0495d1f62563f75dc67ecda28ee2dabc661231ca970384ca381de3c0fa05c43e

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 22:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0495d1f62563f75dc67ecda28ee2dabc661231ca970384ca381de3c0fa05c43e.exe
Size

559KB
MD5

b38519a8f782c971c8e84c3635436558
SHA1

80ffc807405954bd1a5dde8f3768f7c281a4e1d0
SHA256

0495d1f62563f75dc67ecda28ee2dabc661231ca970384ca381de3c0fa05c43e
SHA512

be9e0f96733821304c286d3f7b41a6e54c36d29c0b4e526df98bf1a719017a932550b12fae7a6e193ba677f69fa3fc46bf75a4f666183b758aff492a13e42e15
SSDEEP

12288:9y90edrF7922Dh/pHnu6uv3Ecj/qDsINq4A082a5:9yDtFbxHduv03i2Q

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it873883.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it873883.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it873883.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it873883.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it873883.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it873883.exe

Executes dropped EXE 3 IoCs

pid	Process
1988	ziEL4184.exe
580	it873883.exe
964	kp817261.exe

Loads dropped DLL 6 IoCs

pid	Process
2028	0495d1f62563f75dc67ecda28ee2dabc661231ca970384ca381de3c0fa05c43e.exe
1988	ziEL4184.exe
1988	ziEL4184.exe
1988	ziEL4184.exe
1988	ziEL4184.exe
964	kp817261.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	it873883.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it873883.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0495d1f62563f75dc67ecda28ee2dabc661231ca970384ca381de3c0fa05c43e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0495d1f62563f75dc67ecda28ee2dabc661231ca970384ca381de3c0fa05c43e.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziEL4184.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziEL4184.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
580	it873883.exe
580	it873883.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	580	it873883.exe
Token: SeDebugPrivilege	964	kp817261.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1988	2028	0495d1f62563f75dc67ecda28ee2dabc661231ca970384ca381de3c0fa05c43e.exe	28
PID 2028 wrote to memory of 1988	2028	0495d1f62563f75dc67ecda28ee2dabc661231ca970384ca381de3c0fa05c43e.exe	28
PID 2028 wrote to memory of 1988	2028	0495d1f62563f75dc67ecda28ee2dabc661231ca970384ca381de3c0fa05c43e.exe	28
PID 2028 wrote to memory of 1988	2028	0495d1f62563f75dc67ecda28ee2dabc661231ca970384ca381de3c0fa05c43e.exe	28
PID 2028 wrote to memory of 1988	2028	0495d1f62563f75dc67ecda28ee2dabc661231ca970384ca381de3c0fa05c43e.exe	28
PID 2028 wrote to memory of 1988	2028	0495d1f62563f75dc67ecda28ee2dabc661231ca970384ca381de3c0fa05c43e.exe	28
PID 2028 wrote to memory of 1988	2028	0495d1f62563f75dc67ecda28ee2dabc661231ca970384ca381de3c0fa05c43e.exe	28
PID 1988 wrote to memory of 580	1988	ziEL4184.exe	29
PID 1988 wrote to memory of 580	1988	ziEL4184.exe	29
PID 1988 wrote to memory of 580	1988	ziEL4184.exe	29
PID 1988 wrote to memory of 580	1988	ziEL4184.exe	29
PID 1988 wrote to memory of 580	1988	ziEL4184.exe	29
PID 1988 wrote to memory of 580	1988	ziEL4184.exe	29
PID 1988 wrote to memory of 580	1988	ziEL4184.exe	29
PID 1988 wrote to memory of 964	1988	ziEL4184.exe	30
PID 1988 wrote to memory of 964	1988	ziEL4184.exe	30
PID 1988 wrote to memory of 964	1988	ziEL4184.exe	30
PID 1988 wrote to memory of 964	1988	ziEL4184.exe	30
PID 1988 wrote to memory of 964	1988	ziEL4184.exe	30
PID 1988 wrote to memory of 964	1988	ziEL4184.exe	30
PID 1988 wrote to memory of 964	1988	ziEL4184.exe	30

C:\Users\Admin\AppData\Local\Temp\0495d1f62563f75dc67ecda28ee2dabc661231ca970384ca381de3c0fa05c43e.exe
"C:\Users\Admin\AppData\Local\Temp\0495d1f62563f75dc67ecda28ee2dabc661231ca970384ca381de3c0fa05c43e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEL4184.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEL4184.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it873883.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it873883.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:580
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp817261.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp817261.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEL4184.exe

Filesize
405KB

MD5
9a3a788a091385190c2a9b2de94c562f

SHA1
783722b9a463e87ae225d5ccf1febdd55509fcd4

SHA256
cf773b577b022908fdcd4aa298066dcd148dfef36ddefb2eb7611a1497149a73

SHA512
fb842af8f966a116e6530a4778672c4dc04a7693988797bbb3c72f27997a46b62581cc6d1d65d0802d9438c68b857855aaf478b5d338f823893038fb7a13e616

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEL4184.exe

Filesize
405KB

MD5
9a3a788a091385190c2a9b2de94c562f

SHA1
783722b9a463e87ae225d5ccf1febdd55509fcd4

SHA256
cf773b577b022908fdcd4aa298066dcd148dfef36ddefb2eb7611a1497149a73

SHA512
fb842af8f966a116e6530a4778672c4dc04a7693988797bbb3c72f27997a46b62581cc6d1d65d0802d9438c68b857855aaf478b5d338f823893038fb7a13e616

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it873883.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it873883.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp817261.exe

Filesize
351KB

MD5
277d558024db330d1ad9942ca60d552c

SHA1
f74172b58309293748d7b1f14aea6170c98528f7

SHA256
ccb0e76ed6199b96c112bf4236e25ac7ddde3a952174c9fce28cfa66716316a5

SHA512
1bf520d18b9e7781a64859bb40ebded8600b9a8763a54fbe177a315e3abb5b320be0f3caaf9950012fcf59505dffcfcf08a19958619fa4b85d25cdb356f78401

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp817261.exe

Filesize
351KB

MD5
277d558024db330d1ad9942ca60d552c

SHA1
f74172b58309293748d7b1f14aea6170c98528f7

SHA256
ccb0e76ed6199b96c112bf4236e25ac7ddde3a952174c9fce28cfa66716316a5

SHA512
1bf520d18b9e7781a64859bb40ebded8600b9a8763a54fbe177a315e3abb5b320be0f3caaf9950012fcf59505dffcfcf08a19958619fa4b85d25cdb356f78401

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp817261.exe

Filesize
351KB

MD5
277d558024db330d1ad9942ca60d552c

SHA1
f74172b58309293748d7b1f14aea6170c98528f7

SHA256
ccb0e76ed6199b96c112bf4236e25ac7ddde3a952174c9fce28cfa66716316a5

SHA512
1bf520d18b9e7781a64859bb40ebded8600b9a8763a54fbe177a315e3abb5b320be0f3caaf9950012fcf59505dffcfcf08a19958619fa4b85d25cdb356f78401

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEL4184.exe

Filesize
405KB

MD5
9a3a788a091385190c2a9b2de94c562f

SHA1
783722b9a463e87ae225d5ccf1febdd55509fcd4

SHA256
cf773b577b022908fdcd4aa298066dcd148dfef36ddefb2eb7611a1497149a73

SHA512
fb842af8f966a116e6530a4778672c4dc04a7693988797bbb3c72f27997a46b62581cc6d1d65d0802d9438c68b857855aaf478b5d338f823893038fb7a13e616

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEL4184.exe

Filesize
405KB

MD5
9a3a788a091385190c2a9b2de94c562f

SHA1
783722b9a463e87ae225d5ccf1febdd55509fcd4

SHA256
cf773b577b022908fdcd4aa298066dcd148dfef36ddefb2eb7611a1497149a73

SHA512
fb842af8f966a116e6530a4778672c4dc04a7693988797bbb3c72f27997a46b62581cc6d1d65d0802d9438c68b857855aaf478b5d338f823893038fb7a13e616

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\it873883.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp817261.exe

Filesize
351KB

MD5
277d558024db330d1ad9942ca60d552c

SHA1
f74172b58309293748d7b1f14aea6170c98528f7

SHA256
ccb0e76ed6199b96c112bf4236e25ac7ddde3a952174c9fce28cfa66716316a5

SHA512
1bf520d18b9e7781a64859bb40ebded8600b9a8763a54fbe177a315e3abb5b320be0f3caaf9950012fcf59505dffcfcf08a19958619fa4b85d25cdb356f78401

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp817261.exe

Filesize
351KB

MD5
277d558024db330d1ad9942ca60d552c

SHA1
f74172b58309293748d7b1f14aea6170c98528f7

SHA256
ccb0e76ed6199b96c112bf4236e25ac7ddde3a952174c9fce28cfa66716316a5

SHA512
1bf520d18b9e7781a64859bb40ebded8600b9a8763a54fbe177a315e3abb5b320be0f3caaf9950012fcf59505dffcfcf08a19958619fa4b85d25cdb356f78401

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp817261.exe

Filesize
351KB

MD5
277d558024db330d1ad9942ca60d552c

SHA1
f74172b58309293748d7b1f14aea6170c98528f7

SHA256
ccb0e76ed6199b96c112bf4236e25ac7ddde3a952174c9fce28cfa66716316a5

SHA512
1bf520d18b9e7781a64859bb40ebded8600b9a8763a54fbe177a315e3abb5b320be0f3caaf9950012fcf59505dffcfcf08a19958619fa4b85d25cdb356f78401

Download Submit
memory/580-72-0x0000000000B00000-0x0000000000B0A000-memory.dmp

Filesize
40KB

Download
memory/964-105-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-119-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-85-0x0000000004AD0000-0x0000000004B0A000-memory.dmp

Filesize
232KB

Download
memory/964-86-0x0000000007290000-0x00000000072D0000-memory.dmp

Filesize
256KB

Download
memory/964-87-0x0000000007290000-0x00000000072D0000-memory.dmp

Filesize
256KB

Download
memory/964-88-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-89-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-91-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-93-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-95-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-97-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-99-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-101-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-103-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-83-0x0000000000240000-0x0000000000286000-memory.dmp

Filesize
280KB

Download
memory/964-107-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-109-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-111-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-113-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-115-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-117-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-84-0x0000000004840000-0x000000000487C000-memory.dmp

Filesize
240KB

Download
memory/964-121-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-123-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-125-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-127-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-129-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-131-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-135-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-133-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-137-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-139-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-141-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-143-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-145-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-147-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-149-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-151-0x0000000004AD0000-0x0000000004B05000-memory.dmp

Filesize
212KB

Download
memory/964-880-0x0000000007290000-0x00000000072D0000-memory.dmp

Filesize
256KB

Download
memory/964-883-0x0000000000240000-0x0000000000286000-memory.dmp

Filesize
280KB

Download
memory/964-884-0x0000000007290000-0x00000000072D0000-memory.dmp

Filesize
256KB

Download
memory/964-885-0x0000000007290000-0x00000000072D0000-memory.dmp

Filesize
256KB

Download