42b17c5a2e16dbc96cc7f682493a4e18c81bdc14d0c81ee57bd8c316e25d5de7

Analysis

max time kernel
252s
max time network
310s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42b17c5a2e16dbc96cc7f682493a4e18c81bdc14d0c81ee57bd8c316e25d5de7.exe
Size

1.1MB
MD5

ece336e77131760b2ec83d42ef16a316
SHA1

b70be0308ffa2c3475124187f88b661f0722a420
SHA256

42b17c5a2e16dbc96cc7f682493a4e18c81bdc14d0c81ee57bd8c316e25d5de7
SHA512

020588800fa5c8df4594b89f9b81951ff4cc7ccff1fd7b98756874bc5fe9cb7ef952e511f7d3027b20c2261e8d61d991514c8fdeb918594bc18fb6f70aff9f3e
SSDEEP

24576:+ycoab8Ga9NoP/+ajbAiXNhDJNBxwVSIbADrUM16SjBz:NHwajot/ldVXjwVzbA/UMY

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	110942092.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	110942092.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	205072416.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	205072416.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	205072416.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	110942092.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	110942092.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	205072416.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	205072416.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	110942092.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	110942092.exe

Executes dropped EXE 5 IoCs

pid	Process
1348	hB246554.exe
216	XO389442.exe
4960	AE640867.exe
3552	110942092.exe
3876	205072416.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	110942092.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	110942092.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	205072416.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	XO389442.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	XO389442.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	AE640867.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	AE640867.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	42b17c5a2e16dbc96cc7f682493a4e18c81bdc14d0c81ee57bd8c316e25d5de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	42b17c5a2e16dbc96cc7f682493a4e18c81bdc14d0c81ee57bd8c316e25d5de7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	hB246554.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	hB246554.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3684	3876	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3552	110942092.exe
3552	110942092.exe
3876	205072416.exe
3876	205072416.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3552	110942092.exe
Token: SeDebugPrivilege	3876	205072416.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 1348	2648	42b17c5a2e16dbc96cc7f682493a4e18c81bdc14d0c81ee57bd8c316e25d5de7.exe	79
PID 2648 wrote to memory of 1348	2648	42b17c5a2e16dbc96cc7f682493a4e18c81bdc14d0c81ee57bd8c316e25d5de7.exe	79
PID 2648 wrote to memory of 1348	2648	42b17c5a2e16dbc96cc7f682493a4e18c81bdc14d0c81ee57bd8c316e25d5de7.exe	79
PID 1348 wrote to memory of 216	1348	hB246554.exe	80
PID 1348 wrote to memory of 216	1348	hB246554.exe	80
PID 1348 wrote to memory of 216	1348	hB246554.exe	80
PID 216 wrote to memory of 4960	216	XO389442.exe	81
PID 216 wrote to memory of 4960	216	XO389442.exe	81
PID 216 wrote to memory of 4960	216	XO389442.exe	81
PID 4960 wrote to memory of 3552	4960	AE640867.exe	82
PID 4960 wrote to memory of 3552	4960	AE640867.exe	82
PID 4960 wrote to memory of 3552	4960	AE640867.exe	82
PID 4960 wrote to memory of 3876	4960	AE640867.exe	83
PID 4960 wrote to memory of 3876	4960	AE640867.exe	83
PID 4960 wrote to memory of 3876	4960	AE640867.exe	83

C:\Users\Admin\AppData\Local\Temp\42b17c5a2e16dbc96cc7f682493a4e18c81bdc14d0c81ee57bd8c316e25d5de7.exe
"C:\Users\Admin\AppData\Local\Temp\42b17c5a2e16dbc96cc7f682493a4e18c81bdc14d0c81ee57bd8c316e25d5de7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hB246554.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hB246554.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XO389442.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XO389442.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:216
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AE640867.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AE640867.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4960
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\110942092.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\110942092.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3552
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\205072416.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\205072416.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3876
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 1080
        6⤵
        Program crash
        
        PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3876 -ip 3876
1⤵
PID:4432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hB246554.exe

Filesize
993KB

MD5
53fa0c9fe8b1e5f574e0bd9cadc44f3e

SHA1
5ab3892637aa48299a0ba9bbc722eccdf437d049

SHA256
35f44fa183d77455ec56cee160871844a552d0a85d464de3e2e4b885706861ad

SHA512
8450e6c996a1d835a786a00be4dc05a471ce990c896d1c7cc15f36e7685dc877bb52e080834067d0c47eee7667957a96cc5b12a8d4718e8f9e983a8a46f3a3a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hB246554.exe

Filesize
993KB

MD5
53fa0c9fe8b1e5f574e0bd9cadc44f3e

SHA1
5ab3892637aa48299a0ba9bbc722eccdf437d049

SHA256
35f44fa183d77455ec56cee160871844a552d0a85d464de3e2e4b885706861ad

SHA512
8450e6c996a1d835a786a00be4dc05a471ce990c896d1c7cc15f36e7685dc877bb52e080834067d0c47eee7667957a96cc5b12a8d4718e8f9e983a8a46f3a3a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XO389442.exe

Filesize
609KB

MD5
4db73ccd281620ea59cf05392487dfcc

SHA1
3ad6bc375b9390fe1eaa3b994495651c5ac18e00

SHA256
6b2cc906ccbac0ec69cbc5f28fbadd9b9bf02b95d6fe353adbed81709db3456d

SHA512
149c4e696b210decf3a48ef6622d6112a6da752e99c57a0bbeae4dbf295b29c900d63c219f0c43ff707594eeafd3ca5419c7ea78d5fa0d07f67a9564ccf918c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XO389442.exe

Filesize
609KB

MD5
4db73ccd281620ea59cf05392487dfcc

SHA1
3ad6bc375b9390fe1eaa3b994495651c5ac18e00

SHA256
6b2cc906ccbac0ec69cbc5f28fbadd9b9bf02b95d6fe353adbed81709db3456d

SHA512
149c4e696b210decf3a48ef6622d6112a6da752e99c57a0bbeae4dbf295b29c900d63c219f0c43ff707594eeafd3ca5419c7ea78d5fa0d07f67a9564ccf918c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AE640867.exe

Filesize
437KB

MD5
6e2042aedeb39ee1438b889ef6a418e3

SHA1
57927e0794eecf5f5d443cdb6d6165d5ad83441c

SHA256
7240ee97b8390d71e8883ce1e39b305bcd5fb399bcbcab4eb396d06e4f72a972

SHA512
3de260ef10d0d678ac5a01be94e479ea65cd54c9375f2f9555db543b5aaf26096df99c1f5bc8623a18553ffa2e8a43680319931da7f65aa697cd742cf8de0e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AE640867.exe

Filesize
437KB

MD5
6e2042aedeb39ee1438b889ef6a418e3

SHA1
57927e0794eecf5f5d443cdb6d6165d5ad83441c

SHA256
7240ee97b8390d71e8883ce1e39b305bcd5fb399bcbcab4eb396d06e4f72a972

SHA512
3de260ef10d0d678ac5a01be94e479ea65cd54c9375f2f9555db543b5aaf26096df99c1f5bc8623a18553ffa2e8a43680319931da7f65aa697cd742cf8de0e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\110942092.exe

Filesize
175KB

MD5
a165b5f6b0a4bdf808b71de57bf9347d

SHA1
39a7b301e819e386c162a47e046fa384bb5ab437

SHA256
68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a

SHA512
3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\110942092.exe

Filesize
175KB

MD5
a165b5f6b0a4bdf808b71de57bf9347d

SHA1
39a7b301e819e386c162a47e046fa384bb5ab437

SHA256
68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a

SHA512
3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\205072416.exe

Filesize
332KB

MD5
2d3c8b22231696c054e7fa6ae3077d93

SHA1
a1337594b1dfe26025834b2fb677720cc547ef69

SHA256
8c7a36c92dc491eabadf96e989f4cbd171cb948a6839b79950d7d66caf7618dc

SHA512
bc072e92902e79b6a453b16a10307f67dbe6e9bea41e0ec23603683c070566c9b179fb3b087dbc5c666028aa26e3c78f83d8e4812a6f4184a37d56e8d1b6324c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\205072416.exe

Filesize
332KB

MD5
2d3c8b22231696c054e7fa6ae3077d93

SHA1
a1337594b1dfe26025834b2fb677720cc547ef69

SHA256
8c7a36c92dc491eabadf96e989f4cbd171cb948a6839b79950d7d66caf7618dc

SHA512
bc072e92902e79b6a453b16a10307f67dbe6e9bea41e0ec23603683c070566c9b179fb3b087dbc5c666028aa26e3c78f83d8e4812a6f4184a37d56e8d1b6324c

Download Submit
memory/3552-161-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/3552-163-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/3552-162-0x0000000004AF0000-0x0000000005094000-memory.dmp

Filesize
5.6MB

Download
memory/3552-164-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/3552-166-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/3552-165-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/3552-168-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/3552-170-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/3552-172-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/3552-174-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/3552-176-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/3552-178-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/3552-180-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/3552-182-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/3552-184-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/3552-186-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/3552-188-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/3552-190-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/3552-192-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/3552-193-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/3552-194-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/3876-201-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/3876-200-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/3876-203-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/3876-205-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/3876-207-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/3876-209-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/3876-211-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/3876-213-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/3876-215-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/3876-217-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/3876-219-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/3876-221-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/3876-223-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/3876-225-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/3876-227-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/3876-228-0x00000000004F0000-0x000000000051D000-memory.dmp

Filesize
180KB

Download
memory/3876-229-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/3876-230-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/3876-231-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3876-232-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/3876-233-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/3876-234-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/3876-235-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download