e1f91dee8319de517ad7c221209f255f801636a6f2ca4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2868330.exe

Filesize
307KB

MD5
d5899a8b13ded6a7e0257df840444f69

SHA1
0d5bfe9edef459f9bc33930c8f9ef130bdefd424

SHA256
08695c480bd09de89648ab837f6e6bad34b39565e0d89a659456113db1d148e4

SHA512
0f8ecd0bff71aa6d60d7eaed0a103126ca6609548576807867c77806c40837965f53ce0866f1f7c10fd5e1e2104e3c99af5faab8e9d898018f7c8a88c4045be3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2868330.exe

Filesize
307KB

MD5
d5899a8b13ded6a7e0257df840444f69

SHA1
0d5bfe9edef459f9bc33930c8f9ef130bdefd424

SHA256
08695c480bd09de89648ab837f6e6bad34b39565e0d89a659456113db1d148e4

SHA512
0f8ecd0bff71aa6d60d7eaed0a103126ca6609548576807867c77806c40837965f53ce0866f1f7c10fd5e1e2104e3c99af5faab8e9d898018f7c8a88c4045be3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3725173.exe

Filesize
175KB

MD5
81d8e0822cd84309d6b3233d00730923

SHA1
4c57c2635e4ddd7b06233b2f82cb5499680d29e8

SHA256
7bb994b3762467a81b712a65a62b64329b374d03149a0e65a0228a50021a32f9

SHA512
6e1f6633507137b05f0a7e50ae94efc6559c0f516b61f6acb3997de290462685eafcad2d12d95b679f77aadf97bcfe6662339cb5d22266d2ad510e9dd3f8f267

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3725173.exe

Filesize
175KB

MD5
81d8e0822cd84309d6b3233d00730923

SHA1
4c57c2635e4ddd7b06233b2f82cb5499680d29e8

SHA256
7bb994b3762467a81b712a65a62b64329b374d03149a0e65a0228a50021a32f9

SHA512
6e1f6633507137b05f0a7e50ae94efc6559c0f516b61f6acb3997de290462685eafcad2d12d95b679f77aadf97bcfe6662339cb5d22266d2ad510e9dd3f8f267

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5468744.exe

Filesize
136KB

MD5
39a7bd63ce9b770e395b034ef887b79c

SHA1
786767f2254bea4e4c50779dca2e2fe4366208aa

SHA256
5f58f58a43da02d7fbbeea6923b5967c0907064391e8f6abcceee4130e39a8ca

SHA512
f27e567a451b03fa470a2e4740150d102bc96498cbbff95d84e88b56bc8797c8a40cedf29d174383747e1f91dee8319de517ad7c221209f255f801636a6f2ca4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5468744.exe

Filesize
136KB

MD5
39a7bd63ce9b770e395b034ef887b79c

SHA1
786767f2254bea4e4c50779dca2e2fe4366208aa

SHA256
5f58f58a43da02d7fbbeea6923b5967c0907064391e8f6abcceee4130e39a8ca

SHA512
f27e567a451b03fa470a2e4740150d102bc96498cbbff95d84e88b56bc8797c8a40cedf29d174383747e1f91dee8319de517ad7c221209f255f801636a6f2ca4

Download Submit
memory/868-87-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/868-99-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/868-83-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/868-85-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/868-79-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/868-89-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/868-95-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/868-93-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/868-91-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/868-103-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/868-101-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/868-81-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/868-97-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/868-104-0x00000000049B0000-0x00000000049F0000-memory.dmp

Filesize
256KB

Download
memory/868-105-0x00000000049B0000-0x00000000049F0000-memory.dmp

Filesize
256KB

Download
memory/868-77-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/868-76-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/868-75-0x0000000002150000-0x0000000002168000-memory.dmp

Filesize
96KB

Download
memory/868-74-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/1280-112-0x0000000000D10000-0x0000000000D38000-memory.dmp

Filesize
160KB

Download
memory/1280-113-0x0000000007210000-0x0000000007250000-memory.dmp

Filesize
256KB

Download
memory/1280-114-0x0000000007210000-0x0000000007250000-memory.dmp

Filesize
256KB

Download