58040f3feee721fff6e6fc62e986a6462f9ad8485a5d29d463e9869a7c232319

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-05-2023 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58040f3feee721fff6e6fc62e986a6462f9ad8485a5d29d463e9869a7c232319.exe
Size

480KB
MD5

fd7bbd313416dfe87fddad9c104bf4bc
SHA1

cb81658f3475838486ae2dfb32e08a4ca32f7bec
SHA256

58040f3feee721fff6e6fc62e986a6462f9ad8485a5d29d463e9869a7c232319
SHA512

ac1f7001f766a6e65701c74e2ea70d22a959a93f829962ede5bf474259b72150934b6137b145cdccd40a5d543ff4adc32f697b3d10bfde983d144edac3143078
SSDEEP

6144:KVy+bnr+Ip0yN90QEFHs4lKeE9eps3N4x5tOMIxRIFTUtP+0l6+0yDflnib/JBkq:bMrUy90k4lKBTi5kMbTUFl6Afln6/E+

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k7815453.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k7815453.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k7815453.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k7815453.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k7815453.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k7815453.exe

Executes dropped EXE 3 IoCs

pid	Process
2012	y7850969.exe
1020	k7815453.exe
1684	l3237088.exe

Loads dropped DLL 6 IoCs

pid	Process
1060	58040f3feee721fff6e6fc62e986a6462f9ad8485a5d29d463e9869a7c232319.exe
2012	y7850969.exe
2012	y7850969.exe
1020	k7815453.exe
2012	y7850969.exe
1684	l3237088.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	k7815453.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k7815453.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	58040f3feee721fff6e6fc62e986a6462f9ad8485a5d29d463e9869a7c232319.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	58040f3feee721fff6e6fc62e986a6462f9ad8485a5d29d463e9869a7c232319.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y7850969.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y7850969.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1020	k7815453.exe
1020	k7815453.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1020	k7815453.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 2012	1060	58040f3feee721fff6e6fc62e986a6462f9ad8485a5d29d463e9869a7c232319.exe	27
PID 1060 wrote to memory of 2012	1060	58040f3feee721fff6e6fc62e986a6462f9ad8485a5d29d463e9869a7c232319.exe	27
PID 1060 wrote to memory of 2012	1060	58040f3feee721fff6e6fc62e986a6462f9ad8485a5d29d463e9869a7c232319.exe	27
PID 1060 wrote to memory of 2012	1060	58040f3feee721fff6e6fc62e986a6462f9ad8485a5d29d463e9869a7c232319.exe	27
PID 1060 wrote to memory of 2012	1060	58040f3feee721fff6e6fc62e986a6462f9ad8485a5d29d463e9869a7c232319.exe	27
PID 1060 wrote to memory of 2012	1060	58040f3feee721fff6e6fc62e986a6462f9ad8485a5d29d463e9869a7c232319.exe	27
PID 1060 wrote to memory of 2012	1060	58040f3feee721fff6e6fc62e986a6462f9ad8485a5d29d463e9869a7c232319.exe	27
PID 2012 wrote to memory of 1020	2012	y7850969.exe	28
PID 2012 wrote to memory of 1020	2012	y7850969.exe	28
PID 2012 wrote to memory of 1020	2012	y7850969.exe	28
PID 2012 wrote to memory of 1020	2012	y7850969.exe	28
PID 2012 wrote to memory of 1020	2012	y7850969.exe	28
PID 2012 wrote to memory of 1020	2012	y7850969.exe	28
PID 2012 wrote to memory of 1020	2012	y7850969.exe	28
PID 2012 wrote to memory of 1684	2012	y7850969.exe	29
PID 2012 wrote to memory of 1684	2012	y7850969.exe	29
PID 2012 wrote to memory of 1684	2012	y7850969.exe	29
PID 2012 wrote to memory of 1684	2012	y7850969.exe	29
PID 2012 wrote to memory of 1684	2012	y7850969.exe	29
PID 2012 wrote to memory of 1684	2012	y7850969.exe	29
PID 2012 wrote to memory of 1684	2012	y7850969.exe	29

C:\Users\Admin\AppData\Local\Temp\58040f3feee721fff6e6fc62e986a6462f9ad8485a5d29d463e9869a7c232319.exe
"C:\Users\Admin\AppData\Local\Temp\58040f3feee721fff6e6fc62e986a6462f9ad8485a5d29d463e9869a7c232319.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7850969.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7850969.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7815453.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7815453.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1020
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3237088.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3237088.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7850969.exe

Filesize
308KB

MD5
be27fd153053198b678edf35064169a7

SHA1
1b0876ebc7226743b7878ec2f3e57e52f5f1e138

SHA256
1a056863a81f40724c27ee77d5432a43c60526009c1292fce4556e75a5e5c148

SHA512
6a4f4037422010a055ad8ec1652d7e14c40daea1dcd98ec46fb66c1325bf7e0ce766ad3291ce28107b2506b84f84fb3945c90ec66c4f0b8631ebad3ff12adcfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7850969.exe

Filesize
308KB

MD5
be27fd153053198b678edf35064169a7

SHA1
1b0876ebc7226743b7878ec2f3e57e52f5f1e138

SHA256
1a056863a81f40724c27ee77d5432a43c60526009c1292fce4556e75a5e5c148

SHA512
6a4f4037422010a055ad8ec1652d7e14c40daea1dcd98ec46fb66c1325bf7e0ce766ad3291ce28107b2506b84f84fb3945c90ec66c4f0b8631ebad3ff12adcfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7815453.exe

Filesize
175KB

MD5
f1ac76a6bbf434763908e06abf8cb5fc

SHA1
3e96465ed99d15efe9996a1a0248c429882eec88

SHA256
4923c187145b1e822a3beb7868166ed43e159b13ae3d89606e7d3019b418c8b3

SHA512
c504dae1999c7c65d5e55597146bd278f89d080d9d07debdc9f493c8fbc3ff0d3c261660e07ea666b1837a0df3bbfd38b1107e4680313ddbd94fe28e78534049

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7815453.exe

Filesize
175KB

MD5
f1ac76a6bbf434763908e06abf8cb5fc

SHA1
3e96465ed99d15efe9996a1a0248c429882eec88

SHA256
4923c187145b1e822a3beb7868166ed43e159b13ae3d89606e7d3019b418c8b3

SHA512
c504dae1999c7c65d5e55597146bd278f89d080d9d07debdc9f493c8fbc3ff0d3c261660e07ea666b1837a0df3bbfd38b1107e4680313ddbd94fe28e78534049

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3237088.exe

Filesize
136KB

MD5
2fdd14078cf0d9e61417f82476797cfe

SHA1
bd5c98b60c515eb68aa4be41d32f5107f9f206e3

SHA256
1953a613971ced35646f9c7f9dab8190419377555c449227658b6c45b394f9c4

SHA512
4511453fabfd015290f152868e0b5629a98f9f45d36995b8fd09fd3dd539c14a5c5cdabbd8c5d872b128c4caadde004c1f68bfbeeec22ed50b2a5ab423f7e3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3237088.exe

Filesize
136KB

MD5
2fdd14078cf0d9e61417f82476797cfe

SHA1
bd5c98b60c515eb68aa4be41d32f5107f9f206e3

SHA256
1953a613971ced35646f9c7f9dab8190419377555c449227658b6c45b394f9c4

SHA512
4511453fabfd015290f152868e0b5629a98f9f45d36995b8fd09fd3dd539c14a5c5cdabbd8c5d872b128c4caadde004c1f68bfbeeec22ed50b2a5ab423f7e3b0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7850969.exe

Filesize
308KB

MD5
be27fd153053198b678edf35064169a7

SHA1
1b0876ebc7226743b7878ec2f3e57e52f5f1e138

SHA256
1a056863a81f40724c27ee77d5432a43c60526009c1292fce4556e75a5e5c148

SHA512
6a4f4037422010a055ad8ec1652d7e14c40daea1dcd98ec46fb66c1325bf7e0ce766ad3291ce28107b2506b84f84fb3945c90ec66c4f0b8631ebad3ff12adcfe

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7850969.exe

Filesize
308KB

MD5
be27fd153053198b678edf35064169a7

SHA1
1b0876ebc7226743b7878ec2f3e57e52f5f1e138

SHA256
1a056863a81f40724c27ee77d5432a43c60526009c1292fce4556e75a5e5c148

SHA512
6a4f4037422010a055ad8ec1652d7e14c40daea1dcd98ec46fb66c1325bf7e0ce766ad3291ce28107b2506b84f84fb3945c90ec66c4f0b8631ebad3ff12adcfe

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7815453.exe

Filesize
175KB

MD5
f1ac76a6bbf434763908e06abf8cb5fc

SHA1
3e96465ed99d15efe9996a1a0248c429882eec88

SHA256
4923c187145b1e822a3beb7868166ed43e159b13ae3d89606e7d3019b418c8b3

SHA512
c504dae1999c7c65d5e55597146bd278f89d080d9d07debdc9f493c8fbc3ff0d3c261660e07ea666b1837a0df3bbfd38b1107e4680313ddbd94fe28e78534049

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7815453.exe

Filesize
175KB

MD5
f1ac76a6bbf434763908e06abf8cb5fc

SHA1
3e96465ed99d15efe9996a1a0248c429882eec88

SHA256
4923c187145b1e822a3beb7868166ed43e159b13ae3d89606e7d3019b418c8b3

SHA512
c504dae1999c7c65d5e55597146bd278f89d080d9d07debdc9f493c8fbc3ff0d3c261660e07ea666b1837a0df3bbfd38b1107e4680313ddbd94fe28e78534049

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3237088.exe

Filesize
136KB

MD5
2fdd14078cf0d9e61417f82476797cfe

SHA1
bd5c98b60c515eb68aa4be41d32f5107f9f206e3

SHA256
1953a613971ced35646f9c7f9dab8190419377555c449227658b6c45b394f9c4

SHA512
4511453fabfd015290f152868e0b5629a98f9f45d36995b8fd09fd3dd539c14a5c5cdabbd8c5d872b128c4caadde004c1f68bfbeeec22ed50b2a5ab423f7e3b0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3237088.exe

Filesize
136KB

MD5
2fdd14078cf0d9e61417f82476797cfe

SHA1
bd5c98b60c515eb68aa4be41d32f5107f9f206e3

SHA256
1953a613971ced35646f9c7f9dab8190419377555c449227658b6c45b394f9c4

SHA512
4511453fabfd015290f152868e0b5629a98f9f45d36995b8fd09fd3dd539c14a5c5cdabbd8c5d872b128c4caadde004c1f68bfbeeec22ed50b2a5ab423f7e3b0

Download Submit
memory/1020-85-0x0000000002130000-0x0000000002142000-memory.dmp

Filesize
72KB

Download
memory/1020-99-0x0000000002130000-0x0000000002142000-memory.dmp

Filesize
72KB

Download
memory/1020-78-0x0000000002130000-0x0000000002142000-memory.dmp

Filesize
72KB

Download
memory/1020-83-0x0000000002130000-0x0000000002142000-memory.dmp

Filesize
72KB

Download
memory/1020-79-0x0000000002130000-0x0000000002142000-memory.dmp

Filesize
72KB

Download
memory/1020-87-0x0000000002130000-0x0000000002142000-memory.dmp

Filesize
72KB

Download
memory/1020-89-0x0000000002130000-0x0000000002142000-memory.dmp

Filesize
72KB

Download
memory/1020-91-0x0000000002130000-0x0000000002142000-memory.dmp

Filesize
72KB

Download
memory/1020-93-0x0000000002130000-0x0000000002142000-memory.dmp

Filesize
72KB

Download
memory/1020-95-0x0000000002130000-0x0000000002142000-memory.dmp

Filesize
72KB

Download
memory/1020-97-0x0000000002130000-0x0000000002142000-memory.dmp

Filesize
72KB

Download
memory/1020-81-0x0000000002130000-0x0000000002142000-memory.dmp

Filesize
72KB

Download
memory/1020-101-0x0000000002130000-0x0000000002142000-memory.dmp

Filesize
72KB

Download
memory/1020-103-0x0000000002130000-0x0000000002142000-memory.dmp

Filesize
72KB

Download
memory/1020-105-0x0000000002130000-0x0000000002142000-memory.dmp

Filesize
72KB

Download
memory/1020-76-0x0000000004940000-0x0000000004980000-memory.dmp

Filesize
256KB

Download
memory/1020-77-0x0000000004940000-0x0000000004980000-memory.dmp

Filesize
256KB

Download
memory/1020-75-0x0000000002130000-0x0000000002148000-memory.dmp

Filesize
96KB

Download
memory/1020-74-0x00000000020C0000-0x00000000020DA000-memory.dmp

Filesize
104KB

Download
memory/1684-112-0x0000000000E30000-0x0000000000E58000-memory.dmp

Filesize
160KB

Download
memory/1684-113-0x0000000006FE0000-0x0000000007020000-memory.dmp

Filesize
256KB

Download