075de5873b4fbb3bd51f63e030d66a349d1c6e582961ad17809b6a7d71e69283

Analysis

max time kernel
149s
max time network
169s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-05-2023 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

075de5873b4fbb3bd51f63e030d66a349d1c6e582961ad17809b6a7d71e69283.exe
Size

702KB
MD5

95a5b96020e2cc45ea7b0f376c13b055
SHA1

7717072b0bdfb1dd9b0e7bb8a46f8e6b68ab124a
SHA256

075de5873b4fbb3bd51f63e030d66a349d1c6e582961ad17809b6a7d71e69283
SHA512

1c9d148c3d818416985501f973dbf2bf1b4dd9d0ae46abe004f802aafd6a274474774c960fac6671c3f6a24f146d1d54e802c61894dc1500e5841203c4248c51
SSDEEP

12288:Uy90iWbevzP2bGG03AK2tkxRNY8jV4DbQlt1DEG2Vo9wJrfb7X8KJoVpX:Uy/0e720/2uNYj/K14GRwBDAKeVpX

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	44504412.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	44504412.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	44504412.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	44504412.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	44504412.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	44504412.exe

Executes dropped EXE 3 IoCs

pid	Process
1132	un864540.exe
276	44504412.exe
692	rk420919.exe

Loads dropped DLL 8 IoCs

pid	Process
2000	075de5873b4fbb3bd51f63e030d66a349d1c6e582961ad17809b6a7d71e69283.exe
1132	un864540.exe
1132	un864540.exe
1132	un864540.exe
276	44504412.exe
1132	un864540.exe
1132	un864540.exe
692	rk420919.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	44504412.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	44504412.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	075de5873b4fbb3bd51f63e030d66a349d1c6e582961ad17809b6a7d71e69283.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	075de5873b4fbb3bd51f63e030d66a349d1c6e582961ad17809b6a7d71e69283.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un864540.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un864540.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
276	44504412.exe
276	44504412.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	276	44504412.exe
Token: SeDebugPrivilege	692	rk420919.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1132	2000	075de5873b4fbb3bd51f63e030d66a349d1c6e582961ad17809b6a7d71e69283.exe	27
PID 2000 wrote to memory of 1132	2000	075de5873b4fbb3bd51f63e030d66a349d1c6e582961ad17809b6a7d71e69283.exe	27
PID 2000 wrote to memory of 1132	2000	075de5873b4fbb3bd51f63e030d66a349d1c6e582961ad17809b6a7d71e69283.exe	27
PID 2000 wrote to memory of 1132	2000	075de5873b4fbb3bd51f63e030d66a349d1c6e582961ad17809b6a7d71e69283.exe	27
PID 2000 wrote to memory of 1132	2000	075de5873b4fbb3bd51f63e030d66a349d1c6e582961ad17809b6a7d71e69283.exe	27
PID 2000 wrote to memory of 1132	2000	075de5873b4fbb3bd51f63e030d66a349d1c6e582961ad17809b6a7d71e69283.exe	27
PID 2000 wrote to memory of 1132	2000	075de5873b4fbb3bd51f63e030d66a349d1c6e582961ad17809b6a7d71e69283.exe	27
PID 1132 wrote to memory of 276	1132	un864540.exe	28
PID 1132 wrote to memory of 276	1132	un864540.exe	28
PID 1132 wrote to memory of 276	1132	un864540.exe	28
PID 1132 wrote to memory of 276	1132	un864540.exe	28
PID 1132 wrote to memory of 276	1132	un864540.exe	28
PID 1132 wrote to memory of 276	1132	un864540.exe	28
PID 1132 wrote to memory of 276	1132	un864540.exe	28
PID 1132 wrote to memory of 692	1132	un864540.exe	29
PID 1132 wrote to memory of 692	1132	un864540.exe	29
PID 1132 wrote to memory of 692	1132	un864540.exe	29
PID 1132 wrote to memory of 692	1132	un864540.exe	29
PID 1132 wrote to memory of 692	1132	un864540.exe	29
PID 1132 wrote to memory of 692	1132	un864540.exe	29
PID 1132 wrote to memory of 692	1132	un864540.exe	29

C:\Users\Admin\AppData\Local\Temp\075de5873b4fbb3bd51f63e030d66a349d1c6e582961ad17809b6a7d71e69283.exe
"C:\Users\Admin\AppData\Local\Temp\075de5873b4fbb3bd51f63e030d66a349d1c6e582961ad17809b6a7d71e69283.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un864540.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un864540.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\44504412.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\44504412.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:276
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk420919.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk420919.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un864540.exe

Filesize
547KB

MD5
802f7dd1379d6ecf851a251d7529be65

SHA1
a7d5e9d621e067fd3bf2fda9a0f414bf0df7983e

SHA256
41e64a17267f03cbc6761288469254cc0ab77b6d8c4e44a3ada226ece72571fa

SHA512
b50e43425ea0a0ee79f0119881524303737e62ef2548c41c4d2df05edd87768344b9723d3a4485527722937bc2c04d36fa038c057161fa3cc2a4a3705aefcb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un864540.exe

Filesize
547KB

MD5
802f7dd1379d6ecf851a251d7529be65

SHA1
a7d5e9d621e067fd3bf2fda9a0f414bf0df7983e

SHA256
41e64a17267f03cbc6761288469254cc0ab77b6d8c4e44a3ada226ece72571fa

SHA512
b50e43425ea0a0ee79f0119881524303737e62ef2548c41c4d2df05edd87768344b9723d3a4485527722937bc2c04d36fa038c057161fa3cc2a4a3705aefcb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\44504412.exe

Filesize
269KB

MD5
bb77556f43286de5e0c37a58d9191d33

SHA1
f8aa00207ef058963b045824fc63337563a5d2a5

SHA256
54500347455be1c8f60833552678d15d1c15a77dfdd1e722a338adaecb6da5ff

SHA512
e3e1ea029c4e7774893e9f16cd5024ea104fae7abf5b12478f7d2d89b6140e0acef76805e8746669af020b7ce57535513265a8500c0f22262bed351664d3dab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\44504412.exe

Filesize
269KB

MD5
bb77556f43286de5e0c37a58d9191d33

SHA1
f8aa00207ef058963b045824fc63337563a5d2a5

SHA256
54500347455be1c8f60833552678d15d1c15a77dfdd1e722a338adaecb6da5ff

SHA512
e3e1ea029c4e7774893e9f16cd5024ea104fae7abf5b12478f7d2d89b6140e0acef76805e8746669af020b7ce57535513265a8500c0f22262bed351664d3dab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\44504412.exe

Filesize
269KB

MD5
bb77556f43286de5e0c37a58d9191d33

SHA1
f8aa00207ef058963b045824fc63337563a5d2a5

SHA256
54500347455be1c8f60833552678d15d1c15a77dfdd1e722a338adaecb6da5ff

SHA512
e3e1ea029c4e7774893e9f16cd5024ea104fae7abf5b12478f7d2d89b6140e0acef76805e8746669af020b7ce57535513265a8500c0f22262bed351664d3dab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk420919.exe

Filesize
353KB

MD5
3ee43e57361c7f11eee5a8fa338eab4f

SHA1
10f0ffa88bfa2cd6709311bc5a042d4bbbbfbdb1

SHA256
64b928f01fda0e904f5ea2e025e3d8a8652d885ef99e9c8ecd12ee30691934d4

SHA512
1cf5ef6c4a8018024a8fe55400c31a55c89a050c4dba93b19aa5c79cfcd6f28d95bc601d4f1c1b0f82921d9f4296ca140219ad10a8eedb9e8cce5277517cdf1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk420919.exe

Filesize
353KB

MD5
3ee43e57361c7f11eee5a8fa338eab4f

SHA1
10f0ffa88bfa2cd6709311bc5a042d4bbbbfbdb1

SHA256
64b928f01fda0e904f5ea2e025e3d8a8652d885ef99e9c8ecd12ee30691934d4

SHA512
1cf5ef6c4a8018024a8fe55400c31a55c89a050c4dba93b19aa5c79cfcd6f28d95bc601d4f1c1b0f82921d9f4296ca140219ad10a8eedb9e8cce5277517cdf1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk420919.exe

Filesize
353KB

MD5
3ee43e57361c7f11eee5a8fa338eab4f

SHA1
10f0ffa88bfa2cd6709311bc5a042d4bbbbfbdb1

SHA256
64b928f01fda0e904f5ea2e025e3d8a8652d885ef99e9c8ecd12ee30691934d4

SHA512
1cf5ef6c4a8018024a8fe55400c31a55c89a050c4dba93b19aa5c79cfcd6f28d95bc601d4f1c1b0f82921d9f4296ca140219ad10a8eedb9e8cce5277517cdf1c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un864540.exe

Filesize
547KB

MD5
802f7dd1379d6ecf851a251d7529be65

SHA1
a7d5e9d621e067fd3bf2fda9a0f414bf0df7983e

SHA256
41e64a17267f03cbc6761288469254cc0ab77b6d8c4e44a3ada226ece72571fa

SHA512
b50e43425ea0a0ee79f0119881524303737e62ef2548c41c4d2df05edd87768344b9723d3a4485527722937bc2c04d36fa038c057161fa3cc2a4a3705aefcb42

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un864540.exe

Filesize
547KB

MD5
802f7dd1379d6ecf851a251d7529be65

SHA1
a7d5e9d621e067fd3bf2fda9a0f414bf0df7983e

SHA256
41e64a17267f03cbc6761288469254cc0ab77b6d8c4e44a3ada226ece72571fa

SHA512
b50e43425ea0a0ee79f0119881524303737e62ef2548c41c4d2df05edd87768344b9723d3a4485527722937bc2c04d36fa038c057161fa3cc2a4a3705aefcb42

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\44504412.exe

Filesize
269KB

MD5
bb77556f43286de5e0c37a58d9191d33

SHA1
f8aa00207ef058963b045824fc63337563a5d2a5

SHA256
54500347455be1c8f60833552678d15d1c15a77dfdd1e722a338adaecb6da5ff

SHA512
e3e1ea029c4e7774893e9f16cd5024ea104fae7abf5b12478f7d2d89b6140e0acef76805e8746669af020b7ce57535513265a8500c0f22262bed351664d3dab1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\44504412.exe

Filesize
269KB

MD5
bb77556f43286de5e0c37a58d9191d33

SHA1
f8aa00207ef058963b045824fc63337563a5d2a5

SHA256
54500347455be1c8f60833552678d15d1c15a77dfdd1e722a338adaecb6da5ff

SHA512
e3e1ea029c4e7774893e9f16cd5024ea104fae7abf5b12478f7d2d89b6140e0acef76805e8746669af020b7ce57535513265a8500c0f22262bed351664d3dab1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\44504412.exe

Filesize
269KB

MD5
bb77556f43286de5e0c37a58d9191d33

SHA1
f8aa00207ef058963b045824fc63337563a5d2a5

SHA256
54500347455be1c8f60833552678d15d1c15a77dfdd1e722a338adaecb6da5ff

SHA512
e3e1ea029c4e7774893e9f16cd5024ea104fae7abf5b12478f7d2d89b6140e0acef76805e8746669af020b7ce57535513265a8500c0f22262bed351664d3dab1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk420919.exe

Filesize
353KB

MD5
3ee43e57361c7f11eee5a8fa338eab4f

SHA1
10f0ffa88bfa2cd6709311bc5a042d4bbbbfbdb1

SHA256
64b928f01fda0e904f5ea2e025e3d8a8652d885ef99e9c8ecd12ee30691934d4

SHA512
1cf5ef6c4a8018024a8fe55400c31a55c89a050c4dba93b19aa5c79cfcd6f28d95bc601d4f1c1b0f82921d9f4296ca140219ad10a8eedb9e8cce5277517cdf1c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk420919.exe

Filesize
353KB

MD5
3ee43e57361c7f11eee5a8fa338eab4f

SHA1
10f0ffa88bfa2cd6709311bc5a042d4bbbbfbdb1

SHA256
64b928f01fda0e904f5ea2e025e3d8a8652d885ef99e9c8ecd12ee30691934d4

SHA512
1cf5ef6c4a8018024a8fe55400c31a55c89a050c4dba93b19aa5c79cfcd6f28d95bc601d4f1c1b0f82921d9f4296ca140219ad10a8eedb9e8cce5277517cdf1c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk420919.exe

Filesize
353KB

MD5
3ee43e57361c7f11eee5a8fa338eab4f

SHA1
10f0ffa88bfa2cd6709311bc5a042d4bbbbfbdb1

SHA256
64b928f01fda0e904f5ea2e025e3d8a8652d885ef99e9c8ecd12ee30691934d4

SHA512
1cf5ef6c4a8018024a8fe55400c31a55c89a050c4dba93b19aa5c79cfcd6f28d95bc601d4f1c1b0f82921d9f4296ca140219ad10a8eedb9e8cce5277517cdf1c

Download Submit
memory/276-110-0x0000000000400000-0x0000000002B9E000-memory.dmp

Filesize
39.6MB

Download
memory/276-87-0x0000000002D60000-0x0000000002D72000-memory.dmp

Filesize
72KB

Download
memory/276-89-0x0000000002D60000-0x0000000002D72000-memory.dmp

Filesize
72KB

Download
memory/276-91-0x0000000002D60000-0x0000000002D72000-memory.dmp

Filesize
72KB

Download
memory/276-93-0x0000000002D60000-0x0000000002D72000-memory.dmp

Filesize
72KB

Download
memory/276-95-0x0000000002D60000-0x0000000002D72000-memory.dmp

Filesize
72KB

Download
memory/276-97-0x0000000002D60000-0x0000000002D72000-memory.dmp

Filesize
72KB

Download
memory/276-99-0x0000000002D60000-0x0000000002D72000-memory.dmp

Filesize
72KB

Download
memory/276-105-0x0000000002D60000-0x0000000002D72000-memory.dmp

Filesize
72KB

Download
memory/276-103-0x0000000002D60000-0x0000000002D72000-memory.dmp

Filesize
72KB

Download
memory/276-101-0x0000000002D60000-0x0000000002D72000-memory.dmp

Filesize
72KB

Download
memory/276-107-0x0000000002D60000-0x0000000002D72000-memory.dmp

Filesize
72KB

Download
memory/276-109-0x0000000002D60000-0x0000000002D72000-memory.dmp

Filesize
72KB

Download
memory/276-85-0x0000000002D60000-0x0000000002D72000-memory.dmp

Filesize
72KB

Download
memory/276-114-0x0000000000400000-0x0000000002B9E000-memory.dmp

Filesize
39.6MB

Download
memory/276-83-0x0000000002D60000-0x0000000002D72000-memory.dmp

Filesize
72KB

Download
memory/276-82-0x0000000002D60000-0x0000000002D72000-memory.dmp

Filesize
72KB

Download
memory/276-81-0x0000000002D60000-0x0000000002D78000-memory.dmp

Filesize
96KB

Download
memory/276-79-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/276-80-0x00000000072B0000-0x00000000072F0000-memory.dmp

Filesize
256KB

Download
memory/276-78-0x00000000003D0000-0x00000000003EA000-memory.dmp

Filesize
104KB

Download
memory/692-125-0x0000000003240000-0x000000000327C000-memory.dmp

Filesize
240KB

Download
memory/692-126-0x0000000004810000-0x000000000484A000-memory.dmp

Filesize
232KB

Download
memory/692-127-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/692-128-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/692-130-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/692-132-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/692-134-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/692-136-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/692-139-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/692-141-0x00000000072B0000-0x00000000072F0000-memory.dmp

Filesize
256KB

Download
memory/692-138-0x0000000000350000-0x0000000000396000-memory.dmp

Filesize
280KB

Download
memory/692-143-0x00000000072B0000-0x00000000072F0000-memory.dmp

Filesize
256KB

Download
memory/692-142-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/692-145-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/692-147-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/692-149-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/692-151-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/692-153-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/692-155-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/692-157-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/692-159-0x0000000004810000-0x0000000004845000-memory.dmp

Filesize
212KB

Download
memory/692-922-0x00000000072B0000-0x00000000072F0000-memory.dmp

Filesize
256KB

Download
memory/692-925-0x00000000072B0000-0x00000000072F0000-memory.dmp

Filesize
256KB

Download