62713b51eb2d5b96aafaedd0694a98eeb1c789088d6fafe2413ebf4840713d96

Analysis

max time kernel
151s
max time network
180s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 22:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

62713b51eb2d5b96aafaedd0694a98eeb1c789088d6fafe2413ebf4840713d96.exe
Size

612KB
MD5

a4bdc0f62627ab07b3208783af5c4f39
SHA1

9a72092bd310b933ad3ed6aac61c7a1d746749de
SHA256

62713b51eb2d5b96aafaedd0694a98eeb1c789088d6fafe2413ebf4840713d96
SHA512

d8b10b7f9ffc2f0dd27da8545256aae966fabda402c3d418662bb6465b129a365af734092474271505cda0968a5869fefb1ae7969fc105485a44829a85d1cff3
SSDEEP

12288:hy90oDzheLPFFwqi6WJxIwYzAAb3nRqU2:hy7DzheFFfDuVYsAbBqh

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	05098627.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	05098627.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	05098627.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	05098627.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	05098627.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	05098627.exe

Executes dropped EXE 3 IoCs

pid	Process
1304	st774254.exe
912	05098627.exe
596	kp605407.exe

Loads dropped DLL 6 IoCs

pid	Process
1472	62713b51eb2d5b96aafaedd0694a98eeb1c789088d6fafe2413ebf4840713d96.exe
1304	st774254.exe
1304	st774254.exe
1304	st774254.exe
1304	st774254.exe
596	kp605407.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	05098627.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	05098627.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	62713b51eb2d5b96aafaedd0694a98eeb1c789088d6fafe2413ebf4840713d96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	62713b51eb2d5b96aafaedd0694a98eeb1c789088d6fafe2413ebf4840713d96.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	st774254.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st774254.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
912	05098627.exe
912	05098627.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	912	05098627.exe
Token: SeDebugPrivilege	596	kp605407.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 1304	1472	62713b51eb2d5b96aafaedd0694a98eeb1c789088d6fafe2413ebf4840713d96.exe	28
PID 1472 wrote to memory of 1304	1472	62713b51eb2d5b96aafaedd0694a98eeb1c789088d6fafe2413ebf4840713d96.exe	28
PID 1472 wrote to memory of 1304	1472	62713b51eb2d5b96aafaedd0694a98eeb1c789088d6fafe2413ebf4840713d96.exe	28
PID 1472 wrote to memory of 1304	1472	62713b51eb2d5b96aafaedd0694a98eeb1c789088d6fafe2413ebf4840713d96.exe	28
PID 1472 wrote to memory of 1304	1472	62713b51eb2d5b96aafaedd0694a98eeb1c789088d6fafe2413ebf4840713d96.exe	28
PID 1472 wrote to memory of 1304	1472	62713b51eb2d5b96aafaedd0694a98eeb1c789088d6fafe2413ebf4840713d96.exe	28
PID 1472 wrote to memory of 1304	1472	62713b51eb2d5b96aafaedd0694a98eeb1c789088d6fafe2413ebf4840713d96.exe	28
PID 1304 wrote to memory of 912	1304	st774254.exe	29
PID 1304 wrote to memory of 912	1304	st774254.exe	29
PID 1304 wrote to memory of 912	1304	st774254.exe	29
PID 1304 wrote to memory of 912	1304	st774254.exe	29
PID 1304 wrote to memory of 912	1304	st774254.exe	29
PID 1304 wrote to memory of 912	1304	st774254.exe	29
PID 1304 wrote to memory of 912	1304	st774254.exe	29
PID 1304 wrote to memory of 596	1304	st774254.exe	30
PID 1304 wrote to memory of 596	1304	st774254.exe	30
PID 1304 wrote to memory of 596	1304	st774254.exe	30
PID 1304 wrote to memory of 596	1304	st774254.exe	30
PID 1304 wrote to memory of 596	1304	st774254.exe	30
PID 1304 wrote to memory of 596	1304	st774254.exe	30
PID 1304 wrote to memory of 596	1304	st774254.exe	30

C:\Users\Admin\AppData\Local\Temp\62713b51eb2d5b96aafaedd0694a98eeb1c789088d6fafe2413ebf4840713d96.exe
"C:\Users\Admin\AppData\Local\Temp\62713b51eb2d5b96aafaedd0694a98eeb1c789088d6fafe2413ebf4840713d96.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st774254.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st774254.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\05098627.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\05098627.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:912
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp605407.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp605407.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st774254.exe

Filesize
458KB

MD5
d545ff49b460f93591dd1e0ea1c838c3

SHA1
16c0ba9d1810a82e082ca48164cbb3e31fd8e14d

SHA256
7845dd5801986ab691e77730d752068295d32243ce8f3360ddb95c117f38dc2a

SHA512
5bfe45a8e9518a563b84cce3603468db071309fe50d0ac64df814380fb68bf3bb8eb9dec8cccd750d2ec9f524080b950deb9453a0ce0c4f9c9ab8454d2e32620

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st774254.exe

Filesize
458KB

MD5
d545ff49b460f93591dd1e0ea1c838c3

SHA1
16c0ba9d1810a82e082ca48164cbb3e31fd8e14d

SHA256
7845dd5801986ab691e77730d752068295d32243ce8f3360ddb95c117f38dc2a

SHA512
5bfe45a8e9518a563b84cce3603468db071309fe50d0ac64df814380fb68bf3bb8eb9dec8cccd750d2ec9f524080b950deb9453a0ce0c4f9c9ab8454d2e32620

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\05098627.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\05098627.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp605407.exe

Filesize
460KB

MD5
a1b4b5e4c11d02692291dd5da62ba1c0

SHA1
56a98c918430f462123b9ce93871bd321eb130b8

SHA256
b0e803cf5deaa1a9a38c23309037be8d31d21c92967a02f792a503024c4b476a

SHA512
38919204c93b31344df2ce2004d1a0e964f6e939f88a6b373d1b6693a6d29ce95aa4e63c6ce01ce13af12210c1903fd629751ed752a97e9ce27288a1a8d82c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp605407.exe

Filesize
460KB

MD5
a1b4b5e4c11d02692291dd5da62ba1c0

SHA1
56a98c918430f462123b9ce93871bd321eb130b8

SHA256
b0e803cf5deaa1a9a38c23309037be8d31d21c92967a02f792a503024c4b476a

SHA512
38919204c93b31344df2ce2004d1a0e964f6e939f88a6b373d1b6693a6d29ce95aa4e63c6ce01ce13af12210c1903fd629751ed752a97e9ce27288a1a8d82c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp605407.exe

Filesize
460KB

MD5
a1b4b5e4c11d02692291dd5da62ba1c0

SHA1
56a98c918430f462123b9ce93871bd321eb130b8

SHA256
b0e803cf5deaa1a9a38c23309037be8d31d21c92967a02f792a503024c4b476a

SHA512
38919204c93b31344df2ce2004d1a0e964f6e939f88a6b373d1b6693a6d29ce95aa4e63c6ce01ce13af12210c1903fd629751ed752a97e9ce27288a1a8d82c20

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st774254.exe

Filesize
458KB

MD5
d545ff49b460f93591dd1e0ea1c838c3

SHA1
16c0ba9d1810a82e082ca48164cbb3e31fd8e14d

SHA256
7845dd5801986ab691e77730d752068295d32243ce8f3360ddb95c117f38dc2a

SHA512
5bfe45a8e9518a563b84cce3603468db071309fe50d0ac64df814380fb68bf3bb8eb9dec8cccd750d2ec9f524080b950deb9453a0ce0c4f9c9ab8454d2e32620

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st774254.exe

Filesize
458KB

MD5
d545ff49b460f93591dd1e0ea1c838c3

SHA1
16c0ba9d1810a82e082ca48164cbb3e31fd8e14d

SHA256
7845dd5801986ab691e77730d752068295d32243ce8f3360ddb95c117f38dc2a

SHA512
5bfe45a8e9518a563b84cce3603468db071309fe50d0ac64df814380fb68bf3bb8eb9dec8cccd750d2ec9f524080b950deb9453a0ce0c4f9c9ab8454d2e32620

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\05098627.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp605407.exe

Filesize
460KB

MD5
a1b4b5e4c11d02692291dd5da62ba1c0

SHA1
56a98c918430f462123b9ce93871bd321eb130b8

SHA256
b0e803cf5deaa1a9a38c23309037be8d31d21c92967a02f792a503024c4b476a

SHA512
38919204c93b31344df2ce2004d1a0e964f6e939f88a6b373d1b6693a6d29ce95aa4e63c6ce01ce13af12210c1903fd629751ed752a97e9ce27288a1a8d82c20

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp605407.exe

Filesize
460KB

MD5
a1b4b5e4c11d02692291dd5da62ba1c0

SHA1
56a98c918430f462123b9ce93871bd321eb130b8

SHA256
b0e803cf5deaa1a9a38c23309037be8d31d21c92967a02f792a503024c4b476a

SHA512
38919204c93b31344df2ce2004d1a0e964f6e939f88a6b373d1b6693a6d29ce95aa4e63c6ce01ce13af12210c1903fd629751ed752a97e9ce27288a1a8d82c20

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp605407.exe

Filesize
460KB

MD5
a1b4b5e4c11d02692291dd5da62ba1c0

SHA1
56a98c918430f462123b9ce93871bd321eb130b8

SHA256
b0e803cf5deaa1a9a38c23309037be8d31d21c92967a02f792a503024c4b476a

SHA512
38919204c93b31344df2ce2004d1a0e964f6e939f88a6b373d1b6693a6d29ce95aa4e63c6ce01ce13af12210c1903fd629751ed752a97e9ce27288a1a8d82c20

Download Submit
memory/596-104-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-120-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-84-0x0000000002800000-0x000000000283A000-memory.dmp

Filesize
232KB

Download
memory/596-85-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-86-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-88-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-90-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-92-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-94-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-98-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-96-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-100-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-102-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-884-0x0000000002530000-0x0000000002570000-memory.dmp

Filesize
256KB

Download
memory/596-106-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-108-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-110-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-112-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-114-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-116-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-118-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-83-0x0000000002680000-0x00000000026BC000-memory.dmp

Filesize
240KB

Download
memory/596-122-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-124-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-126-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-128-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-130-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-132-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-134-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-136-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-138-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-140-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-142-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-144-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-146-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-148-0x0000000002800000-0x0000000002835000-memory.dmp

Filesize
212KB

Download
memory/596-375-0x00000000002D0000-0x0000000000316000-memory.dmp

Filesize
280KB

Download
memory/596-377-0x0000000002530000-0x0000000002570000-memory.dmp

Filesize
256KB

Download
memory/596-379-0x0000000002530000-0x0000000002570000-memory.dmp

Filesize
256KB

Download
memory/596-880-0x0000000002530000-0x0000000002570000-memory.dmp

Filesize
256KB

Download
memory/596-882-0x0000000002530000-0x0000000002570000-memory.dmp

Filesize
256KB

Download
memory/912-72-0x0000000000AF0000-0x0000000000AFA000-memory.dmp

Filesize
40KB

Download