06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96

Analysis

max time kernel
158s
max time network
162s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96.exe
Size

746KB
MD5

6d42a5aa78213429190d0a0934dc6b24
SHA1

fd3d8d238440a2fab9cb6d5a9a93c741e1f2d8bf
SHA256

06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96
SHA512

b9722189ee2d67791996c6cfb182a52189c186b65e78df82ae9b4209faad150a9c41cc006dbd889a6d339fbbe18c3e216828dad963f66d53f9fc864431def0f6
SSDEEP

12288:9y90WArweOkO4mzxdXHxmGtHwSONtTEFNgxGuaq9jcBtgXPl8iVuGf4fBV25rW:9ymkMSzjBftHwSONtTEFNg7kgXNFVlMt

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	53478779.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	53478779.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	53478779.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	53478779.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	53478779.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	53478779.exe

Executes dropped EXE 3 IoCs

pid	Process
1652	un093638.exe
472	53478779.exe
1548	rk374421.exe

Loads dropped DLL 8 IoCs

pid	Process
1636	06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96.exe
1652	un093638.exe
1652	un093638.exe
1652	un093638.exe
472	53478779.exe
1652	un093638.exe
1652	un093638.exe
1548	rk374421.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	53478779.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	53478779.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un093638.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un093638.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
472	53478779.exe
472	53478779.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	472	53478779.exe
Token: SeDebugPrivilege	1548	rk374421.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1652	1636	06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96.exe	28
PID 1636 wrote to memory of 1652	1636	06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96.exe	28
PID 1636 wrote to memory of 1652	1636	06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96.exe	28
PID 1636 wrote to memory of 1652	1636	06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96.exe	28
PID 1636 wrote to memory of 1652	1636	06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96.exe	28
PID 1636 wrote to memory of 1652	1636	06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96.exe	28
PID 1636 wrote to memory of 1652	1636	06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96.exe	28
PID 1652 wrote to memory of 472	1652	un093638.exe	29
PID 1652 wrote to memory of 472	1652	un093638.exe	29
PID 1652 wrote to memory of 472	1652	un093638.exe	29
PID 1652 wrote to memory of 472	1652	un093638.exe	29
PID 1652 wrote to memory of 472	1652	un093638.exe	29
PID 1652 wrote to memory of 472	1652	un093638.exe	29
PID 1652 wrote to memory of 472	1652	un093638.exe	29
PID 1652 wrote to memory of 1548	1652	un093638.exe	30
PID 1652 wrote to memory of 1548	1652	un093638.exe	30
PID 1652 wrote to memory of 1548	1652	un093638.exe	30
PID 1652 wrote to memory of 1548	1652	un093638.exe	30
PID 1652 wrote to memory of 1548	1652	un093638.exe	30
PID 1652 wrote to memory of 1548	1652	un093638.exe	30
PID 1652 wrote to memory of 1548	1652	un093638.exe	30

C:\Users\Admin\AppData\Local\Temp\06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96.exe
"C:\Users\Admin\AppData\Local\Temp\06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un093638.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un093638.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53478779.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53478779.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:472
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk374421.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk374421.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un093638.exe

Filesize
591KB

MD5
24b1cd9c4ccc60ba3566beccb1109306

SHA1
dd3caaa312cf66ac02419e6e88ac54e0453e6d47

SHA256
383e66da59f46ff6d582429855628930413245a1272de94c178d93512d3b6a5a

SHA512
d2f9bdf2c2a6628b504eb83506f36ca4e60c2b53c3c5b8440322cf192dfcc3356ec9a2358f3c5cb6a4457699630426050c7f299e228978279c13fd1a555f3abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un093638.exe

Filesize
591KB

MD5
24b1cd9c4ccc60ba3566beccb1109306

SHA1
dd3caaa312cf66ac02419e6e88ac54e0453e6d47

SHA256
383e66da59f46ff6d582429855628930413245a1272de94c178d93512d3b6a5a

SHA512
d2f9bdf2c2a6628b504eb83506f36ca4e60c2b53c3c5b8440322cf192dfcc3356ec9a2358f3c5cb6a4457699630426050c7f299e228978279c13fd1a555f3abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53478779.exe

Filesize
376KB

MD5
d20bd233473781a8759e9b4ea94e8a16

SHA1
8f93c9514cdc77d6124c180e2f1fe16f97fe43d9

SHA256
5193247b883b1d5d4b6f03348186d926ab7ffe4f931db76c8d5699cda0e92740

SHA512
a1b0d44fac8fd6c439c8e6a3426cb0f21327323fb8646b4feeb6faa7c935a079c8bc82c9ede31b0df4b9a457da46cdacd640217108ac04de5648ee312755676c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53478779.exe

Filesize
376KB

MD5
d20bd233473781a8759e9b4ea94e8a16

SHA1
8f93c9514cdc77d6124c180e2f1fe16f97fe43d9

SHA256
5193247b883b1d5d4b6f03348186d926ab7ffe4f931db76c8d5699cda0e92740

SHA512
a1b0d44fac8fd6c439c8e6a3426cb0f21327323fb8646b4feeb6faa7c935a079c8bc82c9ede31b0df4b9a457da46cdacd640217108ac04de5648ee312755676c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53478779.exe

Filesize
376KB

MD5
d20bd233473781a8759e9b4ea94e8a16

SHA1
8f93c9514cdc77d6124c180e2f1fe16f97fe43d9

SHA256
5193247b883b1d5d4b6f03348186d926ab7ffe4f931db76c8d5699cda0e92740

SHA512
a1b0d44fac8fd6c439c8e6a3426cb0f21327323fb8646b4feeb6faa7c935a079c8bc82c9ede31b0df4b9a457da46cdacd640217108ac04de5648ee312755676c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk374421.exe

Filesize
459KB

MD5
ad973c92036e4c84e4f20035e8892c2a

SHA1
eee57cdf949ebf435a5427ed79992e676979ef49

SHA256
c8daa664653aa59954af42734fcf66e8635172b09a02ec38960239960e509fb2

SHA512
94a4cdd400a459c8af02c700f3133b865eea8b61c8c3fc3f48152396977907dd9578ac6e31817d0c4ca3f002a3cf20c5c5204a96e487d6b52b1833d4db19be6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk374421.exe

Filesize
459KB

MD5
ad973c92036e4c84e4f20035e8892c2a

SHA1
eee57cdf949ebf435a5427ed79992e676979ef49

SHA256
c8daa664653aa59954af42734fcf66e8635172b09a02ec38960239960e509fb2

SHA512
94a4cdd400a459c8af02c700f3133b865eea8b61c8c3fc3f48152396977907dd9578ac6e31817d0c4ca3f002a3cf20c5c5204a96e487d6b52b1833d4db19be6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk374421.exe

Filesize
459KB

MD5
ad973c92036e4c84e4f20035e8892c2a

SHA1
eee57cdf949ebf435a5427ed79992e676979ef49

SHA256
c8daa664653aa59954af42734fcf66e8635172b09a02ec38960239960e509fb2

SHA512
94a4cdd400a459c8af02c700f3133b865eea8b61c8c3fc3f48152396977907dd9578ac6e31817d0c4ca3f002a3cf20c5c5204a96e487d6b52b1833d4db19be6d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un093638.exe

Filesize
591KB

MD5
24b1cd9c4ccc60ba3566beccb1109306

SHA1
dd3caaa312cf66ac02419e6e88ac54e0453e6d47

SHA256
383e66da59f46ff6d582429855628930413245a1272de94c178d93512d3b6a5a

SHA512
d2f9bdf2c2a6628b504eb83506f36ca4e60c2b53c3c5b8440322cf192dfcc3356ec9a2358f3c5cb6a4457699630426050c7f299e228978279c13fd1a555f3abd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un093638.exe

Filesize
591KB

MD5
24b1cd9c4ccc60ba3566beccb1109306

SHA1
dd3caaa312cf66ac02419e6e88ac54e0453e6d47

SHA256
383e66da59f46ff6d582429855628930413245a1272de94c178d93512d3b6a5a

SHA512
d2f9bdf2c2a6628b504eb83506f36ca4e60c2b53c3c5b8440322cf192dfcc3356ec9a2358f3c5cb6a4457699630426050c7f299e228978279c13fd1a555f3abd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\53478779.exe

Filesize
376KB

MD5
d20bd233473781a8759e9b4ea94e8a16

SHA1
8f93c9514cdc77d6124c180e2f1fe16f97fe43d9

SHA256
5193247b883b1d5d4b6f03348186d926ab7ffe4f931db76c8d5699cda0e92740

SHA512
a1b0d44fac8fd6c439c8e6a3426cb0f21327323fb8646b4feeb6faa7c935a079c8bc82c9ede31b0df4b9a457da46cdacd640217108ac04de5648ee312755676c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\53478779.exe

Filesize
376KB

MD5
d20bd233473781a8759e9b4ea94e8a16

SHA1
8f93c9514cdc77d6124c180e2f1fe16f97fe43d9

SHA256
5193247b883b1d5d4b6f03348186d926ab7ffe4f931db76c8d5699cda0e92740

SHA512
a1b0d44fac8fd6c439c8e6a3426cb0f21327323fb8646b4feeb6faa7c935a079c8bc82c9ede31b0df4b9a457da46cdacd640217108ac04de5648ee312755676c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\53478779.exe

Filesize
376KB

MD5
d20bd233473781a8759e9b4ea94e8a16

SHA1
8f93c9514cdc77d6124c180e2f1fe16f97fe43d9

SHA256
5193247b883b1d5d4b6f03348186d926ab7ffe4f931db76c8d5699cda0e92740

SHA512
a1b0d44fac8fd6c439c8e6a3426cb0f21327323fb8646b4feeb6faa7c935a079c8bc82c9ede31b0df4b9a457da46cdacd640217108ac04de5648ee312755676c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk374421.exe

Filesize
459KB

MD5
ad973c92036e4c84e4f20035e8892c2a

SHA1
eee57cdf949ebf435a5427ed79992e676979ef49

SHA256
c8daa664653aa59954af42734fcf66e8635172b09a02ec38960239960e509fb2

SHA512
94a4cdd400a459c8af02c700f3133b865eea8b61c8c3fc3f48152396977907dd9578ac6e31817d0c4ca3f002a3cf20c5c5204a96e487d6b52b1833d4db19be6d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk374421.exe

Filesize
459KB

MD5
ad973c92036e4c84e4f20035e8892c2a

SHA1
eee57cdf949ebf435a5427ed79992e676979ef49

SHA256
c8daa664653aa59954af42734fcf66e8635172b09a02ec38960239960e509fb2

SHA512
94a4cdd400a459c8af02c700f3133b865eea8b61c8c3fc3f48152396977907dd9578ac6e31817d0c4ca3f002a3cf20c5c5204a96e487d6b52b1833d4db19be6d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk374421.exe

Filesize
459KB

MD5
ad973c92036e4c84e4f20035e8892c2a

SHA1
eee57cdf949ebf435a5427ed79992e676979ef49

SHA256
c8daa664653aa59954af42734fcf66e8635172b09a02ec38960239960e509fb2

SHA512
94a4cdd400a459c8af02c700f3133b865eea8b61c8c3fc3f48152396977907dd9578ac6e31817d0c4ca3f002a3cf20c5c5204a96e487d6b52b1833d4db19be6d

Download Submit
memory/472-111-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/472-87-0x0000000000ED0000-0x0000000000EE2000-memory.dmp

Filesize
72KB

Download
memory/472-93-0x0000000000ED0000-0x0000000000EE2000-memory.dmp

Filesize
72KB

Download
memory/472-91-0x0000000000ED0000-0x0000000000EE2000-memory.dmp

Filesize
72KB

Download
memory/472-97-0x0000000000ED0000-0x0000000000EE2000-memory.dmp

Filesize
72KB

Download
memory/472-95-0x0000000000ED0000-0x0000000000EE2000-memory.dmp

Filesize
72KB

Download
memory/472-101-0x0000000000ED0000-0x0000000000EE2000-memory.dmp

Filesize
72KB

Download
memory/472-99-0x0000000000ED0000-0x0000000000EE2000-memory.dmp

Filesize
72KB

Download
memory/472-105-0x0000000000ED0000-0x0000000000EE2000-memory.dmp

Filesize
72KB

Download
memory/472-103-0x0000000000ED0000-0x0000000000EE2000-memory.dmp

Filesize
72KB

Download
memory/472-107-0x0000000000ED0000-0x0000000000EE2000-memory.dmp

Filesize
72KB

Download
memory/472-108-0x0000000000260000-0x000000000028D000-memory.dmp

Filesize
180KB

Download
memory/472-109-0x0000000004F90000-0x0000000004FD0000-memory.dmp

Filesize
256KB

Download
memory/472-110-0x0000000004F90000-0x0000000004FD0000-memory.dmp

Filesize
256KB

Download
memory/472-89-0x0000000000ED0000-0x0000000000EE2000-memory.dmp

Filesize
72KB

Download
memory/472-114-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/472-85-0x0000000000ED0000-0x0000000000EE2000-memory.dmp

Filesize
72KB

Download
memory/472-83-0x0000000000ED0000-0x0000000000EE2000-memory.dmp

Filesize
72KB

Download
memory/472-81-0x0000000000ED0000-0x0000000000EE2000-memory.dmp

Filesize
72KB

Download
memory/472-80-0x0000000000ED0000-0x0000000000EE2000-memory.dmp

Filesize
72KB

Download
memory/472-79-0x0000000000ED0000-0x0000000000EE8000-memory.dmp

Filesize
96KB

Download
memory/472-78-0x0000000000EA0000-0x0000000000EBA000-memory.dmp

Filesize
104KB

Download
memory/1548-126-0x0000000001070000-0x00000000010AA000-memory.dmp

Filesize
232KB

Download
memory/1548-142-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1548-127-0x0000000000250000-0x0000000000296000-memory.dmp

Filesize
280KB

Download
memory/1548-128-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download
memory/1548-129-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1548-130-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1548-132-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1548-134-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1548-136-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1548-138-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1548-140-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1548-125-0x0000000000EB0000-0x0000000000EEC000-memory.dmp

Filesize
240KB

Download
memory/1548-144-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1548-146-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1548-148-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1548-150-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1548-152-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1548-154-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1548-156-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1548-158-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1548-160-0x0000000001070000-0x00000000010A5000-memory.dmp

Filesize
212KB

Download
memory/1548-922-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download
memory/1548-925-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download