06dde7c50269c70b91806f90c5b2438e4edcbf645f733349d452def46bdf7bf8

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-05-2023 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06dde7c50269c70b91806f90c5b2438e4edcbf645f733349d452def46bdf7bf8.exe
Size

747KB
MD5

bf11028a9e04429e455cf58ded552c33
SHA1

56ab4b5e04bc8974db09cace011dbf6bf14d7ec8
SHA256

06dde7c50269c70b91806f90c5b2438e4edcbf645f733349d452def46bdf7bf8
SHA512

351a3aa741f3e5169347971c4717a30261302baa4b309d9a8aaf5f730d239d66af4f380e21f0aefee7752a43eb88f39193450a31cf353591ffeccd5726d8428d
SSDEEP

12288:Jy90CSWL2KN4I/DL9C3kb8tzqbMIPV4wuP9FUGiARO9RYBtAmXuSLdMid1lCG:JyzSW6g/9CUb8tzq4IPVK9F9ipoAmXzj

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	99332290.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	99332290.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	99332290.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	99332290.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	99332290.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	99332290.exe

Executes dropped EXE 3 IoCs

pid	Process
2040	un461277.exe
468	99332290.exe
1548	rk005766.exe

Loads dropped DLL 8 IoCs

pid	Process
856	06dde7c50269c70b91806f90c5b2438e4edcbf645f733349d452def46bdf7bf8.exe
2040	un461277.exe
2040	un461277.exe
2040	un461277.exe
468	99332290.exe
2040	un461277.exe
2040	un461277.exe
1548	rk005766.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	99332290.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	99332290.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un461277.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	06dde7c50269c70b91806f90c5b2438e4edcbf645f733349d452def46bdf7bf8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	06dde7c50269c70b91806f90c5b2438e4edcbf645f733349d452def46bdf7bf8.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un461277.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
468	99332290.exe
468	99332290.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	468	99332290.exe
Token: SeDebugPrivilege	1548	rk005766.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 2040	856	06dde7c50269c70b91806f90c5b2438e4edcbf645f733349d452def46bdf7bf8.exe	27
PID 856 wrote to memory of 2040	856	06dde7c50269c70b91806f90c5b2438e4edcbf645f733349d452def46bdf7bf8.exe	27
PID 856 wrote to memory of 2040	856	06dde7c50269c70b91806f90c5b2438e4edcbf645f733349d452def46bdf7bf8.exe	27
PID 856 wrote to memory of 2040	856	06dde7c50269c70b91806f90c5b2438e4edcbf645f733349d452def46bdf7bf8.exe	27
PID 856 wrote to memory of 2040	856	06dde7c50269c70b91806f90c5b2438e4edcbf645f733349d452def46bdf7bf8.exe	27
PID 856 wrote to memory of 2040	856	06dde7c50269c70b91806f90c5b2438e4edcbf645f733349d452def46bdf7bf8.exe	27
PID 856 wrote to memory of 2040	856	06dde7c50269c70b91806f90c5b2438e4edcbf645f733349d452def46bdf7bf8.exe	27
PID 2040 wrote to memory of 468	2040	un461277.exe	28
PID 2040 wrote to memory of 468	2040	un461277.exe	28
PID 2040 wrote to memory of 468	2040	un461277.exe	28
PID 2040 wrote to memory of 468	2040	un461277.exe	28
PID 2040 wrote to memory of 468	2040	un461277.exe	28
PID 2040 wrote to memory of 468	2040	un461277.exe	28
PID 2040 wrote to memory of 468	2040	un461277.exe	28
PID 2040 wrote to memory of 1548	2040	un461277.exe	29
PID 2040 wrote to memory of 1548	2040	un461277.exe	29
PID 2040 wrote to memory of 1548	2040	un461277.exe	29
PID 2040 wrote to memory of 1548	2040	un461277.exe	29
PID 2040 wrote to memory of 1548	2040	un461277.exe	29
PID 2040 wrote to memory of 1548	2040	un461277.exe	29
PID 2040 wrote to memory of 1548	2040	un461277.exe	29

C:\Users\Admin\AppData\Local\Temp\06dde7c50269c70b91806f90c5b2438e4edcbf645f733349d452def46bdf7bf8.exe
"C:\Users\Admin\AppData\Local\Temp\06dde7c50269c70b91806f90c5b2438e4edcbf645f733349d452def46bdf7bf8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:856
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un461277.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un461277.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\99332290.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\99332290.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:468
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk005766.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk005766.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un461277.exe

Filesize
592KB

MD5
8b7b15854936f57225667578a79ee2e1

SHA1
9a30ae196f01fd455b6e2f638f5f806daf03b1a7

SHA256
87bd121f389874788d90c7f96e039d7a58f06d7600fbeea42ea8812b54af6251

SHA512
176f5eb6a30604b814bce0753fcb9735f6271bc1af7e58684d9a670b5ed58e5494e02985ccf974712c6e10e3e035578929233ffd023772c3bb86d05e922a0d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un461277.exe

Filesize
592KB

MD5
8b7b15854936f57225667578a79ee2e1

SHA1
9a30ae196f01fd455b6e2f638f5f806daf03b1a7

SHA256
87bd121f389874788d90c7f96e039d7a58f06d7600fbeea42ea8812b54af6251

SHA512
176f5eb6a30604b814bce0753fcb9735f6271bc1af7e58684d9a670b5ed58e5494e02985ccf974712c6e10e3e035578929233ffd023772c3bb86d05e922a0d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\99332290.exe

Filesize
376KB

MD5
c67f301303ed143dad3f0053b754ab86

SHA1
e3be7b6f463b705f538e8c13c8f90004dda01239

SHA256
ce54846fdafdd44540d486217224cb8b02d0fb0fa337386e228d2ed562290d54

SHA512
90b5b5cefafde070b00723529313e60ac941ec43a4d03865008190a6648a503b9566e4baee914cc27ebdcd3faff33950219e6f3a3212e0b277cf0e23a5d077fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\99332290.exe

Filesize
376KB

MD5
c67f301303ed143dad3f0053b754ab86

SHA1
e3be7b6f463b705f538e8c13c8f90004dda01239

SHA256
ce54846fdafdd44540d486217224cb8b02d0fb0fa337386e228d2ed562290d54

SHA512
90b5b5cefafde070b00723529313e60ac941ec43a4d03865008190a6648a503b9566e4baee914cc27ebdcd3faff33950219e6f3a3212e0b277cf0e23a5d077fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\99332290.exe

Filesize
376KB

MD5
c67f301303ed143dad3f0053b754ab86

SHA1
e3be7b6f463b705f538e8c13c8f90004dda01239

SHA256
ce54846fdafdd44540d486217224cb8b02d0fb0fa337386e228d2ed562290d54

SHA512
90b5b5cefafde070b00723529313e60ac941ec43a4d03865008190a6648a503b9566e4baee914cc27ebdcd3faff33950219e6f3a3212e0b277cf0e23a5d077fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk005766.exe

Filesize
459KB

MD5
584a1f3abf5239460a2f3e3a3272e086

SHA1
f7ff95cefa51c7dae09da93eacfc45bc58f02e44

SHA256
21a817006dbc9ec175bfca0db3f4572bbf85e77e0b2e29aea121cd36e894e0e3

SHA512
bcf39f06012f6ad3b8cdce117c3d28d2541669a52ad2241edf07801658aff5b5ecf4ddb5feae6f13e48631d4db82c28d4e0b7a587db12c82930b194aa2b3c857

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk005766.exe

Filesize
459KB

MD5
584a1f3abf5239460a2f3e3a3272e086

SHA1
f7ff95cefa51c7dae09da93eacfc45bc58f02e44

SHA256
21a817006dbc9ec175bfca0db3f4572bbf85e77e0b2e29aea121cd36e894e0e3

SHA512
bcf39f06012f6ad3b8cdce117c3d28d2541669a52ad2241edf07801658aff5b5ecf4ddb5feae6f13e48631d4db82c28d4e0b7a587db12c82930b194aa2b3c857

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk005766.exe

Filesize
459KB

MD5
584a1f3abf5239460a2f3e3a3272e086

SHA1
f7ff95cefa51c7dae09da93eacfc45bc58f02e44

SHA256
21a817006dbc9ec175bfca0db3f4572bbf85e77e0b2e29aea121cd36e894e0e3

SHA512
bcf39f06012f6ad3b8cdce117c3d28d2541669a52ad2241edf07801658aff5b5ecf4ddb5feae6f13e48631d4db82c28d4e0b7a587db12c82930b194aa2b3c857

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un461277.exe

Filesize
592KB

MD5
8b7b15854936f57225667578a79ee2e1

SHA1
9a30ae196f01fd455b6e2f638f5f806daf03b1a7

SHA256
87bd121f389874788d90c7f96e039d7a58f06d7600fbeea42ea8812b54af6251

SHA512
176f5eb6a30604b814bce0753fcb9735f6271bc1af7e58684d9a670b5ed58e5494e02985ccf974712c6e10e3e035578929233ffd023772c3bb86d05e922a0d85

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un461277.exe

Filesize
592KB

MD5
8b7b15854936f57225667578a79ee2e1

SHA1
9a30ae196f01fd455b6e2f638f5f806daf03b1a7

SHA256
87bd121f389874788d90c7f96e039d7a58f06d7600fbeea42ea8812b54af6251

SHA512
176f5eb6a30604b814bce0753fcb9735f6271bc1af7e58684d9a670b5ed58e5494e02985ccf974712c6e10e3e035578929233ffd023772c3bb86d05e922a0d85

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\99332290.exe

Filesize
376KB

MD5
c67f301303ed143dad3f0053b754ab86

SHA1
e3be7b6f463b705f538e8c13c8f90004dda01239

SHA256
ce54846fdafdd44540d486217224cb8b02d0fb0fa337386e228d2ed562290d54

SHA512
90b5b5cefafde070b00723529313e60ac941ec43a4d03865008190a6648a503b9566e4baee914cc27ebdcd3faff33950219e6f3a3212e0b277cf0e23a5d077fe

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\99332290.exe

Filesize
376KB

MD5
c67f301303ed143dad3f0053b754ab86

SHA1
e3be7b6f463b705f538e8c13c8f90004dda01239

SHA256
ce54846fdafdd44540d486217224cb8b02d0fb0fa337386e228d2ed562290d54

SHA512
90b5b5cefafde070b00723529313e60ac941ec43a4d03865008190a6648a503b9566e4baee914cc27ebdcd3faff33950219e6f3a3212e0b277cf0e23a5d077fe

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\99332290.exe

Filesize
376KB

MD5
c67f301303ed143dad3f0053b754ab86

SHA1
e3be7b6f463b705f538e8c13c8f90004dda01239

SHA256
ce54846fdafdd44540d486217224cb8b02d0fb0fa337386e228d2ed562290d54

SHA512
90b5b5cefafde070b00723529313e60ac941ec43a4d03865008190a6648a503b9566e4baee914cc27ebdcd3faff33950219e6f3a3212e0b277cf0e23a5d077fe

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk005766.exe

Filesize
459KB

MD5
584a1f3abf5239460a2f3e3a3272e086

SHA1
f7ff95cefa51c7dae09da93eacfc45bc58f02e44

SHA256
21a817006dbc9ec175bfca0db3f4572bbf85e77e0b2e29aea121cd36e894e0e3

SHA512
bcf39f06012f6ad3b8cdce117c3d28d2541669a52ad2241edf07801658aff5b5ecf4ddb5feae6f13e48631d4db82c28d4e0b7a587db12c82930b194aa2b3c857

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk005766.exe

Filesize
459KB

MD5
584a1f3abf5239460a2f3e3a3272e086

SHA1
f7ff95cefa51c7dae09da93eacfc45bc58f02e44

SHA256
21a817006dbc9ec175bfca0db3f4572bbf85e77e0b2e29aea121cd36e894e0e3

SHA512
bcf39f06012f6ad3b8cdce117c3d28d2541669a52ad2241edf07801658aff5b5ecf4ddb5feae6f13e48631d4db82c28d4e0b7a587db12c82930b194aa2b3c857

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk005766.exe

Filesize
459KB

MD5
584a1f3abf5239460a2f3e3a3272e086

SHA1
f7ff95cefa51c7dae09da93eacfc45bc58f02e44

SHA256
21a817006dbc9ec175bfca0db3f4572bbf85e77e0b2e29aea121cd36e894e0e3

SHA512
bcf39f06012f6ad3b8cdce117c3d28d2541669a52ad2241edf07801658aff5b5ecf4ddb5feae6f13e48631d4db82c28d4e0b7a587db12c82930b194aa2b3c857

Download Submit
memory/468-87-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/468-89-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/468-91-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/468-93-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/468-95-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/468-97-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/468-99-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/468-101-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/468-103-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/468-105-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/468-107-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/468-109-0x0000000004EE0000-0x0000000004F20000-memory.dmp

Filesize
256KB

Download
memory/468-110-0x0000000004EE0000-0x0000000004F20000-memory.dmp

Filesize
256KB

Download
memory/468-108-0x0000000000280000-0x00000000002AD000-memory.dmp

Filesize
180KB

Download
memory/468-111-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/468-112-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/468-85-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/468-83-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/468-81-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/468-80-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/468-79-0x00000000022F0000-0x0000000002308000-memory.dmp

Filesize
96KB

Download
memory/468-78-0x0000000000980000-0x000000000099A000-memory.dmp

Filesize
104KB

Download
memory/1548-124-0x00000000026C0000-0x00000000026FC000-memory.dmp

Filesize
240KB

Download
memory/1548-145-0x0000000004BC0000-0x0000000004BF5000-memory.dmp

Filesize
212KB

Download
memory/1548-125-0x0000000004BC0000-0x0000000004BFA000-memory.dmp

Filesize
232KB

Download
memory/1548-126-0x0000000004BC0000-0x0000000004BF5000-memory.dmp

Filesize
212KB

Download
memory/1548-127-0x0000000004BC0000-0x0000000004BF5000-memory.dmp

Filesize
212KB

Download
memory/1548-129-0x0000000004BC0000-0x0000000004BF5000-memory.dmp

Filesize
212KB

Download
memory/1548-131-0x0000000004BC0000-0x0000000004BF5000-memory.dmp

Filesize
212KB

Download
memory/1548-133-0x0000000004BC0000-0x0000000004BF5000-memory.dmp

Filesize
212KB

Download
memory/1548-135-0x0000000004BC0000-0x0000000004BF5000-memory.dmp

Filesize
212KB

Download
memory/1548-137-0x0000000004BC0000-0x0000000004BF5000-memory.dmp

Filesize
212KB

Download
memory/1548-139-0x0000000004BC0000-0x0000000004BF5000-memory.dmp

Filesize
212KB

Download
memory/1548-141-0x0000000004BC0000-0x0000000004BF5000-memory.dmp

Filesize
212KB

Download
memory/1548-143-0x0000000004BC0000-0x0000000004BF5000-memory.dmp

Filesize
212KB

Download
memory/1548-123-0x0000000000820000-0x0000000000866000-memory.dmp

Filesize
280KB

Download
memory/1548-147-0x0000000004BC0000-0x0000000004BF5000-memory.dmp

Filesize
212KB

Download
memory/1548-149-0x0000000004BC0000-0x0000000004BF5000-memory.dmp

Filesize
212KB

Download
memory/1548-151-0x0000000004BC0000-0x0000000004BF5000-memory.dmp

Filesize
212KB

Download
memory/1548-153-0x0000000004BC0000-0x0000000004BF5000-memory.dmp

Filesize
212KB

Download
memory/1548-155-0x0000000004BC0000-0x0000000004BF5000-memory.dmp

Filesize
212KB

Download
memory/1548-157-0x0000000004BC0000-0x0000000004BF5000-memory.dmp

Filesize
212KB

Download
memory/1548-159-0x0000000004BC0000-0x0000000004BF5000-memory.dmp

Filesize
212KB

Download
memory/1548-660-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/1548-662-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/1548-920-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/1548-922-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/1548-924-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download