3f9a721fb23dfc2cab22a51c8504242df4c4d4d9d3d959f70ad6e74daaa8481a

Analysis

max time kernel
147s
max time network
164s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 21:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3f9a721fb23dfc2cab22a51c8504242df4c4d4d9d3d959f70ad6e74daaa8481a.exe
Size

701KB
MD5

b662c299994703ccd49b4c032f0de1f4
SHA1

2303bb48e94f7896f10cfc1db26f7ab74bb79471
SHA256

3f9a721fb23dfc2cab22a51c8504242df4c4d4d9d3d959f70ad6e74daaa8481a
SHA512

742832add53ac134b1e07a99b31dc23a3b2e8da478d788f402e7753653142bed19d7d13e649bfe04d27df3b97cf76405d4b836009a40a880562363f3ada4d3af
SSDEEP

12288:qy90JiVhz2WItgXBKUIB3MTf5U5maLc3pxGxjkfRiRteAObiUfgX:qyg82MhI9sjlpISRiRteAylfgX

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	63842440.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	63842440.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	63842440.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	63842440.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	63842440.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	63842440.exe

Executes dropped EXE 3 IoCs

pid	Process
2016	un402569.exe
1344	63842440.exe
1536	rk578276.exe

Loads dropped DLL 8 IoCs

pid	Process
836	3f9a721fb23dfc2cab22a51c8504242df4c4d4d9d3d959f70ad6e74daaa8481a.exe
2016	un402569.exe
2016	un402569.exe
2016	un402569.exe
1344	63842440.exe
2016	un402569.exe
2016	un402569.exe
1536	rk578276.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	63842440.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	63842440.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3f9a721fb23dfc2cab22a51c8504242df4c4d4d9d3d959f70ad6e74daaa8481a.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un402569.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un402569.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3f9a721fb23dfc2cab22a51c8504242df4c4d4d9d3d959f70ad6e74daaa8481a.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1344	63842440.exe
1344	63842440.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1344	63842440.exe
Token: SeDebugPrivilege	1536	rk578276.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 2016	836	3f9a721fb23dfc2cab22a51c8504242df4c4d4d9d3d959f70ad6e74daaa8481a.exe	27
PID 836 wrote to memory of 2016	836	3f9a721fb23dfc2cab22a51c8504242df4c4d4d9d3d959f70ad6e74daaa8481a.exe	27
PID 836 wrote to memory of 2016	836	3f9a721fb23dfc2cab22a51c8504242df4c4d4d9d3d959f70ad6e74daaa8481a.exe	27
PID 836 wrote to memory of 2016	836	3f9a721fb23dfc2cab22a51c8504242df4c4d4d9d3d959f70ad6e74daaa8481a.exe	27
PID 836 wrote to memory of 2016	836	3f9a721fb23dfc2cab22a51c8504242df4c4d4d9d3d959f70ad6e74daaa8481a.exe	27
PID 836 wrote to memory of 2016	836	3f9a721fb23dfc2cab22a51c8504242df4c4d4d9d3d959f70ad6e74daaa8481a.exe	27
PID 836 wrote to memory of 2016	836	3f9a721fb23dfc2cab22a51c8504242df4c4d4d9d3d959f70ad6e74daaa8481a.exe	27
PID 2016 wrote to memory of 1344	2016	un402569.exe	28
PID 2016 wrote to memory of 1344	2016	un402569.exe	28
PID 2016 wrote to memory of 1344	2016	un402569.exe	28
PID 2016 wrote to memory of 1344	2016	un402569.exe	28
PID 2016 wrote to memory of 1344	2016	un402569.exe	28
PID 2016 wrote to memory of 1344	2016	un402569.exe	28
PID 2016 wrote to memory of 1344	2016	un402569.exe	28
PID 2016 wrote to memory of 1536	2016	un402569.exe	29
PID 2016 wrote to memory of 1536	2016	un402569.exe	29
PID 2016 wrote to memory of 1536	2016	un402569.exe	29
PID 2016 wrote to memory of 1536	2016	un402569.exe	29
PID 2016 wrote to memory of 1536	2016	un402569.exe	29
PID 2016 wrote to memory of 1536	2016	un402569.exe	29
PID 2016 wrote to memory of 1536	2016	un402569.exe	29

C:\Users\Admin\AppData\Local\Temp\3f9a721fb23dfc2cab22a51c8504242df4c4d4d9d3d959f70ad6e74daaa8481a.exe
"C:\Users\Admin\AppData\Local\Temp\3f9a721fb23dfc2cab22a51c8504242df4c4d4d9d3d959f70ad6e74daaa8481a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:836
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un402569.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un402569.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\63842440.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\63842440.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1344
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk578276.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk578276.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un402569.exe

Filesize
547KB

MD5
94f33a5ace4ee1622a7bbc2dc8593384

SHA1
971414c18b1f3610cf660b46f1d0387e72b3d8de

SHA256
7fc90e44ec7078a544c0f82437b872d69cd571d71b8827f6031c66430352a95e

SHA512
3fd1b0fcd0512324195d5ea06c108c3b1932e1148a624d86cf29d414259266fc5fb6d7582a2b83311165a6db14d0d5b9b761b8b92f4c82d3afbacba95ab27379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un402569.exe

Filesize
547KB

MD5
94f33a5ace4ee1622a7bbc2dc8593384

SHA1
971414c18b1f3610cf660b46f1d0387e72b3d8de

SHA256
7fc90e44ec7078a544c0f82437b872d69cd571d71b8827f6031c66430352a95e

SHA512
3fd1b0fcd0512324195d5ea06c108c3b1932e1148a624d86cf29d414259266fc5fb6d7582a2b83311165a6db14d0d5b9b761b8b92f4c82d3afbacba95ab27379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\63842440.exe

Filesize
270KB

MD5
e32954da5fadcbc27cbaf354162f7c47

SHA1
e33410ca07f244fbfd3bff2bbfc52bae49529c50

SHA256
d8a1d2420af20fcaa7ad3d285024506dbb803db18e3eab50aa32beb7760eb813

SHA512
3175bbde71428979576f818c8d2e089192802cb2b81b57d1ddacb627355888526aba8b56c34e83474f6a5d8af954ded672cc51d4730811ad959ae2316ed589de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\63842440.exe

Filesize
270KB

MD5
e32954da5fadcbc27cbaf354162f7c47

SHA1
e33410ca07f244fbfd3bff2bbfc52bae49529c50

SHA256
d8a1d2420af20fcaa7ad3d285024506dbb803db18e3eab50aa32beb7760eb813

SHA512
3175bbde71428979576f818c8d2e089192802cb2b81b57d1ddacb627355888526aba8b56c34e83474f6a5d8af954ded672cc51d4730811ad959ae2316ed589de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\63842440.exe

Filesize
270KB

MD5
e32954da5fadcbc27cbaf354162f7c47

SHA1
e33410ca07f244fbfd3bff2bbfc52bae49529c50

SHA256
d8a1d2420af20fcaa7ad3d285024506dbb803db18e3eab50aa32beb7760eb813

SHA512
3175bbde71428979576f818c8d2e089192802cb2b81b57d1ddacb627355888526aba8b56c34e83474f6a5d8af954ded672cc51d4730811ad959ae2316ed589de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk578276.exe

Filesize
353KB

MD5
6cd196e2fce2a69001d3599ea9d80e8a

SHA1
2cda9072ebbce4f363215486453cde464f8f4e13

SHA256
7ca530e2c31f48ca8309c0731e538d043cf51bc5bc347086327f620f2be11928

SHA512
4b907325c3feb8657c9b23b9cdfa030e826a676d1759ae05ebd956aa6545e32a9d4f87c2400d6f1f0d440136db5706fa82192ff6a1225afb524fcd12dd9fdba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk578276.exe

Filesize
353KB

MD5
6cd196e2fce2a69001d3599ea9d80e8a

SHA1
2cda9072ebbce4f363215486453cde464f8f4e13

SHA256
7ca530e2c31f48ca8309c0731e538d043cf51bc5bc347086327f620f2be11928

SHA512
4b907325c3feb8657c9b23b9cdfa030e826a676d1759ae05ebd956aa6545e32a9d4f87c2400d6f1f0d440136db5706fa82192ff6a1225afb524fcd12dd9fdba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk578276.exe

Filesize
353KB

MD5
6cd196e2fce2a69001d3599ea9d80e8a

SHA1
2cda9072ebbce4f363215486453cde464f8f4e13

SHA256
7ca530e2c31f48ca8309c0731e538d043cf51bc5bc347086327f620f2be11928

SHA512
4b907325c3feb8657c9b23b9cdfa030e826a676d1759ae05ebd956aa6545e32a9d4f87c2400d6f1f0d440136db5706fa82192ff6a1225afb524fcd12dd9fdba1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un402569.exe

Filesize
547KB

MD5
94f33a5ace4ee1622a7bbc2dc8593384

SHA1
971414c18b1f3610cf660b46f1d0387e72b3d8de

SHA256
7fc90e44ec7078a544c0f82437b872d69cd571d71b8827f6031c66430352a95e

SHA512
3fd1b0fcd0512324195d5ea06c108c3b1932e1148a624d86cf29d414259266fc5fb6d7582a2b83311165a6db14d0d5b9b761b8b92f4c82d3afbacba95ab27379

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un402569.exe

Filesize
547KB

MD5
94f33a5ace4ee1622a7bbc2dc8593384

SHA1
971414c18b1f3610cf660b46f1d0387e72b3d8de

SHA256
7fc90e44ec7078a544c0f82437b872d69cd571d71b8827f6031c66430352a95e

SHA512
3fd1b0fcd0512324195d5ea06c108c3b1932e1148a624d86cf29d414259266fc5fb6d7582a2b83311165a6db14d0d5b9b761b8b92f4c82d3afbacba95ab27379

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\63842440.exe

Filesize
270KB

MD5
e32954da5fadcbc27cbaf354162f7c47

SHA1
e33410ca07f244fbfd3bff2bbfc52bae49529c50

SHA256
d8a1d2420af20fcaa7ad3d285024506dbb803db18e3eab50aa32beb7760eb813

SHA512
3175bbde71428979576f818c8d2e089192802cb2b81b57d1ddacb627355888526aba8b56c34e83474f6a5d8af954ded672cc51d4730811ad959ae2316ed589de

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\63842440.exe

Filesize
270KB

MD5
e32954da5fadcbc27cbaf354162f7c47

SHA1
e33410ca07f244fbfd3bff2bbfc52bae49529c50

SHA256
d8a1d2420af20fcaa7ad3d285024506dbb803db18e3eab50aa32beb7760eb813

SHA512
3175bbde71428979576f818c8d2e089192802cb2b81b57d1ddacb627355888526aba8b56c34e83474f6a5d8af954ded672cc51d4730811ad959ae2316ed589de

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\63842440.exe

Filesize
270KB

MD5
e32954da5fadcbc27cbaf354162f7c47

SHA1
e33410ca07f244fbfd3bff2bbfc52bae49529c50

SHA256
d8a1d2420af20fcaa7ad3d285024506dbb803db18e3eab50aa32beb7760eb813

SHA512
3175bbde71428979576f818c8d2e089192802cb2b81b57d1ddacb627355888526aba8b56c34e83474f6a5d8af954ded672cc51d4730811ad959ae2316ed589de

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk578276.exe

Filesize
353KB

MD5
6cd196e2fce2a69001d3599ea9d80e8a

SHA1
2cda9072ebbce4f363215486453cde464f8f4e13

SHA256
7ca530e2c31f48ca8309c0731e538d043cf51bc5bc347086327f620f2be11928

SHA512
4b907325c3feb8657c9b23b9cdfa030e826a676d1759ae05ebd956aa6545e32a9d4f87c2400d6f1f0d440136db5706fa82192ff6a1225afb524fcd12dd9fdba1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk578276.exe

Filesize
353KB

MD5
6cd196e2fce2a69001d3599ea9d80e8a

SHA1
2cda9072ebbce4f363215486453cde464f8f4e13

SHA256
7ca530e2c31f48ca8309c0731e538d043cf51bc5bc347086327f620f2be11928

SHA512
4b907325c3feb8657c9b23b9cdfa030e826a676d1759ae05ebd956aa6545e32a9d4f87c2400d6f1f0d440136db5706fa82192ff6a1225afb524fcd12dd9fdba1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk578276.exe

Filesize
353KB

MD5
6cd196e2fce2a69001d3599ea9d80e8a

SHA1
2cda9072ebbce4f363215486453cde464f8f4e13

SHA256
7ca530e2c31f48ca8309c0731e538d043cf51bc5bc347086327f620f2be11928

SHA512
4b907325c3feb8657c9b23b9cdfa030e826a676d1759ae05ebd956aa6545e32a9d4f87c2400d6f1f0d440136db5706fa82192ff6a1225afb524fcd12dd9fdba1

Download Submit
memory/1344-110-0x0000000003100000-0x0000000003112000-memory.dmp

Filesize
72KB

Download
memory/1344-84-0x0000000003100000-0x0000000003112000-memory.dmp

Filesize
72KB

Download
memory/1344-86-0x0000000003100000-0x0000000003112000-memory.dmp

Filesize
72KB

Download
memory/1344-88-0x0000000003100000-0x0000000003112000-memory.dmp

Filesize
72KB

Download
memory/1344-90-0x0000000003100000-0x0000000003112000-memory.dmp

Filesize
72KB

Download
memory/1344-92-0x0000000003100000-0x0000000003112000-memory.dmp

Filesize
72KB

Download
memory/1344-94-0x0000000003100000-0x0000000003112000-memory.dmp

Filesize
72KB

Download
memory/1344-98-0x0000000003100000-0x0000000003112000-memory.dmp

Filesize
72KB

Download
memory/1344-96-0x0000000003100000-0x0000000003112000-memory.dmp

Filesize
72KB

Download
memory/1344-102-0x0000000003100000-0x0000000003112000-memory.dmp

Filesize
72KB

Download
memory/1344-100-0x0000000003100000-0x0000000003112000-memory.dmp

Filesize
72KB

Download
memory/1344-106-0x0000000003100000-0x0000000003112000-memory.dmp

Filesize
72KB

Download
memory/1344-104-0x0000000003100000-0x0000000003112000-memory.dmp

Filesize
72KB

Download
memory/1344-108-0x0000000003100000-0x0000000003112000-memory.dmp

Filesize
72KB

Download
memory/1344-83-0x0000000003100000-0x0000000003112000-memory.dmp

Filesize
72KB

Download
memory/1344-111-0x0000000000400000-0x0000000002B9F000-memory.dmp

Filesize
39.6MB

Download
memory/1344-82-0x0000000003100000-0x0000000003118000-memory.dmp

Filesize
96KB

Download
memory/1344-81-0x0000000007210000-0x0000000007250000-memory.dmp

Filesize
256KB

Download
memory/1344-80-0x0000000007210000-0x0000000007250000-memory.dmp

Filesize
256KB

Download
memory/1344-79-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/1344-78-0x0000000002C20000-0x0000000002C3A000-memory.dmp

Filesize
104KB

Download
memory/1344-115-0x0000000000400000-0x0000000002B9F000-memory.dmp

Filesize
39.6MB

Download
memory/1536-127-0x0000000003270000-0x00000000032AA000-memory.dmp

Filesize
232KB

Download
memory/1536-145-0x0000000003270000-0x00000000032A5000-memory.dmp

Filesize
212KB

Download
memory/1536-128-0x0000000003270000-0x00000000032A5000-memory.dmp

Filesize
212KB

Download
memory/1536-129-0x0000000003270000-0x00000000032A5000-memory.dmp

Filesize
212KB

Download
memory/1536-131-0x0000000003270000-0x00000000032A5000-memory.dmp

Filesize
212KB

Download
memory/1536-133-0x0000000003270000-0x00000000032A5000-memory.dmp

Filesize
212KB

Download
memory/1536-135-0x0000000003270000-0x00000000032A5000-memory.dmp

Filesize
212KB

Download
memory/1536-137-0x0000000003270000-0x00000000032A5000-memory.dmp

Filesize
212KB

Download
memory/1536-139-0x0000000003270000-0x00000000032A5000-memory.dmp

Filesize
212KB

Download
memory/1536-141-0x0000000003270000-0x00000000032A5000-memory.dmp

Filesize
212KB

Download
memory/1536-143-0x0000000003270000-0x00000000032A5000-memory.dmp

Filesize
212KB

Download
memory/1536-126-0x00000000031F0000-0x000000000322C000-memory.dmp

Filesize
240KB

Download
memory/1536-147-0x0000000003270000-0x00000000032A5000-memory.dmp

Filesize
212KB

Download
memory/1536-149-0x0000000003270000-0x00000000032A5000-memory.dmp

Filesize
212KB

Download
memory/1536-151-0x0000000003270000-0x00000000032A5000-memory.dmp

Filesize
212KB

Download
memory/1536-153-0x0000000003270000-0x00000000032A5000-memory.dmp

Filesize
212KB

Download
memory/1536-155-0x0000000003270000-0x00000000032A5000-memory.dmp

Filesize
212KB

Download
memory/1536-157-0x0000000003270000-0x00000000032A5000-memory.dmp

Filesize
212KB

Download
memory/1536-470-0x0000000000270000-0x00000000002B6000-memory.dmp

Filesize
280KB

Download
memory/1536-472-0x00000000072D0000-0x0000000007310000-memory.dmp

Filesize
256KB

Download
memory/1536-922-0x00000000072D0000-0x0000000007310000-memory.dmp

Filesize
256KB

Download
memory/1536-924-0x00000000072D0000-0x0000000007310000-memory.dmp

Filesize
256KB

Download
memory/1536-926-0x00000000072D0000-0x0000000007310000-memory.dmp

Filesize
256KB

Download