4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42.exe
Size

480KB
MD5

aa4d92d7e29127412ab7b815c9e188d5
SHA1

5c85d479e8fa55843246b294eb4133b28645b8f8
SHA256

4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42
SHA512

a203fa76fad8291b056bad6a8d3b2cdf8995d339e570a5eeb4865b167975a83a73e8fa09ecdf5bf1e1513f7d3be6a1c2dc54115328ee694750b1a8cfb9513958
SSDEEP

12288:CMr5y90gX2BLOJxHnV64GvdrtYTq9pGtfGCiy+Nl+B:TyLeODnlEdh7u3iuB

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a8253627.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a8253627.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a8253627.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a8253627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a8253627.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a8253627.exe

Executes dropped EXE 3 IoCs

pid	Process
1092	v4829590.exe
1184	a8253627.exe
728	b0246952.exe

Loads dropped DLL 6 IoCs

pid	Process
816	4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42.exe
1092	v4829590.exe
1092	v4829590.exe
1184	a8253627.exe
1092	v4829590.exe
728	b0246952.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	a8253627.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a8253627.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4829590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4829590.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1184	a8253627.exe
1184	a8253627.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1184	a8253627.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 1092	816	4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42.exe	27
PID 816 wrote to memory of 1092	816	4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42.exe	27
PID 816 wrote to memory of 1092	816	4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42.exe	27
PID 816 wrote to memory of 1092	816	4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42.exe	27
PID 816 wrote to memory of 1092	816	4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42.exe	27
PID 816 wrote to memory of 1092	816	4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42.exe	27
PID 816 wrote to memory of 1092	816	4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42.exe	27
PID 1092 wrote to memory of 1184	1092	v4829590.exe	28
PID 1092 wrote to memory of 1184	1092	v4829590.exe	28
PID 1092 wrote to memory of 1184	1092	v4829590.exe	28
PID 1092 wrote to memory of 1184	1092	v4829590.exe	28
PID 1092 wrote to memory of 1184	1092	v4829590.exe	28
PID 1092 wrote to memory of 1184	1092	v4829590.exe	28
PID 1092 wrote to memory of 1184	1092	v4829590.exe	28
PID 1092 wrote to memory of 728	1092	v4829590.exe	29
PID 1092 wrote to memory of 728	1092	v4829590.exe	29
PID 1092 wrote to memory of 728	1092	v4829590.exe	29
PID 1092 wrote to memory of 728	1092	v4829590.exe	29
PID 1092 wrote to memory of 728	1092	v4829590.exe	29
PID 1092 wrote to memory of 728	1092	v4829590.exe	29
PID 1092 wrote to memory of 728	1092	v4829590.exe	29

C:\Users\Admin\AppData\Local\Temp\4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42.exe
"C:\Users\Admin\AppData\Local\Temp\4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4829590.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4829590.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8253627.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8253627.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1184
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0246952.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0246952.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4829590.exe

Filesize
308KB

MD5
08dbcc9196cde1876eb96e92e9573fee

SHA1
8e271b455722fef13e63b2b24e8ef8d5fc2edd92

SHA256
f5de245313e59cd462c6219aa7b176575e45dfd3453fa0d02051fafc385a3605

SHA512
7459fc72b3d6879330e8646f1179fb7d5db2103de364d30dfabe1d9a721bb6f58e02fd3e73b7aa3f53ba7dcb6509e530aa626ec02cb2fe794f56635db1ed8963

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4829590.exe

Filesize
308KB

MD5
08dbcc9196cde1876eb96e92e9573fee

SHA1
8e271b455722fef13e63b2b24e8ef8d5fc2edd92

SHA256
f5de245313e59cd462c6219aa7b176575e45dfd3453fa0d02051fafc385a3605

SHA512
7459fc72b3d6879330e8646f1179fb7d5db2103de364d30dfabe1d9a721bb6f58e02fd3e73b7aa3f53ba7dcb6509e530aa626ec02cb2fe794f56635db1ed8963

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8253627.exe

Filesize
176KB

MD5
767489e8edf5f9f601cee1211e4914be

SHA1
5cf597ac8311b8e2e8c5137a929f73e960297cfa

SHA256
3b543bc2e433554c28c0b9e7c95f45c011dd4a3a2138412a45208d60a558a2f8

SHA512
46e6de2468e585feb6c05cf65e20a220ebc5abc962d2e955dc90ea3c33a43527ee175846c4a692e105533814fdccda62a1b1539faeb624062a7b48c6efe156f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8253627.exe

Filesize
176KB

MD5
767489e8edf5f9f601cee1211e4914be

SHA1
5cf597ac8311b8e2e8c5137a929f73e960297cfa

SHA256
3b543bc2e433554c28c0b9e7c95f45c011dd4a3a2138412a45208d60a558a2f8

SHA512
46e6de2468e585feb6c05cf65e20a220ebc5abc962d2e955dc90ea3c33a43527ee175846c4a692e105533814fdccda62a1b1539faeb624062a7b48c6efe156f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0246952.exe

Filesize
136KB

MD5
7dfc4202db1c9a6ea03e10c58eadd6df

SHA1
62a1aedd2daf734e121222129a190d40b4dbb2b3

SHA256
d48bbedbbc8e06b3c085ec8aadad5ffa778639513870dc65840b2bbe28685bd6

SHA512
daa8f27d83adc66f76f7f7a2058feebfa8ca18d9459c05bc8780771a2eb4a228a2172a6ea903d98104d61fece82ba2e7e620487a78aa3117f9b0eb8fb255a3a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0246952.exe

Filesize
136KB

MD5
7dfc4202db1c9a6ea03e10c58eadd6df

SHA1
62a1aedd2daf734e121222129a190d40b4dbb2b3

SHA256
d48bbedbbc8e06b3c085ec8aadad5ffa778639513870dc65840b2bbe28685bd6

SHA512
daa8f27d83adc66f76f7f7a2058feebfa8ca18d9459c05bc8780771a2eb4a228a2172a6ea903d98104d61fece82ba2e7e620487a78aa3117f9b0eb8fb255a3a8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4829590.exe

Filesize
308KB

MD5
08dbcc9196cde1876eb96e92e9573fee

SHA1
8e271b455722fef13e63b2b24e8ef8d5fc2edd92

SHA256
f5de245313e59cd462c6219aa7b176575e45dfd3453fa0d02051fafc385a3605

SHA512
7459fc72b3d6879330e8646f1179fb7d5db2103de364d30dfabe1d9a721bb6f58e02fd3e73b7aa3f53ba7dcb6509e530aa626ec02cb2fe794f56635db1ed8963

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4829590.exe

Filesize
308KB

MD5
08dbcc9196cde1876eb96e92e9573fee

SHA1
8e271b455722fef13e63b2b24e8ef8d5fc2edd92

SHA256
f5de245313e59cd462c6219aa7b176575e45dfd3453fa0d02051fafc385a3605

SHA512
7459fc72b3d6879330e8646f1179fb7d5db2103de364d30dfabe1d9a721bb6f58e02fd3e73b7aa3f53ba7dcb6509e530aa626ec02cb2fe794f56635db1ed8963

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8253627.exe

Filesize
176KB

MD5
767489e8edf5f9f601cee1211e4914be

SHA1
5cf597ac8311b8e2e8c5137a929f73e960297cfa

SHA256
3b543bc2e433554c28c0b9e7c95f45c011dd4a3a2138412a45208d60a558a2f8

SHA512
46e6de2468e585feb6c05cf65e20a220ebc5abc962d2e955dc90ea3c33a43527ee175846c4a692e105533814fdccda62a1b1539faeb624062a7b48c6efe156f6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8253627.exe

Filesize
176KB

MD5
767489e8edf5f9f601cee1211e4914be

SHA1
5cf597ac8311b8e2e8c5137a929f73e960297cfa

SHA256
3b543bc2e433554c28c0b9e7c95f45c011dd4a3a2138412a45208d60a558a2f8

SHA512
46e6de2468e585feb6c05cf65e20a220ebc5abc962d2e955dc90ea3c33a43527ee175846c4a692e105533814fdccda62a1b1539faeb624062a7b48c6efe156f6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0246952.exe

Filesize
136KB

MD5
7dfc4202db1c9a6ea03e10c58eadd6df

SHA1
62a1aedd2daf734e121222129a190d40b4dbb2b3

SHA256
d48bbedbbc8e06b3c085ec8aadad5ffa778639513870dc65840b2bbe28685bd6

SHA512
daa8f27d83adc66f76f7f7a2058feebfa8ca18d9459c05bc8780771a2eb4a228a2172a6ea903d98104d61fece82ba2e7e620487a78aa3117f9b0eb8fb255a3a8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0246952.exe

Filesize
136KB

MD5
7dfc4202db1c9a6ea03e10c58eadd6df

SHA1
62a1aedd2daf734e121222129a190d40b4dbb2b3

SHA256
d48bbedbbc8e06b3c085ec8aadad5ffa778639513870dc65840b2bbe28685bd6

SHA512
daa8f27d83adc66f76f7f7a2058feebfa8ca18d9459c05bc8780771a2eb4a228a2172a6ea903d98104d61fece82ba2e7e620487a78aa3117f9b0eb8fb255a3a8

Download Submit
memory/728-112-0x0000000000AB0000-0x0000000000AD8000-memory.dmp

Filesize
160KB

Download
memory/728-113-0x0000000000D80000-0x0000000000DC0000-memory.dmp

Filesize
256KB

Download
memory/728-114-0x0000000000D80000-0x0000000000DC0000-memory.dmp

Filesize
256KB

Download
memory/1184-91-0x0000000000AE0000-0x0000000000AF2000-memory.dmp

Filesize
72KB

Download
memory/1184-87-0x0000000000AE0000-0x0000000000AF2000-memory.dmp

Filesize
72KB

Download
memory/1184-101-0x0000000000AE0000-0x0000000000AF2000-memory.dmp

Filesize
72KB

Download
memory/1184-103-0x0000000000AE0000-0x0000000000AF2000-memory.dmp

Filesize
72KB

Download
memory/1184-99-0x0000000000AE0000-0x0000000000AF2000-memory.dmp

Filesize
72KB

Download
memory/1184-97-0x0000000000AE0000-0x0000000000AF2000-memory.dmp

Filesize
72KB

Download
memory/1184-95-0x0000000000AE0000-0x0000000000AF2000-memory.dmp

Filesize
72KB

Download
memory/1184-93-0x0000000000AE0000-0x0000000000AF2000-memory.dmp

Filesize
72KB

Download
memory/1184-89-0x0000000000AE0000-0x0000000000AF2000-memory.dmp

Filesize
72KB

Download
memory/1184-85-0x0000000000AE0000-0x0000000000AF2000-memory.dmp

Filesize
72KB

Download
memory/1184-105-0x00000000024C0000-0x0000000002500000-memory.dmp

Filesize
256KB

Download
memory/1184-104-0x00000000024C0000-0x0000000002500000-memory.dmp

Filesize
256KB

Download
memory/1184-83-0x0000000000AE0000-0x0000000000AF2000-memory.dmp

Filesize
72KB

Download
memory/1184-81-0x0000000000AE0000-0x0000000000AF2000-memory.dmp

Filesize
72KB

Download
memory/1184-79-0x0000000000AE0000-0x0000000000AF2000-memory.dmp

Filesize
72KB

Download
memory/1184-77-0x0000000000AE0000-0x0000000000AF2000-memory.dmp

Filesize
72KB

Download
memory/1184-76-0x0000000000AE0000-0x0000000000AF2000-memory.dmp

Filesize
72KB

Download
memory/1184-75-0x0000000000AE0000-0x0000000000AF8000-memory.dmp

Filesize
96KB

Download
memory/1184-74-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download