479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 21:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da.exe
Size

701KB
MD5

67446d2a011827c1a4b04aee56e3891b
SHA1

54efb24003bcf2f68cd0ce6bc983d2be73426947
SHA256

479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da
SHA512

c3522129a8125c161a151f86d80df119908dcb15b9f4f661f940c931391fb8ea3d0243f6bf119549b613de3fe5c1f7b2bec8264acbf237482cf636519c16bd11
SSDEEP

12288:Dy90l5em2UNGtvak4ULYHM33L8EG2/o9waqQFbGprQ9bt825Y:DyOem2UNELYHM3pGLwtEcUpj5Y

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	02170913.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	02170913.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	02170913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	02170913.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	02170913.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	02170913.exe

Executes dropped EXE 3 IoCs

pid	Process
1252	un667618.exe
2024	02170913.exe
916	rk469242.exe

Loads dropped DLL 8 IoCs

pid	Process
1900	479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da.exe
1252	un667618.exe
1252	un667618.exe
1252	un667618.exe
2024	02170913.exe
1252	un667618.exe
1252	un667618.exe
916	rk469242.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	02170913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	02170913.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un667618.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un667618.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2024	02170913.exe
2024	02170913.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	02170913.exe
Token: SeDebugPrivilege	916	rk469242.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 1252	1900	479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da.exe	27
PID 1900 wrote to memory of 1252	1900	479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da.exe	27
PID 1900 wrote to memory of 1252	1900	479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da.exe	27
PID 1900 wrote to memory of 1252	1900	479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da.exe	27
PID 1900 wrote to memory of 1252	1900	479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da.exe	27
PID 1900 wrote to memory of 1252	1900	479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da.exe	27
PID 1900 wrote to memory of 1252	1900	479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da.exe	27
PID 1252 wrote to memory of 2024	1252	un667618.exe	28
PID 1252 wrote to memory of 2024	1252	un667618.exe	28
PID 1252 wrote to memory of 2024	1252	un667618.exe	28
PID 1252 wrote to memory of 2024	1252	un667618.exe	28
PID 1252 wrote to memory of 2024	1252	un667618.exe	28
PID 1252 wrote to memory of 2024	1252	un667618.exe	28
PID 1252 wrote to memory of 2024	1252	un667618.exe	28
PID 1252 wrote to memory of 916	1252	un667618.exe	29
PID 1252 wrote to memory of 916	1252	un667618.exe	29
PID 1252 wrote to memory of 916	1252	un667618.exe	29
PID 1252 wrote to memory of 916	1252	un667618.exe	29
PID 1252 wrote to memory of 916	1252	un667618.exe	29
PID 1252 wrote to memory of 916	1252	un667618.exe	29
PID 1252 wrote to memory of 916	1252	un667618.exe	29

C:\Users\Admin\AppData\Local\Temp\479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da.exe
"C:\Users\Admin\AppData\Local\Temp\479c56d566048b547c38abbfae66e6b7dd679c012030ab4593a12a30873ff3da.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un667618.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un667618.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02170913.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02170913.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2024
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk469242.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk469242.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un667618.exe

Filesize
547KB

MD5
f6828c152c21cfcdfd572d03d2e901e8

SHA1
3911590ba4c5c5351cf96fed746e1abd9c462161

SHA256
5a391db9a5dc9f37a0561df2ac04bc2208b0a287d34ccecba1bf95cf6badcb40

SHA512
e6d732d313845833cf0c8d63d3c814b7bdc9c9bf2eb3264e1f836d2b4c539792b2a036b5e0bcf1714eaf75872ae14fff07c38176b994fb566a02b3b1152e90af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un667618.exe

Filesize
547KB

MD5
f6828c152c21cfcdfd572d03d2e901e8

SHA1
3911590ba4c5c5351cf96fed746e1abd9c462161

SHA256
5a391db9a5dc9f37a0561df2ac04bc2208b0a287d34ccecba1bf95cf6badcb40

SHA512
e6d732d313845833cf0c8d63d3c814b7bdc9c9bf2eb3264e1f836d2b4c539792b2a036b5e0bcf1714eaf75872ae14fff07c38176b994fb566a02b3b1152e90af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02170913.exe

Filesize
269KB

MD5
8f269d1887866c15a539a3d99424f835

SHA1
d219c881df5ec78d07dac6a9db134a7f877880fb

SHA256
c2f552b75d4e4ad8a3fec38fb700bad25b6e32fb7616d3dd94672ed3f4f6de04

SHA512
2866f88408cb70d770ad96ce9f1755b392ab458287369a1d1deb4d8f3183fb242ee7209db7ce74ff3e63806c6f3a331bd8077cf679aabf147aab89c66ea625f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02170913.exe

Filesize
269KB

MD5
8f269d1887866c15a539a3d99424f835

SHA1
d219c881df5ec78d07dac6a9db134a7f877880fb

SHA256
c2f552b75d4e4ad8a3fec38fb700bad25b6e32fb7616d3dd94672ed3f4f6de04

SHA512
2866f88408cb70d770ad96ce9f1755b392ab458287369a1d1deb4d8f3183fb242ee7209db7ce74ff3e63806c6f3a331bd8077cf679aabf147aab89c66ea625f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02170913.exe

Filesize
269KB

MD5
8f269d1887866c15a539a3d99424f835

SHA1
d219c881df5ec78d07dac6a9db134a7f877880fb

SHA256
c2f552b75d4e4ad8a3fec38fb700bad25b6e32fb7616d3dd94672ed3f4f6de04

SHA512
2866f88408cb70d770ad96ce9f1755b392ab458287369a1d1deb4d8f3183fb242ee7209db7ce74ff3e63806c6f3a331bd8077cf679aabf147aab89c66ea625f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk469242.exe

Filesize
353KB

MD5
778dc79ee53274c98fe7a1637513505e

SHA1
4f7cbde5eb5ff2de0c3ff192bc797a15095c7e80

SHA256
a51182b3622057a27f583b2d0a01eb84aa234fddfab22d007bbba80c5b03067e

SHA512
602a539d8fac27a576516b8edf7cbb0656fa95143833b25d1f8e9fd1f4890230e6b2fadec7fb91f11eb9cad18f6a3e3a7ed37b414432896452689701005fd0e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk469242.exe

Filesize
353KB

MD5
778dc79ee53274c98fe7a1637513505e

SHA1
4f7cbde5eb5ff2de0c3ff192bc797a15095c7e80

SHA256
a51182b3622057a27f583b2d0a01eb84aa234fddfab22d007bbba80c5b03067e

SHA512
602a539d8fac27a576516b8edf7cbb0656fa95143833b25d1f8e9fd1f4890230e6b2fadec7fb91f11eb9cad18f6a3e3a7ed37b414432896452689701005fd0e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk469242.exe

Filesize
353KB

MD5
778dc79ee53274c98fe7a1637513505e

SHA1
4f7cbde5eb5ff2de0c3ff192bc797a15095c7e80

SHA256
a51182b3622057a27f583b2d0a01eb84aa234fddfab22d007bbba80c5b03067e

SHA512
602a539d8fac27a576516b8edf7cbb0656fa95143833b25d1f8e9fd1f4890230e6b2fadec7fb91f11eb9cad18f6a3e3a7ed37b414432896452689701005fd0e2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un667618.exe

Filesize
547KB

MD5
f6828c152c21cfcdfd572d03d2e901e8

SHA1
3911590ba4c5c5351cf96fed746e1abd9c462161

SHA256
5a391db9a5dc9f37a0561df2ac04bc2208b0a287d34ccecba1bf95cf6badcb40

SHA512
e6d732d313845833cf0c8d63d3c814b7bdc9c9bf2eb3264e1f836d2b4c539792b2a036b5e0bcf1714eaf75872ae14fff07c38176b994fb566a02b3b1152e90af

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un667618.exe

Filesize
547KB

MD5
f6828c152c21cfcdfd572d03d2e901e8

SHA1
3911590ba4c5c5351cf96fed746e1abd9c462161

SHA256
5a391db9a5dc9f37a0561df2ac04bc2208b0a287d34ccecba1bf95cf6badcb40

SHA512
e6d732d313845833cf0c8d63d3c814b7bdc9c9bf2eb3264e1f836d2b4c539792b2a036b5e0bcf1714eaf75872ae14fff07c38176b994fb566a02b3b1152e90af

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\02170913.exe

Filesize
269KB

MD5
8f269d1887866c15a539a3d99424f835

SHA1
d219c881df5ec78d07dac6a9db134a7f877880fb

SHA256
c2f552b75d4e4ad8a3fec38fb700bad25b6e32fb7616d3dd94672ed3f4f6de04

SHA512
2866f88408cb70d770ad96ce9f1755b392ab458287369a1d1deb4d8f3183fb242ee7209db7ce74ff3e63806c6f3a331bd8077cf679aabf147aab89c66ea625f3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\02170913.exe

Filesize
269KB

MD5
8f269d1887866c15a539a3d99424f835

SHA1
d219c881df5ec78d07dac6a9db134a7f877880fb

SHA256
c2f552b75d4e4ad8a3fec38fb700bad25b6e32fb7616d3dd94672ed3f4f6de04

SHA512
2866f88408cb70d770ad96ce9f1755b392ab458287369a1d1deb4d8f3183fb242ee7209db7ce74ff3e63806c6f3a331bd8077cf679aabf147aab89c66ea625f3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\02170913.exe

Filesize
269KB

MD5
8f269d1887866c15a539a3d99424f835

SHA1
d219c881df5ec78d07dac6a9db134a7f877880fb

SHA256
c2f552b75d4e4ad8a3fec38fb700bad25b6e32fb7616d3dd94672ed3f4f6de04

SHA512
2866f88408cb70d770ad96ce9f1755b392ab458287369a1d1deb4d8f3183fb242ee7209db7ce74ff3e63806c6f3a331bd8077cf679aabf147aab89c66ea625f3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk469242.exe

Filesize
353KB

MD5
778dc79ee53274c98fe7a1637513505e

SHA1
4f7cbde5eb5ff2de0c3ff192bc797a15095c7e80

SHA256
a51182b3622057a27f583b2d0a01eb84aa234fddfab22d007bbba80c5b03067e

SHA512
602a539d8fac27a576516b8edf7cbb0656fa95143833b25d1f8e9fd1f4890230e6b2fadec7fb91f11eb9cad18f6a3e3a7ed37b414432896452689701005fd0e2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk469242.exe

Filesize
353KB

MD5
778dc79ee53274c98fe7a1637513505e

SHA1
4f7cbde5eb5ff2de0c3ff192bc797a15095c7e80

SHA256
a51182b3622057a27f583b2d0a01eb84aa234fddfab22d007bbba80c5b03067e

SHA512
602a539d8fac27a576516b8edf7cbb0656fa95143833b25d1f8e9fd1f4890230e6b2fadec7fb91f11eb9cad18f6a3e3a7ed37b414432896452689701005fd0e2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk469242.exe

Filesize
353KB

MD5
778dc79ee53274c98fe7a1637513505e

SHA1
4f7cbde5eb5ff2de0c3ff192bc797a15095c7e80

SHA256
a51182b3622057a27f583b2d0a01eb84aa234fddfab22d007bbba80c5b03067e

SHA512
602a539d8fac27a576516b8edf7cbb0656fa95143833b25d1f8e9fd1f4890230e6b2fadec7fb91f11eb9cad18f6a3e3a7ed37b414432896452689701005fd0e2

Download Submit
memory/916-151-0x00000000070E0000-0x0000000007115000-memory.dmp

Filesize
212KB

Download
memory/916-133-0x00000000070E0000-0x0000000007115000-memory.dmp

Filesize
212KB

Download
memory/916-155-0x00000000070E0000-0x0000000007115000-memory.dmp

Filesize
212KB

Download
memory/916-153-0x00000000070E0000-0x0000000007115000-memory.dmp

Filesize
212KB

Download
memory/916-128-0x00000000002D0000-0x0000000000316000-memory.dmp

Filesize
280KB

Download
memory/916-149-0x00000000070E0000-0x0000000007115000-memory.dmp

Filesize
212KB

Download
memory/916-143-0x00000000070E0000-0x0000000007115000-memory.dmp

Filesize
212KB

Download
memory/916-145-0x00000000070E0000-0x0000000007115000-memory.dmp

Filesize
212KB

Download
memory/916-147-0x00000000070E0000-0x0000000007115000-memory.dmp

Filesize
212KB

Download
memory/916-141-0x00000000070E0000-0x0000000007115000-memory.dmp

Filesize
212KB

Download
memory/916-139-0x00000000070E0000-0x0000000007115000-memory.dmp

Filesize
212KB

Download
memory/916-137-0x00000000070E0000-0x0000000007115000-memory.dmp

Filesize
212KB

Download
memory/916-135-0x00000000070E0000-0x0000000007115000-memory.dmp

Filesize
212KB

Download
memory/916-157-0x00000000070E0000-0x0000000007115000-memory.dmp

Filesize
212KB

Download
memory/916-131-0x00000000070E0000-0x0000000007115000-memory.dmp

Filesize
212KB

Download
memory/916-132-0x0000000002D90000-0x0000000002DD0000-memory.dmp

Filesize
256KB

Download
memory/916-129-0x0000000002D90000-0x0000000002DD0000-memory.dmp

Filesize
256KB

Download
memory/916-130-0x0000000002D90000-0x0000000002DD0000-memory.dmp

Filesize
256KB

Download
memory/916-159-0x00000000070E0000-0x0000000007115000-memory.dmp

Filesize
212KB

Download
memory/916-161-0x00000000070E0000-0x0000000007115000-memory.dmp

Filesize
212KB

Download
memory/916-163-0x00000000070E0000-0x0000000007115000-memory.dmp

Filesize
212KB

Download
memory/916-924-0x0000000002D90000-0x0000000002DD0000-memory.dmp

Filesize
256KB

Download
memory/916-926-0x0000000002D90000-0x0000000002DD0000-memory.dmp

Filesize
256KB

Download
memory/916-928-0x0000000002D90000-0x0000000002DD0000-memory.dmp

Filesize
256KB

Download
memory/916-126-0x0000000003280000-0x00000000032BC000-memory.dmp

Filesize
240KB

Download
memory/916-127-0x00000000070E0000-0x000000000711A000-memory.dmp

Filesize
232KB

Download
memory/2024-87-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/2024-115-0x0000000000400000-0x0000000002B9E000-memory.dmp

Filesize
39.6MB

Download
memory/2024-113-0x0000000007040000-0x0000000007080000-memory.dmp

Filesize
256KB

Download
memory/2024-112-0x0000000000400000-0x0000000002B9E000-memory.dmp

Filesize
39.6MB

Download
memory/2024-111-0x0000000007040000-0x0000000007080000-memory.dmp

Filesize
256KB

Download
memory/2024-110-0x0000000007040000-0x0000000007080000-memory.dmp

Filesize
256KB

Download
memory/2024-109-0x0000000007040000-0x0000000007080000-memory.dmp

Filesize
256KB

Download
memory/2024-108-0x00000000002A0000-0x00000000002CD000-memory.dmp

Filesize
180KB

Download
memory/2024-99-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/2024-101-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/2024-103-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/2024-105-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/2024-107-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/2024-97-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/2024-95-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/2024-83-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/2024-93-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/2024-85-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/2024-89-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/2024-91-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/2024-81-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/2024-80-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/2024-79-0x00000000048D0000-0x00000000048E8000-memory.dmp

Filesize
96KB

Download
memory/2024-78-0x00000000031B0000-0x00000000031CA000-memory.dmp

Filesize
104KB

Download