6b02adf248b00f8b3ad6365c5c7a257ea16138890d0610b5f840cd7db9791f6f

Analysis

max time kernel
150s
max time network
169s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 22:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6b02adf248b00f8b3ad6365c5c7a257ea16138890d0610b5f840cd7db9791f6f.exe
Size

565KB
MD5

358bc492b89a189577f11d4f77ac89b4
SHA1

509acdae84acd2e8f053e9756b794c248fc3cd79
SHA256

6b02adf248b00f8b3ad6365c5c7a257ea16138890d0610b5f840cd7db9791f6f
SHA512

5df0fd26c1e16d643209528c67db23bcdfa7847e6f9c8cb7564e95fe9766ffa82faa59161ab34c4d61ad5b46ddf1f56761099fb8a998cbf606dccb92c9d0eac8
SSDEEP

12288:zMrIy90XGYyAel32z/qgfb0UksOZSWiE4YKsF9OK2zakQ:TyNYN627BfwNDRJFT6akQ

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a8688582.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a8688582.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a8688582.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a8688582.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a8688582.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a8688582.exe

Executes dropped EXE 3 IoCs

pid	Process
1284	v9600108.exe
576	a8688582.exe
828	b7762460.exe

Loads dropped DLL 7 IoCs

pid	Process
928	6b02adf248b00f8b3ad6365c5c7a257ea16138890d0610b5f840cd7db9791f6f.exe
1284	v9600108.exe
1284	v9600108.exe
1284	v9600108.exe
576	a8688582.exe
1284	v9600108.exe
828	b7762460.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	a8688582.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a8688582.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6b02adf248b00f8b3ad6365c5c7a257ea16138890d0610b5f840cd7db9791f6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6b02adf248b00f8b3ad6365c5c7a257ea16138890d0610b5f840cd7db9791f6f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v9600108.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v9600108.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
576	a8688582.exe
576	a8688582.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	576	a8688582.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 928 wrote to memory of 1284	928	6b02adf248b00f8b3ad6365c5c7a257ea16138890d0610b5f840cd7db9791f6f.exe	28
PID 928 wrote to memory of 1284	928	6b02adf248b00f8b3ad6365c5c7a257ea16138890d0610b5f840cd7db9791f6f.exe	28
PID 928 wrote to memory of 1284	928	6b02adf248b00f8b3ad6365c5c7a257ea16138890d0610b5f840cd7db9791f6f.exe	28
PID 928 wrote to memory of 1284	928	6b02adf248b00f8b3ad6365c5c7a257ea16138890d0610b5f840cd7db9791f6f.exe	28
PID 928 wrote to memory of 1284	928	6b02adf248b00f8b3ad6365c5c7a257ea16138890d0610b5f840cd7db9791f6f.exe	28
PID 928 wrote to memory of 1284	928	6b02adf248b00f8b3ad6365c5c7a257ea16138890d0610b5f840cd7db9791f6f.exe	28
PID 928 wrote to memory of 1284	928	6b02adf248b00f8b3ad6365c5c7a257ea16138890d0610b5f840cd7db9791f6f.exe	28
PID 1284 wrote to memory of 576	1284	v9600108.exe	29
PID 1284 wrote to memory of 576	1284	v9600108.exe	29
PID 1284 wrote to memory of 576	1284	v9600108.exe	29
PID 1284 wrote to memory of 576	1284	v9600108.exe	29
PID 1284 wrote to memory of 576	1284	v9600108.exe	29
PID 1284 wrote to memory of 576	1284	v9600108.exe	29
PID 1284 wrote to memory of 576	1284	v9600108.exe	29
PID 1284 wrote to memory of 828	1284	v9600108.exe	30
PID 1284 wrote to memory of 828	1284	v9600108.exe	30
PID 1284 wrote to memory of 828	1284	v9600108.exe	30
PID 1284 wrote to memory of 828	1284	v9600108.exe	30
PID 1284 wrote to memory of 828	1284	v9600108.exe	30
PID 1284 wrote to memory of 828	1284	v9600108.exe	30
PID 1284 wrote to memory of 828	1284	v9600108.exe	30

C:\Users\Admin\AppData\Local\Temp\6b02adf248b00f8b3ad6365c5c7a257ea16138890d0610b5f840cd7db9791f6f.exe
"C:\Users\Admin\AppData\Local\Temp\6b02adf248b00f8b3ad6365c5c7a257ea16138890d0610b5f840cd7db9791f6f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:928
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9600108.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9600108.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8688582.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8688582.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:576
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7762460.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7762460.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9600108.exe

Filesize
393KB

MD5
39b0bd8a423a4eb28e2be1d7d3889c0a

SHA1
d9b26bdff900f7bd25caaaf9bc934020c7f5efea

SHA256
4f7e489be151adf48f38cb5f300f198e97ed2fe472e95f1eca822fd0670aa0de

SHA512
56f27ca6418c09326edc0474824778ba0c32f8116871e20646ad1cd9f82966b83aa760e4dc1145e7ff6095d8ff4a07cebbaca632553437908779f6fe14c7f141

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9600108.exe

Filesize
393KB

MD5
39b0bd8a423a4eb28e2be1d7d3889c0a

SHA1
d9b26bdff900f7bd25caaaf9bc934020c7f5efea

SHA256
4f7e489be151adf48f38cb5f300f198e97ed2fe472e95f1eca822fd0670aa0de

SHA512
56f27ca6418c09326edc0474824778ba0c32f8116871e20646ad1cd9f82966b83aa760e4dc1145e7ff6095d8ff4a07cebbaca632553437908779f6fe14c7f141

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8688582.exe

Filesize
314KB

MD5
e99b46e94803bc6efa5e6271cf5bfe9a

SHA1
5b3d2ac5ec4fb34870d9d369acbe1354dcf475a1

SHA256
17ac6c8884d444237f60eaa1c0f814911e6cb11647274ff1411644491fdafa76

SHA512
fa3a6683b25c9654b24a86e7302283cb117b879a66d50912651302331532df9e48bb727057cc54732a71d7ff71fd8e0a4bd0b82094a97c7dd54951b46a020243

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8688582.exe

Filesize
314KB

MD5
e99b46e94803bc6efa5e6271cf5bfe9a

SHA1
5b3d2ac5ec4fb34870d9d369acbe1354dcf475a1

SHA256
17ac6c8884d444237f60eaa1c0f814911e6cb11647274ff1411644491fdafa76

SHA512
fa3a6683b25c9654b24a86e7302283cb117b879a66d50912651302331532df9e48bb727057cc54732a71d7ff71fd8e0a4bd0b82094a97c7dd54951b46a020243

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8688582.exe

Filesize
314KB

MD5
e99b46e94803bc6efa5e6271cf5bfe9a

SHA1
5b3d2ac5ec4fb34870d9d369acbe1354dcf475a1

SHA256
17ac6c8884d444237f60eaa1c0f814911e6cb11647274ff1411644491fdafa76

SHA512
fa3a6683b25c9654b24a86e7302283cb117b879a66d50912651302331532df9e48bb727057cc54732a71d7ff71fd8e0a4bd0b82094a97c7dd54951b46a020243

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7762460.exe

Filesize
136KB

MD5
30d0ee0947be55272def37f502e40d83

SHA1
67dec087565870ddbba362f33bc909491d56f0d7

SHA256
876c00366d8cdda682030628307cbcbd8a90ffc831cb0176173207b36bf28514

SHA512
0b98ba7648398642441894a970d889d0d4769317531473def2decb847bdb9472b0b3671f96126ad7ad023d4a434cbcef8da7c8663df718dcf6ee3557874ad284

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7762460.exe

Filesize
136KB

MD5
30d0ee0947be55272def37f502e40d83

SHA1
67dec087565870ddbba362f33bc909491d56f0d7

SHA256
876c00366d8cdda682030628307cbcbd8a90ffc831cb0176173207b36bf28514

SHA512
0b98ba7648398642441894a970d889d0d4769317531473def2decb847bdb9472b0b3671f96126ad7ad023d4a434cbcef8da7c8663df718dcf6ee3557874ad284

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9600108.exe

Filesize
393KB

MD5
39b0bd8a423a4eb28e2be1d7d3889c0a

SHA1
d9b26bdff900f7bd25caaaf9bc934020c7f5efea

SHA256
4f7e489be151adf48f38cb5f300f198e97ed2fe472e95f1eca822fd0670aa0de

SHA512
56f27ca6418c09326edc0474824778ba0c32f8116871e20646ad1cd9f82966b83aa760e4dc1145e7ff6095d8ff4a07cebbaca632553437908779f6fe14c7f141

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9600108.exe

Filesize
393KB

MD5
39b0bd8a423a4eb28e2be1d7d3889c0a

SHA1
d9b26bdff900f7bd25caaaf9bc934020c7f5efea

SHA256
4f7e489be151adf48f38cb5f300f198e97ed2fe472e95f1eca822fd0670aa0de

SHA512
56f27ca6418c09326edc0474824778ba0c32f8116871e20646ad1cd9f82966b83aa760e4dc1145e7ff6095d8ff4a07cebbaca632553437908779f6fe14c7f141

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8688582.exe

Filesize
314KB

MD5
e99b46e94803bc6efa5e6271cf5bfe9a

SHA1
5b3d2ac5ec4fb34870d9d369acbe1354dcf475a1

SHA256
17ac6c8884d444237f60eaa1c0f814911e6cb11647274ff1411644491fdafa76

SHA512
fa3a6683b25c9654b24a86e7302283cb117b879a66d50912651302331532df9e48bb727057cc54732a71d7ff71fd8e0a4bd0b82094a97c7dd54951b46a020243

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8688582.exe

Filesize
314KB

MD5
e99b46e94803bc6efa5e6271cf5bfe9a

SHA1
5b3d2ac5ec4fb34870d9d369acbe1354dcf475a1

SHA256
17ac6c8884d444237f60eaa1c0f814911e6cb11647274ff1411644491fdafa76

SHA512
fa3a6683b25c9654b24a86e7302283cb117b879a66d50912651302331532df9e48bb727057cc54732a71d7ff71fd8e0a4bd0b82094a97c7dd54951b46a020243

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8688582.exe

Filesize
314KB

MD5
e99b46e94803bc6efa5e6271cf5bfe9a

SHA1
5b3d2ac5ec4fb34870d9d369acbe1354dcf475a1

SHA256
17ac6c8884d444237f60eaa1c0f814911e6cb11647274ff1411644491fdafa76

SHA512
fa3a6683b25c9654b24a86e7302283cb117b879a66d50912651302331532df9e48bb727057cc54732a71d7ff71fd8e0a4bd0b82094a97c7dd54951b46a020243

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7762460.exe

Filesize
136KB

MD5
30d0ee0947be55272def37f502e40d83

SHA1
67dec087565870ddbba362f33bc909491d56f0d7

SHA256
876c00366d8cdda682030628307cbcbd8a90ffc831cb0176173207b36bf28514

SHA512
0b98ba7648398642441894a970d889d0d4769317531473def2decb847bdb9472b0b3671f96126ad7ad023d4a434cbcef8da7c8663df718dcf6ee3557874ad284

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7762460.exe

Filesize
136KB

MD5
30d0ee0947be55272def37f502e40d83

SHA1
67dec087565870ddbba362f33bc909491d56f0d7

SHA256
876c00366d8cdda682030628307cbcbd8a90ffc831cb0176173207b36bf28514

SHA512
0b98ba7648398642441894a970d889d0d4769317531473def2decb847bdb9472b0b3671f96126ad7ad023d4a434cbcef8da7c8663df718dcf6ee3557874ad284

Download Submit
memory/576-91-0x0000000000D80000-0x0000000000D92000-memory.dmp

Filesize
72KB

Download
memory/576-109-0x0000000004F60000-0x0000000004FA0000-memory.dmp

Filesize
256KB

Download
memory/576-87-0x0000000000D80000-0x0000000000D92000-memory.dmp

Filesize
72KB

Download
memory/576-89-0x0000000000D80000-0x0000000000D92000-memory.dmp

Filesize
72KB

Download
memory/576-83-0x0000000000D80000-0x0000000000D92000-memory.dmp

Filesize
72KB

Download
memory/576-93-0x0000000000D80000-0x0000000000D92000-memory.dmp

Filesize
72KB

Download
memory/576-95-0x0000000000D80000-0x0000000000D92000-memory.dmp

Filesize
72KB

Download
memory/576-97-0x0000000000D80000-0x0000000000D92000-memory.dmp

Filesize
72KB

Download
memory/576-99-0x0000000000D80000-0x0000000000D92000-memory.dmp

Filesize
72KB

Download
memory/576-101-0x0000000000D80000-0x0000000000D92000-memory.dmp

Filesize
72KB

Download
memory/576-103-0x0000000000D80000-0x0000000000D92000-memory.dmp

Filesize
72KB

Download
memory/576-105-0x0000000000D80000-0x0000000000D92000-memory.dmp

Filesize
72KB

Download
memory/576-107-0x0000000000D80000-0x0000000000D92000-memory.dmp

Filesize
72KB

Download
memory/576-85-0x0000000000D80000-0x0000000000D92000-memory.dmp

Filesize
72KB

Download
memory/576-110-0x0000000004F60000-0x0000000004FA0000-memory.dmp

Filesize
256KB

Download
memory/576-108-0x0000000000250000-0x000000000027D000-memory.dmp

Filesize
180KB

Download
memory/576-111-0x0000000000400000-0x00000000006CC000-memory.dmp

Filesize
2.8MB

Download
memory/576-113-0x0000000000400000-0x00000000006CC000-memory.dmp

Filesize
2.8MB

Download
memory/576-81-0x0000000000D80000-0x0000000000D92000-memory.dmp

Filesize
72KB

Download
memory/576-80-0x0000000000D80000-0x0000000000D92000-memory.dmp

Filesize
72KB

Download
memory/576-79-0x0000000000D80000-0x0000000000D98000-memory.dmp

Filesize
96KB

Download
memory/576-78-0x0000000000D60000-0x0000000000D7A000-memory.dmp

Filesize
104KB

Download
memory/828-120-0x00000000010D0000-0x00000000010F8000-memory.dmp

Filesize
160KB

Download
memory/828-121-0x0000000007050000-0x0000000007090000-memory.dmp

Filesize
256KB

Download
memory/828-122-0x0000000007050000-0x0000000007090000-memory.dmp

Filesize
256KB

Download