0518480d89c957941220c32275188b433c68a87788fc9fba42895398700090ed

General

Target

0518480d89c957941220c32275188b433c68a87788fc9fba42895398700090ed.exe
Size

694KB
MD5

a6a88659855946657f11a724c1d36128
SHA1

2ad6b7402e6d324acaa50ed6b6ebcd0efc499126
SHA256

0518480d89c957941220c32275188b433c68a87788fc9fba42895398700090ed
SHA512

65e2c7334755e52cea99626c8346cafcaae1690c1af3c736620b0557786dd8f943cb0b62ff0c8db9f7b0c1e7b58cae907fd62b40e59b41ed0a889885a47e19f7
SSDEEP

12288:Cy902m+4wnZmeG6i49M9Wbm89WpmerEQdhPyjY5VN+7Q/MA2Wzs+nGrX:CyiCZBGh4uPoeDHKUN+7QT2AqrX

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	36312146.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	36312146.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	36312146.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	36312146.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	36312146.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	36312146.exe

Executes dropped EXE 2 IoCs

pid	Process
1824	un886271.exe
2296	36312146.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	36312146.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	36312146.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0518480d89c957941220c32275188b433c68a87788fc9fba42895398700090ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0518480d89c957941220c32275188b433c68a87788fc9fba42895398700090ed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un886271.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un886271.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2260	2296	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2296	36312146.exe
2296	36312146.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2296	36312146.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1824	2060	0518480d89c957941220c32275188b433c68a87788fc9fba42895398700090ed.exe	80
PID 2060 wrote to memory of 1824	2060	0518480d89c957941220c32275188b433c68a87788fc9fba42895398700090ed.exe	80
PID 2060 wrote to memory of 1824	2060	0518480d89c957941220c32275188b433c68a87788fc9fba42895398700090ed.exe	80
PID 1824 wrote to memory of 2296	1824	un886271.exe	81
PID 1824 wrote to memory of 2296	1824	un886271.exe	81
PID 1824 wrote to memory of 2296	1824	un886271.exe	81

C:\Users\Admin\AppData\Local\Temp\0518480d89c957941220c32275188b433c68a87788fc9fba42895398700090ed.exe
"C:\Users\Admin\AppData\Local\Temp\0518480d89c957941220c32275188b433c68a87788fc9fba42895398700090ed.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un886271.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un886271.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\36312146.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\36312146.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2296
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 1096
      4⤵
      Program crash
      PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2296 -ip 2296
1⤵
PID:4988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un886271.exe

Filesize
541KB

MD5
6596b3b9f5928d9a5332be4b4c660756

SHA1
281e06c367e03b45e4dcc89911882baa2ba14650

SHA256
077ed4d88a1bf54956a0581434b7578f8169574e33cf30b06f48374f69f545a8

SHA512
a3e4f9985fba41e64e525aa78cdacbc99ea0fac814a86bbe469e41fb1211755c1771993631eee0aeb1a6e5bc9c1e1b4e3f8539bdb237a18e34dd09643c59a5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un886271.exe

Filesize
541KB

MD5
6596b3b9f5928d9a5332be4b4c660756

SHA1
281e06c367e03b45e4dcc89911882baa2ba14650

SHA256
077ed4d88a1bf54956a0581434b7578f8169574e33cf30b06f48374f69f545a8

SHA512
a3e4f9985fba41e64e525aa78cdacbc99ea0fac814a86bbe469e41fb1211755c1771993631eee0aeb1a6e5bc9c1e1b4e3f8539bdb237a18e34dd09643c59a5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\36312146.exe

Filesize
258KB

MD5
25bb07ad99d655dc5e1733ba0e820770

SHA1
1d41dc2b3f821b0fc405a4097f033217b771eb80

SHA256
66187d4e48e9e2a1a0006f5f4870222aa2cf692c29c31ceb98f24d069fda7841

SHA512
4adb28173f31539f8561132291f93d48f9797c223fd6148bd2fef2298b52c2578b0a28db6fea41fb5f4f81476b7696d6b69376855380bdfe9bdd677a8cf24ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\36312146.exe

Filesize
258KB

MD5
25bb07ad99d655dc5e1733ba0e820770

SHA1
1d41dc2b3f821b0fc405a4097f033217b771eb80

SHA256
66187d4e48e9e2a1a0006f5f4870222aa2cf692c29c31ceb98f24d069fda7841

SHA512
4adb28173f31539f8561132291f93d48f9797c223fd6148bd2fef2298b52c2578b0a28db6fea41fb5f4f81476b7696d6b69376855380bdfe9bdd677a8cf24ec4

Download Submit
memory/2296-148-0x0000000002BA0000-0x0000000002BCD000-memory.dmp

Filesize
180KB

Download
memory/2296-149-0x0000000007360000-0x0000000007904000-memory.dmp

Filesize
5.6MB

Download
memory/2296-150-0x0000000004BA0000-0x0000000004BB3000-memory.dmp

Filesize
76KB

Download
memory/2296-151-0x0000000004BA0000-0x0000000004BB3000-memory.dmp

Filesize
76KB

Download
memory/2296-153-0x0000000004BA0000-0x0000000004BB3000-memory.dmp

Filesize
76KB

Download
memory/2296-155-0x0000000004BA0000-0x0000000004BB3000-memory.dmp

Filesize
76KB

Download
memory/2296-157-0x0000000004BA0000-0x0000000004BB3000-memory.dmp

Filesize
76KB

Download
memory/2296-159-0x0000000004BA0000-0x0000000004BB3000-memory.dmp

Filesize
76KB

Download
memory/2296-163-0x0000000004BA0000-0x0000000004BB3000-memory.dmp

Filesize
76KB

Download
memory/2296-161-0x0000000004BA0000-0x0000000004BB3000-memory.dmp

Filesize
76KB

Download
memory/2296-165-0x0000000004BA0000-0x0000000004BB3000-memory.dmp

Filesize
76KB

Download
memory/2296-167-0x0000000004BA0000-0x0000000004BB3000-memory.dmp

Filesize
76KB

Download
memory/2296-169-0x0000000004BA0000-0x0000000004BB3000-memory.dmp

Filesize
76KB

Download
memory/2296-171-0x0000000004BA0000-0x0000000004BB3000-memory.dmp

Filesize
76KB

Download
memory/2296-173-0x0000000004BA0000-0x0000000004BB3000-memory.dmp

Filesize
76KB

Download
memory/2296-175-0x0000000004BA0000-0x0000000004BB3000-memory.dmp

Filesize
76KB

Download
memory/2296-177-0x0000000004BA0000-0x0000000004BB3000-memory.dmp

Filesize
76KB

Download
memory/2296-178-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/2296-179-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/2296-180-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/2296-181-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/2296-182-0x0000000002BA0000-0x0000000002BCD000-memory.dmp

Filesize
180KB

Download
memory/2296-183-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/2296-184-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/2296-185-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/2296-191-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads