422f44be3bcf95f126b2bf659640bce30e45f992f381038aeac62f76f9609880

Analysis

max time kernel
145s
max time network
170s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

422f44be3bcf95f126b2bf659640bce30e45f992f381038aeac62f76f9609880.exe
Size

694KB
MD5

9fca21135cb20903f1ba1279ef2e0037
SHA1

c79bac041ae0513c86ca2037d0a0f350436467fb
SHA256

422f44be3bcf95f126b2bf659640bce30e45f992f381038aeac62f76f9609880
SHA512

77b0a6baf0f0a3a4313c986d03f757eedc4f826c910da7f945e61acfce49157d01974cae3050741ead49c42ce3d50c55ca2f0999973452ab945d461cbb486213
SSDEEP

12288:qy90zQVxJjipyjXqcKpi5cBxpwdcrAxmhVNU7W/dXZ2Q19nV792Qal/:qyeQVx1l6tCmxE5ONU7WSa92Dl/

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	43448141.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	43448141.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	43448141.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	43448141.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	43448141.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	43448141.exe

Executes dropped EXE 3 IoCs

pid	Process
1064	un840536.exe
660	43448141.exe
1660	rk181987.exe

Loads dropped DLL 8 IoCs

pid	Process
1376	422f44be3bcf95f126b2bf659640bce30e45f992f381038aeac62f76f9609880.exe
1064	un840536.exe
1064	un840536.exe
1064	un840536.exe
660	43448141.exe
1064	un840536.exe
1064	un840536.exe
1660	rk181987.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	43448141.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	43448141.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	422f44be3bcf95f126b2bf659640bce30e45f992f381038aeac62f76f9609880.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	422f44be3bcf95f126b2bf659640bce30e45f992f381038aeac62f76f9609880.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un840536.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un840536.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
660	43448141.exe
660	43448141.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	660	43448141.exe
Token: SeDebugPrivilege	1660	rk181987.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1064	1376	422f44be3bcf95f126b2bf659640bce30e45f992f381038aeac62f76f9609880.exe	28
PID 1376 wrote to memory of 1064	1376	422f44be3bcf95f126b2bf659640bce30e45f992f381038aeac62f76f9609880.exe	28
PID 1376 wrote to memory of 1064	1376	422f44be3bcf95f126b2bf659640bce30e45f992f381038aeac62f76f9609880.exe	28
PID 1376 wrote to memory of 1064	1376	422f44be3bcf95f126b2bf659640bce30e45f992f381038aeac62f76f9609880.exe	28
PID 1376 wrote to memory of 1064	1376	422f44be3bcf95f126b2bf659640bce30e45f992f381038aeac62f76f9609880.exe	28
PID 1376 wrote to memory of 1064	1376	422f44be3bcf95f126b2bf659640bce30e45f992f381038aeac62f76f9609880.exe	28
PID 1376 wrote to memory of 1064	1376	422f44be3bcf95f126b2bf659640bce30e45f992f381038aeac62f76f9609880.exe	28
PID 1064 wrote to memory of 660	1064	un840536.exe	29
PID 1064 wrote to memory of 660	1064	un840536.exe	29
PID 1064 wrote to memory of 660	1064	un840536.exe	29
PID 1064 wrote to memory of 660	1064	un840536.exe	29
PID 1064 wrote to memory of 660	1064	un840536.exe	29
PID 1064 wrote to memory of 660	1064	un840536.exe	29
PID 1064 wrote to memory of 660	1064	un840536.exe	29
PID 1064 wrote to memory of 1660	1064	un840536.exe	30
PID 1064 wrote to memory of 1660	1064	un840536.exe	30
PID 1064 wrote to memory of 1660	1064	un840536.exe	30
PID 1064 wrote to memory of 1660	1064	un840536.exe	30
PID 1064 wrote to memory of 1660	1064	un840536.exe	30
PID 1064 wrote to memory of 1660	1064	un840536.exe	30
PID 1064 wrote to memory of 1660	1064	un840536.exe	30

C:\Users\Admin\AppData\Local\Temp\422f44be3bcf95f126b2bf659640bce30e45f992f381038aeac62f76f9609880.exe
"C:\Users\Admin\AppData\Local\Temp\422f44be3bcf95f126b2bf659640bce30e45f992f381038aeac62f76f9609880.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un840536.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un840536.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\43448141.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\43448141.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:660
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk181987.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk181987.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un840536.exe

Filesize
541KB

MD5
fa707d7358c65067b5badfe1521d0553

SHA1
edd8f311f3eb7ba5a51b44aa6642fc005e947f97

SHA256
edba7a941c3880f205b1abb76593fe034bb3f4c4f32ed673a6dd5e97e81588d8

SHA512
3028b284b16d1b6f39bebcd20623e5e11a1629488a1814fcc9920ef2ccc9a11335eee0c619bb10c165ac77f4822e0cec039f4f1659b463d70c6cea09a31fd4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un840536.exe

Filesize
541KB

MD5
fa707d7358c65067b5badfe1521d0553

SHA1
edd8f311f3eb7ba5a51b44aa6642fc005e947f97

SHA256
edba7a941c3880f205b1abb76593fe034bb3f4c4f32ed673a6dd5e97e81588d8

SHA512
3028b284b16d1b6f39bebcd20623e5e11a1629488a1814fcc9920ef2ccc9a11335eee0c619bb10c165ac77f4822e0cec039f4f1659b463d70c6cea09a31fd4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\43448141.exe

Filesize
258KB

MD5
3a27084235eef83f23b2d8ca4f1baf68

SHA1
e6dddf6e9ccea238a57bedca8bd4774533e705c8

SHA256
c6e3cd9cd54889db9dc7d9c52588b2c6a0e4beff77087aa147053d0d96cbb5c9

SHA512
8e11daff57d978851e0c64b66e8021eefb6f088b157b8921b4f676c9e7a59f67741ab42a06345e9f79d03f993e184d461a449daf9ecede6abbc06583f7eb9623

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\43448141.exe

Filesize
258KB

MD5
3a27084235eef83f23b2d8ca4f1baf68

SHA1
e6dddf6e9ccea238a57bedca8bd4774533e705c8

SHA256
c6e3cd9cd54889db9dc7d9c52588b2c6a0e4beff77087aa147053d0d96cbb5c9

SHA512
8e11daff57d978851e0c64b66e8021eefb6f088b157b8921b4f676c9e7a59f67741ab42a06345e9f79d03f993e184d461a449daf9ecede6abbc06583f7eb9623

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\43448141.exe

Filesize
258KB

MD5
3a27084235eef83f23b2d8ca4f1baf68

SHA1
e6dddf6e9ccea238a57bedca8bd4774533e705c8

SHA256
c6e3cd9cd54889db9dc7d9c52588b2c6a0e4beff77087aa147053d0d96cbb5c9

SHA512
8e11daff57d978851e0c64b66e8021eefb6f088b157b8921b4f676c9e7a59f67741ab42a06345e9f79d03f993e184d461a449daf9ecede6abbc06583f7eb9623

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk181987.exe

Filesize
341KB

MD5
bd738efcbbc9d4e7fe6f6f9956c64942

SHA1
cced567daca383988999d0ad74633c6e9fc0f58d

SHA256
7a9081c9cac67ca10a507673c754548864e82117e2751378a47bcb770eec9320

SHA512
25a7b6fce99356f4c65f7e4b385e83e4ee06f6c921f852e4849ae2820536cd0c5d2fa4a574fffafc5cff36a5fb35ad8e83bca417f32a81050a9f9ce5553f3fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk181987.exe

Filesize
341KB

MD5
bd738efcbbc9d4e7fe6f6f9956c64942

SHA1
cced567daca383988999d0ad74633c6e9fc0f58d

SHA256
7a9081c9cac67ca10a507673c754548864e82117e2751378a47bcb770eec9320

SHA512
25a7b6fce99356f4c65f7e4b385e83e4ee06f6c921f852e4849ae2820536cd0c5d2fa4a574fffafc5cff36a5fb35ad8e83bca417f32a81050a9f9ce5553f3fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk181987.exe

Filesize
341KB

MD5
bd738efcbbc9d4e7fe6f6f9956c64942

SHA1
cced567daca383988999d0ad74633c6e9fc0f58d

SHA256
7a9081c9cac67ca10a507673c754548864e82117e2751378a47bcb770eec9320

SHA512
25a7b6fce99356f4c65f7e4b385e83e4ee06f6c921f852e4849ae2820536cd0c5d2fa4a574fffafc5cff36a5fb35ad8e83bca417f32a81050a9f9ce5553f3fac

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un840536.exe

Filesize
541KB

MD5
fa707d7358c65067b5badfe1521d0553

SHA1
edd8f311f3eb7ba5a51b44aa6642fc005e947f97

SHA256
edba7a941c3880f205b1abb76593fe034bb3f4c4f32ed673a6dd5e97e81588d8

SHA512
3028b284b16d1b6f39bebcd20623e5e11a1629488a1814fcc9920ef2ccc9a11335eee0c619bb10c165ac77f4822e0cec039f4f1659b463d70c6cea09a31fd4f4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un840536.exe

Filesize
541KB

MD5
fa707d7358c65067b5badfe1521d0553

SHA1
edd8f311f3eb7ba5a51b44aa6642fc005e947f97

SHA256
edba7a941c3880f205b1abb76593fe034bb3f4c4f32ed673a6dd5e97e81588d8

SHA512
3028b284b16d1b6f39bebcd20623e5e11a1629488a1814fcc9920ef2ccc9a11335eee0c619bb10c165ac77f4822e0cec039f4f1659b463d70c6cea09a31fd4f4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\43448141.exe

Filesize
258KB

MD5
3a27084235eef83f23b2d8ca4f1baf68

SHA1
e6dddf6e9ccea238a57bedca8bd4774533e705c8

SHA256
c6e3cd9cd54889db9dc7d9c52588b2c6a0e4beff77087aa147053d0d96cbb5c9

SHA512
8e11daff57d978851e0c64b66e8021eefb6f088b157b8921b4f676c9e7a59f67741ab42a06345e9f79d03f993e184d461a449daf9ecede6abbc06583f7eb9623

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\43448141.exe

Filesize
258KB

MD5
3a27084235eef83f23b2d8ca4f1baf68

SHA1
e6dddf6e9ccea238a57bedca8bd4774533e705c8

SHA256
c6e3cd9cd54889db9dc7d9c52588b2c6a0e4beff77087aa147053d0d96cbb5c9

SHA512
8e11daff57d978851e0c64b66e8021eefb6f088b157b8921b4f676c9e7a59f67741ab42a06345e9f79d03f993e184d461a449daf9ecede6abbc06583f7eb9623

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\43448141.exe

Filesize
258KB

MD5
3a27084235eef83f23b2d8ca4f1baf68

SHA1
e6dddf6e9ccea238a57bedca8bd4774533e705c8

SHA256
c6e3cd9cd54889db9dc7d9c52588b2c6a0e4beff77087aa147053d0d96cbb5c9

SHA512
8e11daff57d978851e0c64b66e8021eefb6f088b157b8921b4f676c9e7a59f67741ab42a06345e9f79d03f993e184d461a449daf9ecede6abbc06583f7eb9623

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk181987.exe

Filesize
341KB

MD5
bd738efcbbc9d4e7fe6f6f9956c64942

SHA1
cced567daca383988999d0ad74633c6e9fc0f58d

SHA256
7a9081c9cac67ca10a507673c754548864e82117e2751378a47bcb770eec9320

SHA512
25a7b6fce99356f4c65f7e4b385e83e4ee06f6c921f852e4849ae2820536cd0c5d2fa4a574fffafc5cff36a5fb35ad8e83bca417f32a81050a9f9ce5553f3fac

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk181987.exe

Filesize
341KB

MD5
bd738efcbbc9d4e7fe6f6f9956c64942

SHA1
cced567daca383988999d0ad74633c6e9fc0f58d

SHA256
7a9081c9cac67ca10a507673c754548864e82117e2751378a47bcb770eec9320

SHA512
25a7b6fce99356f4c65f7e4b385e83e4ee06f6c921f852e4849ae2820536cd0c5d2fa4a574fffafc5cff36a5fb35ad8e83bca417f32a81050a9f9ce5553f3fac

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk181987.exe

Filesize
341KB

MD5
bd738efcbbc9d4e7fe6f6f9956c64942

SHA1
cced567daca383988999d0ad74633c6e9fc0f58d

SHA256
7a9081c9cac67ca10a507673c754548864e82117e2751378a47bcb770eec9320

SHA512
25a7b6fce99356f4c65f7e4b385e83e4ee06f6c921f852e4849ae2820536cd0c5d2fa4a574fffafc5cff36a5fb35ad8e83bca417f32a81050a9f9ce5553f3fac

Download Submit
memory/660-84-0x0000000002F40000-0x0000000002F53000-memory.dmp

Filesize
76KB

Download
memory/660-86-0x0000000002F40000-0x0000000002F53000-memory.dmp

Filesize
76KB

Download
memory/660-88-0x0000000002F40000-0x0000000002F53000-memory.dmp

Filesize
76KB

Download
memory/660-90-0x0000000002F40000-0x0000000002F53000-memory.dmp

Filesize
76KB

Download
memory/660-92-0x0000000002F40000-0x0000000002F53000-memory.dmp

Filesize
76KB

Download
memory/660-94-0x0000000002F40000-0x0000000002F53000-memory.dmp

Filesize
76KB

Download
memory/660-96-0x0000000002F40000-0x0000000002F53000-memory.dmp

Filesize
76KB

Download
memory/660-98-0x0000000002F40000-0x0000000002F53000-memory.dmp

Filesize
76KB

Download
memory/660-100-0x0000000002F40000-0x0000000002F53000-memory.dmp

Filesize
76KB

Download
memory/660-102-0x0000000002F40000-0x0000000002F53000-memory.dmp

Filesize
76KB

Download
memory/660-104-0x0000000002F40000-0x0000000002F53000-memory.dmp

Filesize
76KB

Download
memory/660-106-0x0000000002F40000-0x0000000002F53000-memory.dmp

Filesize
76KB

Download
memory/660-108-0x0000000002F40000-0x0000000002F53000-memory.dmp

Filesize
76KB

Download
memory/660-110-0x0000000002F40000-0x0000000002F53000-memory.dmp

Filesize
76KB

Download
memory/660-111-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/660-113-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/660-83-0x0000000002F40000-0x0000000002F53000-memory.dmp

Filesize
76KB

Download
memory/660-82-0x00000000073E0000-0x0000000007420000-memory.dmp

Filesize
256KB

Download
memory/660-80-0x0000000000250000-0x000000000027D000-memory.dmp

Filesize
180KB

Download
memory/660-81-0x00000000073E0000-0x0000000007420000-memory.dmp

Filesize
256KB

Download
memory/660-79-0x0000000002F40000-0x0000000002F58000-memory.dmp

Filesize
96KB

Download
memory/660-78-0x0000000002BA0000-0x0000000002BBA000-memory.dmp

Filesize
104KB

Download
memory/1660-125-0x0000000002CE0000-0x0000000002D1A000-memory.dmp

Filesize
232KB

Download
memory/1660-144-0x0000000002CE0000-0x0000000002D15000-memory.dmp

Filesize
212KB

Download
memory/1660-126-0x0000000000240000-0x0000000000286000-memory.dmp

Filesize
280KB

Download
memory/1660-127-0x0000000007620000-0x0000000007660000-memory.dmp

Filesize
256KB

Download
memory/1660-128-0x0000000007620000-0x0000000007660000-memory.dmp

Filesize
256KB

Download
memory/1660-130-0x0000000002CE0000-0x0000000002D15000-memory.dmp

Filesize
212KB

Download
memory/1660-132-0x0000000002CE0000-0x0000000002D15000-memory.dmp

Filesize
212KB

Download
memory/1660-129-0x0000000002CE0000-0x0000000002D15000-memory.dmp

Filesize
212KB

Download
memory/1660-134-0x0000000002CE0000-0x0000000002D15000-memory.dmp

Filesize
212KB

Download
memory/1660-136-0x0000000002CE0000-0x0000000002D15000-memory.dmp

Filesize
212KB

Download
memory/1660-138-0x0000000002CE0000-0x0000000002D15000-memory.dmp

Filesize
212KB

Download
memory/1660-140-0x0000000002CE0000-0x0000000002D15000-memory.dmp

Filesize
212KB

Download
memory/1660-142-0x0000000002CE0000-0x0000000002D15000-memory.dmp

Filesize
212KB

Download
memory/1660-124-0x0000000002C80000-0x0000000002CBC000-memory.dmp

Filesize
240KB

Download
memory/1660-146-0x0000000002CE0000-0x0000000002D15000-memory.dmp

Filesize
212KB

Download
memory/1660-148-0x0000000002CE0000-0x0000000002D15000-memory.dmp

Filesize
212KB

Download
memory/1660-150-0x0000000002CE0000-0x0000000002D15000-memory.dmp

Filesize
212KB

Download
memory/1660-152-0x0000000002CE0000-0x0000000002D15000-memory.dmp

Filesize
212KB

Download
memory/1660-154-0x0000000002CE0000-0x0000000002D15000-memory.dmp

Filesize
212KB

Download
memory/1660-156-0x0000000002CE0000-0x0000000002D15000-memory.dmp

Filesize
212KB

Download
memory/1660-158-0x0000000002CE0000-0x0000000002D15000-memory.dmp

Filesize
212KB

Download
memory/1660-160-0x0000000002CE0000-0x0000000002D15000-memory.dmp

Filesize
212KB

Download
memory/1660-922-0x0000000007620000-0x0000000007660000-memory.dmp

Filesize
256KB

Download
memory/1660-923-0x0000000007620000-0x0000000007660000-memory.dmp

Filesize
256KB

Download
memory/1660-924-0x0000000007620000-0x0000000007660000-memory.dmp

Filesize
256KB

Download
memory/1660-927-0x0000000007620000-0x0000000007660000-memory.dmp

Filesize
256KB

Download