0638a2b83c7ef6d2ba53e57b35173235d9cebf44f443c74dec07135fb0f0074d

Analysis

max time kernel
147s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0638a2b83c7ef6d2ba53e57b35173235d9cebf44f443c74dec07135fb0f0074d.exe
Size

563KB
MD5

cd03ea7c1a55279409114424cb75b70a
SHA1

9c43060a1adc3323429868e046f1b8a9955923cf
SHA256

0638a2b83c7ef6d2ba53e57b35173235d9cebf44f443c74dec07135fb0f0074d
SHA512

d1689ddb5871fa0392dbca888f6faa5d856b5d458bf3d5a8f998b666a730fb772a5e1f86d86d28f8069d1b078b67a5741fc0adfdc84d34a815bc6437195df038
SSDEEP

12288:5y90mSdJ8jloUpyPzIB7zm0CvcnMMkJVpDq:5yqd6j25mnRCv8Hgpu

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	14005984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	14005984.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	14005984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	14005984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	14005984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	14005984.exe

Executes dropped EXE 3 IoCs

pid	Process
1416	st086610.exe
472	14005984.exe
328	kp596296.exe

Loads dropped DLL 6 IoCs

pid	Process
1544	0638a2b83c7ef6d2ba53e57b35173235d9cebf44f443c74dec07135fb0f0074d.exe
1416	st086610.exe
1416	st086610.exe
1416	st086610.exe
1416	st086610.exe
328	kp596296.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	14005984.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	14005984.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st086610.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0638a2b83c7ef6d2ba53e57b35173235d9cebf44f443c74dec07135fb0f0074d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0638a2b83c7ef6d2ba53e57b35173235d9cebf44f443c74dec07135fb0f0074d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	st086610.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
472	14005984.exe
472	14005984.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	472	14005984.exe
Token: SeDebugPrivilege	328	kp596296.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 1416	1544	0638a2b83c7ef6d2ba53e57b35173235d9cebf44f443c74dec07135fb0f0074d.exe	26
PID 1544 wrote to memory of 1416	1544	0638a2b83c7ef6d2ba53e57b35173235d9cebf44f443c74dec07135fb0f0074d.exe	26
PID 1544 wrote to memory of 1416	1544	0638a2b83c7ef6d2ba53e57b35173235d9cebf44f443c74dec07135fb0f0074d.exe	26
PID 1544 wrote to memory of 1416	1544	0638a2b83c7ef6d2ba53e57b35173235d9cebf44f443c74dec07135fb0f0074d.exe	26
PID 1544 wrote to memory of 1416	1544	0638a2b83c7ef6d2ba53e57b35173235d9cebf44f443c74dec07135fb0f0074d.exe	26
PID 1544 wrote to memory of 1416	1544	0638a2b83c7ef6d2ba53e57b35173235d9cebf44f443c74dec07135fb0f0074d.exe	26
PID 1544 wrote to memory of 1416	1544	0638a2b83c7ef6d2ba53e57b35173235d9cebf44f443c74dec07135fb0f0074d.exe	26
PID 1416 wrote to memory of 472	1416	st086610.exe	27
PID 1416 wrote to memory of 472	1416	st086610.exe	27
PID 1416 wrote to memory of 472	1416	st086610.exe	27
PID 1416 wrote to memory of 472	1416	st086610.exe	27
PID 1416 wrote to memory of 472	1416	st086610.exe	27
PID 1416 wrote to memory of 472	1416	st086610.exe	27
PID 1416 wrote to memory of 472	1416	st086610.exe	27
PID 1416 wrote to memory of 328	1416	st086610.exe	28
PID 1416 wrote to memory of 328	1416	st086610.exe	28
PID 1416 wrote to memory of 328	1416	st086610.exe	28
PID 1416 wrote to memory of 328	1416	st086610.exe	28
PID 1416 wrote to memory of 328	1416	st086610.exe	28
PID 1416 wrote to memory of 328	1416	st086610.exe	28
PID 1416 wrote to memory of 328	1416	st086610.exe	28

C:\Users\Admin\AppData\Local\Temp\0638a2b83c7ef6d2ba53e57b35173235d9cebf44f443c74dec07135fb0f0074d.exe
"C:\Users\Admin\AppData\Local\Temp\0638a2b83c7ef6d2ba53e57b35173235d9cebf44f443c74dec07135fb0f0074d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st086610.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st086610.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\14005984.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\14005984.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:472
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp596296.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp596296.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st086610.exe

Filesize
409KB

MD5
fa1152f9110a2e4d67c8c4fe39641988

SHA1
cf5c8c8e6dcf338a3f240c1ba78b5837fec9d79b

SHA256
899297c1bb38a9d4659d216cd248a8c5edd49e4251a6dadf061c93f690fdc8a5

SHA512
fd8509c026df614d993fd8b7969db5187307e083c7da5bece4294664d70d9d5a29b88861fc62bff540a9098895f13969bc15c06f14b617e33f35922aae8a458e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st086610.exe

Filesize
409KB

MD5
fa1152f9110a2e4d67c8c4fe39641988

SHA1
cf5c8c8e6dcf338a3f240c1ba78b5837fec9d79b

SHA256
899297c1bb38a9d4659d216cd248a8c5edd49e4251a6dadf061c93f690fdc8a5

SHA512
fd8509c026df614d993fd8b7969db5187307e083c7da5bece4294664d70d9d5a29b88861fc62bff540a9098895f13969bc15c06f14b617e33f35922aae8a458e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\14005984.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\14005984.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp596296.exe

Filesize
361KB

MD5
5454de066a7eba4dc0cc47761dec0f11

SHA1
f61856b9ad1b3811df1629ac9204e3e8198dc251

SHA256
078197c87bb7b1abc172069ad16bd82c832cfdf9ba37849d7f4c3e4ebc974927

SHA512
f10d6e65dfc89c78f475fff7e24b110ee8ac96dfcad26ecf681bc623f826a114930c11534f051f74507a8659f461ff33f522b8d47a4732da0fae1cf734ab67f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp596296.exe

Filesize
361KB

MD5
5454de066a7eba4dc0cc47761dec0f11

SHA1
f61856b9ad1b3811df1629ac9204e3e8198dc251

SHA256
078197c87bb7b1abc172069ad16bd82c832cfdf9ba37849d7f4c3e4ebc974927

SHA512
f10d6e65dfc89c78f475fff7e24b110ee8ac96dfcad26ecf681bc623f826a114930c11534f051f74507a8659f461ff33f522b8d47a4732da0fae1cf734ab67f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp596296.exe

Filesize
361KB

MD5
5454de066a7eba4dc0cc47761dec0f11

SHA1
f61856b9ad1b3811df1629ac9204e3e8198dc251

SHA256
078197c87bb7b1abc172069ad16bd82c832cfdf9ba37849d7f4c3e4ebc974927

SHA512
f10d6e65dfc89c78f475fff7e24b110ee8ac96dfcad26ecf681bc623f826a114930c11534f051f74507a8659f461ff33f522b8d47a4732da0fae1cf734ab67f8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st086610.exe

Filesize
409KB

MD5
fa1152f9110a2e4d67c8c4fe39641988

SHA1
cf5c8c8e6dcf338a3f240c1ba78b5837fec9d79b

SHA256
899297c1bb38a9d4659d216cd248a8c5edd49e4251a6dadf061c93f690fdc8a5

SHA512
fd8509c026df614d993fd8b7969db5187307e083c7da5bece4294664d70d9d5a29b88861fc62bff540a9098895f13969bc15c06f14b617e33f35922aae8a458e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st086610.exe

Filesize
409KB

MD5
fa1152f9110a2e4d67c8c4fe39641988

SHA1
cf5c8c8e6dcf338a3f240c1ba78b5837fec9d79b

SHA256
899297c1bb38a9d4659d216cd248a8c5edd49e4251a6dadf061c93f690fdc8a5

SHA512
fd8509c026df614d993fd8b7969db5187307e083c7da5bece4294664d70d9d5a29b88861fc62bff540a9098895f13969bc15c06f14b617e33f35922aae8a458e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\14005984.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp596296.exe

Filesize
361KB

MD5
5454de066a7eba4dc0cc47761dec0f11

SHA1
f61856b9ad1b3811df1629ac9204e3e8198dc251

SHA256
078197c87bb7b1abc172069ad16bd82c832cfdf9ba37849d7f4c3e4ebc974927

SHA512
f10d6e65dfc89c78f475fff7e24b110ee8ac96dfcad26ecf681bc623f826a114930c11534f051f74507a8659f461ff33f522b8d47a4732da0fae1cf734ab67f8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp596296.exe

Filesize
361KB

MD5
5454de066a7eba4dc0cc47761dec0f11

SHA1
f61856b9ad1b3811df1629ac9204e3e8198dc251

SHA256
078197c87bb7b1abc172069ad16bd82c832cfdf9ba37849d7f4c3e4ebc974927

SHA512
f10d6e65dfc89c78f475fff7e24b110ee8ac96dfcad26ecf681bc623f826a114930c11534f051f74507a8659f461ff33f522b8d47a4732da0fae1cf734ab67f8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp596296.exe

Filesize
361KB

MD5
5454de066a7eba4dc0cc47761dec0f11

SHA1
f61856b9ad1b3811df1629ac9204e3e8198dc251

SHA256
078197c87bb7b1abc172069ad16bd82c832cfdf9ba37849d7f4c3e4ebc974927

SHA512
f10d6e65dfc89c78f475fff7e24b110ee8ac96dfcad26ecf681bc623f826a114930c11534f051f74507a8659f461ff33f522b8d47a4732da0fae1cf734ab67f8

Download Submit
memory/328-102-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-118-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-85-0x0000000007320000-0x0000000007360000-memory.dmp

Filesize
256KB

Download
memory/328-86-0x0000000004970000-0x00000000049AA000-memory.dmp

Filesize
232KB

Download
memory/328-87-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-88-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-90-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-92-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-94-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-96-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-98-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-100-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-104-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-83-0x0000000004930000-0x000000000496C000-memory.dmp

Filesize
240KB

Download
memory/328-106-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-108-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-110-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-112-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-114-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-84-0x00000000002F0000-0x0000000000336000-memory.dmp

Filesize
280KB

Download
memory/328-120-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-116-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-122-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-124-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-126-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-128-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-130-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-132-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-134-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-136-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-138-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-140-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-142-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-144-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-146-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-148-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-150-0x0000000004970000-0x00000000049A5000-memory.dmp

Filesize
212KB

Download
memory/328-879-0x0000000007320000-0x0000000007360000-memory.dmp

Filesize
256KB

Download
memory/328-882-0x0000000007320000-0x0000000007360000-memory.dmp

Filesize
256KB

Download
memory/472-72-0x00000000012D0000-0x00000000012DA000-memory.dmp

Filesize
40KB

Download