4303d04a946734723b946d660fe4006880d6b088d7b573289bafe66d0bbd787d

Analysis

max time kernel
150s
max time network
159s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4303d04a946734723b946d660fe4006880d6b088d7b573289bafe66d0bbd787d.exe
Size

747KB
MD5

e98ec7a8ec64df9a42fbe22c7c441fa8
SHA1

4d487c60d7e64b08cc28ff9dc3ad719bb870dc3c
SHA256

4303d04a946734723b946d660fe4006880d6b088d7b573289bafe66d0bbd787d
SHA512

9af8df4894db7086e88b609d5681ba0233cd5ec0d677dcc0d77bd2186e3afbbca752a3fb4bcbf4ef915cdd49ad71616355e8488a3dcc2c5fbfa44f8ebe59dc0b
SSDEEP

12288:vy90Qbde6OAXQvEu05q6bCSaUmh7pyawKWU9Ur7TqRUyCi:vyXoE95qSv+7/yTq1Ci

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	95478020.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	95478020.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	95478020.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	95478020.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	95478020.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	95478020.exe

Executes dropped EXE 3 IoCs

pid	Process
1192	un650476.exe
848	95478020.exe
748	rk481565.exe

Loads dropped DLL 8 IoCs

pid	Process
1556	4303d04a946734723b946d660fe4006880d6b088d7b573289bafe66d0bbd787d.exe
1192	un650476.exe
1192	un650476.exe
1192	un650476.exe
848	95478020.exe
1192	un650476.exe
1192	un650476.exe
748	rk481565.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	95478020.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	95478020.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4303d04a946734723b946d660fe4006880d6b088d7b573289bafe66d0bbd787d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un650476.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un650476.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4303d04a946734723b946d660fe4006880d6b088d7b573289bafe66d0bbd787d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
848	95478020.exe
848	95478020.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	848	95478020.exe
Token: SeDebugPrivilege	748	rk481565.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 1192	1556	4303d04a946734723b946d660fe4006880d6b088d7b573289bafe66d0bbd787d.exe	28
PID 1556 wrote to memory of 1192	1556	4303d04a946734723b946d660fe4006880d6b088d7b573289bafe66d0bbd787d.exe	28
PID 1556 wrote to memory of 1192	1556	4303d04a946734723b946d660fe4006880d6b088d7b573289bafe66d0bbd787d.exe	28
PID 1556 wrote to memory of 1192	1556	4303d04a946734723b946d660fe4006880d6b088d7b573289bafe66d0bbd787d.exe	28
PID 1556 wrote to memory of 1192	1556	4303d04a946734723b946d660fe4006880d6b088d7b573289bafe66d0bbd787d.exe	28
PID 1556 wrote to memory of 1192	1556	4303d04a946734723b946d660fe4006880d6b088d7b573289bafe66d0bbd787d.exe	28
PID 1556 wrote to memory of 1192	1556	4303d04a946734723b946d660fe4006880d6b088d7b573289bafe66d0bbd787d.exe	28
PID 1192 wrote to memory of 848	1192	un650476.exe	29
PID 1192 wrote to memory of 848	1192	un650476.exe	29
PID 1192 wrote to memory of 848	1192	un650476.exe	29
PID 1192 wrote to memory of 848	1192	un650476.exe	29
PID 1192 wrote to memory of 848	1192	un650476.exe	29
PID 1192 wrote to memory of 848	1192	un650476.exe	29
PID 1192 wrote to memory of 848	1192	un650476.exe	29
PID 1192 wrote to memory of 748	1192	un650476.exe	30
PID 1192 wrote to memory of 748	1192	un650476.exe	30
PID 1192 wrote to memory of 748	1192	un650476.exe	30
PID 1192 wrote to memory of 748	1192	un650476.exe	30
PID 1192 wrote to memory of 748	1192	un650476.exe	30
PID 1192 wrote to memory of 748	1192	un650476.exe	30
PID 1192 wrote to memory of 748	1192	un650476.exe	30

C:\Users\Admin\AppData\Local\Temp\4303d04a946734723b946d660fe4006880d6b088d7b573289bafe66d0bbd787d.exe
"C:\Users\Admin\AppData\Local\Temp\4303d04a946734723b946d660fe4006880d6b088d7b573289bafe66d0bbd787d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un650476.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un650476.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\95478020.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\95478020.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:848
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk481565.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk481565.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un650476.exe

Filesize
593KB

MD5
946315dd9d1081f780642b371226eab0

SHA1
0e3725a53a44d2dde7767791406161ce14ab054c

SHA256
2e487294bb4cf571aa979adf9892784e184b3824c0f8c2ce33bdb3c51bcfa054

SHA512
8cb800e240c5b776c01d90e9d60420d6d7267745057ae369167863368826baa9ab2540e9ba769f086310c02155181d6686d35ec3d8398ed5bd2fc66373cbea3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un650476.exe

Filesize
593KB

MD5
946315dd9d1081f780642b371226eab0

SHA1
0e3725a53a44d2dde7767791406161ce14ab054c

SHA256
2e487294bb4cf571aa979adf9892784e184b3824c0f8c2ce33bdb3c51bcfa054

SHA512
8cb800e240c5b776c01d90e9d60420d6d7267745057ae369167863368826baa9ab2540e9ba769f086310c02155181d6686d35ec3d8398ed5bd2fc66373cbea3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\95478020.exe

Filesize
377KB

MD5
07dc6fe6f7351ff67a1fd0e6bfbd51e3

SHA1
a1881c8f03bb323408b4a5b46cb41e435b7037b2

SHA256
a6b8e0b91961b03bfd7ffd9f60e18c5286eb67b3661dca0157e5a870ea7904e0

SHA512
d57798978cc2393f71c14b7cac5100c16002fa8368b3d241736b3a6c81926938f4b75e0b5c9536f48e269c5bef5b274f36b66de3e9e169a5d6a5b99c250376bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\95478020.exe

Filesize
377KB

MD5
07dc6fe6f7351ff67a1fd0e6bfbd51e3

SHA1
a1881c8f03bb323408b4a5b46cb41e435b7037b2

SHA256
a6b8e0b91961b03bfd7ffd9f60e18c5286eb67b3661dca0157e5a870ea7904e0

SHA512
d57798978cc2393f71c14b7cac5100c16002fa8368b3d241736b3a6c81926938f4b75e0b5c9536f48e269c5bef5b274f36b66de3e9e169a5d6a5b99c250376bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\95478020.exe

Filesize
377KB

MD5
07dc6fe6f7351ff67a1fd0e6bfbd51e3

SHA1
a1881c8f03bb323408b4a5b46cb41e435b7037b2

SHA256
a6b8e0b91961b03bfd7ffd9f60e18c5286eb67b3661dca0157e5a870ea7904e0

SHA512
d57798978cc2393f71c14b7cac5100c16002fa8368b3d241736b3a6c81926938f4b75e0b5c9536f48e269c5bef5b274f36b66de3e9e169a5d6a5b99c250376bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk481565.exe

Filesize
460KB

MD5
ea7a7e86eebd76d894a80466ddea56a5

SHA1
7063f6ec517966e63a485f8a386d7e05f1ab48fa

SHA256
cb0349d7f2f388159c26592429b39d78b636f7e28691cb53465e4ceb6cdd4016

SHA512
3cb4256c263f177dba7f341783c28985a71b5f220a1eb02df8c9611faedc36366723f2629036d27c157bce5f9d9ff941fa7c288961e0500e0966369c9dafaa54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk481565.exe

Filesize
460KB

MD5
ea7a7e86eebd76d894a80466ddea56a5

SHA1
7063f6ec517966e63a485f8a386d7e05f1ab48fa

SHA256
cb0349d7f2f388159c26592429b39d78b636f7e28691cb53465e4ceb6cdd4016

SHA512
3cb4256c263f177dba7f341783c28985a71b5f220a1eb02df8c9611faedc36366723f2629036d27c157bce5f9d9ff941fa7c288961e0500e0966369c9dafaa54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk481565.exe

Filesize
460KB

MD5
ea7a7e86eebd76d894a80466ddea56a5

SHA1
7063f6ec517966e63a485f8a386d7e05f1ab48fa

SHA256
cb0349d7f2f388159c26592429b39d78b636f7e28691cb53465e4ceb6cdd4016

SHA512
3cb4256c263f177dba7f341783c28985a71b5f220a1eb02df8c9611faedc36366723f2629036d27c157bce5f9d9ff941fa7c288961e0500e0966369c9dafaa54

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un650476.exe

Filesize
593KB

MD5
946315dd9d1081f780642b371226eab0

SHA1
0e3725a53a44d2dde7767791406161ce14ab054c

SHA256
2e487294bb4cf571aa979adf9892784e184b3824c0f8c2ce33bdb3c51bcfa054

SHA512
8cb800e240c5b776c01d90e9d60420d6d7267745057ae369167863368826baa9ab2540e9ba769f086310c02155181d6686d35ec3d8398ed5bd2fc66373cbea3a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un650476.exe

Filesize
593KB

MD5
946315dd9d1081f780642b371226eab0

SHA1
0e3725a53a44d2dde7767791406161ce14ab054c

SHA256
2e487294bb4cf571aa979adf9892784e184b3824c0f8c2ce33bdb3c51bcfa054

SHA512
8cb800e240c5b776c01d90e9d60420d6d7267745057ae369167863368826baa9ab2540e9ba769f086310c02155181d6686d35ec3d8398ed5bd2fc66373cbea3a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\95478020.exe

Filesize
377KB

MD5
07dc6fe6f7351ff67a1fd0e6bfbd51e3

SHA1
a1881c8f03bb323408b4a5b46cb41e435b7037b2

SHA256
a6b8e0b91961b03bfd7ffd9f60e18c5286eb67b3661dca0157e5a870ea7904e0

SHA512
d57798978cc2393f71c14b7cac5100c16002fa8368b3d241736b3a6c81926938f4b75e0b5c9536f48e269c5bef5b274f36b66de3e9e169a5d6a5b99c250376bd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\95478020.exe

Filesize
377KB

MD5
07dc6fe6f7351ff67a1fd0e6bfbd51e3

SHA1
a1881c8f03bb323408b4a5b46cb41e435b7037b2

SHA256
a6b8e0b91961b03bfd7ffd9f60e18c5286eb67b3661dca0157e5a870ea7904e0

SHA512
d57798978cc2393f71c14b7cac5100c16002fa8368b3d241736b3a6c81926938f4b75e0b5c9536f48e269c5bef5b274f36b66de3e9e169a5d6a5b99c250376bd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\95478020.exe

Filesize
377KB

MD5
07dc6fe6f7351ff67a1fd0e6bfbd51e3

SHA1
a1881c8f03bb323408b4a5b46cb41e435b7037b2

SHA256
a6b8e0b91961b03bfd7ffd9f60e18c5286eb67b3661dca0157e5a870ea7904e0

SHA512
d57798978cc2393f71c14b7cac5100c16002fa8368b3d241736b3a6c81926938f4b75e0b5c9536f48e269c5bef5b274f36b66de3e9e169a5d6a5b99c250376bd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk481565.exe

Filesize
460KB

MD5
ea7a7e86eebd76d894a80466ddea56a5

SHA1
7063f6ec517966e63a485f8a386d7e05f1ab48fa

SHA256
cb0349d7f2f388159c26592429b39d78b636f7e28691cb53465e4ceb6cdd4016

SHA512
3cb4256c263f177dba7f341783c28985a71b5f220a1eb02df8c9611faedc36366723f2629036d27c157bce5f9d9ff941fa7c288961e0500e0966369c9dafaa54

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk481565.exe

Filesize
460KB

MD5
ea7a7e86eebd76d894a80466ddea56a5

SHA1
7063f6ec517966e63a485f8a386d7e05f1ab48fa

SHA256
cb0349d7f2f388159c26592429b39d78b636f7e28691cb53465e4ceb6cdd4016

SHA512
3cb4256c263f177dba7f341783c28985a71b5f220a1eb02df8c9611faedc36366723f2629036d27c157bce5f9d9ff941fa7c288961e0500e0966369c9dafaa54

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk481565.exe

Filesize
460KB

MD5
ea7a7e86eebd76d894a80466ddea56a5

SHA1
7063f6ec517966e63a485f8a386d7e05f1ab48fa

SHA256
cb0349d7f2f388159c26592429b39d78b636f7e28691cb53465e4ceb6cdd4016

SHA512
3cb4256c263f177dba7f341783c28985a71b5f220a1eb02df8c9611faedc36366723f2629036d27c157bce5f9d9ff941fa7c288961e0500e0966369c9dafaa54

Download Submit
memory/748-151-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/748-133-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/748-155-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/748-153-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/748-129-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/748-149-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/748-147-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/748-145-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/748-143-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/748-141-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/748-139-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/748-137-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/748-135-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/748-157-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/748-131-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/748-283-0x0000000004E60000-0x0000000004EA0000-memory.dmp

Filesize
256KB

Download
memory/748-281-0x00000000002F0000-0x0000000000336000-memory.dmp

Filesize
280KB

Download
memory/748-285-0x0000000004E60000-0x0000000004EA0000-memory.dmp

Filesize
256KB

Download
memory/748-919-0x0000000004E60000-0x0000000004EA0000-memory.dmp

Filesize
256KB

Download
memory/748-921-0x0000000004E60000-0x0000000004EA0000-memory.dmp

Filesize
256KB

Download
memory/748-922-0x0000000004E60000-0x0000000004EA0000-memory.dmp

Filesize
256KB

Download
memory/748-122-0x00000000025B0000-0x00000000025EC000-memory.dmp

Filesize
240KB

Download
memory/748-123-0x00000000025F0000-0x000000000262A000-memory.dmp

Filesize
232KB

Download
memory/748-124-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/748-125-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/748-127-0x00000000025F0000-0x0000000002625000-memory.dmp

Filesize
212KB

Download
memory/848-87-0x0000000000F10000-0x0000000000F22000-memory.dmp

Filesize
72KB

Download
memory/848-111-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/848-110-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/848-109-0x0000000004F60000-0x0000000004FA0000-memory.dmp

Filesize
256KB

Download
memory/848-108-0x0000000000300000-0x000000000032D000-memory.dmp

Filesize
180KB

Download
memory/848-105-0x0000000000F10000-0x0000000000F22000-memory.dmp

Filesize
72KB

Download
memory/848-107-0x0000000000F10000-0x0000000000F22000-memory.dmp

Filesize
72KB

Download
memory/848-101-0x0000000000F10000-0x0000000000F22000-memory.dmp

Filesize
72KB

Download
memory/848-103-0x0000000000F10000-0x0000000000F22000-memory.dmp

Filesize
72KB

Download
memory/848-99-0x0000000000F10000-0x0000000000F22000-memory.dmp

Filesize
72KB

Download
memory/848-97-0x0000000000F10000-0x0000000000F22000-memory.dmp

Filesize
72KB

Download
memory/848-93-0x0000000000F10000-0x0000000000F22000-memory.dmp

Filesize
72KB

Download
memory/848-95-0x0000000000F10000-0x0000000000F22000-memory.dmp

Filesize
72KB

Download
memory/848-89-0x0000000000F10000-0x0000000000F22000-memory.dmp

Filesize
72KB

Download
memory/848-91-0x0000000000F10000-0x0000000000F22000-memory.dmp

Filesize
72KB

Download
memory/848-85-0x0000000000F10000-0x0000000000F22000-memory.dmp

Filesize
72KB

Download
memory/848-83-0x0000000000F10000-0x0000000000F22000-memory.dmp

Filesize
72KB

Download
memory/848-81-0x0000000000F10000-0x0000000000F22000-memory.dmp

Filesize
72KB

Download
memory/848-80-0x0000000000F10000-0x0000000000F22000-memory.dmp

Filesize
72KB

Download
memory/848-79-0x0000000000F10000-0x0000000000F28000-memory.dmp

Filesize
96KB

Download
memory/848-78-0x0000000000EF0000-0x0000000000F0A000-memory.dmp

Filesize
104KB

Download