4d695b5e1cc2c788a47abcb61b51e8b704e0fc0c8819516678e8442d867ef36f

Analysis

max time kernel
250s
max time network
341s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d695b5e1cc2c788a47abcb61b51e8b704e0fc0c8819516678e8442d867ef36f.exe
Size

702KB
MD5

869f11955bba2c951bb305e25b3f4564
SHA1

db8c071579bba46bae21c2d628f229ac2be551aa
SHA256

4d695b5e1cc2c788a47abcb61b51e8b704e0fc0c8819516678e8442d867ef36f
SHA512

ce054e60f98adbc2800b2e45b89a85b3fd7b3bccf5c7af25f7eee9003bf861a5a2780ee23e47d6c6f8d9d401d230e4d70d91550b46011411e568f2288df486d2
SSDEEP

12288:By90exQe4Sx0QfA8WkbQouslkX6yVASyghkjEG21o9wxKX0I06evHUi:ByX+e4SnfAMsVzkYGRwsk+A0i

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	38333901.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	38333901.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	38333901.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	38333901.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	38333901.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	38333901.exe

Executes dropped EXE 3 IoCs

pid	Process
856	un336204.exe
292	38333901.exe
1856	rk436365.exe

Loads dropped DLL 8 IoCs

pid	Process
1164	4d695b5e1cc2c788a47abcb61b51e8b704e0fc0c8819516678e8442d867ef36f.exe
856	un336204.exe
856	un336204.exe
856	un336204.exe
292	38333901.exe
856	un336204.exe
856	un336204.exe
1856	rk436365.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	38333901.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	38333901.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4d695b5e1cc2c788a47abcb61b51e8b704e0fc0c8819516678e8442d867ef36f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4d695b5e1cc2c788a47abcb61b51e8b704e0fc0c8819516678e8442d867ef36f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un336204.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un336204.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
292	38333901.exe
292	38333901.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	292	38333901.exe
Token: SeDebugPrivilege	1856	rk436365.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 856	1164	4d695b5e1cc2c788a47abcb61b51e8b704e0fc0c8819516678e8442d867ef36f.exe	28
PID 1164 wrote to memory of 856	1164	4d695b5e1cc2c788a47abcb61b51e8b704e0fc0c8819516678e8442d867ef36f.exe	28
PID 1164 wrote to memory of 856	1164	4d695b5e1cc2c788a47abcb61b51e8b704e0fc0c8819516678e8442d867ef36f.exe	28
PID 1164 wrote to memory of 856	1164	4d695b5e1cc2c788a47abcb61b51e8b704e0fc0c8819516678e8442d867ef36f.exe	28
PID 1164 wrote to memory of 856	1164	4d695b5e1cc2c788a47abcb61b51e8b704e0fc0c8819516678e8442d867ef36f.exe	28
PID 1164 wrote to memory of 856	1164	4d695b5e1cc2c788a47abcb61b51e8b704e0fc0c8819516678e8442d867ef36f.exe	28
PID 1164 wrote to memory of 856	1164	4d695b5e1cc2c788a47abcb61b51e8b704e0fc0c8819516678e8442d867ef36f.exe	28
PID 856 wrote to memory of 292	856	un336204.exe	29
PID 856 wrote to memory of 292	856	un336204.exe	29
PID 856 wrote to memory of 292	856	un336204.exe	29
PID 856 wrote to memory of 292	856	un336204.exe	29
PID 856 wrote to memory of 292	856	un336204.exe	29
PID 856 wrote to memory of 292	856	un336204.exe	29
PID 856 wrote to memory of 292	856	un336204.exe	29
PID 856 wrote to memory of 1856	856	un336204.exe	30
PID 856 wrote to memory of 1856	856	un336204.exe	30
PID 856 wrote to memory of 1856	856	un336204.exe	30
PID 856 wrote to memory of 1856	856	un336204.exe	30
PID 856 wrote to memory of 1856	856	un336204.exe	30
PID 856 wrote to memory of 1856	856	un336204.exe	30
PID 856 wrote to memory of 1856	856	un336204.exe	30

C:\Users\Admin\AppData\Local\Temp\4d695b5e1cc2c788a47abcb61b51e8b704e0fc0c8819516678e8442d867ef36f.exe
"C:\Users\Admin\AppData\Local\Temp\4d695b5e1cc2c788a47abcb61b51e8b704e0fc0c8819516678e8442d867ef36f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un336204.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un336204.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\38333901.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\38333901.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:292
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk436365.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk436365.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un336204.exe

Filesize
547KB

MD5
4e7ab542a027b6a4458f9ef2a6035519

SHA1
9fe570aaadb5b73e4cfe7d7c40490cdb5961fc0b

SHA256
f0bc3e425087619e9f1593a8bbc03915439b1d300e439705c4108b999fe4d10f

SHA512
5138769fa707997277ffb448eccd04a3fe06379d8497b9c644635486043a248e06bca1d29985f031ac57de5b6264f865d8dd19fd857357584bd82d04fd300fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un336204.exe

Filesize
547KB

MD5
4e7ab542a027b6a4458f9ef2a6035519

SHA1
9fe570aaadb5b73e4cfe7d7c40490cdb5961fc0b

SHA256
f0bc3e425087619e9f1593a8bbc03915439b1d300e439705c4108b999fe4d10f

SHA512
5138769fa707997277ffb448eccd04a3fe06379d8497b9c644635486043a248e06bca1d29985f031ac57de5b6264f865d8dd19fd857357584bd82d04fd300fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\38333901.exe

Filesize
269KB

MD5
87739424568a1d230a04ce6b2824c5b7

SHA1
5073b8d5aa004d12f4bc4f24b498f14f75d0e80c

SHA256
16660866598b92229498214779388735cc72a2ed140a7e9cd5c874f835e2b416

SHA512
054e19b53811738af7ca3a52db578e2ad326b507d1c2e732374f026cf53c82f30d0826fbbdb76f2a1b24f50a469da221e280f30f3372ef03a5c82a4558f8704a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\38333901.exe

Filesize
269KB

MD5
87739424568a1d230a04ce6b2824c5b7

SHA1
5073b8d5aa004d12f4bc4f24b498f14f75d0e80c

SHA256
16660866598b92229498214779388735cc72a2ed140a7e9cd5c874f835e2b416

SHA512
054e19b53811738af7ca3a52db578e2ad326b507d1c2e732374f026cf53c82f30d0826fbbdb76f2a1b24f50a469da221e280f30f3372ef03a5c82a4558f8704a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\38333901.exe

Filesize
269KB

MD5
87739424568a1d230a04ce6b2824c5b7

SHA1
5073b8d5aa004d12f4bc4f24b498f14f75d0e80c

SHA256
16660866598b92229498214779388735cc72a2ed140a7e9cd5c874f835e2b416

SHA512
054e19b53811738af7ca3a52db578e2ad326b507d1c2e732374f026cf53c82f30d0826fbbdb76f2a1b24f50a469da221e280f30f3372ef03a5c82a4558f8704a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk436365.exe

Filesize
353KB

MD5
bfbfad9cd1f996a4138d0efdbdc8aac4

SHA1
5ab203157238f68df9020c6a31475b23779469bd

SHA256
3750440ad8ee8e3d2211afb5175d3520fd3c99d147d1f3491f4f6b4569c46683

SHA512
8ad432c1b5f0e1bd6dcc926a03bc667777afd1ed2cd5b718905b6ff4705995ca888b3139fc5bb2e878b8d1354c82adb2b491627311cc1f619afe0e3f190ae276

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk436365.exe

Filesize
353KB

MD5
bfbfad9cd1f996a4138d0efdbdc8aac4

SHA1
5ab203157238f68df9020c6a31475b23779469bd

SHA256
3750440ad8ee8e3d2211afb5175d3520fd3c99d147d1f3491f4f6b4569c46683

SHA512
8ad432c1b5f0e1bd6dcc926a03bc667777afd1ed2cd5b718905b6ff4705995ca888b3139fc5bb2e878b8d1354c82adb2b491627311cc1f619afe0e3f190ae276

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk436365.exe

Filesize
353KB

MD5
bfbfad9cd1f996a4138d0efdbdc8aac4

SHA1
5ab203157238f68df9020c6a31475b23779469bd

SHA256
3750440ad8ee8e3d2211afb5175d3520fd3c99d147d1f3491f4f6b4569c46683

SHA512
8ad432c1b5f0e1bd6dcc926a03bc667777afd1ed2cd5b718905b6ff4705995ca888b3139fc5bb2e878b8d1354c82adb2b491627311cc1f619afe0e3f190ae276

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un336204.exe

Filesize
547KB

MD5
4e7ab542a027b6a4458f9ef2a6035519

SHA1
9fe570aaadb5b73e4cfe7d7c40490cdb5961fc0b

SHA256
f0bc3e425087619e9f1593a8bbc03915439b1d300e439705c4108b999fe4d10f

SHA512
5138769fa707997277ffb448eccd04a3fe06379d8497b9c644635486043a248e06bca1d29985f031ac57de5b6264f865d8dd19fd857357584bd82d04fd300fe0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un336204.exe

Filesize
547KB

MD5
4e7ab542a027b6a4458f9ef2a6035519

SHA1
9fe570aaadb5b73e4cfe7d7c40490cdb5961fc0b

SHA256
f0bc3e425087619e9f1593a8bbc03915439b1d300e439705c4108b999fe4d10f

SHA512
5138769fa707997277ffb448eccd04a3fe06379d8497b9c644635486043a248e06bca1d29985f031ac57de5b6264f865d8dd19fd857357584bd82d04fd300fe0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\38333901.exe

Filesize
269KB

MD5
87739424568a1d230a04ce6b2824c5b7

SHA1
5073b8d5aa004d12f4bc4f24b498f14f75d0e80c

SHA256
16660866598b92229498214779388735cc72a2ed140a7e9cd5c874f835e2b416

SHA512
054e19b53811738af7ca3a52db578e2ad326b507d1c2e732374f026cf53c82f30d0826fbbdb76f2a1b24f50a469da221e280f30f3372ef03a5c82a4558f8704a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\38333901.exe

Filesize
269KB

MD5
87739424568a1d230a04ce6b2824c5b7

SHA1
5073b8d5aa004d12f4bc4f24b498f14f75d0e80c

SHA256
16660866598b92229498214779388735cc72a2ed140a7e9cd5c874f835e2b416

SHA512
054e19b53811738af7ca3a52db578e2ad326b507d1c2e732374f026cf53c82f30d0826fbbdb76f2a1b24f50a469da221e280f30f3372ef03a5c82a4558f8704a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\38333901.exe

Filesize
269KB

MD5
87739424568a1d230a04ce6b2824c5b7

SHA1
5073b8d5aa004d12f4bc4f24b498f14f75d0e80c

SHA256
16660866598b92229498214779388735cc72a2ed140a7e9cd5c874f835e2b416

SHA512
054e19b53811738af7ca3a52db578e2ad326b507d1c2e732374f026cf53c82f30d0826fbbdb76f2a1b24f50a469da221e280f30f3372ef03a5c82a4558f8704a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk436365.exe

Filesize
353KB

MD5
bfbfad9cd1f996a4138d0efdbdc8aac4

SHA1
5ab203157238f68df9020c6a31475b23779469bd

SHA256
3750440ad8ee8e3d2211afb5175d3520fd3c99d147d1f3491f4f6b4569c46683

SHA512
8ad432c1b5f0e1bd6dcc926a03bc667777afd1ed2cd5b718905b6ff4705995ca888b3139fc5bb2e878b8d1354c82adb2b491627311cc1f619afe0e3f190ae276

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk436365.exe

Filesize
353KB

MD5
bfbfad9cd1f996a4138d0efdbdc8aac4

SHA1
5ab203157238f68df9020c6a31475b23779469bd

SHA256
3750440ad8ee8e3d2211afb5175d3520fd3c99d147d1f3491f4f6b4569c46683

SHA512
8ad432c1b5f0e1bd6dcc926a03bc667777afd1ed2cd5b718905b6ff4705995ca888b3139fc5bb2e878b8d1354c82adb2b491627311cc1f619afe0e3f190ae276

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk436365.exe

Filesize
353KB

MD5
bfbfad9cd1f996a4138d0efdbdc8aac4

SHA1
5ab203157238f68df9020c6a31475b23779469bd

SHA256
3750440ad8ee8e3d2211afb5175d3520fd3c99d147d1f3491f4f6b4569c46683

SHA512
8ad432c1b5f0e1bd6dcc926a03bc667777afd1ed2cd5b718905b6ff4705995ca888b3139fc5bb2e878b8d1354c82adb2b491627311cc1f619afe0e3f190ae276

Download Submit
memory/292-114-0x0000000004810000-0x0000000004850000-memory.dmp

Filesize
256KB

Download
memory/292-89-0x00000000047D0000-0x00000000047E2000-memory.dmp

Filesize
72KB

Download
memory/292-91-0x00000000047D0000-0x00000000047E2000-memory.dmp

Filesize
72KB

Download
memory/292-93-0x00000000047D0000-0x00000000047E2000-memory.dmp

Filesize
72KB

Download
memory/292-95-0x00000000047D0000-0x00000000047E2000-memory.dmp

Filesize
72KB

Download
memory/292-97-0x00000000047D0000-0x00000000047E2000-memory.dmp

Filesize
72KB

Download
memory/292-99-0x00000000047D0000-0x00000000047E2000-memory.dmp

Filesize
72KB

Download
memory/292-101-0x00000000047D0000-0x00000000047E2000-memory.dmp

Filesize
72KB

Download
memory/292-103-0x00000000047D0000-0x00000000047E2000-memory.dmp

Filesize
72KB

Download
memory/292-105-0x00000000047D0000-0x00000000047E2000-memory.dmp

Filesize
72KB

Download
memory/292-107-0x00000000047D0000-0x00000000047E2000-memory.dmp

Filesize
72KB

Download
memory/292-108-0x0000000000290000-0x00000000002BD000-memory.dmp

Filesize
180KB

Download
memory/292-110-0x0000000004810000-0x0000000004850000-memory.dmp

Filesize
256KB

Download
memory/292-109-0x0000000004810000-0x0000000004850000-memory.dmp

Filesize
256KB

Download
memory/292-111-0x0000000000400000-0x0000000002B9E000-memory.dmp

Filesize
39.6MB

Download
memory/292-113-0x0000000004810000-0x0000000004850000-memory.dmp

Filesize
256KB

Download
memory/292-112-0x0000000004810000-0x0000000004850000-memory.dmp

Filesize
256KB

Download
memory/292-87-0x00000000047D0000-0x00000000047E2000-memory.dmp

Filesize
72KB

Download
memory/292-116-0x0000000000400000-0x0000000002B9E000-memory.dmp

Filesize
39.6MB

Download
memory/292-85-0x00000000047D0000-0x00000000047E2000-memory.dmp

Filesize
72KB

Download
memory/292-83-0x00000000047D0000-0x00000000047E2000-memory.dmp

Filesize
72KB

Download
memory/292-81-0x00000000047D0000-0x00000000047E2000-memory.dmp

Filesize
72KB

Download
memory/292-80-0x00000000047D0000-0x00000000047E2000-memory.dmp

Filesize
72KB

Download
memory/292-79-0x00000000047D0000-0x00000000047E8000-memory.dmp

Filesize
96KB

Download
memory/292-78-0x00000000030F0000-0x000000000310A000-memory.dmp

Filesize
104KB

Download
memory/1856-129-0x0000000003040000-0x0000000003086000-memory.dmp

Filesize
280KB

Download
memory/1856-146-0x0000000004930000-0x0000000004965000-memory.dmp

Filesize
212KB

Download
memory/1856-127-0x00000000048A0000-0x00000000048DC000-memory.dmp

Filesize
240KB

Download
memory/1856-131-0x00000000071F0000-0x0000000007230000-memory.dmp

Filesize
256KB

Download
memory/1856-132-0x00000000071F0000-0x0000000007230000-memory.dmp

Filesize
256KB

Download
memory/1856-130-0x00000000071F0000-0x0000000007230000-memory.dmp

Filesize
256KB

Download
memory/1856-133-0x0000000004930000-0x0000000004965000-memory.dmp

Filesize
212KB

Download
memory/1856-136-0x0000000004930000-0x0000000004965000-memory.dmp

Filesize
212KB

Download
memory/1856-134-0x0000000004930000-0x0000000004965000-memory.dmp

Filesize
212KB

Download
memory/1856-138-0x0000000004930000-0x0000000004965000-memory.dmp

Filesize
212KB

Download
memory/1856-140-0x0000000004930000-0x0000000004965000-memory.dmp

Filesize
212KB

Download
memory/1856-142-0x0000000004930000-0x0000000004965000-memory.dmp

Filesize
212KB

Download
memory/1856-144-0x0000000004930000-0x0000000004965000-memory.dmp

Filesize
212KB

Download
memory/1856-128-0x0000000004930000-0x000000000496A000-memory.dmp

Filesize
232KB

Download
memory/1856-148-0x0000000004930000-0x0000000004965000-memory.dmp

Filesize
212KB

Download
memory/1856-150-0x0000000004930000-0x0000000004965000-memory.dmp

Filesize
212KB

Download
memory/1856-152-0x0000000004930000-0x0000000004965000-memory.dmp

Filesize
212KB

Download
memory/1856-154-0x0000000004930000-0x0000000004965000-memory.dmp

Filesize
212KB

Download
memory/1856-156-0x0000000004930000-0x0000000004965000-memory.dmp

Filesize
212KB

Download
memory/1856-158-0x0000000004930000-0x0000000004965000-memory.dmp

Filesize
212KB

Download
memory/1856-160-0x0000000004930000-0x0000000004965000-memory.dmp

Filesize
212KB

Download
memory/1856-162-0x0000000004930000-0x0000000004965000-memory.dmp

Filesize
212KB

Download
memory/1856-164-0x0000000004930000-0x0000000004965000-memory.dmp

Filesize
212KB

Download
memory/1856-926-0x00000000071F0000-0x0000000007230000-memory.dmp

Filesize
256KB

Download
memory/1856-927-0x00000000071F0000-0x0000000007230000-memory.dmp

Filesize
256KB

Download
memory/1856-928-0x00000000071F0000-0x0000000007230000-memory.dmp

Filesize
256KB

Download
memory/1856-929-0x00000000071F0000-0x0000000007230000-memory.dmp

Filesize
256KB

Download
memory/1856-931-0x00000000071F0000-0x0000000007230000-memory.dmp

Filesize
256KB

Download