662561ce59f1d19d50c5f5e1f8e6c3ea9678269bae8f8d9d310bcc9053301373

Analysis

max time kernel
308s
max time network
402s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

662561ce59f1d19d50c5f5e1f8e6c3ea9678269bae8f8d9d310bcc9053301373.exe
Size

618KB
MD5

51f46d7c3e0643880d6a7ad7f511e5af
SHA1

301e342102fae2537d136b0cb93fe6b332f3ab86
SHA256

662561ce59f1d19d50c5f5e1f8e6c3ea9678269bae8f8d9d310bcc9053301373
SHA512

00d47cb9308436b9ad017a3894f6c9e41d32d5a44f03a78d7f9a19d31edc30a4688e2275cd1281c31bb201f168e17afc2592a8cf3b46ae8fee52bbe6034f28fe
SSDEEP

12288:1y90ILG7DRQs7RZYagSucZLjTHW5z1WPJ2v+1ZG:1yVoDV2ago165z1WPyQG

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	97711157.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	97711157.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	97711157.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	97711157.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	97711157.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	97711157.exe

Executes dropped EXE 3 IoCs

pid	Process
3584	st316088.exe
5088	97711157.exe
2696	kp809501.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	97711157.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	662561ce59f1d19d50c5f5e1f8e6c3ea9678269bae8f8d9d310bcc9053301373.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	662561ce59f1d19d50c5f5e1f8e6c3ea9678269bae8f8d9d310bcc9053301373.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	st316088.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st316088.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5088	97711157.exe
5088	97711157.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5088	97711157.exe
Token: SeDebugPrivilege	2696	kp809501.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 3584	5108	662561ce59f1d19d50c5f5e1f8e6c3ea9678269bae8f8d9d310bcc9053301373.exe	80
PID 5108 wrote to memory of 3584	5108	662561ce59f1d19d50c5f5e1f8e6c3ea9678269bae8f8d9d310bcc9053301373.exe	80
PID 5108 wrote to memory of 3584	5108	662561ce59f1d19d50c5f5e1f8e6c3ea9678269bae8f8d9d310bcc9053301373.exe	80
PID 3584 wrote to memory of 5088	3584	st316088.exe	81
PID 3584 wrote to memory of 5088	3584	st316088.exe	81
PID 3584 wrote to memory of 2696	3584	st316088.exe	82
PID 3584 wrote to memory of 2696	3584	st316088.exe	82
PID 3584 wrote to memory of 2696	3584	st316088.exe	82

C:\Users\Admin\AppData\Local\Temp\662561ce59f1d19d50c5f5e1f8e6c3ea9678269bae8f8d9d310bcc9053301373.exe
"C:\Users\Admin\AppData\Local\Temp\662561ce59f1d19d50c5f5e1f8e6c3ea9678269bae8f8d9d310bcc9053301373.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st316088.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st316088.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\97711157.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\97711157.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5088
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp809501.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp809501.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st316088.exe

Filesize
464KB

MD5
74b85911d011d404e1714414ca26c046

SHA1
c991b22db2d7cb15b98de559db26469303ae5211

SHA256
8fb000d4b5ea1e768814203fbe14c6015285dae7e2f31bc6607c973456ef84eb

SHA512
06188b1df6c9e208dbcf2c87babafccfec8563de39ff38315d4b1b9adaba068cbf88c7f4c67af476e418f0a25decc618af05a0910e5f1f0381648f3b070e5036

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st316088.exe

Filesize
464KB

MD5
74b85911d011d404e1714414ca26c046

SHA1
c991b22db2d7cb15b98de559db26469303ae5211

SHA256
8fb000d4b5ea1e768814203fbe14c6015285dae7e2f31bc6607c973456ef84eb

SHA512
06188b1df6c9e208dbcf2c87babafccfec8563de39ff38315d4b1b9adaba068cbf88c7f4c67af476e418f0a25decc618af05a0910e5f1f0381648f3b070e5036

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\97711157.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\97711157.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp809501.exe

Filesize
478KB

MD5
bfc0d391966cd5259c28a2ad2a0f0f3e

SHA1
edf2be770c81666bfd2410810bb57949f2729219

SHA256
85c63edc2a48594c62d06fd6e80ddc650b3dcde6151241d261514274ce30691c

SHA512
19add3338ca8afc304e0c70f4a3490d7ec48fd55da41ec9938c5721efad53fa1f7028eede43c1ed05f2378e317198a9a8851cb670bdc7a24b99e0dbf3b211ed8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp809501.exe

Filesize
478KB

MD5
bfc0d391966cd5259c28a2ad2a0f0f3e

SHA1
edf2be770c81666bfd2410810bb57949f2729219

SHA256
85c63edc2a48594c62d06fd6e80ddc650b3dcde6151241d261514274ce30691c

SHA512
19add3338ca8afc304e0c70f4a3490d7ec48fd55da41ec9938c5721efad53fa1f7028eede43c1ed05f2378e317198a9a8851cb670bdc7a24b99e0dbf3b211ed8

Download Submit
memory/2696-181-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-187-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-154-0x0000000004FA0000-0x0000000005544000-memory.dmp

Filesize
5.6MB

Download
memory/2696-155-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/2696-156-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/2696-157-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/2696-158-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-159-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-161-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-163-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-165-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-167-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-169-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-171-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-173-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-175-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-177-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-179-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-957-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/2696-183-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-185-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-153-0x0000000002450000-0x0000000002496000-memory.dmp

Filesize
280KB

Download
memory/2696-189-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-191-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-193-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-195-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-197-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-199-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-201-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-203-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-205-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-207-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-209-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-211-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-213-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-215-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-217-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-219-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-221-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2696-954-0x0000000002450000-0x0000000002496000-memory.dmp

Filesize
280KB

Download
memory/2696-955-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/2696-956-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/5088-147-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download