3fceb187d5a1e155c96e225fbf5d511271f3c5c513276a86e341a9ed0cdb6bd7

General

Target

3fceb187d5a1e155c96e225fbf5d511271f3c5c513276a86e341a9ed0cdb6bd7.exe
Size

1.2MB
MD5

9cf7f51516771e62d4560302dfd9fed4
SHA1

402f81d97740636dbd8e9d04d5e8d9a59ecd44f1
SHA256

3fceb187d5a1e155c96e225fbf5d511271f3c5c513276a86e341a9ed0cdb6bd7
SHA512

9235f7b74e7d3f6d1e8e7906ad66fd623dc9bc82f27a005ee63d8f55f0158cb95480ff99376ae711cd131d15b60a99e1b2b6a97e9afb147483a2723cbb77d8d6
SSDEEP

24576:ky0NGasfqF5mdhzjdXLyTfokn98YoLSgBHIxmhUsmmsNMRf:zLasfLhzjFq2X9BuOUsCN

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	n0551794.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	n0551794.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	n0551794.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	n0551794.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	n0551794.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	n0551794.exe

Executes dropped EXE 4 IoCs

pid	Process
320	z6056680.exe
4972	z0509872.exe
4996	z0623982.exe
3544	n0551794.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	n0551794.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	n0551794.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6056680.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z0509872.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z0509872.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z0623982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z0623982.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3fceb187d5a1e155c96e225fbf5d511271f3c5c513276a86e341a9ed0cdb6bd7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3fceb187d5a1e155c96e225fbf5d511271f3c5c513276a86e341a9ed0cdb6bd7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z6056680.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3184	3544	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3544	n0551794.exe
3544	n0551794.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3544	n0551794.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 320	1404	3fceb187d5a1e155c96e225fbf5d511271f3c5c513276a86e341a9ed0cdb6bd7.exe	80
PID 1404 wrote to memory of 320	1404	3fceb187d5a1e155c96e225fbf5d511271f3c5c513276a86e341a9ed0cdb6bd7.exe	80
PID 1404 wrote to memory of 320	1404	3fceb187d5a1e155c96e225fbf5d511271f3c5c513276a86e341a9ed0cdb6bd7.exe	80
PID 320 wrote to memory of 4972	320	z6056680.exe	81
PID 320 wrote to memory of 4972	320	z6056680.exe	81
PID 320 wrote to memory of 4972	320	z6056680.exe	81
PID 4972 wrote to memory of 4996	4972	z0509872.exe	82
PID 4972 wrote to memory of 4996	4972	z0509872.exe	82
PID 4972 wrote to memory of 4996	4972	z0509872.exe	82
PID 4996 wrote to memory of 3544	4996	z0623982.exe	83
PID 4996 wrote to memory of 3544	4996	z0623982.exe	83
PID 4996 wrote to memory of 3544	4996	z0623982.exe	83

C:\Users\Admin\AppData\Local\Temp\3fceb187d5a1e155c96e225fbf5d511271f3c5c513276a86e341a9ed0cdb6bd7.exe
"C:\Users\Admin\AppData\Local\Temp\3fceb187d5a1e155c96e225fbf5d511271f3c5c513276a86e341a9ed0cdb6bd7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6056680.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6056680.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0509872.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0509872.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4972
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0623982.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0623982.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4996
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n0551794.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n0551794.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3544
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 1084
        6⤵
        Program crash
        
        PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3544 -ip 3544
1⤵
PID:4332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6056680.exe

Filesize
1.0MB

MD5
3e70ce9b7d13c3bf017d0c7535942549

SHA1
5e0f52b45a45a560d0172bdb5fb46b5794f843f3

SHA256
6bcd2349bf5fce02215f505c74769e2e42223dd5b466427e9d6f8fb2d1d33270

SHA512
6132d54ee053cc3bbf9f568eb65a9c1050a4c6bbe1c6966eaacc896977a802f6a69c80fe683fcb96acd4e9e94b116048cdbaae77bd131a5a6c295fb02805ab1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6056680.exe

Filesize
1.0MB

MD5
3e70ce9b7d13c3bf017d0c7535942549

SHA1
5e0f52b45a45a560d0172bdb5fb46b5794f843f3

SHA256
6bcd2349bf5fce02215f505c74769e2e42223dd5b466427e9d6f8fb2d1d33270

SHA512
6132d54ee053cc3bbf9f568eb65a9c1050a4c6bbe1c6966eaacc896977a802f6a69c80fe683fcb96acd4e9e94b116048cdbaae77bd131a5a6c295fb02805ab1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0509872.exe

Filesize
589KB

MD5
e87d89338395884418d55a943c2a92be

SHA1
0105c105a01e3d2e85f401316e6b00fca5285266

SHA256
45fdb78546b33fc3bcdd7508aa062d80d926a4d7ea2ebd0c0ab880f230ce68a9

SHA512
c0199fed677f08dda8260885e75a5c4b6c8572160e3a71c8002ee07d466741c0d71232b4fd746bae7a764bdd8494994de584dda5dff3e92c3233e735996cda38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0509872.exe

Filesize
589KB

MD5
e87d89338395884418d55a943c2a92be

SHA1
0105c105a01e3d2e85f401316e6b00fca5285266

SHA256
45fdb78546b33fc3bcdd7508aa062d80d926a4d7ea2ebd0c0ab880f230ce68a9

SHA512
c0199fed677f08dda8260885e75a5c4b6c8572160e3a71c8002ee07d466741c0d71232b4fd746bae7a764bdd8494994de584dda5dff3e92c3233e735996cda38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0623982.exe

Filesize
385KB

MD5
d70f9ca6e1a0111906b00a85e686a1c6

SHA1
1e6af463c0e745e70e42d5bb137e6362ab9c7384

SHA256
187f8daa0c704ce71805b3c3ed4c3cffdef67a8887008ce928b8af0f39c94dd3

SHA512
7f8678c19d627731ddf273991bfc75845f4f6ca3d4b6ae030dc8ab8bbe16b9f40b60a8042374db6e71a0c7349480fa64e90264599ddfa4cab07c2cb0931a3d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0623982.exe

Filesize
385KB

MD5
d70f9ca6e1a0111906b00a85e686a1c6

SHA1
1e6af463c0e745e70e42d5bb137e6362ab9c7384

SHA256
187f8daa0c704ce71805b3c3ed4c3cffdef67a8887008ce928b8af0f39c94dd3

SHA512
7f8678c19d627731ddf273991bfc75845f4f6ca3d4b6ae030dc8ab8bbe16b9f40b60a8042374db6e71a0c7349480fa64e90264599ddfa4cab07c2cb0931a3d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n0551794.exe

Filesize
292KB

MD5
06c251347b9b847229a1fd3d451582dc

SHA1
96db494e4281ee9be5161f7be3d060ebfb8c0be3

SHA256
11a34a403eae651bd9b86839e12b69f927807473c9536a0d63fe7fbd929fa421

SHA512
8e3eb8f51e28754a815922a6770558d0f30ebe64d49292945f3144bd9103db6bce50f07ac60d77f0ce10a1e4c0f45afd15559856488b96b9cf91f9900926155c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n0551794.exe

Filesize
292KB

MD5
06c251347b9b847229a1fd3d451582dc

SHA1
96db494e4281ee9be5161f7be3d060ebfb8c0be3

SHA256
11a34a403eae651bd9b86839e12b69f927807473c9536a0d63fe7fbd929fa421

SHA512
8e3eb8f51e28754a815922a6770558d0f30ebe64d49292945f3144bd9103db6bce50f07ac60d77f0ce10a1e4c0f45afd15559856488b96b9cf91f9900926155c

Download Submit
memory/3544-162-0x0000000000550000-0x000000000057D000-memory.dmp

Filesize
180KB

Download
memory/3544-163-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3544-164-0x0000000004C00000-0x00000000051A4000-memory.dmp

Filesize
5.6MB

Download
memory/3544-165-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/3544-166-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/3544-168-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/3544-170-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/3544-172-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/3544-174-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/3544-176-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/3544-178-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/3544-180-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/3544-182-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/3544-184-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/3544-186-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/3544-188-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/3544-190-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/3544-192-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/3544-193-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/3544-194-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/3544-195-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/3544-196-0x0000000000550000-0x000000000057D000-memory.dmp

Filesize
180KB

Download
memory/3544-197-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3544-198-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/3544-199-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/3544-200-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/3544-206-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads