7024f95991767b39327f265a8a5be2252a5d2bc5295a62745c41b3ee024d4d48

Analysis

max time kernel
144s
max time network
165s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 22:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7024f95991767b39327f265a8a5be2252a5d2bc5295a62745c41b3ee024d4d48.exe
Size

693KB
MD5

abaf3e8bf1aabaf5a140468a6b451acd
SHA1

7d84edc4a58f261271566512ecaaafdd787fe2fd
SHA256

7024f95991767b39327f265a8a5be2252a5d2bc5295a62745c41b3ee024d4d48
SHA512

96d7b49705b50c39aa7832c1c60328c00e05c6599f5981fa4a65bfe17c64b80a897dd4c313d1c5e56395870ddd335c75efb46a2b23e94aea069601a08ccb6db2
SSDEEP

12288:ay90e3s3k2SNH/d47C9HVwaARjl0MYtWCOW16FT18bJK7A+p+w2lWrb:ay53hzNH/dTeaARjatLt6FT18bJsDkWn

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	20636919.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	20636919.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	20636919.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	20636919.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	20636919.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	20636919.exe

Executes dropped EXE 3 IoCs

pid	Process
864	un864612.exe
544	20636919.exe
1792	rk671639.exe

Loads dropped DLL 8 IoCs

pid	Process
1276	7024f95991767b39327f265a8a5be2252a5d2bc5295a62745c41b3ee024d4d48.exe
864	un864612.exe
864	un864612.exe
864	un864612.exe
544	20636919.exe
864	un864612.exe
864	un864612.exe
1792	rk671639.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	20636919.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	20636919.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7024f95991767b39327f265a8a5be2252a5d2bc5295a62745c41b3ee024d4d48.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un864612.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un864612.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7024f95991767b39327f265a8a5be2252a5d2bc5295a62745c41b3ee024d4d48.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
544	20636919.exe
544	20636919.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	544	20636919.exe
Token: SeDebugPrivilege	1792	rk671639.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 864	1276	7024f95991767b39327f265a8a5be2252a5d2bc5295a62745c41b3ee024d4d48.exe	28
PID 1276 wrote to memory of 864	1276	7024f95991767b39327f265a8a5be2252a5d2bc5295a62745c41b3ee024d4d48.exe	28
PID 1276 wrote to memory of 864	1276	7024f95991767b39327f265a8a5be2252a5d2bc5295a62745c41b3ee024d4d48.exe	28
PID 1276 wrote to memory of 864	1276	7024f95991767b39327f265a8a5be2252a5d2bc5295a62745c41b3ee024d4d48.exe	28
PID 1276 wrote to memory of 864	1276	7024f95991767b39327f265a8a5be2252a5d2bc5295a62745c41b3ee024d4d48.exe	28
PID 1276 wrote to memory of 864	1276	7024f95991767b39327f265a8a5be2252a5d2bc5295a62745c41b3ee024d4d48.exe	28
PID 1276 wrote to memory of 864	1276	7024f95991767b39327f265a8a5be2252a5d2bc5295a62745c41b3ee024d4d48.exe	28
PID 864 wrote to memory of 544	864	un864612.exe	29
PID 864 wrote to memory of 544	864	un864612.exe	29
PID 864 wrote to memory of 544	864	un864612.exe	29
PID 864 wrote to memory of 544	864	un864612.exe	29
PID 864 wrote to memory of 544	864	un864612.exe	29
PID 864 wrote to memory of 544	864	un864612.exe	29
PID 864 wrote to memory of 544	864	un864612.exe	29
PID 864 wrote to memory of 1792	864	un864612.exe	30
PID 864 wrote to memory of 1792	864	un864612.exe	30
PID 864 wrote to memory of 1792	864	un864612.exe	30
PID 864 wrote to memory of 1792	864	un864612.exe	30
PID 864 wrote to memory of 1792	864	un864612.exe	30
PID 864 wrote to memory of 1792	864	un864612.exe	30
PID 864 wrote to memory of 1792	864	un864612.exe	30

C:\Users\Admin\AppData\Local\Temp\7024f95991767b39327f265a8a5be2252a5d2bc5295a62745c41b3ee024d4d48.exe
"C:\Users\Admin\AppData\Local\Temp\7024f95991767b39327f265a8a5be2252a5d2bc5295a62745c41b3ee024d4d48.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un864612.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un864612.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\20636919.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\20636919.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:544
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk671639.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk671639.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un864612.exe

Filesize
540KB

MD5
e775887d3c8244637bb54c06e6cb7dfd

SHA1
912e0e107b848d92d314a91edff7bc1fcd56ba2f

SHA256
62f94d6ac71c93d8d491041f11bc0cb8df9c48c9354076a38021ce5491044f9c

SHA512
6550a2370c5ede138f3be19d7a929ac85e221306258f2ae54786420ae6e3cb4e5c27955d4ced0d0df6710540badfdb6ddebc0ab932962deb67143eefc0028b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un864612.exe

Filesize
540KB

MD5
e775887d3c8244637bb54c06e6cb7dfd

SHA1
912e0e107b848d92d314a91edff7bc1fcd56ba2f

SHA256
62f94d6ac71c93d8d491041f11bc0cb8df9c48c9354076a38021ce5491044f9c

SHA512
6550a2370c5ede138f3be19d7a929ac85e221306258f2ae54786420ae6e3cb4e5c27955d4ced0d0df6710540badfdb6ddebc0ab932962deb67143eefc0028b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\20636919.exe

Filesize
258KB

MD5
47aa9d06d353d34e3838885e244fc929

SHA1
2696199cfd0db93b128860868c2806c9ecbdef55

SHA256
dbe5083ab54677b90ac33ec791c129d519f8cddc5a94c9b675451c4849065184

SHA512
8b84251d0b2b6b8e2074cd7c426a5ad89c3d7313f3f7c6b7bee4f5969f2d2b41ff9b3304a48c018348785a364d5ce6a48b8a6800777077102584a5d0e572306f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\20636919.exe

Filesize
258KB

MD5
47aa9d06d353d34e3838885e244fc929

SHA1
2696199cfd0db93b128860868c2806c9ecbdef55

SHA256
dbe5083ab54677b90ac33ec791c129d519f8cddc5a94c9b675451c4849065184

SHA512
8b84251d0b2b6b8e2074cd7c426a5ad89c3d7313f3f7c6b7bee4f5969f2d2b41ff9b3304a48c018348785a364d5ce6a48b8a6800777077102584a5d0e572306f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\20636919.exe

Filesize
258KB

MD5
47aa9d06d353d34e3838885e244fc929

SHA1
2696199cfd0db93b128860868c2806c9ecbdef55

SHA256
dbe5083ab54677b90ac33ec791c129d519f8cddc5a94c9b675451c4849065184

SHA512
8b84251d0b2b6b8e2074cd7c426a5ad89c3d7313f3f7c6b7bee4f5969f2d2b41ff9b3304a48c018348785a364d5ce6a48b8a6800777077102584a5d0e572306f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk671639.exe

Filesize
340KB

MD5
3921f97a143df458fe9275a78550bf60

SHA1
79e622017a26cebb16317c1a53bc4f66bf12162f

SHA256
cab4238710d09bb4f7c5b334c28d405a1ebbf2983aad6d106d1262206db60ae6

SHA512
9f7b47cfdd3d4558cfd5e156a7ff080fd22495aa2aef8e48acacda41742e672d10cddc1ddf1218da80c709cb7da419b07af77910c2f5c42c1906dfe9663c9801

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk671639.exe

Filesize
340KB

MD5
3921f97a143df458fe9275a78550bf60

SHA1
79e622017a26cebb16317c1a53bc4f66bf12162f

SHA256
cab4238710d09bb4f7c5b334c28d405a1ebbf2983aad6d106d1262206db60ae6

SHA512
9f7b47cfdd3d4558cfd5e156a7ff080fd22495aa2aef8e48acacda41742e672d10cddc1ddf1218da80c709cb7da419b07af77910c2f5c42c1906dfe9663c9801

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk671639.exe

Filesize
340KB

MD5
3921f97a143df458fe9275a78550bf60

SHA1
79e622017a26cebb16317c1a53bc4f66bf12162f

SHA256
cab4238710d09bb4f7c5b334c28d405a1ebbf2983aad6d106d1262206db60ae6

SHA512
9f7b47cfdd3d4558cfd5e156a7ff080fd22495aa2aef8e48acacda41742e672d10cddc1ddf1218da80c709cb7da419b07af77910c2f5c42c1906dfe9663c9801

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un864612.exe

Filesize
540KB

MD5
e775887d3c8244637bb54c06e6cb7dfd

SHA1
912e0e107b848d92d314a91edff7bc1fcd56ba2f

SHA256
62f94d6ac71c93d8d491041f11bc0cb8df9c48c9354076a38021ce5491044f9c

SHA512
6550a2370c5ede138f3be19d7a929ac85e221306258f2ae54786420ae6e3cb4e5c27955d4ced0d0df6710540badfdb6ddebc0ab932962deb67143eefc0028b00

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un864612.exe

Filesize
540KB

MD5
e775887d3c8244637bb54c06e6cb7dfd

SHA1
912e0e107b848d92d314a91edff7bc1fcd56ba2f

SHA256
62f94d6ac71c93d8d491041f11bc0cb8df9c48c9354076a38021ce5491044f9c

SHA512
6550a2370c5ede138f3be19d7a929ac85e221306258f2ae54786420ae6e3cb4e5c27955d4ced0d0df6710540badfdb6ddebc0ab932962deb67143eefc0028b00

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\20636919.exe

Filesize
258KB

MD5
47aa9d06d353d34e3838885e244fc929

SHA1
2696199cfd0db93b128860868c2806c9ecbdef55

SHA256
dbe5083ab54677b90ac33ec791c129d519f8cddc5a94c9b675451c4849065184

SHA512
8b84251d0b2b6b8e2074cd7c426a5ad89c3d7313f3f7c6b7bee4f5969f2d2b41ff9b3304a48c018348785a364d5ce6a48b8a6800777077102584a5d0e572306f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\20636919.exe

Filesize
258KB

MD5
47aa9d06d353d34e3838885e244fc929

SHA1
2696199cfd0db93b128860868c2806c9ecbdef55

SHA256
dbe5083ab54677b90ac33ec791c129d519f8cddc5a94c9b675451c4849065184

SHA512
8b84251d0b2b6b8e2074cd7c426a5ad89c3d7313f3f7c6b7bee4f5969f2d2b41ff9b3304a48c018348785a364d5ce6a48b8a6800777077102584a5d0e572306f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\20636919.exe

Filesize
258KB

MD5
47aa9d06d353d34e3838885e244fc929

SHA1
2696199cfd0db93b128860868c2806c9ecbdef55

SHA256
dbe5083ab54677b90ac33ec791c129d519f8cddc5a94c9b675451c4849065184

SHA512
8b84251d0b2b6b8e2074cd7c426a5ad89c3d7313f3f7c6b7bee4f5969f2d2b41ff9b3304a48c018348785a364d5ce6a48b8a6800777077102584a5d0e572306f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk671639.exe

Filesize
340KB

MD5
3921f97a143df458fe9275a78550bf60

SHA1
79e622017a26cebb16317c1a53bc4f66bf12162f

SHA256
cab4238710d09bb4f7c5b334c28d405a1ebbf2983aad6d106d1262206db60ae6

SHA512
9f7b47cfdd3d4558cfd5e156a7ff080fd22495aa2aef8e48acacda41742e672d10cddc1ddf1218da80c709cb7da419b07af77910c2f5c42c1906dfe9663c9801

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk671639.exe

Filesize
340KB

MD5
3921f97a143df458fe9275a78550bf60

SHA1
79e622017a26cebb16317c1a53bc4f66bf12162f

SHA256
cab4238710d09bb4f7c5b334c28d405a1ebbf2983aad6d106d1262206db60ae6

SHA512
9f7b47cfdd3d4558cfd5e156a7ff080fd22495aa2aef8e48acacda41742e672d10cddc1ddf1218da80c709cb7da419b07af77910c2f5c42c1906dfe9663c9801

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk671639.exe

Filesize
340KB

MD5
3921f97a143df458fe9275a78550bf60

SHA1
79e622017a26cebb16317c1a53bc4f66bf12162f

SHA256
cab4238710d09bb4f7c5b334c28d405a1ebbf2983aad6d106d1262206db60ae6

SHA512
9f7b47cfdd3d4558cfd5e156a7ff080fd22495aa2aef8e48acacda41742e672d10cddc1ddf1218da80c709cb7da419b07af77910c2f5c42c1906dfe9663c9801

Download Submit
memory/544-89-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/544-87-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/544-93-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/544-97-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/544-95-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/544-91-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/544-101-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/544-99-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/544-105-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/544-103-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/544-107-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/544-108-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/544-109-0x0000000007380000-0x00000000073C0000-memory.dmp

Filesize
256KB

Download
memory/544-110-0x0000000007380000-0x00000000073C0000-memory.dmp

Filesize
256KB

Download
memory/544-111-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/544-113-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/544-85-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/544-83-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/544-81-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/544-80-0x0000000003340000-0x0000000003353000-memory.dmp

Filesize
76KB

Download
memory/544-79-0x0000000003340000-0x0000000003358000-memory.dmp

Filesize
96KB

Download
memory/544-78-0x00000000003A0000-0x00000000003BA000-memory.dmp

Filesize
104KB

Download
memory/1792-125-0x0000000006FF0000-0x000000000702A000-memory.dmp

Filesize
232KB

Download
memory/1792-147-0x0000000006FF0000-0x0000000007025000-memory.dmp

Filesize
212KB

Download
memory/1792-126-0x0000000006FF0000-0x0000000007025000-memory.dmp

Filesize
212KB

Download
memory/1792-127-0x0000000006FF0000-0x0000000007025000-memory.dmp

Filesize
212KB

Download
memory/1792-129-0x0000000006FF0000-0x0000000007025000-memory.dmp

Filesize
212KB

Download
memory/1792-133-0x0000000006FF0000-0x0000000007025000-memory.dmp

Filesize
212KB

Download
memory/1792-131-0x0000000006FF0000-0x0000000007025000-memory.dmp

Filesize
212KB

Download
memory/1792-135-0x0000000006FF0000-0x0000000007025000-memory.dmp

Filesize
212KB

Download
memory/1792-137-0x0000000006FF0000-0x0000000007025000-memory.dmp

Filesize
212KB

Download
memory/1792-139-0x0000000006FF0000-0x0000000007025000-memory.dmp

Filesize
212KB

Download
memory/1792-141-0x0000000006FF0000-0x0000000007025000-memory.dmp

Filesize
212KB

Download
memory/1792-143-0x0000000006FF0000-0x0000000007025000-memory.dmp

Filesize
212KB

Download
memory/1792-145-0x0000000006FF0000-0x0000000007025000-memory.dmp

Filesize
212KB

Download
memory/1792-124-0x0000000004880000-0x00000000048BC000-memory.dmp

Filesize
240KB

Download
memory/1792-151-0x0000000006FF0000-0x0000000007025000-memory.dmp

Filesize
212KB

Download
memory/1792-149-0x0000000006FF0000-0x0000000007025000-memory.dmp

Filesize
212KB

Download
memory/1792-153-0x0000000006FF0000-0x0000000007025000-memory.dmp

Filesize
212KB

Download
memory/1792-155-0x0000000006FF0000-0x0000000007025000-memory.dmp

Filesize
212KB

Download
memory/1792-157-0x0000000006FF0000-0x0000000007025000-memory.dmp

Filesize
212KB

Download
memory/1792-416-0x0000000002EE0000-0x0000000002F26000-memory.dmp

Filesize
280KB

Download
memory/1792-418-0x00000000070C0000-0x0000000007100000-memory.dmp

Filesize
256KB

Download
memory/1792-420-0x00000000070C0000-0x0000000007100000-memory.dmp

Filesize
256KB

Download
memory/1792-921-0x00000000070C0000-0x0000000007100000-memory.dmp

Filesize
256KB

Download
memory/1792-923-0x00000000070C0000-0x0000000007100000-memory.dmp

Filesize
256KB

Download
memory/1792-924-0x00000000070C0000-0x0000000007100000-memory.dmp

Filesize
256KB

Download
memory/1792-926-0x00000000070C0000-0x0000000007100000-memory.dmp

Filesize
256KB

Download