491dc8485cd1e00f0f88d473fd3734e9ea0d7c2d48f6dd4204488c2a53e6c173

Analysis

max time kernel
168s
max time network
168s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

491dc8485cd1e00f0f88d473fd3734e9ea0d7c2d48f6dd4204488c2a53e6c173.exe
Size

727KB
MD5

958279bb459a41ee7bb1c715f2e5f964
SHA1

f9a3dc04d4e65f539167ee4be1d65eb73ff5b0b5
SHA256

491dc8485cd1e00f0f88d473fd3734e9ea0d7c2d48f6dd4204488c2a53e6c173
SHA512

5dd142a17598f642d8c82c874e600e59f34c957a380c1d574205b3e3dd4ee7f41dfb8d94fdce627b7d6ef376c113236fde1f03d827ab912efd776a1114cff3ed
SSDEEP

12288:6y90OHb9UUn27JqU/AT5WOESmwqdEwnzQz5+6lt93fg9ehzZWuWBO1uO1La2S5VV:6y9b9WcjfHtwh6ltJfg8zZLW4BBMB1

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	92648985.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	92648985.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	92648985.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	92648985.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	92648985.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	92648985.exe

Executes dropped EXE 3 IoCs

pid	Process
2016	un127539.exe
760	92648985.exe
920	rk754218.exe

Loads dropped DLL 8 IoCs

pid	Process
1744	491dc8485cd1e00f0f88d473fd3734e9ea0d7c2d48f6dd4204488c2a53e6c173.exe
2016	un127539.exe
2016	un127539.exe
2016	un127539.exe
760	92648985.exe
2016	un127539.exe
2016	un127539.exe
920	rk754218.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	92648985.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	92648985.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	491dc8485cd1e00f0f88d473fd3734e9ea0d7c2d48f6dd4204488c2a53e6c173.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un127539.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un127539.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	491dc8485cd1e00f0f88d473fd3734e9ea0d7c2d48f6dd4204488c2a53e6c173.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
760	92648985.exe
760	92648985.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	760	92648985.exe
Token: SeDebugPrivilege	920	rk754218.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 2016	1744	491dc8485cd1e00f0f88d473fd3734e9ea0d7c2d48f6dd4204488c2a53e6c173.exe	28
PID 1744 wrote to memory of 2016	1744	491dc8485cd1e00f0f88d473fd3734e9ea0d7c2d48f6dd4204488c2a53e6c173.exe	28
PID 1744 wrote to memory of 2016	1744	491dc8485cd1e00f0f88d473fd3734e9ea0d7c2d48f6dd4204488c2a53e6c173.exe	28
PID 1744 wrote to memory of 2016	1744	491dc8485cd1e00f0f88d473fd3734e9ea0d7c2d48f6dd4204488c2a53e6c173.exe	28
PID 1744 wrote to memory of 2016	1744	491dc8485cd1e00f0f88d473fd3734e9ea0d7c2d48f6dd4204488c2a53e6c173.exe	28
PID 1744 wrote to memory of 2016	1744	491dc8485cd1e00f0f88d473fd3734e9ea0d7c2d48f6dd4204488c2a53e6c173.exe	28
PID 1744 wrote to memory of 2016	1744	491dc8485cd1e00f0f88d473fd3734e9ea0d7c2d48f6dd4204488c2a53e6c173.exe	28
PID 2016 wrote to memory of 760	2016	un127539.exe	29
PID 2016 wrote to memory of 760	2016	un127539.exe	29
PID 2016 wrote to memory of 760	2016	un127539.exe	29
PID 2016 wrote to memory of 760	2016	un127539.exe	29
PID 2016 wrote to memory of 760	2016	un127539.exe	29
PID 2016 wrote to memory of 760	2016	un127539.exe	29
PID 2016 wrote to memory of 760	2016	un127539.exe	29
PID 2016 wrote to memory of 920	2016	un127539.exe	30
PID 2016 wrote to memory of 920	2016	un127539.exe	30
PID 2016 wrote to memory of 920	2016	un127539.exe	30
PID 2016 wrote to memory of 920	2016	un127539.exe	30
PID 2016 wrote to memory of 920	2016	un127539.exe	30
PID 2016 wrote to memory of 920	2016	un127539.exe	30
PID 2016 wrote to memory of 920	2016	un127539.exe	30

C:\Users\Admin\AppData\Local\Temp\491dc8485cd1e00f0f88d473fd3734e9ea0d7c2d48f6dd4204488c2a53e6c173.exe
"C:\Users\Admin\AppData\Local\Temp\491dc8485cd1e00f0f88d473fd3734e9ea0d7c2d48f6dd4204488c2a53e6c173.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un127539.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un127539.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\92648985.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\92648985.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:760
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk754218.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk754218.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un127539.exe

Filesize
573KB

MD5
91bb58572b8a3bf9122f0e0aed264cc6

SHA1
cf87e1a7a478387931d89db488d9a95e856ca852

SHA256
81d33b04e75b235ced327ed53a3436b350977810fdaaa790040c38b2865229aa

SHA512
f8868601c2527f9e099cf1ad28e2031c5d2261134a703fec08b10fc877dca4a577c0d2f93d391cb7d2f9ba72847efdb66b0175b189ab20a46811d0bfd9e81db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un127539.exe

Filesize
573KB

MD5
91bb58572b8a3bf9122f0e0aed264cc6

SHA1
cf87e1a7a478387931d89db488d9a95e856ca852

SHA256
81d33b04e75b235ced327ed53a3436b350977810fdaaa790040c38b2865229aa

SHA512
f8868601c2527f9e099cf1ad28e2031c5d2261134a703fec08b10fc877dca4a577c0d2f93d391cb7d2f9ba72847efdb66b0175b189ab20a46811d0bfd9e81db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\92648985.exe

Filesize
332KB

MD5
b5919d66cfc28eecdabc13aa876b52f9

SHA1
eaede722720ecced32fa497871aa106b088c528f

SHA256
da05776ddff745794790df2537a1dda7388717144a9a2c5950a0405da48b65a7

SHA512
c202e6b111f02a2f4f23e49e8b1aab6774f14928f25eadc661155f9e7aadc1cfa1cd5e1ae1cd331eb83c235a979852a41f5a548287966687d56e37a7f37bfa57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\92648985.exe

Filesize
332KB

MD5
b5919d66cfc28eecdabc13aa876b52f9

SHA1
eaede722720ecced32fa497871aa106b088c528f

SHA256
da05776ddff745794790df2537a1dda7388717144a9a2c5950a0405da48b65a7

SHA512
c202e6b111f02a2f4f23e49e8b1aab6774f14928f25eadc661155f9e7aadc1cfa1cd5e1ae1cd331eb83c235a979852a41f5a548287966687d56e37a7f37bfa57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\92648985.exe

Filesize
332KB

MD5
b5919d66cfc28eecdabc13aa876b52f9

SHA1
eaede722720ecced32fa497871aa106b088c528f

SHA256
da05776ddff745794790df2537a1dda7388717144a9a2c5950a0405da48b65a7

SHA512
c202e6b111f02a2f4f23e49e8b1aab6774f14928f25eadc661155f9e7aadc1cfa1cd5e1ae1cd331eb83c235a979852a41f5a548287966687d56e37a7f37bfa57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk754218.exe

Filesize
415KB

MD5
8f91bd130b4e26f0d7a9e8126cd8a20f

SHA1
99072b95a03e3a940d97d5e2ae5e3a7d7612a9ea

SHA256
a96eb704fd166f53ce0a2f8e56c00f074830d116b45d83439901b4eeefba4743

SHA512
353a0027117afd135fa6a5c06efd48ee367f70f633f715941171e5de9f3f443fcf3cdefb2ef04c42f900815a08f6e36677414fdb5fed8c8562ef4f8159ba6813

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk754218.exe

Filesize
415KB

MD5
8f91bd130b4e26f0d7a9e8126cd8a20f

SHA1
99072b95a03e3a940d97d5e2ae5e3a7d7612a9ea

SHA256
a96eb704fd166f53ce0a2f8e56c00f074830d116b45d83439901b4eeefba4743

SHA512
353a0027117afd135fa6a5c06efd48ee367f70f633f715941171e5de9f3f443fcf3cdefb2ef04c42f900815a08f6e36677414fdb5fed8c8562ef4f8159ba6813

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk754218.exe

Filesize
415KB

MD5
8f91bd130b4e26f0d7a9e8126cd8a20f

SHA1
99072b95a03e3a940d97d5e2ae5e3a7d7612a9ea

SHA256
a96eb704fd166f53ce0a2f8e56c00f074830d116b45d83439901b4eeefba4743

SHA512
353a0027117afd135fa6a5c06efd48ee367f70f633f715941171e5de9f3f443fcf3cdefb2ef04c42f900815a08f6e36677414fdb5fed8c8562ef4f8159ba6813

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un127539.exe

Filesize
573KB

MD5
91bb58572b8a3bf9122f0e0aed264cc6

SHA1
cf87e1a7a478387931d89db488d9a95e856ca852

SHA256
81d33b04e75b235ced327ed53a3436b350977810fdaaa790040c38b2865229aa

SHA512
f8868601c2527f9e099cf1ad28e2031c5d2261134a703fec08b10fc877dca4a577c0d2f93d391cb7d2f9ba72847efdb66b0175b189ab20a46811d0bfd9e81db1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un127539.exe

Filesize
573KB

MD5
91bb58572b8a3bf9122f0e0aed264cc6

SHA1
cf87e1a7a478387931d89db488d9a95e856ca852

SHA256
81d33b04e75b235ced327ed53a3436b350977810fdaaa790040c38b2865229aa

SHA512
f8868601c2527f9e099cf1ad28e2031c5d2261134a703fec08b10fc877dca4a577c0d2f93d391cb7d2f9ba72847efdb66b0175b189ab20a46811d0bfd9e81db1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\92648985.exe

Filesize
332KB

MD5
b5919d66cfc28eecdabc13aa876b52f9

SHA1
eaede722720ecced32fa497871aa106b088c528f

SHA256
da05776ddff745794790df2537a1dda7388717144a9a2c5950a0405da48b65a7

SHA512
c202e6b111f02a2f4f23e49e8b1aab6774f14928f25eadc661155f9e7aadc1cfa1cd5e1ae1cd331eb83c235a979852a41f5a548287966687d56e37a7f37bfa57

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\92648985.exe

Filesize
332KB

MD5
b5919d66cfc28eecdabc13aa876b52f9

SHA1
eaede722720ecced32fa497871aa106b088c528f

SHA256
da05776ddff745794790df2537a1dda7388717144a9a2c5950a0405da48b65a7

SHA512
c202e6b111f02a2f4f23e49e8b1aab6774f14928f25eadc661155f9e7aadc1cfa1cd5e1ae1cd331eb83c235a979852a41f5a548287966687d56e37a7f37bfa57

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\92648985.exe

Filesize
332KB

MD5
b5919d66cfc28eecdabc13aa876b52f9

SHA1
eaede722720ecced32fa497871aa106b088c528f

SHA256
da05776ddff745794790df2537a1dda7388717144a9a2c5950a0405da48b65a7

SHA512
c202e6b111f02a2f4f23e49e8b1aab6774f14928f25eadc661155f9e7aadc1cfa1cd5e1ae1cd331eb83c235a979852a41f5a548287966687d56e37a7f37bfa57

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk754218.exe

Filesize
415KB

MD5
8f91bd130b4e26f0d7a9e8126cd8a20f

SHA1
99072b95a03e3a940d97d5e2ae5e3a7d7612a9ea

SHA256
a96eb704fd166f53ce0a2f8e56c00f074830d116b45d83439901b4eeefba4743

SHA512
353a0027117afd135fa6a5c06efd48ee367f70f633f715941171e5de9f3f443fcf3cdefb2ef04c42f900815a08f6e36677414fdb5fed8c8562ef4f8159ba6813

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk754218.exe

Filesize
415KB

MD5
8f91bd130b4e26f0d7a9e8126cd8a20f

SHA1
99072b95a03e3a940d97d5e2ae5e3a7d7612a9ea

SHA256
a96eb704fd166f53ce0a2f8e56c00f074830d116b45d83439901b4eeefba4743

SHA512
353a0027117afd135fa6a5c06efd48ee367f70f633f715941171e5de9f3f443fcf3cdefb2ef04c42f900815a08f6e36677414fdb5fed8c8562ef4f8159ba6813

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk754218.exe

Filesize
415KB

MD5
8f91bd130b4e26f0d7a9e8126cd8a20f

SHA1
99072b95a03e3a940d97d5e2ae5e3a7d7612a9ea

SHA256
a96eb704fd166f53ce0a2f8e56c00f074830d116b45d83439901b4eeefba4743

SHA512
353a0027117afd135fa6a5c06efd48ee367f70f633f715941171e5de9f3f443fcf3cdefb2ef04c42f900815a08f6e36677414fdb5fed8c8562ef4f8159ba6813

Download Submit
memory/760-84-0x0000000000B90000-0x0000000000BA3000-memory.dmp

Filesize
76KB

Download
memory/760-86-0x0000000000B90000-0x0000000000BA3000-memory.dmp

Filesize
76KB

Download
memory/760-88-0x0000000000B90000-0x0000000000BA3000-memory.dmp

Filesize
76KB

Download
memory/760-90-0x0000000000B90000-0x0000000000BA3000-memory.dmp

Filesize
76KB

Download
memory/760-92-0x0000000000B90000-0x0000000000BA3000-memory.dmp

Filesize
76KB

Download
memory/760-94-0x0000000000B90000-0x0000000000BA3000-memory.dmp

Filesize
76KB

Download
memory/760-96-0x0000000000B90000-0x0000000000BA3000-memory.dmp

Filesize
76KB

Download
memory/760-98-0x0000000000B90000-0x0000000000BA3000-memory.dmp

Filesize
76KB

Download
memory/760-108-0x0000000000B90000-0x0000000000BA3000-memory.dmp

Filesize
76KB

Download
memory/760-110-0x0000000000B90000-0x0000000000BA3000-memory.dmp

Filesize
76KB

Download
memory/760-106-0x0000000000B90000-0x0000000000BA3000-memory.dmp

Filesize
76KB

Download
memory/760-104-0x0000000000B90000-0x0000000000BA3000-memory.dmp

Filesize
76KB

Download
memory/760-102-0x0000000000B90000-0x0000000000BA3000-memory.dmp

Filesize
76KB

Download
memory/760-100-0x0000000000B90000-0x0000000000BA3000-memory.dmp

Filesize
76KB

Download
memory/760-111-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/760-112-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/760-83-0x0000000000B90000-0x0000000000BA3000-memory.dmp

Filesize
76KB

Download
memory/760-82-0x0000000000B90000-0x0000000000BA8000-memory.dmp

Filesize
96KB

Download
memory/760-79-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/760-81-0x0000000004C40000-0x0000000004C80000-memory.dmp

Filesize
256KB

Download
memory/760-80-0x0000000004C40000-0x0000000004C80000-memory.dmp

Filesize
256KB

Download
memory/760-78-0x00000000004B0000-0x00000000004CA000-memory.dmp

Filesize
104KB

Download
memory/920-124-0x00000000024F0000-0x000000000252A000-memory.dmp

Filesize
232KB

Download
memory/920-143-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/920-125-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/920-126-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/920-128-0x0000000000280000-0x00000000002C6000-memory.dmp

Filesize
280KB

Download
memory/920-130-0x0000000004D70000-0x0000000004DB0000-memory.dmp

Filesize
256KB

Download
memory/920-129-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/920-132-0x0000000004D70000-0x0000000004DB0000-memory.dmp

Filesize
256KB

Download
memory/920-133-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/920-135-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/920-137-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/920-139-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/920-141-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/920-123-0x00000000024B0000-0x00000000024EC000-memory.dmp

Filesize
240KB

Download
memory/920-145-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/920-147-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/920-149-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/920-151-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/920-153-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/920-155-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/920-157-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/920-159-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/920-161-0x00000000024F0000-0x0000000002525000-memory.dmp

Filesize
212KB

Download
memory/920-921-0x0000000004D70000-0x0000000004DB0000-memory.dmp

Filesize
256KB

Download
memory/920-922-0x0000000004D70000-0x0000000004DB0000-memory.dmp

Filesize
256KB

Download
memory/920-924-0x0000000004D70000-0x0000000004DB0000-memory.dmp

Filesize
256KB

Download