56cf6b59b79965565256280458c98e989433b4660c3644091f3410d661db987f

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56cf6b59b79965565256280458c98e989433b4660c3644091f3410d661db987f.exe
Size

479KB
MD5

5613f03a0c37b52aa972168a3d0036c0
SHA1

6ce1fc84ddf6ff43c2254bf557906a6f819e6702
SHA256

56cf6b59b79965565256280458c98e989433b4660c3644091f3410d661db987f
SHA512

83b140c4450257cf5eb0bd78b692693f355f480db3617f1f4219cc4a59895d99e269e81668dbaf206df140cb62934e4a364aa11a8e5019e000b385cf6329b345
SSDEEP

12288:yMrIy906hyRs/9x5c1u31uT4FskLvQbIzp2GN05UF7c:OylwRc9fXsTNGgIkq2D

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k0926720.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k0926720.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k0926720.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k0926720.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k0926720.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k0926720.exe

Executes dropped EXE 3 IoCs

pid	Process
1924	y1276762.exe
960	k0926720.exe
760	l6895564.exe

Loads dropped DLL 6 IoCs

pid	Process
1976	56cf6b59b79965565256280458c98e989433b4660c3644091f3410d661db987f.exe
1924	y1276762.exe
1924	y1276762.exe
960	k0926720.exe
1924	y1276762.exe
760	l6895564.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	k0926720.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k0926720.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	56cf6b59b79965565256280458c98e989433b4660c3644091f3410d661db987f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	56cf6b59b79965565256280458c98e989433b4660c3644091f3410d661db987f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1276762.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1276762.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
960	k0926720.exe
960	k0926720.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	960	k0926720.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1924	1976	56cf6b59b79965565256280458c98e989433b4660c3644091f3410d661db987f.exe	27
PID 1976 wrote to memory of 1924	1976	56cf6b59b79965565256280458c98e989433b4660c3644091f3410d661db987f.exe	27
PID 1976 wrote to memory of 1924	1976	56cf6b59b79965565256280458c98e989433b4660c3644091f3410d661db987f.exe	27
PID 1976 wrote to memory of 1924	1976	56cf6b59b79965565256280458c98e989433b4660c3644091f3410d661db987f.exe	27
PID 1976 wrote to memory of 1924	1976	56cf6b59b79965565256280458c98e989433b4660c3644091f3410d661db987f.exe	27
PID 1976 wrote to memory of 1924	1976	56cf6b59b79965565256280458c98e989433b4660c3644091f3410d661db987f.exe	27
PID 1976 wrote to memory of 1924	1976	56cf6b59b79965565256280458c98e989433b4660c3644091f3410d661db987f.exe	27
PID 1924 wrote to memory of 960	1924	y1276762.exe	28
PID 1924 wrote to memory of 960	1924	y1276762.exe	28
PID 1924 wrote to memory of 960	1924	y1276762.exe	28
PID 1924 wrote to memory of 960	1924	y1276762.exe	28
PID 1924 wrote to memory of 960	1924	y1276762.exe	28
PID 1924 wrote to memory of 960	1924	y1276762.exe	28
PID 1924 wrote to memory of 960	1924	y1276762.exe	28
PID 1924 wrote to memory of 760	1924	y1276762.exe	29
PID 1924 wrote to memory of 760	1924	y1276762.exe	29
PID 1924 wrote to memory of 760	1924	y1276762.exe	29
PID 1924 wrote to memory of 760	1924	y1276762.exe	29
PID 1924 wrote to memory of 760	1924	y1276762.exe	29
PID 1924 wrote to memory of 760	1924	y1276762.exe	29
PID 1924 wrote to memory of 760	1924	y1276762.exe	29

C:\Users\Admin\AppData\Local\Temp\56cf6b59b79965565256280458c98e989433b4660c3644091f3410d661db987f.exe
"C:\Users\Admin\AppData\Local\Temp\56cf6b59b79965565256280458c98e989433b4660c3644091f3410d661db987f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1276762.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1276762.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0926720.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0926720.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:960
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6895564.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6895564.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1276762.exe

Filesize
307KB

MD5
6ae3909e97b1a72bdd1703aa32bb95dc

SHA1
c6f6fffe9ff72d6be295df1f70a41ed39e38427a

SHA256
d232f87402c4dede99ba9409835c41b8ae68e64e1f80bf00aca2b3346f944133

SHA512
e4fea778994d601d6a5b1c2c98cf2d2923c4227b51d3ef893d6af38344f911fbb6abbafd0095c5902c261321a184adf7e980685b7e0c348534c334936e4cd663

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1276762.exe

Filesize
307KB

MD5
6ae3909e97b1a72bdd1703aa32bb95dc

SHA1
c6f6fffe9ff72d6be295df1f70a41ed39e38427a

SHA256
d232f87402c4dede99ba9409835c41b8ae68e64e1f80bf00aca2b3346f944133

SHA512
e4fea778994d601d6a5b1c2c98cf2d2923c4227b51d3ef893d6af38344f911fbb6abbafd0095c5902c261321a184adf7e980685b7e0c348534c334936e4cd663

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0926720.exe

Filesize
175KB

MD5
c7d6fadff898ae219c318fbcbf089074

SHA1
6fe52888061afc4123ec2b5acce921744070033f

SHA256
53c22238130fa35873d8ed59dd64d92a754c0f819b280f517987c1b481ca7e0f

SHA512
c35ad38737f7d882de570bbc09c77802f1bf5202b138e081e27f240eaf7f8419c8325d5916db4ee12a938f59c14ebe82a1059988eea1ee7b8908b187e0be2972

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0926720.exe

Filesize
175KB

MD5
c7d6fadff898ae219c318fbcbf089074

SHA1
6fe52888061afc4123ec2b5acce921744070033f

SHA256
53c22238130fa35873d8ed59dd64d92a754c0f819b280f517987c1b481ca7e0f

SHA512
c35ad38737f7d882de570bbc09c77802f1bf5202b138e081e27f240eaf7f8419c8325d5916db4ee12a938f59c14ebe82a1059988eea1ee7b8908b187e0be2972

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6895564.exe

Filesize
137KB

MD5
0391590a54e3a8508bff8df1bd3ea712

SHA1
a12b4d2b8b2a9e8668225112132787e7f1cb089d

SHA256
277c773e3d6cf1c33c852012c3e0fb4ebca5b187237e4850e0f3182252426c06

SHA512
a77baaa921a71e1eca19f6b74a2428eb5ec775098b2ff34d61fd4c5b36366b7b0910d1aa45c8d966769936e8a8263108d6875176c28b0115d1bc2bfb4ebaadc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6895564.exe

Filesize
137KB

MD5
0391590a54e3a8508bff8df1bd3ea712

SHA1
a12b4d2b8b2a9e8668225112132787e7f1cb089d

SHA256
277c773e3d6cf1c33c852012c3e0fb4ebca5b187237e4850e0f3182252426c06

SHA512
a77baaa921a71e1eca19f6b74a2428eb5ec775098b2ff34d61fd4c5b36366b7b0910d1aa45c8d966769936e8a8263108d6875176c28b0115d1bc2bfb4ebaadc6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1276762.exe

Filesize
307KB

MD5
6ae3909e97b1a72bdd1703aa32bb95dc

SHA1
c6f6fffe9ff72d6be295df1f70a41ed39e38427a

SHA256
d232f87402c4dede99ba9409835c41b8ae68e64e1f80bf00aca2b3346f944133

SHA512
e4fea778994d601d6a5b1c2c98cf2d2923c4227b51d3ef893d6af38344f911fbb6abbafd0095c5902c261321a184adf7e980685b7e0c348534c334936e4cd663

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1276762.exe

Filesize
307KB

MD5
6ae3909e97b1a72bdd1703aa32bb95dc

SHA1
c6f6fffe9ff72d6be295df1f70a41ed39e38427a

SHA256
d232f87402c4dede99ba9409835c41b8ae68e64e1f80bf00aca2b3346f944133

SHA512
e4fea778994d601d6a5b1c2c98cf2d2923c4227b51d3ef893d6af38344f911fbb6abbafd0095c5902c261321a184adf7e980685b7e0c348534c334936e4cd663

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0926720.exe

Filesize
175KB

MD5
c7d6fadff898ae219c318fbcbf089074

SHA1
6fe52888061afc4123ec2b5acce921744070033f

SHA256
53c22238130fa35873d8ed59dd64d92a754c0f819b280f517987c1b481ca7e0f

SHA512
c35ad38737f7d882de570bbc09c77802f1bf5202b138e081e27f240eaf7f8419c8325d5916db4ee12a938f59c14ebe82a1059988eea1ee7b8908b187e0be2972

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0926720.exe

Filesize
175KB

MD5
c7d6fadff898ae219c318fbcbf089074

SHA1
6fe52888061afc4123ec2b5acce921744070033f

SHA256
53c22238130fa35873d8ed59dd64d92a754c0f819b280f517987c1b481ca7e0f

SHA512
c35ad38737f7d882de570bbc09c77802f1bf5202b138e081e27f240eaf7f8419c8325d5916db4ee12a938f59c14ebe82a1059988eea1ee7b8908b187e0be2972

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6895564.exe

Filesize
137KB

MD5
0391590a54e3a8508bff8df1bd3ea712

SHA1
a12b4d2b8b2a9e8668225112132787e7f1cb089d

SHA256
277c773e3d6cf1c33c852012c3e0fb4ebca5b187237e4850e0f3182252426c06

SHA512
a77baaa921a71e1eca19f6b74a2428eb5ec775098b2ff34d61fd4c5b36366b7b0910d1aa45c8d966769936e8a8263108d6875176c28b0115d1bc2bfb4ebaadc6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6895564.exe

Filesize
137KB

MD5
0391590a54e3a8508bff8df1bd3ea712

SHA1
a12b4d2b8b2a9e8668225112132787e7f1cb089d

SHA256
277c773e3d6cf1c33c852012c3e0fb4ebca5b187237e4850e0f3182252426c06

SHA512
a77baaa921a71e1eca19f6b74a2428eb5ec775098b2ff34d61fd4c5b36366b7b0910d1aa45c8d966769936e8a8263108d6875176c28b0115d1bc2bfb4ebaadc6

Download Submit
memory/760-113-0x0000000001120000-0x0000000001148000-memory.dmp

Filesize
160KB

Download
memory/760-114-0x0000000007080000-0x00000000070C0000-memory.dmp

Filesize
256KB

Download
memory/760-115-0x0000000007080000-0x00000000070C0000-memory.dmp

Filesize
256KB

Download
memory/960-99-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/960-77-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/960-103-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/960-101-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/960-97-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/960-91-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/960-89-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/960-85-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/960-79-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/960-93-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/960-104-0x0000000004A30000-0x0000000004A70000-memory.dmp

Filesize
256KB

Download
memory/960-106-0x0000000004A30000-0x0000000004A70000-memory.dmp

Filesize
256KB

Download
memory/960-105-0x0000000004A30000-0x0000000004A70000-memory.dmp

Filesize
256KB

Download
memory/960-95-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/960-87-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/960-81-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/960-83-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/960-76-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/960-75-0x0000000000B20000-0x0000000000B38000-memory.dmp

Filesize
96KB

Download
memory/960-74-0x0000000000990000-0x00000000009AA000-memory.dmp

Filesize
104KB

Download