075447ce64e305c8bb32c41a2cf5102f55803f76a2e6b52df991c489b01f9e82

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-05-2023 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

075447ce64e305c8bb32c41a2cf5102f55803f76a2e6b52df991c489b01f9e82.exe
Size

479KB
MD5

5577147c5b1aa1dd66b5b84982cf3ac8
SHA1

e4ab9506f13992d220905a63757b9e2c8b620cff
SHA256

075447ce64e305c8bb32c41a2cf5102f55803f76a2e6b52df991c489b01f9e82
SHA512

b1b9d057d9ea4a45fb7f27a6ac0a6450f9f4ddfbcfbeb47e4b46a8b4e81add0236b10f128af19d7b15094834eb959691dfc71a53e01f007c4ca4b85cd0a588ab
SSDEEP

12288:GMrfy90tmBpUQZuTzDMoDYmO6aW81OGDXGmRvJURd0uO+i:ByxpZZuIIWTh1OUWrdli

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a8735883.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a8735883.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a8735883.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a8735883.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a8735883.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a8735883.exe

Executes dropped EXE 3 IoCs

pid	Process
1924	v3950559.exe
960	a8735883.exe
760	b2762133.exe

Loads dropped DLL 6 IoCs

pid	Process
1976	075447ce64e305c8bb32c41a2cf5102f55803f76a2e6b52df991c489b01f9e82.exe
1924	v3950559.exe
1924	v3950559.exe
960	a8735883.exe
1924	v3950559.exe
760	b2762133.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	a8735883.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a8735883.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	075447ce64e305c8bb32c41a2cf5102f55803f76a2e6b52df991c489b01f9e82.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	075447ce64e305c8bb32c41a2cf5102f55803f76a2e6b52df991c489b01f9e82.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3950559.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3950559.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
960	a8735883.exe
960	a8735883.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	960	a8735883.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1924	1976	075447ce64e305c8bb32c41a2cf5102f55803f76a2e6b52df991c489b01f9e82.exe	27
PID 1976 wrote to memory of 1924	1976	075447ce64e305c8bb32c41a2cf5102f55803f76a2e6b52df991c489b01f9e82.exe	27
PID 1976 wrote to memory of 1924	1976	075447ce64e305c8bb32c41a2cf5102f55803f76a2e6b52df991c489b01f9e82.exe	27
PID 1976 wrote to memory of 1924	1976	075447ce64e305c8bb32c41a2cf5102f55803f76a2e6b52df991c489b01f9e82.exe	27
PID 1976 wrote to memory of 1924	1976	075447ce64e305c8bb32c41a2cf5102f55803f76a2e6b52df991c489b01f9e82.exe	27
PID 1976 wrote to memory of 1924	1976	075447ce64e305c8bb32c41a2cf5102f55803f76a2e6b52df991c489b01f9e82.exe	27
PID 1976 wrote to memory of 1924	1976	075447ce64e305c8bb32c41a2cf5102f55803f76a2e6b52df991c489b01f9e82.exe	27
PID 1924 wrote to memory of 960	1924	v3950559.exe	28
PID 1924 wrote to memory of 960	1924	v3950559.exe	28
PID 1924 wrote to memory of 960	1924	v3950559.exe	28
PID 1924 wrote to memory of 960	1924	v3950559.exe	28
PID 1924 wrote to memory of 960	1924	v3950559.exe	28
PID 1924 wrote to memory of 960	1924	v3950559.exe	28
PID 1924 wrote to memory of 960	1924	v3950559.exe	28
PID 1924 wrote to memory of 760	1924	v3950559.exe	29
PID 1924 wrote to memory of 760	1924	v3950559.exe	29
PID 1924 wrote to memory of 760	1924	v3950559.exe	29
PID 1924 wrote to memory of 760	1924	v3950559.exe	29
PID 1924 wrote to memory of 760	1924	v3950559.exe	29
PID 1924 wrote to memory of 760	1924	v3950559.exe	29
PID 1924 wrote to memory of 760	1924	v3950559.exe	29

C:\Users\Admin\AppData\Local\Temp\075447ce64e305c8bb32c41a2cf5102f55803f76a2e6b52df991c489b01f9e82.exe
"C:\Users\Admin\AppData\Local\Temp\075447ce64e305c8bb32c41a2cf5102f55803f76a2e6b52df991c489b01f9e82.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3950559.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3950559.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8735883.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8735883.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:960
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2762133.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2762133.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3950559.exe

Filesize
307KB

MD5
d16fa6e85dfb4ae46405453c71b75694

SHA1
20b06617901676d15ff5a3bed81ee196ff82e166

SHA256
c4196069172bf3a494ca7130ae3ad560745fe714cbdfbee56d4807bb7cd7d642

SHA512
9f519ec0fd9433c1d27938c5fc8d20a67e1b505b7f72cdc8ec9d0211ef12874bdc6cee24d1b77d37b9c40d52a211d828f4cfea26db4312163595b4ccd84aea01

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3950559.exe

Filesize
307KB

MD5
d16fa6e85dfb4ae46405453c71b75694

SHA1
20b06617901676d15ff5a3bed81ee196ff82e166

SHA256
c4196069172bf3a494ca7130ae3ad560745fe714cbdfbee56d4807bb7cd7d642

SHA512
9f519ec0fd9433c1d27938c5fc8d20a67e1b505b7f72cdc8ec9d0211ef12874bdc6cee24d1b77d37b9c40d52a211d828f4cfea26db4312163595b4ccd84aea01

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8735883.exe

Filesize
175KB

MD5
53103813f9b185c5775d4351c5c97e25

SHA1
9c286346ffee3b83e81ac8f6c5ef3143a35b3f9d

SHA256
2f824ce1b62be8a3c8df47fc37f345911f63117e56d6548586f987e345f54485

SHA512
d9d302370143d104000f9efe83b538524e1117e76aa0c6944f2fe231c139ddb8cefc66dc296f1d4dbe11c82eabf56cbc4e5cba78a605f2496dd226dd6bd68509

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8735883.exe

Filesize
175KB

MD5
53103813f9b185c5775d4351c5c97e25

SHA1
9c286346ffee3b83e81ac8f6c5ef3143a35b3f9d

SHA256
2f824ce1b62be8a3c8df47fc37f345911f63117e56d6548586f987e345f54485

SHA512
d9d302370143d104000f9efe83b538524e1117e76aa0c6944f2fe231c139ddb8cefc66dc296f1d4dbe11c82eabf56cbc4e5cba78a605f2496dd226dd6bd68509

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2762133.exe

Filesize
136KB

MD5
b1d06b88514d2e393201805baee9f188

SHA1
38147f086ba49868921d3f506cc3bae4e7b388f0

SHA256
c741f079ca08e2d1856bbd84f9501e27c1bce76b4dd0bb88e8e6e2d8fbc75ebf

SHA512
b8332bb813373dd4f167b5e1f5694073b1d39f93c5d26d64f21f55975f30b24f064ac474916cf643033b083cbbe45ed91436d8f705eb651b8ad89c5ef242d5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2762133.exe

Filesize
136KB

MD5
b1d06b88514d2e393201805baee9f188

SHA1
38147f086ba49868921d3f506cc3bae4e7b388f0

SHA256
c741f079ca08e2d1856bbd84f9501e27c1bce76b4dd0bb88e8e6e2d8fbc75ebf

SHA512
b8332bb813373dd4f167b5e1f5694073b1d39f93c5d26d64f21f55975f30b24f064ac474916cf643033b083cbbe45ed91436d8f705eb651b8ad89c5ef242d5bd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3950559.exe

Filesize
307KB

MD5
d16fa6e85dfb4ae46405453c71b75694

SHA1
20b06617901676d15ff5a3bed81ee196ff82e166

SHA256
c4196069172bf3a494ca7130ae3ad560745fe714cbdfbee56d4807bb7cd7d642

SHA512
9f519ec0fd9433c1d27938c5fc8d20a67e1b505b7f72cdc8ec9d0211ef12874bdc6cee24d1b77d37b9c40d52a211d828f4cfea26db4312163595b4ccd84aea01

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3950559.exe

Filesize
307KB

MD5
d16fa6e85dfb4ae46405453c71b75694

SHA1
20b06617901676d15ff5a3bed81ee196ff82e166

SHA256
c4196069172bf3a494ca7130ae3ad560745fe714cbdfbee56d4807bb7cd7d642

SHA512
9f519ec0fd9433c1d27938c5fc8d20a67e1b505b7f72cdc8ec9d0211ef12874bdc6cee24d1b77d37b9c40d52a211d828f4cfea26db4312163595b4ccd84aea01

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8735883.exe

Filesize
175KB

MD5
53103813f9b185c5775d4351c5c97e25

SHA1
9c286346ffee3b83e81ac8f6c5ef3143a35b3f9d

SHA256
2f824ce1b62be8a3c8df47fc37f345911f63117e56d6548586f987e345f54485

SHA512
d9d302370143d104000f9efe83b538524e1117e76aa0c6944f2fe231c139ddb8cefc66dc296f1d4dbe11c82eabf56cbc4e5cba78a605f2496dd226dd6bd68509

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8735883.exe

Filesize
175KB

MD5
53103813f9b185c5775d4351c5c97e25

SHA1
9c286346ffee3b83e81ac8f6c5ef3143a35b3f9d

SHA256
2f824ce1b62be8a3c8df47fc37f345911f63117e56d6548586f987e345f54485

SHA512
d9d302370143d104000f9efe83b538524e1117e76aa0c6944f2fe231c139ddb8cefc66dc296f1d4dbe11c82eabf56cbc4e5cba78a605f2496dd226dd6bd68509

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2762133.exe

Filesize
136KB

MD5
b1d06b88514d2e393201805baee9f188

SHA1
38147f086ba49868921d3f506cc3bae4e7b388f0

SHA256
c741f079ca08e2d1856bbd84f9501e27c1bce76b4dd0bb88e8e6e2d8fbc75ebf

SHA512
b8332bb813373dd4f167b5e1f5694073b1d39f93c5d26d64f21f55975f30b24f064ac474916cf643033b083cbbe45ed91436d8f705eb651b8ad89c5ef242d5bd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2762133.exe

Filesize
136KB

MD5
b1d06b88514d2e393201805baee9f188

SHA1
38147f086ba49868921d3f506cc3bae4e7b388f0

SHA256
c741f079ca08e2d1856bbd84f9501e27c1bce76b4dd0bb88e8e6e2d8fbc75ebf

SHA512
b8332bb813373dd4f167b5e1f5694073b1d39f93c5d26d64f21f55975f30b24f064ac474916cf643033b083cbbe45ed91436d8f705eb651b8ad89c5ef242d5bd

Download Submit
memory/760-113-0x0000000000F30000-0x0000000000F58000-memory.dmp

Filesize
160KB

Download
memory/760-114-0x0000000007090000-0x00000000070D0000-memory.dmp

Filesize
256KB

Download
memory/760-115-0x0000000007090000-0x00000000070D0000-memory.dmp

Filesize
256KB

Download
memory/960-93-0x00000000021F0000-0x0000000002202000-memory.dmp

Filesize
72KB

Download
memory/960-81-0x00000000021F0000-0x0000000002202000-memory.dmp

Filesize
72KB

Download
memory/960-91-0x00000000021F0000-0x0000000002202000-memory.dmp

Filesize
72KB

Download
memory/960-89-0x00000000021F0000-0x0000000002202000-memory.dmp

Filesize
72KB

Download
memory/960-87-0x00000000021F0000-0x0000000002202000-memory.dmp

Filesize
72KB

Download
memory/960-83-0x00000000021F0000-0x0000000002202000-memory.dmp

Filesize
72KB

Download
memory/960-104-0x0000000004900000-0x0000000004940000-memory.dmp

Filesize
256KB

Download
memory/960-105-0x0000000004900000-0x0000000004940000-memory.dmp

Filesize
256KB

Download
memory/960-106-0x0000000004900000-0x0000000004940000-memory.dmp

Filesize
256KB

Download
memory/960-95-0x00000000021F0000-0x0000000002202000-memory.dmp

Filesize
72KB

Download
memory/960-79-0x00000000021F0000-0x0000000002202000-memory.dmp

Filesize
72KB

Download
memory/960-77-0x00000000021F0000-0x0000000002202000-memory.dmp

Filesize
72KB

Download
memory/960-76-0x00000000021F0000-0x0000000002202000-memory.dmp

Filesize
72KB

Download
memory/960-97-0x00000000021F0000-0x0000000002202000-memory.dmp

Filesize
72KB

Download
memory/960-99-0x00000000021F0000-0x0000000002202000-memory.dmp

Filesize
72KB

Download
memory/960-101-0x00000000021F0000-0x0000000002202000-memory.dmp

Filesize
72KB

Download
memory/960-103-0x00000000021F0000-0x0000000002202000-memory.dmp

Filesize
72KB

Download
memory/960-85-0x00000000021F0000-0x0000000002202000-memory.dmp

Filesize
72KB

Download
memory/960-75-0x00000000021F0000-0x0000000002208000-memory.dmp

Filesize
96KB

Download
memory/960-74-0x0000000000440000-0x000000000045A000-memory.dmp

Filesize
104KB

Download