070632abba4a80ed2f56473b2bda4c2865c095673aa47f09b7d15611e1bd0f10

Analysis

max time kernel
183s
max time network
190s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 22:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

070632abba4a80ed2f56473b2bda4c2865c095673aa47f09b7d15611e1bd0f10.exe
Size

690KB
MD5

7d3e77b531fa906c491afb739756564e
SHA1

c3efa185e85308bdbdff907f2e6c9ca504a5f0e5
SHA256

070632abba4a80ed2f56473b2bda4c2865c095673aa47f09b7d15611e1bd0f10
SHA512

3c846accbc29b857c9a5ae996f1d2d35e36448aeab8e0e20bf53b269e52c0272b9c9af266e6831b82b48272ef8d95a99a4291533013404c722b72199edddd155
SSDEEP

12288:fy90H1RzuQ2zRpvwGrHg1/wioK2oL0y0sHD2nm9T5Wu2mHxb:fyyyQAfvVEFw9K2oLNj2nsT5WuHHxb

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	42068703.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	42068703.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	42068703.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	42068703.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	42068703.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	42068703.exe

Executes dropped EXE 3 IoCs

pid	Process
1704	un355417.exe
564	42068703.exe
360	rk446965.exe

Loads dropped DLL 8 IoCs

pid	Process
2012	070632abba4a80ed2f56473b2bda4c2865c095673aa47f09b7d15611e1bd0f10.exe
1704	un355417.exe
1704	un355417.exe
1704	un355417.exe
564	42068703.exe
1704	un355417.exe
1704	un355417.exe
360	rk446965.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	42068703.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	42068703.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	070632abba4a80ed2f56473b2bda4c2865c095673aa47f09b7d15611e1bd0f10.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	070632abba4a80ed2f56473b2bda4c2865c095673aa47f09b7d15611e1bd0f10.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un355417.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un355417.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
564	42068703.exe
564	42068703.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	564	42068703.exe
Token: SeDebugPrivilege	360	rk446965.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1704	2012	070632abba4a80ed2f56473b2bda4c2865c095673aa47f09b7d15611e1bd0f10.exe	28
PID 2012 wrote to memory of 1704	2012	070632abba4a80ed2f56473b2bda4c2865c095673aa47f09b7d15611e1bd0f10.exe	28
PID 2012 wrote to memory of 1704	2012	070632abba4a80ed2f56473b2bda4c2865c095673aa47f09b7d15611e1bd0f10.exe	28
PID 2012 wrote to memory of 1704	2012	070632abba4a80ed2f56473b2bda4c2865c095673aa47f09b7d15611e1bd0f10.exe	28
PID 2012 wrote to memory of 1704	2012	070632abba4a80ed2f56473b2bda4c2865c095673aa47f09b7d15611e1bd0f10.exe	28
PID 2012 wrote to memory of 1704	2012	070632abba4a80ed2f56473b2bda4c2865c095673aa47f09b7d15611e1bd0f10.exe	28
PID 2012 wrote to memory of 1704	2012	070632abba4a80ed2f56473b2bda4c2865c095673aa47f09b7d15611e1bd0f10.exe	28
PID 1704 wrote to memory of 564	1704	un355417.exe	29
PID 1704 wrote to memory of 564	1704	un355417.exe	29
PID 1704 wrote to memory of 564	1704	un355417.exe	29
PID 1704 wrote to memory of 564	1704	un355417.exe	29
PID 1704 wrote to memory of 564	1704	un355417.exe	29
PID 1704 wrote to memory of 564	1704	un355417.exe	29
PID 1704 wrote to memory of 564	1704	un355417.exe	29
PID 1704 wrote to memory of 360	1704	un355417.exe	30
PID 1704 wrote to memory of 360	1704	un355417.exe	30
PID 1704 wrote to memory of 360	1704	un355417.exe	30
PID 1704 wrote to memory of 360	1704	un355417.exe	30
PID 1704 wrote to memory of 360	1704	un355417.exe	30
PID 1704 wrote to memory of 360	1704	un355417.exe	30
PID 1704 wrote to memory of 360	1704	un355417.exe	30

C:\Users\Admin\AppData\Local\Temp\070632abba4a80ed2f56473b2bda4c2865c095673aa47f09b7d15611e1bd0f10.exe
"C:\Users\Admin\AppData\Local\Temp\070632abba4a80ed2f56473b2bda4c2865c095673aa47f09b7d15611e1bd0f10.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un355417.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un355417.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42068703.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42068703.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:564
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk446965.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk446965.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un355417.exe

Filesize
536KB

MD5
492146f1c10e0110c3232e556a66d5ef

SHA1
39b74e8d9a5cec0a7bc613d1649bcecc0e1382ad

SHA256
052e944b1b6fc35951ab32af01e0aace8406e6dcc253b6ef3d080b4757576b0d

SHA512
df8dc8f14b4228e6a7a8c7434534ccc711b46c8710acc774507399da4f3e3fad5edc28ce299a9294e201f0f04ef79d12b095801e0dd2524e8d03b4853cb463a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un355417.exe

Filesize
536KB

MD5
492146f1c10e0110c3232e556a66d5ef

SHA1
39b74e8d9a5cec0a7bc613d1649bcecc0e1382ad

SHA256
052e944b1b6fc35951ab32af01e0aace8406e6dcc253b6ef3d080b4757576b0d

SHA512
df8dc8f14b4228e6a7a8c7434534ccc711b46c8710acc774507399da4f3e3fad5edc28ce299a9294e201f0f04ef79d12b095801e0dd2524e8d03b4853cb463a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42068703.exe

Filesize
259KB

MD5
6464efb10e8de22c45fb1a68de531d89

SHA1
3dda413055918f372363f3fe262dd0a6af4cb0aa

SHA256
9df94038effc7c846346d2380a7865c0e36b4fa4ddf91be5c56282bc295596f1

SHA512
932f533e93351c8be7b98f88a3508a759085696ca897296ece9da624e04e0d6642df2e9c206ac1513c30b6339b5d54fd459dae5445768014c709c9de6123bfb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42068703.exe

Filesize
259KB

MD5
6464efb10e8de22c45fb1a68de531d89

SHA1
3dda413055918f372363f3fe262dd0a6af4cb0aa

SHA256
9df94038effc7c846346d2380a7865c0e36b4fa4ddf91be5c56282bc295596f1

SHA512
932f533e93351c8be7b98f88a3508a759085696ca897296ece9da624e04e0d6642df2e9c206ac1513c30b6339b5d54fd459dae5445768014c709c9de6123bfb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42068703.exe

Filesize
259KB

MD5
6464efb10e8de22c45fb1a68de531d89

SHA1
3dda413055918f372363f3fe262dd0a6af4cb0aa

SHA256
9df94038effc7c846346d2380a7865c0e36b4fa4ddf91be5c56282bc295596f1

SHA512
932f533e93351c8be7b98f88a3508a759085696ca897296ece9da624e04e0d6642df2e9c206ac1513c30b6339b5d54fd459dae5445768014c709c9de6123bfb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk446965.exe

Filesize
341KB

MD5
31e0512f93413fbf567f1efed7809bd9

SHA1
27a67baede2f40e092a0b97f909e6995215b70a8

SHA256
1cb932428ea6656fd7f05803e92992c47581f499f9bca0ea301558d466d1c7e6

SHA512
ad726b48a9b5332cdd096046c576b719cba08318369b127db46e92231d216932fa34a4d17d19619d055315b6242f9a6e5f4975ed8bda68631cffe515050f6562

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk446965.exe

Filesize
341KB

MD5
31e0512f93413fbf567f1efed7809bd9

SHA1
27a67baede2f40e092a0b97f909e6995215b70a8

SHA256
1cb932428ea6656fd7f05803e92992c47581f499f9bca0ea301558d466d1c7e6

SHA512
ad726b48a9b5332cdd096046c576b719cba08318369b127db46e92231d216932fa34a4d17d19619d055315b6242f9a6e5f4975ed8bda68631cffe515050f6562

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk446965.exe

Filesize
341KB

MD5
31e0512f93413fbf567f1efed7809bd9

SHA1
27a67baede2f40e092a0b97f909e6995215b70a8

SHA256
1cb932428ea6656fd7f05803e92992c47581f499f9bca0ea301558d466d1c7e6

SHA512
ad726b48a9b5332cdd096046c576b719cba08318369b127db46e92231d216932fa34a4d17d19619d055315b6242f9a6e5f4975ed8bda68631cffe515050f6562

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un355417.exe

Filesize
536KB

MD5
492146f1c10e0110c3232e556a66d5ef

SHA1
39b74e8d9a5cec0a7bc613d1649bcecc0e1382ad

SHA256
052e944b1b6fc35951ab32af01e0aace8406e6dcc253b6ef3d080b4757576b0d

SHA512
df8dc8f14b4228e6a7a8c7434534ccc711b46c8710acc774507399da4f3e3fad5edc28ce299a9294e201f0f04ef79d12b095801e0dd2524e8d03b4853cb463a0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un355417.exe

Filesize
536KB

MD5
492146f1c10e0110c3232e556a66d5ef

SHA1
39b74e8d9a5cec0a7bc613d1649bcecc0e1382ad

SHA256
052e944b1b6fc35951ab32af01e0aace8406e6dcc253b6ef3d080b4757576b0d

SHA512
df8dc8f14b4228e6a7a8c7434534ccc711b46c8710acc774507399da4f3e3fad5edc28ce299a9294e201f0f04ef79d12b095801e0dd2524e8d03b4853cb463a0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\42068703.exe

Filesize
259KB

MD5
6464efb10e8de22c45fb1a68de531d89

SHA1
3dda413055918f372363f3fe262dd0a6af4cb0aa

SHA256
9df94038effc7c846346d2380a7865c0e36b4fa4ddf91be5c56282bc295596f1

SHA512
932f533e93351c8be7b98f88a3508a759085696ca897296ece9da624e04e0d6642df2e9c206ac1513c30b6339b5d54fd459dae5445768014c709c9de6123bfb9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\42068703.exe

Filesize
259KB

MD5
6464efb10e8de22c45fb1a68de531d89

SHA1
3dda413055918f372363f3fe262dd0a6af4cb0aa

SHA256
9df94038effc7c846346d2380a7865c0e36b4fa4ddf91be5c56282bc295596f1

SHA512
932f533e93351c8be7b98f88a3508a759085696ca897296ece9da624e04e0d6642df2e9c206ac1513c30b6339b5d54fd459dae5445768014c709c9de6123bfb9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\42068703.exe

Filesize
259KB

MD5
6464efb10e8de22c45fb1a68de531d89

SHA1
3dda413055918f372363f3fe262dd0a6af4cb0aa

SHA256
9df94038effc7c846346d2380a7865c0e36b4fa4ddf91be5c56282bc295596f1

SHA512
932f533e93351c8be7b98f88a3508a759085696ca897296ece9da624e04e0d6642df2e9c206ac1513c30b6339b5d54fd459dae5445768014c709c9de6123bfb9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk446965.exe

Filesize
341KB

MD5
31e0512f93413fbf567f1efed7809bd9

SHA1
27a67baede2f40e092a0b97f909e6995215b70a8

SHA256
1cb932428ea6656fd7f05803e92992c47581f499f9bca0ea301558d466d1c7e6

SHA512
ad726b48a9b5332cdd096046c576b719cba08318369b127db46e92231d216932fa34a4d17d19619d055315b6242f9a6e5f4975ed8bda68631cffe515050f6562

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk446965.exe

Filesize
341KB

MD5
31e0512f93413fbf567f1efed7809bd9

SHA1
27a67baede2f40e092a0b97f909e6995215b70a8

SHA256
1cb932428ea6656fd7f05803e92992c47581f499f9bca0ea301558d466d1c7e6

SHA512
ad726b48a9b5332cdd096046c576b719cba08318369b127db46e92231d216932fa34a4d17d19619d055315b6242f9a6e5f4975ed8bda68631cffe515050f6562

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk446965.exe

Filesize
341KB

MD5
31e0512f93413fbf567f1efed7809bd9

SHA1
27a67baede2f40e092a0b97f909e6995215b70a8

SHA256
1cb932428ea6656fd7f05803e92992c47581f499f9bca0ea301558d466d1c7e6

SHA512
ad726b48a9b5332cdd096046c576b719cba08318369b127db46e92231d216932fa34a4d17d19619d055315b6242f9a6e5f4975ed8bda68631cffe515050f6562

Download Submit
memory/360-150-0x0000000001F80000-0x0000000001FB5000-memory.dmp

Filesize
212KB

Download
memory/360-132-0x0000000001F80000-0x0000000001FB5000-memory.dmp

Filesize
212KB

Download
memory/360-154-0x0000000001F80000-0x0000000001FB5000-memory.dmp

Filesize
212KB

Download
memory/360-152-0x0000000001F80000-0x0000000001FB5000-memory.dmp

Filesize
212KB

Download
memory/360-128-0x00000000002F0000-0x0000000000336000-memory.dmp

Filesize
280KB

Download
memory/360-148-0x0000000001F80000-0x0000000001FB5000-memory.dmp

Filesize
212KB

Download
memory/360-146-0x0000000001F80000-0x0000000001FB5000-memory.dmp

Filesize
212KB

Download
memory/360-144-0x0000000001F80000-0x0000000001FB5000-memory.dmp

Filesize
212KB

Download
memory/360-142-0x0000000001F80000-0x0000000001FB5000-memory.dmp

Filesize
212KB

Download
memory/360-140-0x0000000001F80000-0x0000000001FB5000-memory.dmp

Filesize
212KB

Download
memory/360-138-0x0000000001F80000-0x0000000001FB5000-memory.dmp

Filesize
212KB

Download
memory/360-136-0x0000000001F80000-0x0000000001FB5000-memory.dmp

Filesize
212KB

Download
memory/360-134-0x0000000001F80000-0x0000000001FB5000-memory.dmp

Filesize
212KB

Download
memory/360-158-0x0000000001F80000-0x0000000001FB5000-memory.dmp

Filesize
212KB

Download
memory/360-131-0x0000000001F80000-0x0000000001FB5000-memory.dmp

Filesize
212KB

Download
memory/360-130-0x0000000004AF0000-0x0000000004B30000-memory.dmp

Filesize
256KB

Download
memory/360-129-0x0000000004AF0000-0x0000000004B30000-memory.dmp

Filesize
256KB

Download
memory/360-156-0x0000000001F80000-0x0000000001FB5000-memory.dmp

Filesize
212KB

Download
memory/360-160-0x0000000001F80000-0x0000000001FB5000-memory.dmp

Filesize
212KB

Download
memory/360-162-0x0000000001F80000-0x0000000001FB5000-memory.dmp

Filesize
212KB

Download
memory/360-924-0x0000000004AF0000-0x0000000004B30000-memory.dmp

Filesize
256KB

Download
memory/360-925-0x0000000004AF0000-0x0000000004B30000-memory.dmp

Filesize
256KB

Download
memory/360-927-0x0000000004AF0000-0x0000000004B30000-memory.dmp

Filesize
256KB

Download
memory/360-126-0x0000000000AF0000-0x0000000000B2C000-memory.dmp

Filesize
240KB

Download
memory/360-127-0x0000000001F80000-0x0000000001FBA000-memory.dmp

Filesize
232KB

Download
memory/564-86-0x0000000001F70000-0x0000000001F83000-memory.dmp

Filesize
76KB

Download
memory/564-115-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/564-112-0x0000000004A50000-0x0000000004A90000-memory.dmp

Filesize
256KB

Download
memory/564-111-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/564-110-0x0000000004A50000-0x0000000004A90000-memory.dmp

Filesize
256KB

Download
memory/564-109-0x0000000004A50000-0x0000000004A90000-memory.dmp

Filesize
256KB

Download
memory/564-96-0x0000000001F70000-0x0000000001F83000-memory.dmp

Filesize
76KB

Download
memory/564-98-0x0000000001F70000-0x0000000001F83000-memory.dmp

Filesize
76KB

Download
memory/564-100-0x0000000001F70000-0x0000000001F83000-memory.dmp

Filesize
76KB

Download
memory/564-102-0x0000000001F70000-0x0000000001F83000-memory.dmp

Filesize
76KB

Download
memory/564-104-0x0000000001F70000-0x0000000001F83000-memory.dmp

Filesize
76KB

Download
memory/564-108-0x0000000001F70000-0x0000000001F83000-memory.dmp

Filesize
76KB

Download
memory/564-106-0x0000000001F70000-0x0000000001F83000-memory.dmp

Filesize
76KB

Download
memory/564-94-0x0000000001F70000-0x0000000001F83000-memory.dmp

Filesize
76KB

Download
memory/564-92-0x0000000001F70000-0x0000000001F83000-memory.dmp

Filesize
76KB

Download
memory/564-90-0x0000000001F70000-0x0000000001F83000-memory.dmp

Filesize
76KB

Download
memory/564-88-0x0000000001F70000-0x0000000001F83000-memory.dmp

Filesize
76KB

Download
memory/564-84-0x0000000001F70000-0x0000000001F83000-memory.dmp

Filesize
76KB

Download
memory/564-81-0x0000000001F70000-0x0000000001F83000-memory.dmp

Filesize
76KB

Download
memory/564-82-0x0000000001F70000-0x0000000001F83000-memory.dmp

Filesize
76KB

Download
memory/564-80-0x0000000001F70000-0x0000000001F88000-memory.dmp

Filesize
96KB

Download
memory/564-79-0x0000000000A90000-0x0000000000AAA000-memory.dmp

Filesize
104KB

Download
memory/564-78-0x00000000003D0000-0x00000000003FD000-memory.dmp

Filesize
180KB

Download