1717944b9a0d01ef92a47b6d46b94fa140a50658977982a0d65f1d2f5fc7331e

General

Target

1717944b9a0d01ef92a47b6d46b94fa140a50658977982a0d65f1d2f5fc7331e.exe
Size

479KB
MD5

20b578125004cd9b23a8935e4b088a7b
SHA1

b6741599abfc42d7c99ecb821499f1ab3ae4893e
SHA256

1717944b9a0d01ef92a47b6d46b94fa140a50658977982a0d65f1d2f5fc7331e
SHA512

313718ca494217c2930cbe1adb6e325c8254432cfdf515e4067e7a9c2ee08d5ed56cd85992bcfe9ef8c9516b5d5cae9d8aca9dba3d53b1a03b7ecc5305635e1c
SSDEEP

12288:z2Mr0y90fYnv/F3ltTkXVqrQb0OMw2vvjlDpg1ZY:z2yGY3FVaXQU0Fw6vppgHY

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k5294646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k5294646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k5294646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k5294646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k5294646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k5294646.exe

Executes dropped EXE 3 IoCs

pid	Process
4172	y6130138.exe
4740	k5294646.exe
4324	l1265522.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k5294646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k5294646.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6130138.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1717944b9a0d01ef92a47b6d46b94fa140a50658977982a0d65f1d2f5fc7331e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1717944b9a0d01ef92a47b6d46b94fa140a50658977982a0d65f1d2f5fc7331e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y6130138.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4740	k5294646.exe
4740	k5294646.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4740	k5294646.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 4172	1644	1717944b9a0d01ef92a47b6d46b94fa140a50658977982a0d65f1d2f5fc7331e.exe	83
PID 1644 wrote to memory of 4172	1644	1717944b9a0d01ef92a47b6d46b94fa140a50658977982a0d65f1d2f5fc7331e.exe	83
PID 1644 wrote to memory of 4172	1644	1717944b9a0d01ef92a47b6d46b94fa140a50658977982a0d65f1d2f5fc7331e.exe	83
PID 4172 wrote to memory of 4740	4172	y6130138.exe	84
PID 4172 wrote to memory of 4740	4172	y6130138.exe	84
PID 4172 wrote to memory of 4740	4172	y6130138.exe	84
PID 4172 wrote to memory of 4324	4172	y6130138.exe	89
PID 4172 wrote to memory of 4324	4172	y6130138.exe	89
PID 4172 wrote to memory of 4324	4172	y6130138.exe	89

C:\Users\Admin\AppData\Local\Temp\1717944b9a0d01ef92a47b6d46b94fa140a50658977982a0d65f1d2f5fc7331e.exe
"C:\Users\Admin\AppData\Local\Temp\1717944b9a0d01ef92a47b6d46b94fa140a50658977982a0d65f1d2f5fc7331e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6130138.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6130138.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4172
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5294646.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5294646.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4740
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1265522.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1265522.exe
    3⤵
    - Executes dropped EXE
    PID:4324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6130138.exe

Filesize
307KB

MD5
e26ddcfd400bc6fe6ea555ae753e700a

SHA1
1143032b157c6c51461772bebc631970b3e20482

SHA256
91db47afa98b34cc2ca4a7187747a549d2fad178fe3ec86da8f598662c51eb27

SHA512
621011270e2318394e03d5ea34d36a68dcf494e515f112d761180e9378a9bec18a08218ff45026064a6dd06dd7a3ecfd5f874f4cbc1e6f3c7187ec6955369ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6130138.exe

Filesize
307KB

MD5
e26ddcfd400bc6fe6ea555ae753e700a

SHA1
1143032b157c6c51461772bebc631970b3e20482

SHA256
91db47afa98b34cc2ca4a7187747a549d2fad178fe3ec86da8f598662c51eb27

SHA512
621011270e2318394e03d5ea34d36a68dcf494e515f112d761180e9378a9bec18a08218ff45026064a6dd06dd7a3ecfd5f874f4cbc1e6f3c7187ec6955369ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5294646.exe

Filesize
175KB

MD5
4311bdbfc7b0016fe6de239b75d6a8b4

SHA1
edb03f9a79ef45e2abbd76035d6ef59184738000

SHA256
777760bc357ac149a7bd203bb935c38151a419823bd6d8fe3c43fe781f055d4b

SHA512
926903700be7add21a58a2c4a4cacfb81b63d234db3cb641594813d4d2803ea13675fbc41885156076693934599a9a4edcc74372c4ed145fa587afa2c63883b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5294646.exe

Filesize
175KB

MD5
4311bdbfc7b0016fe6de239b75d6a8b4

SHA1
edb03f9a79ef45e2abbd76035d6ef59184738000

SHA256
777760bc357ac149a7bd203bb935c38151a419823bd6d8fe3c43fe781f055d4b

SHA512
926903700be7add21a58a2c4a4cacfb81b63d234db3cb641594813d4d2803ea13675fbc41885156076693934599a9a4edcc74372c4ed145fa587afa2c63883b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1265522.exe

Filesize
137KB

MD5
4beb0605aab42395f72afbc987065685

SHA1
74d88dab4d815987453391527223ce513580b41a

SHA256
543ac3756de90c8cda77b6c52435d3e19937661460f250a196a54ecbdbe1d0cf

SHA512
62c9a20649030b2c4c26b5dabcf9730875d70d27d5d2b2d6463e594bb6432947d5bade46df71643318b7fd42eff78fbeb6e2345e8d2e4831563dbf773d67fa73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1265522.exe

Filesize
137KB

MD5
4beb0605aab42395f72afbc987065685

SHA1
74d88dab4d815987453391527223ce513580b41a

SHA256
543ac3756de90c8cda77b6c52435d3e19937661460f250a196a54ecbdbe1d0cf

SHA512
62c9a20649030b2c4c26b5dabcf9730875d70d27d5d2b2d6463e594bb6432947d5bade46df71643318b7fd42eff78fbeb6e2345e8d2e4831563dbf773d67fa73

Download Submit
memory/4324-190-0x0000000007520000-0x000000000755C000-memory.dmp

Filesize
240KB

Download
memory/4324-189-0x00000000075F0000-0x00000000076FA000-memory.dmp

Filesize
1.0MB

Download
memory/4324-188-0x00000000074C0000-0x00000000074D2000-memory.dmp

Filesize
72KB

Download
memory/4324-187-0x0000000007A40000-0x0000000008058000-memory.dmp

Filesize
6.1MB

Download
memory/4324-186-0x0000000000790000-0x00000000007B8000-memory.dmp

Filesize
160KB

Download
memory/4324-191-0x00000000078F0000-0x0000000007900000-memory.dmp

Filesize
64KB

Download
memory/4324-192-0x00000000078F0000-0x0000000007900000-memory.dmp

Filesize
64KB

Download
memory/4740-166-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4740-180-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/4740-164-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4740-160-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4740-168-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4740-170-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4740-172-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4740-174-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4740-176-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4740-178-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4740-179-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/4740-162-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4740-181-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/4740-158-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4740-156-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4740-154-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4740-152-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4740-151-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4740-150-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/4740-148-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/4740-149-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/4740-147-0x0000000004AC0000-0x0000000005064000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads