064a4ced9bcaec0708109fb16e7cc9e8587c5ddefac8b54195861d37e4b47e36

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-05-2023 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

064a4ced9bcaec0708109fb16e7cc9e8587c5ddefac8b54195861d37e4b47e36.exe
Size

651KB
MD5

43409e1e086c3cb8df092c803d827472
SHA1

2739cbe4aec114facebed7d54bc10452bf4c17e5
SHA256

064a4ced9bcaec0708109fb16e7cc9e8587c5ddefac8b54195861d37e4b47e36
SHA512

a515db9397cc538554f34ae8ad7dba8979680cc6701256db2d76e2f57b784d62d2a5c3d4468d2a386998c2bfca5f77322db6f4f8d2c6fe35a0fb8b2b852723b1
SSDEEP

12288:zy90M5kc2lwmStJuP883tuOJdvtGDYZAqU359bgE6J:zygStJuP883lvtGU+F3I/

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	92188224.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	92188224.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	92188224.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	92188224.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	92188224.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	92188224.exe

Executes dropped EXE 3 IoCs

pid	Process
1736	st208490.exe
376	92188224.exe
940	kp857904.exe

Loads dropped DLL 7 IoCs

pid	Process
1120	064a4ced9bcaec0708109fb16e7cc9e8587c5ddefac8b54195861d37e4b47e36.exe
1736	st208490.exe
1736	st208490.exe
376	92188224.exe
1736	st208490.exe
1736	st208490.exe
940	kp857904.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	92188224.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	92188224.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	064a4ced9bcaec0708109fb16e7cc9e8587c5ddefac8b54195861d37e4b47e36.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	st208490.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st208490.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	064a4ced9bcaec0708109fb16e7cc9e8587c5ddefac8b54195861d37e4b47e36.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
376	92188224.exe
376	92188224.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	376	92188224.exe
Token: SeDebugPrivilege	940	kp857904.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 1736	1120	064a4ced9bcaec0708109fb16e7cc9e8587c5ddefac8b54195861d37e4b47e36.exe	28
PID 1120 wrote to memory of 1736	1120	064a4ced9bcaec0708109fb16e7cc9e8587c5ddefac8b54195861d37e4b47e36.exe	28
PID 1120 wrote to memory of 1736	1120	064a4ced9bcaec0708109fb16e7cc9e8587c5ddefac8b54195861d37e4b47e36.exe	28
PID 1120 wrote to memory of 1736	1120	064a4ced9bcaec0708109fb16e7cc9e8587c5ddefac8b54195861d37e4b47e36.exe	28
PID 1120 wrote to memory of 1736	1120	064a4ced9bcaec0708109fb16e7cc9e8587c5ddefac8b54195861d37e4b47e36.exe	28
PID 1120 wrote to memory of 1736	1120	064a4ced9bcaec0708109fb16e7cc9e8587c5ddefac8b54195861d37e4b47e36.exe	28
PID 1120 wrote to memory of 1736	1120	064a4ced9bcaec0708109fb16e7cc9e8587c5ddefac8b54195861d37e4b47e36.exe	28
PID 1736 wrote to memory of 376	1736	st208490.exe	29
PID 1736 wrote to memory of 376	1736	st208490.exe	29
PID 1736 wrote to memory of 376	1736	st208490.exe	29
PID 1736 wrote to memory of 376	1736	st208490.exe	29
PID 1736 wrote to memory of 376	1736	st208490.exe	29
PID 1736 wrote to memory of 376	1736	st208490.exe	29
PID 1736 wrote to memory of 376	1736	st208490.exe	29
PID 1736 wrote to memory of 940	1736	st208490.exe	30
PID 1736 wrote to memory of 940	1736	st208490.exe	30
PID 1736 wrote to memory of 940	1736	st208490.exe	30
PID 1736 wrote to memory of 940	1736	st208490.exe	30
PID 1736 wrote to memory of 940	1736	st208490.exe	30
PID 1736 wrote to memory of 940	1736	st208490.exe	30
PID 1736 wrote to memory of 940	1736	st208490.exe	30

C:\Users\Admin\AppData\Local\Temp\064a4ced9bcaec0708109fb16e7cc9e8587c5ddefac8b54195861d37e4b47e36.exe
"C:\Users\Admin\AppData\Local\Temp\064a4ced9bcaec0708109fb16e7cc9e8587c5ddefac8b54195861d37e4b47e36.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st208490.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st208490.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\92188224.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\92188224.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:376
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp857904.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp857904.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st208490.exe

Filesize
497KB

MD5
ded97ab4cbae554269e15a41aab614a7

SHA1
ead60ed6f0b0d56be186237d638c744fa9a13aa5

SHA256
6fed055d8b815e06a1eb1ad4ad8244bea6cd9c6ff66a2d3c7c346493b200734f

SHA512
b3558fef09b5204cbc8f941654fcbd220afa07cf11566c1a48e55624b7347486b8a67daf5a3f7d5e3fd8690db6efae0f2951d8c8d8c32d7cbe1c16eff51bd4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st208490.exe

Filesize
497KB

MD5
ded97ab4cbae554269e15a41aab614a7

SHA1
ead60ed6f0b0d56be186237d638c744fa9a13aa5

SHA256
6fed055d8b815e06a1eb1ad4ad8244bea6cd9c6ff66a2d3c7c346493b200734f

SHA512
b3558fef09b5204cbc8f941654fcbd220afa07cf11566c1a48e55624b7347486b8a67daf5a3f7d5e3fd8690db6efae0f2951d8c8d8c32d7cbe1c16eff51bd4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\92188224.exe

Filesize
175KB

MD5
a165b5f6b0a4bdf808b71de57bf9347d

SHA1
39a7b301e819e386c162a47e046fa384bb5ab437

SHA256
68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a

SHA512
3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\92188224.exe

Filesize
175KB

MD5
a165b5f6b0a4bdf808b71de57bf9347d

SHA1
39a7b301e819e386c162a47e046fa384bb5ab437

SHA256
68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a

SHA512
3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp857904.exe

Filesize
342KB

MD5
76243905c769fd83647361c23f4f8c71

SHA1
88ca3390486d3b8cc262f184fa1d4c74452a37dd

SHA256
e16662bb9379a2d4062f7bb4fd30f5c7481acd325330972153978e6469d90d7d

SHA512
c0945eb414b672666c28fafdd98791994c58484f3c873f0f8caaab728182bd77eee731cc20b93177654552c78faef5f16fadfb6420f2e157e7ef91f5682db86d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp857904.exe

Filesize
342KB

MD5
76243905c769fd83647361c23f4f8c71

SHA1
88ca3390486d3b8cc262f184fa1d4c74452a37dd

SHA256
e16662bb9379a2d4062f7bb4fd30f5c7481acd325330972153978e6469d90d7d

SHA512
c0945eb414b672666c28fafdd98791994c58484f3c873f0f8caaab728182bd77eee731cc20b93177654552c78faef5f16fadfb6420f2e157e7ef91f5682db86d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp857904.exe

Filesize
342KB

MD5
76243905c769fd83647361c23f4f8c71

SHA1
88ca3390486d3b8cc262f184fa1d4c74452a37dd

SHA256
e16662bb9379a2d4062f7bb4fd30f5c7481acd325330972153978e6469d90d7d

SHA512
c0945eb414b672666c28fafdd98791994c58484f3c873f0f8caaab728182bd77eee731cc20b93177654552c78faef5f16fadfb6420f2e157e7ef91f5682db86d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st208490.exe

Filesize
497KB

MD5
ded97ab4cbae554269e15a41aab614a7

SHA1
ead60ed6f0b0d56be186237d638c744fa9a13aa5

SHA256
6fed055d8b815e06a1eb1ad4ad8244bea6cd9c6ff66a2d3c7c346493b200734f

SHA512
b3558fef09b5204cbc8f941654fcbd220afa07cf11566c1a48e55624b7347486b8a67daf5a3f7d5e3fd8690db6efae0f2951d8c8d8c32d7cbe1c16eff51bd4f4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st208490.exe

Filesize
497KB

MD5
ded97ab4cbae554269e15a41aab614a7

SHA1
ead60ed6f0b0d56be186237d638c744fa9a13aa5

SHA256
6fed055d8b815e06a1eb1ad4ad8244bea6cd9c6ff66a2d3c7c346493b200734f

SHA512
b3558fef09b5204cbc8f941654fcbd220afa07cf11566c1a48e55624b7347486b8a67daf5a3f7d5e3fd8690db6efae0f2951d8c8d8c32d7cbe1c16eff51bd4f4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\92188224.exe

Filesize
175KB

MD5
a165b5f6b0a4bdf808b71de57bf9347d

SHA1
39a7b301e819e386c162a47e046fa384bb5ab437

SHA256
68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a

SHA512
3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\92188224.exe

Filesize
175KB

MD5
a165b5f6b0a4bdf808b71de57bf9347d

SHA1
39a7b301e819e386c162a47e046fa384bb5ab437

SHA256
68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a

SHA512
3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp857904.exe

Filesize
342KB

MD5
76243905c769fd83647361c23f4f8c71

SHA1
88ca3390486d3b8cc262f184fa1d4c74452a37dd

SHA256
e16662bb9379a2d4062f7bb4fd30f5c7481acd325330972153978e6469d90d7d

SHA512
c0945eb414b672666c28fafdd98791994c58484f3c873f0f8caaab728182bd77eee731cc20b93177654552c78faef5f16fadfb6420f2e157e7ef91f5682db86d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp857904.exe

Filesize
342KB

MD5
76243905c769fd83647361c23f4f8c71

SHA1
88ca3390486d3b8cc262f184fa1d4c74452a37dd

SHA256
e16662bb9379a2d4062f7bb4fd30f5c7481acd325330972153978e6469d90d7d

SHA512
c0945eb414b672666c28fafdd98791994c58484f3c873f0f8caaab728182bd77eee731cc20b93177654552c78faef5f16fadfb6420f2e157e7ef91f5682db86d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp857904.exe

Filesize
342KB

MD5
76243905c769fd83647361c23f4f8c71

SHA1
88ca3390486d3b8cc262f184fa1d4c74452a37dd

SHA256
e16662bb9379a2d4062f7bb4fd30f5c7481acd325330972153978e6469d90d7d

SHA512
c0945eb414b672666c28fafdd98791994c58484f3c873f0f8caaab728182bd77eee731cc20b93177654552c78faef5f16fadfb6420f2e157e7ef91f5682db86d

Download Submit
memory/376-87-0x0000000001F10000-0x0000000001F23000-memory.dmp

Filesize
76KB

Download
memory/376-81-0x0000000001F10000-0x0000000001F23000-memory.dmp

Filesize
76KB

Download
memory/376-85-0x0000000001F10000-0x0000000001F23000-memory.dmp

Filesize
76KB

Download
memory/376-91-0x0000000001F10000-0x0000000001F23000-memory.dmp

Filesize
76KB

Download
memory/376-89-0x0000000001F10000-0x0000000001F23000-memory.dmp

Filesize
76KB

Download
memory/376-95-0x0000000001F10000-0x0000000001F23000-memory.dmp

Filesize
76KB

Download
memory/376-93-0x0000000001F10000-0x0000000001F23000-memory.dmp

Filesize
76KB

Download
memory/376-99-0x0000000001F10000-0x0000000001F23000-memory.dmp

Filesize
76KB

Download
memory/376-97-0x0000000001F10000-0x0000000001F23000-memory.dmp

Filesize
76KB

Download
memory/376-103-0x0000000001F10000-0x0000000001F23000-memory.dmp

Filesize
76KB

Download
memory/376-101-0x0000000001F10000-0x0000000001F23000-memory.dmp

Filesize
76KB

Download
memory/376-104-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/376-105-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/376-106-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/376-83-0x0000000001F10000-0x0000000001F23000-memory.dmp

Filesize
76KB

Download
memory/376-79-0x0000000001F10000-0x0000000001F23000-memory.dmp

Filesize
76KB

Download
memory/376-77-0x0000000001F10000-0x0000000001F23000-memory.dmp

Filesize
76KB

Download
memory/376-76-0x0000000001F10000-0x0000000001F23000-memory.dmp

Filesize
76KB

Download
memory/376-75-0x0000000001F10000-0x0000000001F28000-memory.dmp

Filesize
96KB

Download
memory/376-74-0x0000000000560000-0x000000000057A000-memory.dmp

Filesize
104KB

Download
memory/940-120-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Filesize
256KB

Download
memory/940-138-0x0000000002230000-0x0000000002265000-memory.dmp

Filesize
212KB

Download
memory/940-119-0x00000000002A0000-0x00000000002E6000-memory.dmp

Filesize
280KB

Download
memory/940-117-0x00000000021F0000-0x000000000222C000-memory.dmp

Filesize
240KB

Download
memory/940-121-0x0000000002230000-0x0000000002265000-memory.dmp

Filesize
212KB

Download
memory/940-122-0x0000000002230000-0x0000000002265000-memory.dmp

Filesize
212KB

Download
memory/940-124-0x0000000002230000-0x0000000002265000-memory.dmp

Filesize
212KB

Download
memory/940-126-0x0000000002230000-0x0000000002265000-memory.dmp

Filesize
212KB

Download
memory/940-128-0x0000000002230000-0x0000000002265000-memory.dmp

Filesize
212KB

Download
memory/940-130-0x0000000002230000-0x0000000002265000-memory.dmp

Filesize
212KB

Download
memory/940-132-0x0000000002230000-0x0000000002265000-memory.dmp

Filesize
212KB

Download
memory/940-134-0x0000000002230000-0x0000000002265000-memory.dmp

Filesize
212KB

Download
memory/940-136-0x0000000002230000-0x0000000002265000-memory.dmp

Filesize
212KB

Download
memory/940-118-0x0000000002230000-0x000000000226A000-memory.dmp

Filesize
232KB

Download
memory/940-140-0x0000000002230000-0x0000000002265000-memory.dmp

Filesize
212KB

Download
memory/940-142-0x0000000002230000-0x0000000002265000-memory.dmp

Filesize
212KB

Download
memory/940-144-0x0000000002230000-0x0000000002265000-memory.dmp

Filesize
212KB

Download
memory/940-146-0x0000000002230000-0x0000000002265000-memory.dmp

Filesize
212KB

Download
memory/940-150-0x0000000002230000-0x0000000002265000-memory.dmp

Filesize
212KB

Download
memory/940-148-0x0000000002230000-0x0000000002265000-memory.dmp

Filesize
212KB

Download
memory/940-152-0x0000000002230000-0x0000000002265000-memory.dmp

Filesize
212KB

Download
memory/940-154-0x0000000002230000-0x0000000002265000-memory.dmp

Filesize
212KB

Download
memory/940-156-0x0000000002230000-0x0000000002265000-memory.dmp

Filesize
212KB

Download
memory/940-913-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Filesize
256KB

Download
memory/940-915-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Filesize
256KB

Download
memory/940-917-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Filesize
256KB

Download