5a51caf6245a322f9064763a222883fd0b8df5a9394b79ccb3515da8f957ef99

Analysis

max time kernel
148s
max time network
178s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-05-2023 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a51caf6245a322f9064763a222883fd0b8df5a9394b79ccb3515da8f957ef99.exe
Size

611KB
MD5

2e59d4402bf6d7e20401858fc9a4315f
SHA1

908bda3dc9b2876b1bf6e8ee07576705517f9fc6
SHA256

5a51caf6245a322f9064763a222883fd0b8df5a9394b79ccb3515da8f957ef99
SHA512

3391a08232aa77e0a40a9aef6f526a12955d816cd782667123f303efbf8a3f3fb294a46ca9b75c25f97baf9df805590e573d40812729b00457a50600364f1906
SSDEEP

12288:4y90rNfiG2rMrSe/fJDM3uGRmRdbSlvksQBOy3kK:4yINa7qxXxHKksjyUK

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	76700185.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	76700185.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	76700185.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	76700185.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	76700185.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	76700185.exe

Executes dropped EXE 3 IoCs

pid	Process
1456	st496218.exe
668	76700185.exe
1916	kp327918.exe

Loads dropped DLL 6 IoCs

pid	Process
1316	5a51caf6245a322f9064763a222883fd0b8df5a9394b79ccb3515da8f957ef99.exe
1456	st496218.exe
1456	st496218.exe
1456	st496218.exe
1456	st496218.exe
1916	kp327918.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	76700185.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	76700185.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st496218.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5a51caf6245a322f9064763a222883fd0b8df5a9394b79ccb3515da8f957ef99.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5a51caf6245a322f9064763a222883fd0b8df5a9394b79ccb3515da8f957ef99.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	st496218.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
668	76700185.exe
668	76700185.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	668	76700185.exe
Token: SeDebugPrivilege	1916	kp327918.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 1456	1316	5a51caf6245a322f9064763a222883fd0b8df5a9394b79ccb3515da8f957ef99.exe	28
PID 1316 wrote to memory of 1456	1316	5a51caf6245a322f9064763a222883fd0b8df5a9394b79ccb3515da8f957ef99.exe	28
PID 1316 wrote to memory of 1456	1316	5a51caf6245a322f9064763a222883fd0b8df5a9394b79ccb3515da8f957ef99.exe	28
PID 1316 wrote to memory of 1456	1316	5a51caf6245a322f9064763a222883fd0b8df5a9394b79ccb3515da8f957ef99.exe	28
PID 1316 wrote to memory of 1456	1316	5a51caf6245a322f9064763a222883fd0b8df5a9394b79ccb3515da8f957ef99.exe	28
PID 1316 wrote to memory of 1456	1316	5a51caf6245a322f9064763a222883fd0b8df5a9394b79ccb3515da8f957ef99.exe	28
PID 1316 wrote to memory of 1456	1316	5a51caf6245a322f9064763a222883fd0b8df5a9394b79ccb3515da8f957ef99.exe	28
PID 1456 wrote to memory of 668	1456	st496218.exe	29
PID 1456 wrote to memory of 668	1456	st496218.exe	29
PID 1456 wrote to memory of 668	1456	st496218.exe	29
PID 1456 wrote to memory of 668	1456	st496218.exe	29
PID 1456 wrote to memory of 668	1456	st496218.exe	29
PID 1456 wrote to memory of 668	1456	st496218.exe	29
PID 1456 wrote to memory of 668	1456	st496218.exe	29
PID 1456 wrote to memory of 1916	1456	st496218.exe	30
PID 1456 wrote to memory of 1916	1456	st496218.exe	30
PID 1456 wrote to memory of 1916	1456	st496218.exe	30
PID 1456 wrote to memory of 1916	1456	st496218.exe	30
PID 1456 wrote to memory of 1916	1456	st496218.exe	30
PID 1456 wrote to memory of 1916	1456	st496218.exe	30
PID 1456 wrote to memory of 1916	1456	st496218.exe	30

C:\Users\Admin\AppData\Local\Temp\5a51caf6245a322f9064763a222883fd0b8df5a9394b79ccb3515da8f957ef99.exe
"C:\Users\Admin\AppData\Local\Temp\5a51caf6245a322f9064763a222883fd0b8df5a9394b79ccb3515da8f957ef99.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st496218.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st496218.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\76700185.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\76700185.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:668
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp327918.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp327918.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st496218.exe

Filesize
457KB

MD5
b4cb5ac49e8de9e9275f09f8d93db76a

SHA1
667d5b3162513685ae5080f539cc6c771abb0df4

SHA256
cb275f83923b743b36542e76111c6202e5d57929f2203d6e779e1db326ea942b

SHA512
8b2402ec7f2d32ef3754f50f84f0f0f2d33186dc21c2fcb2c641d05ef82f2a8ae8e590dd3d5a6397a0d844f8d3df8cae73167f2887fa979a5bab7c7e23c5c888

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st496218.exe

Filesize
457KB

MD5
b4cb5ac49e8de9e9275f09f8d93db76a

SHA1
667d5b3162513685ae5080f539cc6c771abb0df4

SHA256
cb275f83923b743b36542e76111c6202e5d57929f2203d6e779e1db326ea942b

SHA512
8b2402ec7f2d32ef3754f50f84f0f0f2d33186dc21c2fcb2c641d05ef82f2a8ae8e590dd3d5a6397a0d844f8d3df8cae73167f2887fa979a5bab7c7e23c5c888

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\76700185.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\76700185.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp327918.exe

Filesize
460KB

MD5
680d0a02b262bbc55f6d87785eefbd19

SHA1
c249c60ae63fe2cca04872c3426bd3bbd1500fd5

SHA256
8bedf7d2e142f51f07af9b739296dadbf98c2bdea0cad123544c5c7e58f35245

SHA512
8c93a03d5ae78890b664a309bd3b1973176e76531f029cd55843555e9e197832f869d9189a4ccc931c91fffb0f8ac60d3e2ce6e2423857fd52c3a021838466ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp327918.exe

Filesize
460KB

MD5
680d0a02b262bbc55f6d87785eefbd19

SHA1
c249c60ae63fe2cca04872c3426bd3bbd1500fd5

SHA256
8bedf7d2e142f51f07af9b739296dadbf98c2bdea0cad123544c5c7e58f35245

SHA512
8c93a03d5ae78890b664a309bd3b1973176e76531f029cd55843555e9e197832f869d9189a4ccc931c91fffb0f8ac60d3e2ce6e2423857fd52c3a021838466ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp327918.exe

Filesize
460KB

MD5
680d0a02b262bbc55f6d87785eefbd19

SHA1
c249c60ae63fe2cca04872c3426bd3bbd1500fd5

SHA256
8bedf7d2e142f51f07af9b739296dadbf98c2bdea0cad123544c5c7e58f35245

SHA512
8c93a03d5ae78890b664a309bd3b1973176e76531f029cd55843555e9e197832f869d9189a4ccc931c91fffb0f8ac60d3e2ce6e2423857fd52c3a021838466ec

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st496218.exe

Filesize
457KB

MD5
b4cb5ac49e8de9e9275f09f8d93db76a

SHA1
667d5b3162513685ae5080f539cc6c771abb0df4

SHA256
cb275f83923b743b36542e76111c6202e5d57929f2203d6e779e1db326ea942b

SHA512
8b2402ec7f2d32ef3754f50f84f0f0f2d33186dc21c2fcb2c641d05ef82f2a8ae8e590dd3d5a6397a0d844f8d3df8cae73167f2887fa979a5bab7c7e23c5c888

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st496218.exe

Filesize
457KB

MD5
b4cb5ac49e8de9e9275f09f8d93db76a

SHA1
667d5b3162513685ae5080f539cc6c771abb0df4

SHA256
cb275f83923b743b36542e76111c6202e5d57929f2203d6e779e1db326ea942b

SHA512
8b2402ec7f2d32ef3754f50f84f0f0f2d33186dc21c2fcb2c641d05ef82f2a8ae8e590dd3d5a6397a0d844f8d3df8cae73167f2887fa979a5bab7c7e23c5c888

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\76700185.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp327918.exe

Filesize
460KB

MD5
680d0a02b262bbc55f6d87785eefbd19

SHA1
c249c60ae63fe2cca04872c3426bd3bbd1500fd5

SHA256
8bedf7d2e142f51f07af9b739296dadbf98c2bdea0cad123544c5c7e58f35245

SHA512
8c93a03d5ae78890b664a309bd3b1973176e76531f029cd55843555e9e197832f869d9189a4ccc931c91fffb0f8ac60d3e2ce6e2423857fd52c3a021838466ec

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp327918.exe

Filesize
460KB

MD5
680d0a02b262bbc55f6d87785eefbd19

SHA1
c249c60ae63fe2cca04872c3426bd3bbd1500fd5

SHA256
8bedf7d2e142f51f07af9b739296dadbf98c2bdea0cad123544c5c7e58f35245

SHA512
8c93a03d5ae78890b664a309bd3b1973176e76531f029cd55843555e9e197832f869d9189a4ccc931c91fffb0f8ac60d3e2ce6e2423857fd52c3a021838466ec

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp327918.exe

Filesize
460KB

MD5
680d0a02b262bbc55f6d87785eefbd19

SHA1
c249c60ae63fe2cca04872c3426bd3bbd1500fd5

SHA256
8bedf7d2e142f51f07af9b739296dadbf98c2bdea0cad123544c5c7e58f35245

SHA512
8c93a03d5ae78890b664a309bd3b1973176e76531f029cd55843555e9e197832f869d9189a4ccc931c91fffb0f8ac60d3e2ce6e2423857fd52c3a021838466ec

Download Submit
memory/668-72-0x0000000001310000-0x000000000131A000-memory.dmp

Filesize
40KB

Download
memory/1916-103-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-117-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-85-0x0000000004FF0000-0x0000000005030000-memory.dmp

Filesize
256KB

Download
memory/1916-86-0x0000000002520000-0x000000000255C000-memory.dmp

Filesize
240KB

Download
memory/1916-87-0x0000000002560000-0x000000000259A000-memory.dmp

Filesize
232KB

Download
memory/1916-88-0x0000000004FF0000-0x0000000005030000-memory.dmp

Filesize
256KB

Download
memory/1916-89-0x0000000004FF0000-0x0000000005030000-memory.dmp

Filesize
256KB

Download
memory/1916-90-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-91-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-93-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-95-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-97-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-99-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-101-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-83-0x0000000000240000-0x0000000000286000-memory.dmp

Filesize
280KB

Download
memory/1916-105-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-107-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-109-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-111-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-113-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-115-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-84-0x0000000000400000-0x0000000000818000-memory.dmp

Filesize
4.1MB

Download
memory/1916-119-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-121-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-123-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-125-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-127-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-129-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-131-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-133-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-135-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-137-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-139-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-141-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-143-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-145-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-147-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-149-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-151-0x0000000002560000-0x0000000002595000-memory.dmp

Filesize
212KB

Download
memory/1916-883-0x0000000004FF0000-0x0000000005030000-memory.dmp

Filesize
256KB

Download
memory/1916-885-0x0000000004FF0000-0x0000000005030000-memory.dmp

Filesize
256KB

Download
memory/1916-886-0x0000000004FF0000-0x0000000005030000-memory.dmp

Filesize
256KB

Download