548491da939d0a2a2b7fefea839e64c1308fcb316ffe565472d7fb741162233a

Analysis

max time kernel
145s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 21:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

548491da939d0a2a2b7fefea839e64c1308fcb316ffe565472d7fb741162233a.exe
Size

618KB
MD5

6dddf290c165ac0718e85db80cf4b419
SHA1

09b056f86dfeccc6a0d606c1ce63360865409255
SHA256

548491da939d0a2a2b7fefea839e64c1308fcb316ffe565472d7fb741162233a
SHA512

9477b33283c9fcf70eb0ea457173e29aa46e7c420b376f0b2791302a163442ddf4bb586d6e85026189582b11b20197558fdeae0f055825ce87328fd8f45bac5a
SSDEEP

12288:Ky908BzWkIxp68nis5y4eRPclNPDBF1GsqojQS:KyDwxnis5rhlFht1

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	13892538.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	13892538.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	13892538.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	13892538.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	13892538.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	13892538.exe

Executes dropped EXE 3 IoCs

pid	Process
924	st452156.exe
1424	13892538.exe
1180	kp974505.exe

Loads dropped DLL 6 IoCs

pid	Process
1776	548491da939d0a2a2b7fefea839e64c1308fcb316ffe565472d7fb741162233a.exe
924	st452156.exe
924	st452156.exe
924	st452156.exe
924	st452156.exe
1180	kp974505.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	13892538.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	13892538.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	548491da939d0a2a2b7fefea839e64c1308fcb316ffe565472d7fb741162233a.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	st452156.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st452156.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	548491da939d0a2a2b7fefea839e64c1308fcb316ffe565472d7fb741162233a.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1424	13892538.exe
1424	13892538.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1424	13892538.exe
Token: SeDebugPrivilege	1180	kp974505.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 924	1776	548491da939d0a2a2b7fefea839e64c1308fcb316ffe565472d7fb741162233a.exe	28
PID 1776 wrote to memory of 924	1776	548491da939d0a2a2b7fefea839e64c1308fcb316ffe565472d7fb741162233a.exe	28
PID 1776 wrote to memory of 924	1776	548491da939d0a2a2b7fefea839e64c1308fcb316ffe565472d7fb741162233a.exe	28
PID 1776 wrote to memory of 924	1776	548491da939d0a2a2b7fefea839e64c1308fcb316ffe565472d7fb741162233a.exe	28
PID 1776 wrote to memory of 924	1776	548491da939d0a2a2b7fefea839e64c1308fcb316ffe565472d7fb741162233a.exe	28
PID 1776 wrote to memory of 924	1776	548491da939d0a2a2b7fefea839e64c1308fcb316ffe565472d7fb741162233a.exe	28
PID 1776 wrote to memory of 924	1776	548491da939d0a2a2b7fefea839e64c1308fcb316ffe565472d7fb741162233a.exe	28
PID 924 wrote to memory of 1424	924	st452156.exe	29
PID 924 wrote to memory of 1424	924	st452156.exe	29
PID 924 wrote to memory of 1424	924	st452156.exe	29
PID 924 wrote to memory of 1424	924	st452156.exe	29
PID 924 wrote to memory of 1424	924	st452156.exe	29
PID 924 wrote to memory of 1424	924	st452156.exe	29
PID 924 wrote to memory of 1424	924	st452156.exe	29
PID 924 wrote to memory of 1180	924	st452156.exe	30
PID 924 wrote to memory of 1180	924	st452156.exe	30
PID 924 wrote to memory of 1180	924	st452156.exe	30
PID 924 wrote to memory of 1180	924	st452156.exe	30
PID 924 wrote to memory of 1180	924	st452156.exe	30
PID 924 wrote to memory of 1180	924	st452156.exe	30
PID 924 wrote to memory of 1180	924	st452156.exe	30

C:\Users\Admin\AppData\Local\Temp\548491da939d0a2a2b7fefea839e64c1308fcb316ffe565472d7fb741162233a.exe
"C:\Users\Admin\AppData\Local\Temp\548491da939d0a2a2b7fefea839e64c1308fcb316ffe565472d7fb741162233a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st452156.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st452156.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13892538.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13892538.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1424
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp974505.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp974505.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st452156.exe

Filesize
464KB

MD5
e1e6f32970955b3c700aee2a4bf2e5be

SHA1
c7da889706ff303953586c055d661a9fc51b02ed

SHA256
be6e6e63ec005738b02d12ffe57e834f7b9bc248f201f706c071a63f2a70d5f5

SHA512
6fe4be48c3f73d2cccddddc37fa045f988de20c3c8c2be681250e783309161b2db9ea2adadf04a250248a1601d305d20952f5dfade3ac858f7442854590e79bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st452156.exe

Filesize
464KB

MD5
e1e6f32970955b3c700aee2a4bf2e5be

SHA1
c7da889706ff303953586c055d661a9fc51b02ed

SHA256
be6e6e63ec005738b02d12ffe57e834f7b9bc248f201f706c071a63f2a70d5f5

SHA512
6fe4be48c3f73d2cccddddc37fa045f988de20c3c8c2be681250e783309161b2db9ea2adadf04a250248a1601d305d20952f5dfade3ac858f7442854590e79bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13892538.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13892538.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp974505.exe

Filesize
478KB

MD5
16fb8f06605b4b3853fe822261e0d67d

SHA1
c7f5308ecd5e4d7ec8ec9bd90f24d7f264ee3fea

SHA256
4113ccceba5a2af5cf40b201d6d6a426e90d206d69baedd0b5b82845471b12a2

SHA512
8cf16fd0dd59847ebdd2373057800220c873783f81806443261d6c1649898013990a062f9ff7d9a9ae9fbea2f0729c80bc828faf23510c73992cf1303ee45658

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp974505.exe

Filesize
478KB

MD5
16fb8f06605b4b3853fe822261e0d67d

SHA1
c7f5308ecd5e4d7ec8ec9bd90f24d7f264ee3fea

SHA256
4113ccceba5a2af5cf40b201d6d6a426e90d206d69baedd0b5b82845471b12a2

SHA512
8cf16fd0dd59847ebdd2373057800220c873783f81806443261d6c1649898013990a062f9ff7d9a9ae9fbea2f0729c80bc828faf23510c73992cf1303ee45658

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp974505.exe

Filesize
478KB

MD5
16fb8f06605b4b3853fe822261e0d67d

SHA1
c7f5308ecd5e4d7ec8ec9bd90f24d7f264ee3fea

SHA256
4113ccceba5a2af5cf40b201d6d6a426e90d206d69baedd0b5b82845471b12a2

SHA512
8cf16fd0dd59847ebdd2373057800220c873783f81806443261d6c1649898013990a062f9ff7d9a9ae9fbea2f0729c80bc828faf23510c73992cf1303ee45658

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st452156.exe

Filesize
464KB

MD5
e1e6f32970955b3c700aee2a4bf2e5be

SHA1
c7da889706ff303953586c055d661a9fc51b02ed

SHA256
be6e6e63ec005738b02d12ffe57e834f7b9bc248f201f706c071a63f2a70d5f5

SHA512
6fe4be48c3f73d2cccddddc37fa045f988de20c3c8c2be681250e783309161b2db9ea2adadf04a250248a1601d305d20952f5dfade3ac858f7442854590e79bd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st452156.exe

Filesize
464KB

MD5
e1e6f32970955b3c700aee2a4bf2e5be

SHA1
c7da889706ff303953586c055d661a9fc51b02ed

SHA256
be6e6e63ec005738b02d12ffe57e834f7b9bc248f201f706c071a63f2a70d5f5

SHA512
6fe4be48c3f73d2cccddddc37fa045f988de20c3c8c2be681250e783309161b2db9ea2adadf04a250248a1601d305d20952f5dfade3ac858f7442854590e79bd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\13892538.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp974505.exe

Filesize
478KB

MD5
16fb8f06605b4b3853fe822261e0d67d

SHA1
c7f5308ecd5e4d7ec8ec9bd90f24d7f264ee3fea

SHA256
4113ccceba5a2af5cf40b201d6d6a426e90d206d69baedd0b5b82845471b12a2

SHA512
8cf16fd0dd59847ebdd2373057800220c873783f81806443261d6c1649898013990a062f9ff7d9a9ae9fbea2f0729c80bc828faf23510c73992cf1303ee45658

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp974505.exe

Filesize
478KB

MD5
16fb8f06605b4b3853fe822261e0d67d

SHA1
c7f5308ecd5e4d7ec8ec9bd90f24d7f264ee3fea

SHA256
4113ccceba5a2af5cf40b201d6d6a426e90d206d69baedd0b5b82845471b12a2

SHA512
8cf16fd0dd59847ebdd2373057800220c873783f81806443261d6c1649898013990a062f9ff7d9a9ae9fbea2f0729c80bc828faf23510c73992cf1303ee45658

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp974505.exe

Filesize
478KB

MD5
16fb8f06605b4b3853fe822261e0d67d

SHA1
c7f5308ecd5e4d7ec8ec9bd90f24d7f264ee3fea

SHA256
4113ccceba5a2af5cf40b201d6d6a426e90d206d69baedd0b5b82845471b12a2

SHA512
8cf16fd0dd59847ebdd2373057800220c873783f81806443261d6c1649898013990a062f9ff7d9a9ae9fbea2f0729c80bc828faf23510c73992cf1303ee45658

Download Submit
memory/1180-103-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-119-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-84-0x0000000002360000-0x000000000239C000-memory.dmp

Filesize
240KB

Download
memory/1180-85-0x00000000023A0000-0x00000000023DA000-memory.dmp

Filesize
232KB

Download
memory/1180-86-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-89-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-87-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-91-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-93-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-95-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-97-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-99-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-101-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-882-0x0000000004FC0000-0x0000000005000000-memory.dmp

Filesize
256KB

Download
memory/1180-105-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-107-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-109-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-111-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-113-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-115-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-117-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-83-0x00000000003A0000-0x00000000003E6000-memory.dmp

Filesize
280KB

Download
memory/1180-121-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-123-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-125-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-127-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-129-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-131-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-133-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-135-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-137-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-139-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-145-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-147-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-144-0x0000000004FC0000-0x0000000005000000-memory.dmp

Filesize
256KB

Download
memory/1180-142-0x0000000004FC0000-0x0000000005000000-memory.dmp

Filesize
256KB

Download
memory/1180-141-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-149-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-151-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/1180-880-0x0000000004FC0000-0x0000000005000000-memory.dmp

Filesize
256KB

Download
memory/1424-72-0x0000000000380000-0x000000000038A000-memory.dmp

Filesize
40KB

Download