05c7666859b4b497216bb769debb7bf3b71eacbcc35377ba7ebbba766c4d8bde

Analysis

max time kernel
144s
max time network
164s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 22:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05c7666859b4b497216bb769debb7bf3b71eacbcc35377ba7ebbba766c4d8bde.exe
Size

747KB
MD5

d109166d0abea341b013b90fa72993b0
SHA1

ddad95f50e52786510613f8267cfef388de03a98
SHA256

05c7666859b4b497216bb769debb7bf3b71eacbcc35377ba7ebbba766c4d8bde
SHA512

fff3b166e06435a7d5a500c3087ce19eddb53ae412a1eb5168e77dd96cab347eeb1e5972e9e1471c7b5a850877016cf0489102145fcb074db5de2bd262a09b0c
SSDEEP

12288:4y90GmLtZEilUZHJIl30TCXIM/lFV56V5lYPWYEE:4y/mLtZvSHS0O4MHL6V5aOa

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	42138815.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	42138815.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	42138815.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	42138815.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	42138815.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	42138815.exe

Executes dropped EXE 3 IoCs

pid	Process
1548	un600094.exe
576	42138815.exe
1152	rk768831.exe

Loads dropped DLL 8 IoCs

pid	Process
1688	05c7666859b4b497216bb769debb7bf3b71eacbcc35377ba7ebbba766c4d8bde.exe
1548	un600094.exe
1548	un600094.exe
1548	un600094.exe
576	42138815.exe
1548	un600094.exe
1548	un600094.exe
1152	rk768831.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	42138815.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	42138815.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un600094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un600094.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	05c7666859b4b497216bb769debb7bf3b71eacbcc35377ba7ebbba766c4d8bde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	05c7666859b4b497216bb769debb7bf3b71eacbcc35377ba7ebbba766c4d8bde.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
576	42138815.exe
576	42138815.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	576	42138815.exe
Token: SeDebugPrivilege	1152	rk768831.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1548	1688	05c7666859b4b497216bb769debb7bf3b71eacbcc35377ba7ebbba766c4d8bde.exe	28
PID 1688 wrote to memory of 1548	1688	05c7666859b4b497216bb769debb7bf3b71eacbcc35377ba7ebbba766c4d8bde.exe	28
PID 1688 wrote to memory of 1548	1688	05c7666859b4b497216bb769debb7bf3b71eacbcc35377ba7ebbba766c4d8bde.exe	28
PID 1688 wrote to memory of 1548	1688	05c7666859b4b497216bb769debb7bf3b71eacbcc35377ba7ebbba766c4d8bde.exe	28
PID 1688 wrote to memory of 1548	1688	05c7666859b4b497216bb769debb7bf3b71eacbcc35377ba7ebbba766c4d8bde.exe	28
PID 1688 wrote to memory of 1548	1688	05c7666859b4b497216bb769debb7bf3b71eacbcc35377ba7ebbba766c4d8bde.exe	28
PID 1688 wrote to memory of 1548	1688	05c7666859b4b497216bb769debb7bf3b71eacbcc35377ba7ebbba766c4d8bde.exe	28
PID 1548 wrote to memory of 576	1548	un600094.exe	29
PID 1548 wrote to memory of 576	1548	un600094.exe	29
PID 1548 wrote to memory of 576	1548	un600094.exe	29
PID 1548 wrote to memory of 576	1548	un600094.exe	29
PID 1548 wrote to memory of 576	1548	un600094.exe	29
PID 1548 wrote to memory of 576	1548	un600094.exe	29
PID 1548 wrote to memory of 576	1548	un600094.exe	29
PID 1548 wrote to memory of 1152	1548	un600094.exe	30
PID 1548 wrote to memory of 1152	1548	un600094.exe	30
PID 1548 wrote to memory of 1152	1548	un600094.exe	30
PID 1548 wrote to memory of 1152	1548	un600094.exe	30
PID 1548 wrote to memory of 1152	1548	un600094.exe	30
PID 1548 wrote to memory of 1152	1548	un600094.exe	30
PID 1548 wrote to memory of 1152	1548	un600094.exe	30

C:\Users\Admin\AppData\Local\Temp\05c7666859b4b497216bb769debb7bf3b71eacbcc35377ba7ebbba766c4d8bde.exe
"C:\Users\Admin\AppData\Local\Temp\05c7666859b4b497216bb769debb7bf3b71eacbcc35377ba7ebbba766c4d8bde.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un600094.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un600094.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42138815.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42138815.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:576
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk768831.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk768831.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un600094.exe

Filesize
592KB

MD5
a60350665d5544fa472570a241e1b18f

SHA1
5bdc0eb2cbc89baefcf8b43deba02bab87f8eaa8

SHA256
3f3754a9fd30381ee9bc85637342d88311f1e999a256f3dd6b63fb090b998049

SHA512
8e085a91375def29346b3b55346796270b7e0a49dc7293fa3bde0310515140b01a01bd06c8241e42c8f5f032c9a300e247be2a1cb82635bbdadfd717d853d291

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un600094.exe

Filesize
592KB

MD5
a60350665d5544fa472570a241e1b18f

SHA1
5bdc0eb2cbc89baefcf8b43deba02bab87f8eaa8

SHA256
3f3754a9fd30381ee9bc85637342d88311f1e999a256f3dd6b63fb090b998049

SHA512
8e085a91375def29346b3b55346796270b7e0a49dc7293fa3bde0310515140b01a01bd06c8241e42c8f5f032c9a300e247be2a1cb82635bbdadfd717d853d291

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42138815.exe

Filesize
376KB

MD5
d97c15265161f0230fbc78e683eee758

SHA1
5d384883df18d8f4ebe1f1efa091916107ac3b24

SHA256
9cafef785e64d4ff8fd437a2fdacdc383c7bbadcf3a5fa444058152fb5f93ac2

SHA512
6d2844b5ca9cd1d5bec90f58068449dfc97c61544a19b5d866238acb9010c434f552b8b5d4dc8a6cda8d332c571904148f098cb86ea270b72cf3dfe82692dd36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42138815.exe

Filesize
376KB

MD5
d97c15265161f0230fbc78e683eee758

SHA1
5d384883df18d8f4ebe1f1efa091916107ac3b24

SHA256
9cafef785e64d4ff8fd437a2fdacdc383c7bbadcf3a5fa444058152fb5f93ac2

SHA512
6d2844b5ca9cd1d5bec90f58068449dfc97c61544a19b5d866238acb9010c434f552b8b5d4dc8a6cda8d332c571904148f098cb86ea270b72cf3dfe82692dd36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42138815.exe

Filesize
376KB

MD5
d97c15265161f0230fbc78e683eee758

SHA1
5d384883df18d8f4ebe1f1efa091916107ac3b24

SHA256
9cafef785e64d4ff8fd437a2fdacdc383c7bbadcf3a5fa444058152fb5f93ac2

SHA512
6d2844b5ca9cd1d5bec90f58068449dfc97c61544a19b5d866238acb9010c434f552b8b5d4dc8a6cda8d332c571904148f098cb86ea270b72cf3dfe82692dd36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk768831.exe

Filesize
459KB

MD5
ee85de96b6145b0c083617d097f9a380

SHA1
86b8f0f1d4dcb09a0be66a8ad0a977ee01bcda5e

SHA256
d55b347213dda9ea57db61ba319e95c7095360cb103285784ecc6f18df1dd153

SHA512
c29ece7cd9af64f2540fb00ec4c0e07323886c261a26257d93ac6811e039c286669d5843eb38806dd5ef7568653a9d64963338bbfa816b2e1a2084e645f6958c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk768831.exe

Filesize
459KB

MD5
ee85de96b6145b0c083617d097f9a380

SHA1
86b8f0f1d4dcb09a0be66a8ad0a977ee01bcda5e

SHA256
d55b347213dda9ea57db61ba319e95c7095360cb103285784ecc6f18df1dd153

SHA512
c29ece7cd9af64f2540fb00ec4c0e07323886c261a26257d93ac6811e039c286669d5843eb38806dd5ef7568653a9d64963338bbfa816b2e1a2084e645f6958c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk768831.exe

Filesize
459KB

MD5
ee85de96b6145b0c083617d097f9a380

SHA1
86b8f0f1d4dcb09a0be66a8ad0a977ee01bcda5e

SHA256
d55b347213dda9ea57db61ba319e95c7095360cb103285784ecc6f18df1dd153

SHA512
c29ece7cd9af64f2540fb00ec4c0e07323886c261a26257d93ac6811e039c286669d5843eb38806dd5ef7568653a9d64963338bbfa816b2e1a2084e645f6958c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un600094.exe

Filesize
592KB

MD5
a60350665d5544fa472570a241e1b18f

SHA1
5bdc0eb2cbc89baefcf8b43deba02bab87f8eaa8

SHA256
3f3754a9fd30381ee9bc85637342d88311f1e999a256f3dd6b63fb090b998049

SHA512
8e085a91375def29346b3b55346796270b7e0a49dc7293fa3bde0310515140b01a01bd06c8241e42c8f5f032c9a300e247be2a1cb82635bbdadfd717d853d291

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un600094.exe

Filesize
592KB

MD5
a60350665d5544fa472570a241e1b18f

SHA1
5bdc0eb2cbc89baefcf8b43deba02bab87f8eaa8

SHA256
3f3754a9fd30381ee9bc85637342d88311f1e999a256f3dd6b63fb090b998049

SHA512
8e085a91375def29346b3b55346796270b7e0a49dc7293fa3bde0310515140b01a01bd06c8241e42c8f5f032c9a300e247be2a1cb82635bbdadfd717d853d291

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\42138815.exe

Filesize
376KB

MD5
d97c15265161f0230fbc78e683eee758

SHA1
5d384883df18d8f4ebe1f1efa091916107ac3b24

SHA256
9cafef785e64d4ff8fd437a2fdacdc383c7bbadcf3a5fa444058152fb5f93ac2

SHA512
6d2844b5ca9cd1d5bec90f58068449dfc97c61544a19b5d866238acb9010c434f552b8b5d4dc8a6cda8d332c571904148f098cb86ea270b72cf3dfe82692dd36

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\42138815.exe

Filesize
376KB

MD5
d97c15265161f0230fbc78e683eee758

SHA1
5d384883df18d8f4ebe1f1efa091916107ac3b24

SHA256
9cafef785e64d4ff8fd437a2fdacdc383c7bbadcf3a5fa444058152fb5f93ac2

SHA512
6d2844b5ca9cd1d5bec90f58068449dfc97c61544a19b5d866238acb9010c434f552b8b5d4dc8a6cda8d332c571904148f098cb86ea270b72cf3dfe82692dd36

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\42138815.exe

Filesize
376KB

MD5
d97c15265161f0230fbc78e683eee758

SHA1
5d384883df18d8f4ebe1f1efa091916107ac3b24

SHA256
9cafef785e64d4ff8fd437a2fdacdc383c7bbadcf3a5fa444058152fb5f93ac2

SHA512
6d2844b5ca9cd1d5bec90f58068449dfc97c61544a19b5d866238acb9010c434f552b8b5d4dc8a6cda8d332c571904148f098cb86ea270b72cf3dfe82692dd36

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk768831.exe

Filesize
459KB

MD5
ee85de96b6145b0c083617d097f9a380

SHA1
86b8f0f1d4dcb09a0be66a8ad0a977ee01bcda5e

SHA256
d55b347213dda9ea57db61ba319e95c7095360cb103285784ecc6f18df1dd153

SHA512
c29ece7cd9af64f2540fb00ec4c0e07323886c261a26257d93ac6811e039c286669d5843eb38806dd5ef7568653a9d64963338bbfa816b2e1a2084e645f6958c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk768831.exe

Filesize
459KB

MD5
ee85de96b6145b0c083617d097f9a380

SHA1
86b8f0f1d4dcb09a0be66a8ad0a977ee01bcda5e

SHA256
d55b347213dda9ea57db61ba319e95c7095360cb103285784ecc6f18df1dd153

SHA512
c29ece7cd9af64f2540fb00ec4c0e07323886c261a26257d93ac6811e039c286669d5843eb38806dd5ef7568653a9d64963338bbfa816b2e1a2084e645f6958c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk768831.exe

Filesize
459KB

MD5
ee85de96b6145b0c083617d097f9a380

SHA1
86b8f0f1d4dcb09a0be66a8ad0a977ee01bcda5e

SHA256
d55b347213dda9ea57db61ba319e95c7095360cb103285784ecc6f18df1dd153

SHA512
c29ece7cd9af64f2540fb00ec4c0e07323886c261a26257d93ac6811e039c286669d5843eb38806dd5ef7568653a9d64963338bbfa816b2e1a2084e645f6958c

Download Submit
memory/576-111-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/576-86-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/576-88-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/576-92-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/576-90-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/576-96-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/576-94-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/576-100-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/576-98-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/576-104-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/576-102-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/576-106-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/576-110-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/576-108-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/576-84-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/576-114-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/576-83-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/576-82-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/576-81-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/576-80-0x0000000000810000-0x000000000083D000-memory.dmp

Filesize
180KB

Download
memory/576-79-0x0000000002420000-0x0000000002438000-memory.dmp

Filesize
96KB

Download
memory/576-78-0x0000000000C70000-0x0000000000C8A000-memory.dmp

Filesize
104KB

Download
memory/1152-126-0x0000000002600000-0x000000000263A000-memory.dmp

Filesize
232KB

Download
memory/1152-142-0x0000000002600000-0x0000000002635000-memory.dmp

Filesize
212KB

Download
memory/1152-127-0x0000000002130000-0x0000000002176000-memory.dmp

Filesize
280KB

Download
memory/1152-128-0x0000000004E20000-0x0000000004E60000-memory.dmp

Filesize
256KB

Download
memory/1152-129-0x0000000002600000-0x0000000002635000-memory.dmp

Filesize
212KB

Download
memory/1152-130-0x0000000002600000-0x0000000002635000-memory.dmp

Filesize
212KB

Download
memory/1152-132-0x0000000002600000-0x0000000002635000-memory.dmp

Filesize
212KB

Download
memory/1152-134-0x0000000002600000-0x0000000002635000-memory.dmp

Filesize
212KB

Download
memory/1152-136-0x0000000002600000-0x0000000002635000-memory.dmp

Filesize
212KB

Download
memory/1152-138-0x0000000002600000-0x0000000002635000-memory.dmp

Filesize
212KB

Download
memory/1152-140-0x0000000002600000-0x0000000002635000-memory.dmp

Filesize
212KB

Download
memory/1152-125-0x0000000002550000-0x000000000258C000-memory.dmp

Filesize
240KB

Download
memory/1152-144-0x0000000002600000-0x0000000002635000-memory.dmp

Filesize
212KB

Download
memory/1152-146-0x0000000002600000-0x0000000002635000-memory.dmp

Filesize
212KB

Download
memory/1152-148-0x0000000002600000-0x0000000002635000-memory.dmp

Filesize
212KB

Download
memory/1152-152-0x0000000002600000-0x0000000002635000-memory.dmp

Filesize
212KB

Download
memory/1152-150-0x0000000002600000-0x0000000002635000-memory.dmp

Filesize
212KB

Download
memory/1152-154-0x0000000002600000-0x0000000002635000-memory.dmp

Filesize
212KB

Download
memory/1152-156-0x0000000002600000-0x0000000002635000-memory.dmp

Filesize
212KB

Download
memory/1152-158-0x0000000002600000-0x0000000002635000-memory.dmp

Filesize
212KB

Download
memory/1152-160-0x0000000002600000-0x0000000002635000-memory.dmp

Filesize
212KB

Download
memory/1152-921-0x0000000004E20000-0x0000000004E60000-memory.dmp

Filesize
256KB

Download
memory/1152-924-0x0000000004E20000-0x0000000004E60000-memory.dmp

Filesize
256KB

Download