0518480d89c957941220c32275188b433c68a87788fc9fba42895398700090ed

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0518480d89c957941220c32275188b433c68a87788fc9fba42895398700090ed.exe
Size

694KB
MD5

a6a88659855946657f11a724c1d36128
SHA1

2ad6b7402e6d324acaa50ed6b6ebcd0efc499126
SHA256

0518480d89c957941220c32275188b433c68a87788fc9fba42895398700090ed
SHA512

65e2c7334755e52cea99626c8346cafcaae1690c1af3c736620b0557786dd8f943cb0b62ff0c8db9f7b0c1e7b58cae907fd62b40e59b41ed0a889885a47e19f7
SSDEEP

12288:Cy902m+4wnZmeG6i49M9Wbm89WpmerEQdhPyjY5VN+7Q/MA2Wzs+nGrX:CyiCZBGh4uPoeDHKUN+7QT2AqrX

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	36312146.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	36312146.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	36312146.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	36312146.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	36312146.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	36312146.exe

Executes dropped EXE 3 IoCs

pid	Process
1864	un886271.exe
2004	36312146.exe
1324	rk309936.exe

Loads dropped DLL 8 IoCs

pid	Process
1852	0518480d89c957941220c32275188b433c68a87788fc9fba42895398700090ed.exe
1864	un886271.exe
1864	un886271.exe
1864	un886271.exe
2004	36312146.exe
1864	un886271.exe
1864	un886271.exe
1324	rk309936.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	36312146.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	36312146.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un886271.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0518480d89c957941220c32275188b433c68a87788fc9fba42895398700090ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0518480d89c957941220c32275188b433c68a87788fc9fba42895398700090ed.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un886271.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2004	36312146.exe
2004	36312146.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	36312146.exe
Token: SeDebugPrivilege	1324	rk309936.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 1864	1852	0518480d89c957941220c32275188b433c68a87788fc9fba42895398700090ed.exe	26
PID 1852 wrote to memory of 1864	1852	0518480d89c957941220c32275188b433c68a87788fc9fba42895398700090ed.exe	26
PID 1852 wrote to memory of 1864	1852	0518480d89c957941220c32275188b433c68a87788fc9fba42895398700090ed.exe	26
PID 1852 wrote to memory of 1864	1852	0518480d89c957941220c32275188b433c68a87788fc9fba42895398700090ed.exe	26
PID 1852 wrote to memory of 1864	1852	0518480d89c957941220c32275188b433c68a87788fc9fba42895398700090ed.exe	26
PID 1852 wrote to memory of 1864	1852	0518480d89c957941220c32275188b433c68a87788fc9fba42895398700090ed.exe	26
PID 1852 wrote to memory of 1864	1852	0518480d89c957941220c32275188b433c68a87788fc9fba42895398700090ed.exe	26
PID 1864 wrote to memory of 2004	1864	un886271.exe	27
PID 1864 wrote to memory of 2004	1864	un886271.exe	27
PID 1864 wrote to memory of 2004	1864	un886271.exe	27
PID 1864 wrote to memory of 2004	1864	un886271.exe	27
PID 1864 wrote to memory of 2004	1864	un886271.exe	27
PID 1864 wrote to memory of 2004	1864	un886271.exe	27
PID 1864 wrote to memory of 2004	1864	un886271.exe	27
PID 1864 wrote to memory of 1324	1864	un886271.exe	28
PID 1864 wrote to memory of 1324	1864	un886271.exe	28
PID 1864 wrote to memory of 1324	1864	un886271.exe	28
PID 1864 wrote to memory of 1324	1864	un886271.exe	28
PID 1864 wrote to memory of 1324	1864	un886271.exe	28
PID 1864 wrote to memory of 1324	1864	un886271.exe	28
PID 1864 wrote to memory of 1324	1864	un886271.exe	28

C:\Users\Admin\AppData\Local\Temp\0518480d89c957941220c32275188b433c68a87788fc9fba42895398700090ed.exe
"C:\Users\Admin\AppData\Local\Temp\0518480d89c957941220c32275188b433c68a87788fc9fba42895398700090ed.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un886271.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un886271.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\36312146.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\36312146.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk309936.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk309936.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un886271.exe

Filesize
541KB

MD5
6596b3b9f5928d9a5332be4b4c660756

SHA1
281e06c367e03b45e4dcc89911882baa2ba14650

SHA256
077ed4d88a1bf54956a0581434b7578f8169574e33cf30b06f48374f69f545a8

SHA512
a3e4f9985fba41e64e525aa78cdacbc99ea0fac814a86bbe469e41fb1211755c1771993631eee0aeb1a6e5bc9c1e1b4e3f8539bdb237a18e34dd09643c59a5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un886271.exe

Filesize
541KB

MD5
6596b3b9f5928d9a5332be4b4c660756

SHA1
281e06c367e03b45e4dcc89911882baa2ba14650

SHA256
077ed4d88a1bf54956a0581434b7578f8169574e33cf30b06f48374f69f545a8

SHA512
a3e4f9985fba41e64e525aa78cdacbc99ea0fac814a86bbe469e41fb1211755c1771993631eee0aeb1a6e5bc9c1e1b4e3f8539bdb237a18e34dd09643c59a5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\36312146.exe

Filesize
258KB

MD5
25bb07ad99d655dc5e1733ba0e820770

SHA1
1d41dc2b3f821b0fc405a4097f033217b771eb80

SHA256
66187d4e48e9e2a1a0006f5f4870222aa2cf692c29c31ceb98f24d069fda7841

SHA512
4adb28173f31539f8561132291f93d48f9797c223fd6148bd2fef2298b52c2578b0a28db6fea41fb5f4f81476b7696d6b69376855380bdfe9bdd677a8cf24ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\36312146.exe

Filesize
258KB

MD5
25bb07ad99d655dc5e1733ba0e820770

SHA1
1d41dc2b3f821b0fc405a4097f033217b771eb80

SHA256
66187d4e48e9e2a1a0006f5f4870222aa2cf692c29c31ceb98f24d069fda7841

SHA512
4adb28173f31539f8561132291f93d48f9797c223fd6148bd2fef2298b52c2578b0a28db6fea41fb5f4f81476b7696d6b69376855380bdfe9bdd677a8cf24ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\36312146.exe

Filesize
258KB

MD5
25bb07ad99d655dc5e1733ba0e820770

SHA1
1d41dc2b3f821b0fc405a4097f033217b771eb80

SHA256
66187d4e48e9e2a1a0006f5f4870222aa2cf692c29c31ceb98f24d069fda7841

SHA512
4adb28173f31539f8561132291f93d48f9797c223fd6148bd2fef2298b52c2578b0a28db6fea41fb5f4f81476b7696d6b69376855380bdfe9bdd677a8cf24ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk309936.exe

Filesize
341KB

MD5
f77416b9607755a40ff1aa92d85b128f

SHA1
68e6218327590f6dfe864dbbf1a20e190eaee056

SHA256
ec8639d1262365799c84b3e74d91468ad1c1182dd462143a6118b32678ac3cdc

SHA512
19338bd58e2920201caf881da46033d9be50e4b48a1602743eaa878ae7102e60be63e8dd1572741b91705a30a5e45c1a04f83f8f0afc422ac69b12b8a764e890

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk309936.exe

Filesize
341KB

MD5
f77416b9607755a40ff1aa92d85b128f

SHA1
68e6218327590f6dfe864dbbf1a20e190eaee056

SHA256
ec8639d1262365799c84b3e74d91468ad1c1182dd462143a6118b32678ac3cdc

SHA512
19338bd58e2920201caf881da46033d9be50e4b48a1602743eaa878ae7102e60be63e8dd1572741b91705a30a5e45c1a04f83f8f0afc422ac69b12b8a764e890

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk309936.exe

Filesize
341KB

MD5
f77416b9607755a40ff1aa92d85b128f

SHA1
68e6218327590f6dfe864dbbf1a20e190eaee056

SHA256
ec8639d1262365799c84b3e74d91468ad1c1182dd462143a6118b32678ac3cdc

SHA512
19338bd58e2920201caf881da46033d9be50e4b48a1602743eaa878ae7102e60be63e8dd1572741b91705a30a5e45c1a04f83f8f0afc422ac69b12b8a764e890

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un886271.exe

Filesize
541KB

MD5
6596b3b9f5928d9a5332be4b4c660756

SHA1
281e06c367e03b45e4dcc89911882baa2ba14650

SHA256
077ed4d88a1bf54956a0581434b7578f8169574e33cf30b06f48374f69f545a8

SHA512
a3e4f9985fba41e64e525aa78cdacbc99ea0fac814a86bbe469e41fb1211755c1771993631eee0aeb1a6e5bc9c1e1b4e3f8539bdb237a18e34dd09643c59a5fe

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un886271.exe

Filesize
541KB

MD5
6596b3b9f5928d9a5332be4b4c660756

SHA1
281e06c367e03b45e4dcc89911882baa2ba14650

SHA256
077ed4d88a1bf54956a0581434b7578f8169574e33cf30b06f48374f69f545a8

SHA512
a3e4f9985fba41e64e525aa78cdacbc99ea0fac814a86bbe469e41fb1211755c1771993631eee0aeb1a6e5bc9c1e1b4e3f8539bdb237a18e34dd09643c59a5fe

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\36312146.exe

Filesize
258KB

MD5
25bb07ad99d655dc5e1733ba0e820770

SHA1
1d41dc2b3f821b0fc405a4097f033217b771eb80

SHA256
66187d4e48e9e2a1a0006f5f4870222aa2cf692c29c31ceb98f24d069fda7841

SHA512
4adb28173f31539f8561132291f93d48f9797c223fd6148bd2fef2298b52c2578b0a28db6fea41fb5f4f81476b7696d6b69376855380bdfe9bdd677a8cf24ec4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\36312146.exe

Filesize
258KB

MD5
25bb07ad99d655dc5e1733ba0e820770

SHA1
1d41dc2b3f821b0fc405a4097f033217b771eb80

SHA256
66187d4e48e9e2a1a0006f5f4870222aa2cf692c29c31ceb98f24d069fda7841

SHA512
4adb28173f31539f8561132291f93d48f9797c223fd6148bd2fef2298b52c2578b0a28db6fea41fb5f4f81476b7696d6b69376855380bdfe9bdd677a8cf24ec4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\36312146.exe

Filesize
258KB

MD5
25bb07ad99d655dc5e1733ba0e820770

SHA1
1d41dc2b3f821b0fc405a4097f033217b771eb80

SHA256
66187d4e48e9e2a1a0006f5f4870222aa2cf692c29c31ceb98f24d069fda7841

SHA512
4adb28173f31539f8561132291f93d48f9797c223fd6148bd2fef2298b52c2578b0a28db6fea41fb5f4f81476b7696d6b69376855380bdfe9bdd677a8cf24ec4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk309936.exe

Filesize
341KB

MD5
f77416b9607755a40ff1aa92d85b128f

SHA1
68e6218327590f6dfe864dbbf1a20e190eaee056

SHA256
ec8639d1262365799c84b3e74d91468ad1c1182dd462143a6118b32678ac3cdc

SHA512
19338bd58e2920201caf881da46033d9be50e4b48a1602743eaa878ae7102e60be63e8dd1572741b91705a30a5e45c1a04f83f8f0afc422ac69b12b8a764e890

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk309936.exe

Filesize
341KB

MD5
f77416b9607755a40ff1aa92d85b128f

SHA1
68e6218327590f6dfe864dbbf1a20e190eaee056

SHA256
ec8639d1262365799c84b3e74d91468ad1c1182dd462143a6118b32678ac3cdc

SHA512
19338bd58e2920201caf881da46033d9be50e4b48a1602743eaa878ae7102e60be63e8dd1572741b91705a30a5e45c1a04f83f8f0afc422ac69b12b8a764e890

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk309936.exe

Filesize
341KB

MD5
f77416b9607755a40ff1aa92d85b128f

SHA1
68e6218327590f6dfe864dbbf1a20e190eaee056

SHA256
ec8639d1262365799c84b3e74d91468ad1c1182dd462143a6118b32678ac3cdc

SHA512
19338bd58e2920201caf881da46033d9be50e4b48a1602743eaa878ae7102e60be63e8dd1572741b91705a30a5e45c1a04f83f8f0afc422ac69b12b8a764e890

Download Submit
memory/1324-153-0x0000000003120000-0x0000000003155000-memory.dmp

Filesize
212KB

Download
memory/1324-138-0x0000000003120000-0x0000000003155000-memory.dmp

Filesize
212KB

Download
memory/1324-157-0x0000000003120000-0x0000000003155000-memory.dmp

Filesize
212KB

Download
memory/1324-155-0x0000000003120000-0x0000000003155000-memory.dmp

Filesize
212KB

Download
memory/1324-130-0x0000000003120000-0x0000000003155000-memory.dmp

Filesize
212KB

Download
memory/1324-152-0x0000000007200000-0x0000000007240000-memory.dmp

Filesize
256KB

Download
memory/1324-149-0x0000000003120000-0x0000000003155000-memory.dmp

Filesize
212KB

Download
memory/1324-150-0x0000000007200000-0x0000000007240000-memory.dmp

Filesize
256KB

Download
memory/1324-148-0x0000000002C20000-0x0000000002C66000-memory.dmp

Filesize
280KB

Download
memory/1324-146-0x0000000003120000-0x0000000003155000-memory.dmp

Filesize
212KB

Download
memory/1324-144-0x0000000003120000-0x0000000003155000-memory.dmp

Filesize
212KB

Download
memory/1324-140-0x0000000003120000-0x0000000003155000-memory.dmp

Filesize
212KB

Download
memory/1324-142-0x0000000003120000-0x0000000003155000-memory.dmp

Filesize
212KB

Download
memory/1324-159-0x0000000003120000-0x0000000003155000-memory.dmp

Filesize
212KB

Download
memory/1324-136-0x0000000003120000-0x0000000003155000-memory.dmp

Filesize
212KB

Download
memory/1324-134-0x0000000003120000-0x0000000003155000-memory.dmp

Filesize
212KB

Download
memory/1324-132-0x0000000003120000-0x0000000003155000-memory.dmp

Filesize
212KB

Download
memory/1324-161-0x0000000003120000-0x0000000003155000-memory.dmp

Filesize
212KB

Download
memory/1324-923-0x0000000007200000-0x0000000007240000-memory.dmp

Filesize
256KB

Download
memory/1324-924-0x0000000007200000-0x0000000007240000-memory.dmp

Filesize
256KB

Download
memory/1324-925-0x0000000007200000-0x0000000007240000-memory.dmp

Filesize
256KB

Download
memory/1324-926-0x0000000007200000-0x0000000007240000-memory.dmp

Filesize
256KB

Download
memory/1324-928-0x0000000007200000-0x0000000007240000-memory.dmp

Filesize
256KB

Download
memory/1324-125-0x00000000030E0000-0x000000000311C000-memory.dmp

Filesize
240KB

Download
memory/1324-126-0x0000000003120000-0x000000000315A000-memory.dmp

Filesize
232KB

Download
memory/1324-127-0x0000000003120000-0x0000000003155000-memory.dmp

Filesize
212KB

Download
memory/1324-128-0x0000000003120000-0x0000000003155000-memory.dmp

Filesize
212KB

Download
memory/2004-84-0x0000000003170000-0x0000000003183000-memory.dmp

Filesize
76KB

Download
memory/2004-114-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/2004-112-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/2004-111-0x0000000003170000-0x0000000003183000-memory.dmp

Filesize
76KB

Download
memory/2004-107-0x0000000003170000-0x0000000003183000-memory.dmp

Filesize
76KB

Download
memory/2004-109-0x0000000003170000-0x0000000003183000-memory.dmp

Filesize
76KB

Download
memory/2004-105-0x0000000003170000-0x0000000003183000-memory.dmp

Filesize
76KB

Download
memory/2004-103-0x0000000003170000-0x0000000003183000-memory.dmp

Filesize
76KB

Download
memory/2004-101-0x0000000003170000-0x0000000003183000-memory.dmp

Filesize
76KB

Download
memory/2004-99-0x0000000003170000-0x0000000003183000-memory.dmp

Filesize
76KB

Download
memory/2004-97-0x0000000003170000-0x0000000003183000-memory.dmp

Filesize
76KB

Download
memory/2004-95-0x0000000003170000-0x0000000003183000-memory.dmp

Filesize
76KB

Download
memory/2004-93-0x0000000003170000-0x0000000003183000-memory.dmp

Filesize
76KB

Download
memory/2004-89-0x0000000003170000-0x0000000003183000-memory.dmp

Filesize
76KB

Download
memory/2004-91-0x0000000003170000-0x0000000003183000-memory.dmp

Filesize
76KB

Download
memory/2004-87-0x0000000003170000-0x0000000003183000-memory.dmp

Filesize
76KB

Download
memory/2004-85-0x0000000003170000-0x0000000003183000-memory.dmp

Filesize
76KB

Download
memory/2004-83-0x0000000007400000-0x0000000007440000-memory.dmp

Filesize
256KB

Download
memory/2004-82-0x0000000007400000-0x0000000007440000-memory.dmp

Filesize
256KB

Download
memory/2004-81-0x0000000003170000-0x0000000003188000-memory.dmp

Filesize
96KB

Download
memory/2004-80-0x0000000007400000-0x0000000007440000-memory.dmp

Filesize
256KB

Download
memory/2004-79-0x0000000002DE0000-0x0000000002DFA000-memory.dmp

Filesize
104KB

Download
memory/2004-78-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download