be9885913c63b467e102d7650841bd56dc038e4d347c7823fe78c8205917cc2d

Resubmissions

06/05/2023, 03:34

230506-d4318sab4x 8

06/05/2023, 03:31

230506-d24jzsfh36 10

06/05/2023, 03:27

230506-dz82paab2z 10

06/05/2023, 03:16

230506-dsqlrsaa71 10

Analysis

max time kernel
1785s
max time network
1794s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00f0216950a0e1670937a7e76d2328226792363edc980aedda2de8722ace0896.exe
Size

1.3MB
MD5

c6326212f846c43fd017ae3ecd6e7f4d
SHA1

c92d9d6a4df83cd701ab170209a3af9d381ca928
SHA256

00f0216950a0e1670937a7e76d2328226792363edc980aedda2de8722ace0896
SHA512

fd0d59818687ecebec17820d63bcb61c0e0a4a5253899439e311e0f431234abf22f22cfc88de7801e5c5d95392b9da1e331bf43cfc15a406381fb4b02cbb6268
SSDEEP

24576:1yV1s8yRxwV7JGccW9Uan8Ax+dAuQ52W0oIw0A8IZ:Q3s8yRUJGccYUa/yV8x0oIwE

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	n8400605.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	n8400605.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	n8400605.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	n8400605.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	n8400605.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	n8400605.exe

Executes dropped EXE 5 IoCs

pid	Process
1716	z2782167.exe
4852	z0741032.exe
3092	z9472836.exe
2600	n8400605.exe
3076	o8123542.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	n8400605.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	n8400605.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	00f0216950a0e1670937a7e76d2328226792363edc980aedda2de8722ace0896.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	00f0216950a0e1670937a7e76d2328226792363edc980aedda2de8722ace0896.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z2782167.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z2782167.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z0741032.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z0741032.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z9472836.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z9472836.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3980	2600	WerFault.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2600	n8400605.exe
2600	n8400605.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2600	n8400605.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 1716	1848	00f0216950a0e1670937a7e76d2328226792363edc980aedda2de8722ace0896.exe	87
PID 1848 wrote to memory of 1716	1848	00f0216950a0e1670937a7e76d2328226792363edc980aedda2de8722ace0896.exe	87
PID 1848 wrote to memory of 1716	1848	00f0216950a0e1670937a7e76d2328226792363edc980aedda2de8722ace0896.exe	87
PID 1716 wrote to memory of 4852	1716	z2782167.exe	88
PID 1716 wrote to memory of 4852	1716	z2782167.exe	88
PID 1716 wrote to memory of 4852	1716	z2782167.exe	88
PID 4852 wrote to memory of 3092	4852	z0741032.exe	89
PID 4852 wrote to memory of 3092	4852	z0741032.exe	89
PID 4852 wrote to memory of 3092	4852	z0741032.exe	89
PID 3092 wrote to memory of 2600	3092	z9472836.exe	90
PID 3092 wrote to memory of 2600	3092	z9472836.exe	90
PID 3092 wrote to memory of 2600	3092	z9472836.exe	90
PID 3092 wrote to memory of 3076	3092	z9472836.exe	93
PID 3092 wrote to memory of 3076	3092	z9472836.exe	93
PID 3092 wrote to memory of 3076	3092	z9472836.exe	93

C:\Users\Admin\AppData\Local\Temp\00f0216950a0e1670937a7e76d2328226792363edc980aedda2de8722ace0896.exe
"C:\Users\Admin\AppData\Local\Temp\00f0216950a0e1670937a7e76d2328226792363edc980aedda2de8722ace0896.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2782167.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2782167.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0741032.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0741032.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9472836.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9472836.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3092
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n8400605.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n8400605.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 1084
        6⤵
        Program crash
        
        PID:3980
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o8123542.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o8123542.exe
        5⤵
        Executes dropped EXE
        
        PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2600 -ip 2600
1⤵
PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2782167.exe

Filesize
1.1MB

MD5
6de3329e4817473b6b8ac62a3c5c6b59

SHA1
382b23d4ca29863993d5f932820053c66737b020

SHA256
40f8b276607d020b68b7b72a119cdd1fbb3d69e059156954a7f739b8fcfa0ed5

SHA512
9efd59bcf78e22e00f4fbd69b87a3f4b946de2281713f0893f11c233b1515d3a3e23ecb13a1ffed5a773451d602bdb87652c2d75b5ca0d3f658cd84c03faa021

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2782167.exe

Filesize
1.1MB

MD5
6de3329e4817473b6b8ac62a3c5c6b59

SHA1
382b23d4ca29863993d5f932820053c66737b020

SHA256
40f8b276607d020b68b7b72a119cdd1fbb3d69e059156954a7f739b8fcfa0ed5

SHA512
9efd59bcf78e22e00f4fbd69b87a3f4b946de2281713f0893f11c233b1515d3a3e23ecb13a1ffed5a773451d602bdb87652c2d75b5ca0d3f658cd84c03faa021

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0741032.exe

Filesize
621KB

MD5
3730c6ca253a6bec0c560547d29950c9

SHA1
5bbab824cb4d766eb38d5e847d5ff38cd1a06ab3

SHA256
2ede7db066aea98b9ab440bcf3459df99a732f2a7f4006e1109a18a98acafefd

SHA512
d04ba71401db9e415206ccdbd92ca3211f10c052ecda7e76948ebacf0c06d0f2336fe2cf7c767e780b5903516168a7390671b60624ab5fc984ae302bddcd4203

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0741032.exe

Filesize
621KB

MD5
3730c6ca253a6bec0c560547d29950c9

SHA1
5bbab824cb4d766eb38d5e847d5ff38cd1a06ab3

SHA256
2ede7db066aea98b9ab440bcf3459df99a732f2a7f4006e1109a18a98acafefd

SHA512
d04ba71401db9e415206ccdbd92ca3211f10c052ecda7e76948ebacf0c06d0f2336fe2cf7c767e780b5903516168a7390671b60624ab5fc984ae302bddcd4203

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9472836.exe

Filesize
417KB

MD5
fee3ee82da864a63149dcad7ae84dd08

SHA1
9b5d6a19607bc51e2d30280412214995afbbfccf

SHA256
6dd292c345cc87952f5c7e8022b1fdc63314b7ae8763a0a2f785ea7d811c5996

SHA512
fda497744fe1e9cb343822fed06548f9c052e071bbfae19f9eb34f47c97513edb080cf49712d313b7d9033fa25de8d74fe8d61519de94e243c23c1f5ec70a26d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9472836.exe

Filesize
417KB

MD5
fee3ee82da864a63149dcad7ae84dd08

SHA1
9b5d6a19607bc51e2d30280412214995afbbfccf

SHA256
6dd292c345cc87952f5c7e8022b1fdc63314b7ae8763a0a2f785ea7d811c5996

SHA512
fda497744fe1e9cb343822fed06548f9c052e071bbfae19f9eb34f47c97513edb080cf49712d313b7d9033fa25de8d74fe8d61519de94e243c23c1f5ec70a26d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n8400605.exe

Filesize
360KB

MD5
7ee65377a741d142faa2f927f6aa78bb

SHA1
c07e33ef45490ba4937e308c513558c717ae76ca

SHA256
cc4eb5b47d66e17b9ea66334f826e6121d501e994380b0ce150b8ec27eb9bb29

SHA512
870a30536148ebf0614d5a870a00b5bb1e137cad428c66f1908f65f65104964dfc70e9b8425785b8de0fb6da5312a4002001bf0df147c6f7bf6c9122004d3c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n8400605.exe

Filesize
360KB

MD5
7ee65377a741d142faa2f927f6aa78bb

SHA1
c07e33ef45490ba4937e308c513558c717ae76ca

SHA256
cc4eb5b47d66e17b9ea66334f826e6121d501e994380b0ce150b8ec27eb9bb29

SHA512
870a30536148ebf0614d5a870a00b5bb1e137cad428c66f1908f65f65104964dfc70e9b8425785b8de0fb6da5312a4002001bf0df147c6f7bf6c9122004d3c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o8123542.exe

Filesize
136KB

MD5
cc60cb4f3504297fed428ecbf5f17f66

SHA1
2bc25e3901a136be933cd3e2ba32c0b4cdc99982

SHA256
9759986068c7f098c6a5e1b48ca54696f3c2a819fd8837cc3e41337ea1355bef

SHA512
89ede7e141763644ff05d4f0949ec2e28b8161fd0ddeadbea2f9daeb83d72edf5a604c56703118b4869d07f1c40626b5da23488c2f48fddbcc1df19dddae86de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o8123542.exe

Filesize
136KB

MD5
cc60cb4f3504297fed428ecbf5f17f66

SHA1
2bc25e3901a136be933cd3e2ba32c0b4cdc99982

SHA256
9759986068c7f098c6a5e1b48ca54696f3c2a819fd8837cc3e41337ea1355bef

SHA512
89ede7e141763644ff05d4f0949ec2e28b8161fd0ddeadbea2f9daeb83d72edf5a604c56703118b4869d07f1c40626b5da23488c2f48fddbcc1df19dddae86de

Download Submit
memory/2600-180-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/2600-190-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/2600-166-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/2600-167-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/2600-168-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/2600-170-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/2600-172-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/2600-174-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/2600-176-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/2600-178-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/2600-165-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/2600-182-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/2600-184-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/2600-186-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/2600-188-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/2600-164-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/2600-192-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/2600-194-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/2600-195-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/2600-196-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/2600-197-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/2600-198-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/2600-200-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/2600-163-0x0000000004D70000-0x0000000005314000-memory.dmp

Filesize
5.6MB

Download
memory/2600-162-0x0000000000860000-0x000000000088D000-memory.dmp

Filesize
180KB

Download
memory/3076-204-0x0000000000300000-0x0000000000328000-memory.dmp

Filesize
160KB

Download
memory/3076-205-0x0000000007570000-0x0000000007B88000-memory.dmp

Filesize
6.1MB

Download
memory/3076-206-0x0000000007010000-0x0000000007022000-memory.dmp

Filesize
72KB

Download
memory/3076-207-0x0000000007140000-0x000000000724A000-memory.dmp

Filesize
1.0MB

Download
memory/3076-208-0x00000000070A0000-0x00000000070DC000-memory.dmp

Filesize
240KB

Download
memory/3076-209-0x0000000007090000-0x00000000070A0000-memory.dmp

Filesize
64KB

Download
memory/3076-210-0x0000000007090000-0x00000000070A0000-memory.dmp

Filesize
64KB

Download