074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e

Analysis

max time kernel
145s
max time network
157s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe
Size

703KB
MD5

ceaf0ce3b0036d2e17a179a1eec7ddc0
SHA1

40367912bcfce0c977206a4070a79910e4703d31
SHA256

074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e
SHA512

ea608b1108c33702c55342c005e7b5d200eb37e961159ac6476c0278a5f9ac2ecedfefec496e72715770948d556a1d0ccf15c1dd0f38305f1886c4885043c592
SSDEEP

12288:Zy90+2YJFXNbwRip07UYqLTec2VKtWI1zzC9MIznMqo/KbdtdGT:ZyXBw1UpL0KZ/MMIDp7dHGT

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr315516.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr315516.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	pr315516.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr315516.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr315516.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr315516.exe

Executes dropped EXE 3 IoCs

pid	Process
632	un363612.exe
524	pr315516.exe
812	qu134620.exe

Loads dropped DLL 8 IoCs

pid	Process
936	074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe
632	un363612.exe
632	un363612.exe
632	un363612.exe
524	pr315516.exe
632	un363612.exe
632	un363612.exe
812	qu134620.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	pr315516.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr315516.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un363612.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un363612.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
524	pr315516.exe
524	pr315516.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	524	pr315516.exe
Token: SeDebugPrivilege	812	qu134620.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 632	936	074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe	27
PID 936 wrote to memory of 632	936	074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe	27
PID 936 wrote to memory of 632	936	074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe	27
PID 936 wrote to memory of 632	936	074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe	27
PID 936 wrote to memory of 632	936	074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe	27
PID 936 wrote to memory of 632	936	074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe	27
PID 936 wrote to memory of 632	936	074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe	27
PID 632 wrote to memory of 524	632	un363612.exe	28
PID 632 wrote to memory of 524	632	un363612.exe	28
PID 632 wrote to memory of 524	632	un363612.exe	28
PID 632 wrote to memory of 524	632	un363612.exe	28
PID 632 wrote to memory of 524	632	un363612.exe	28
PID 632 wrote to memory of 524	632	un363612.exe	28
PID 632 wrote to memory of 524	632	un363612.exe	28
PID 632 wrote to memory of 812	632	un363612.exe	29
PID 632 wrote to memory of 812	632	un363612.exe	29
PID 632 wrote to memory of 812	632	un363612.exe	29
PID 632 wrote to memory of 812	632	un363612.exe	29
PID 632 wrote to memory of 812	632	un363612.exe	29
PID 632 wrote to memory of 812	632	un363612.exe	29
PID 632 wrote to memory of 812	632	un363612.exe	29

C:\Users\Admin\AppData\Local\Temp\074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe
"C:\Users\Admin\AppData\Local\Temp\074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:936
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:524
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu134620.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu134620.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe

Filesize
549KB

MD5
592280f75e4c1d6252c30fcd978b428b

SHA1
6590d2b253f55789079e2fcfedb2d2d0cf8ed919

SHA256
35009834caa4936e938a0af163004a50ff15edf06d722a06c5429526f4349351

SHA512
564eb8a927c6486ec0125900cc1b7d0eee27d3df31e7a779ee176d1588e527a018cc15de92831a9941ff0494624e907ec09bdb2a0c91289bc709c6a222900e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe

Filesize
549KB

MD5
592280f75e4c1d6252c30fcd978b428b

SHA1
6590d2b253f55789079e2fcfedb2d2d0cf8ed919

SHA256
35009834caa4936e938a0af163004a50ff15edf06d722a06c5429526f4349351

SHA512
564eb8a927c6486ec0125900cc1b7d0eee27d3df31e7a779ee176d1588e527a018cc15de92831a9941ff0494624e907ec09bdb2a0c91289bc709c6a222900e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe

Filesize
278KB

MD5
ea129ae4e2eec913a0abb8a1860e383d

SHA1
cc11444a5348d0948ccfb353ddfc0199d4f79897

SHA256
faecfb7874997a37e0096fe2b4434fbc333d96797b6fa70b69b9d260365dc752

SHA512
88f2adbffa90bd21186c8818dab9e74884d401d7364c8c520e7884620ca9e24a403a1ca1f73c9d7ea2adbb33b0c3baf0fe6d35d8e134e2326449b06ba24d012a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe

Filesize
278KB

MD5
ea129ae4e2eec913a0abb8a1860e383d

SHA1
cc11444a5348d0948ccfb353ddfc0199d4f79897

SHA256
faecfb7874997a37e0096fe2b4434fbc333d96797b6fa70b69b9d260365dc752

SHA512
88f2adbffa90bd21186c8818dab9e74884d401d7364c8c520e7884620ca9e24a403a1ca1f73c9d7ea2adbb33b0c3baf0fe6d35d8e134e2326449b06ba24d012a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe

Filesize
278KB

MD5
ea129ae4e2eec913a0abb8a1860e383d

SHA1
cc11444a5348d0948ccfb353ddfc0199d4f79897

SHA256
faecfb7874997a37e0096fe2b4434fbc333d96797b6fa70b69b9d260365dc752

SHA512
88f2adbffa90bd21186c8818dab9e74884d401d7364c8c520e7884620ca9e24a403a1ca1f73c9d7ea2adbb33b0c3baf0fe6d35d8e134e2326449b06ba24d012a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu134620.exe

Filesize
361KB

MD5
dbd9429a188264660be8c2063838216e

SHA1
0755dfb277703fc264026eedffa4d6ce2f211536

SHA256
4fd3dfa285930f483efcc8694bbc41d006321540f053ff7b42a14d96ddd567a9

SHA512
60aabab3d8fc5e7833c6f4317d5f10aa8435743ec42411bed0c6911d28eb499a39cd9a674d0b23689d84922c0e473020043be28e9fc22d70af24285c8cc7e513

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu134620.exe

Filesize
361KB

MD5
dbd9429a188264660be8c2063838216e

SHA1
0755dfb277703fc264026eedffa4d6ce2f211536

SHA256
4fd3dfa285930f483efcc8694bbc41d006321540f053ff7b42a14d96ddd567a9

SHA512
60aabab3d8fc5e7833c6f4317d5f10aa8435743ec42411bed0c6911d28eb499a39cd9a674d0b23689d84922c0e473020043be28e9fc22d70af24285c8cc7e513

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu134620.exe

Filesize
361KB

MD5
dbd9429a188264660be8c2063838216e

SHA1
0755dfb277703fc264026eedffa4d6ce2f211536

SHA256
4fd3dfa285930f483efcc8694bbc41d006321540f053ff7b42a14d96ddd567a9

SHA512
60aabab3d8fc5e7833c6f4317d5f10aa8435743ec42411bed0c6911d28eb499a39cd9a674d0b23689d84922c0e473020043be28e9fc22d70af24285c8cc7e513

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe

Filesize
549KB

MD5
592280f75e4c1d6252c30fcd978b428b

SHA1
6590d2b253f55789079e2fcfedb2d2d0cf8ed919

SHA256
35009834caa4936e938a0af163004a50ff15edf06d722a06c5429526f4349351

SHA512
564eb8a927c6486ec0125900cc1b7d0eee27d3df31e7a779ee176d1588e527a018cc15de92831a9941ff0494624e907ec09bdb2a0c91289bc709c6a222900e29

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe

Filesize
549KB

MD5
592280f75e4c1d6252c30fcd978b428b

SHA1
6590d2b253f55789079e2fcfedb2d2d0cf8ed919

SHA256
35009834caa4936e938a0af163004a50ff15edf06d722a06c5429526f4349351

SHA512
564eb8a927c6486ec0125900cc1b7d0eee27d3df31e7a779ee176d1588e527a018cc15de92831a9941ff0494624e907ec09bdb2a0c91289bc709c6a222900e29

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe

Filesize
278KB

MD5
ea129ae4e2eec913a0abb8a1860e383d

SHA1
cc11444a5348d0948ccfb353ddfc0199d4f79897

SHA256
faecfb7874997a37e0096fe2b4434fbc333d96797b6fa70b69b9d260365dc752

SHA512
88f2adbffa90bd21186c8818dab9e74884d401d7364c8c520e7884620ca9e24a403a1ca1f73c9d7ea2adbb33b0c3baf0fe6d35d8e134e2326449b06ba24d012a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe

Filesize
278KB

MD5
ea129ae4e2eec913a0abb8a1860e383d

SHA1
cc11444a5348d0948ccfb353ddfc0199d4f79897

SHA256
faecfb7874997a37e0096fe2b4434fbc333d96797b6fa70b69b9d260365dc752

SHA512
88f2adbffa90bd21186c8818dab9e74884d401d7364c8c520e7884620ca9e24a403a1ca1f73c9d7ea2adbb33b0c3baf0fe6d35d8e134e2326449b06ba24d012a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe

Filesize
278KB

MD5
ea129ae4e2eec913a0abb8a1860e383d

SHA1
cc11444a5348d0948ccfb353ddfc0199d4f79897

SHA256
faecfb7874997a37e0096fe2b4434fbc333d96797b6fa70b69b9d260365dc752

SHA512
88f2adbffa90bd21186c8818dab9e74884d401d7364c8c520e7884620ca9e24a403a1ca1f73c9d7ea2adbb33b0c3baf0fe6d35d8e134e2326449b06ba24d012a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu134620.exe

Filesize
361KB

MD5
dbd9429a188264660be8c2063838216e

SHA1
0755dfb277703fc264026eedffa4d6ce2f211536

SHA256
4fd3dfa285930f483efcc8694bbc41d006321540f053ff7b42a14d96ddd567a9

SHA512
60aabab3d8fc5e7833c6f4317d5f10aa8435743ec42411bed0c6911d28eb499a39cd9a674d0b23689d84922c0e473020043be28e9fc22d70af24285c8cc7e513

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu134620.exe

Filesize
361KB

MD5
dbd9429a188264660be8c2063838216e

SHA1
0755dfb277703fc264026eedffa4d6ce2f211536

SHA256
4fd3dfa285930f483efcc8694bbc41d006321540f053ff7b42a14d96ddd567a9

SHA512
60aabab3d8fc5e7833c6f4317d5f10aa8435743ec42411bed0c6911d28eb499a39cd9a674d0b23689d84922c0e473020043be28e9fc22d70af24285c8cc7e513

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu134620.exe

Filesize
361KB

MD5
dbd9429a188264660be8c2063838216e

SHA1
0755dfb277703fc264026eedffa4d6ce2f211536

SHA256
4fd3dfa285930f483efcc8694bbc41d006321540f053ff7b42a14d96ddd567a9

SHA512
60aabab3d8fc5e7833c6f4317d5f10aa8435743ec42411bed0c6911d28eb499a39cd9a674d0b23689d84922c0e473020043be28e9fc22d70af24285c8cc7e513

Download Submit
memory/524-112-0x0000000007160000-0x00000000071A0000-memory.dmp

Filesize
256KB

Download
memory/524-86-0x0000000004870000-0x0000000004882000-memory.dmp

Filesize
72KB

Download
memory/524-88-0x0000000004870000-0x0000000004882000-memory.dmp

Filesize
72KB

Download
memory/524-90-0x0000000004870000-0x0000000004882000-memory.dmp

Filesize
72KB

Download
memory/524-92-0x0000000004870000-0x0000000004882000-memory.dmp

Filesize
72KB

Download
memory/524-94-0x0000000004870000-0x0000000004882000-memory.dmp

Filesize
72KB

Download
memory/524-96-0x0000000004870000-0x0000000004882000-memory.dmp

Filesize
72KB

Download
memory/524-98-0x0000000004870000-0x0000000004882000-memory.dmp

Filesize
72KB

Download
memory/524-100-0x0000000004870000-0x0000000004882000-memory.dmp

Filesize
72KB

Download
memory/524-102-0x0000000004870000-0x0000000004882000-memory.dmp

Filesize
72KB

Download
memory/524-104-0x0000000004870000-0x0000000004882000-memory.dmp

Filesize
72KB

Download
memory/524-106-0x0000000004870000-0x0000000004882000-memory.dmp

Filesize
72KB

Download
memory/524-108-0x0000000004870000-0x0000000004882000-memory.dmp

Filesize
72KB

Download
memory/524-110-0x0000000004870000-0x0000000004882000-memory.dmp

Filesize
72KB

Download
memory/524-111-0x0000000000400000-0x0000000002BAF000-memory.dmp

Filesize
39.7MB

Download
memory/524-113-0x0000000007160000-0x00000000071A0000-memory.dmp

Filesize
256KB

Download
memory/524-84-0x0000000004870000-0x0000000004882000-memory.dmp

Filesize
72KB

Download
memory/524-114-0x0000000007160000-0x00000000071A0000-memory.dmp

Filesize
256KB

Download
memory/524-116-0x0000000000400000-0x0000000002BAF000-memory.dmp

Filesize
39.7MB

Download
memory/524-83-0x0000000004870000-0x0000000004882000-memory.dmp

Filesize
72KB

Download
memory/524-82-0x0000000004870000-0x0000000004888000-memory.dmp

Filesize
96KB

Download
memory/524-79-0x0000000000280000-0x00000000002AD000-memory.dmp

Filesize
180KB

Download
memory/524-81-0x0000000007160000-0x00000000071A0000-memory.dmp

Filesize
256KB

Download
memory/524-80-0x0000000007160000-0x00000000071A0000-memory.dmp

Filesize
256KB

Download
memory/524-78-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/812-127-0x0000000004C10000-0x0000000004C4C000-memory.dmp

Filesize
240KB

Download
memory/812-128-0x0000000007050000-0x000000000708A000-memory.dmp

Filesize
232KB

Download
memory/812-129-0x0000000007050000-0x0000000007085000-memory.dmp

Filesize
212KB

Download
memory/812-130-0x0000000007050000-0x0000000007085000-memory.dmp

Filesize
212KB

Download
memory/812-132-0x0000000007050000-0x0000000007085000-memory.dmp

Filesize
212KB

Download
memory/812-134-0x00000000070B0000-0x00000000070F0000-memory.dmp

Filesize
256KB

Download
memory/812-133-0x0000000002C00000-0x0000000002C46000-memory.dmp

Filesize
280KB

Download
memory/812-137-0x00000000070B0000-0x00000000070F0000-memory.dmp

Filesize
256KB

Download
memory/812-136-0x0000000007050000-0x0000000007085000-memory.dmp

Filesize
212KB

Download
memory/812-139-0x0000000007050000-0x0000000007085000-memory.dmp

Filesize
212KB

Download
memory/812-141-0x0000000007050000-0x0000000007085000-memory.dmp

Filesize
212KB

Download
memory/812-143-0x0000000007050000-0x0000000007085000-memory.dmp

Filesize
212KB

Download
memory/812-145-0x0000000007050000-0x0000000007085000-memory.dmp

Filesize
212KB

Download
memory/812-147-0x0000000007050000-0x0000000007085000-memory.dmp

Filesize
212KB

Download
memory/812-149-0x0000000007050000-0x0000000007085000-memory.dmp

Filesize
212KB

Download
memory/812-151-0x0000000007050000-0x0000000007085000-memory.dmp

Filesize
212KB

Download
memory/812-153-0x0000000007050000-0x0000000007085000-memory.dmp

Filesize
212KB

Download
memory/812-157-0x0000000007050000-0x0000000007085000-memory.dmp

Filesize
212KB

Download
memory/812-155-0x0000000007050000-0x0000000007085000-memory.dmp

Filesize
212KB

Download
memory/812-159-0x0000000007050000-0x0000000007085000-memory.dmp

Filesize
212KB

Download
memory/812-161-0x0000000007050000-0x0000000007085000-memory.dmp

Filesize
212KB

Download
memory/812-163-0x0000000007050000-0x0000000007085000-memory.dmp

Filesize
212KB

Download
memory/812-924-0x00000000070B0000-0x00000000070F0000-memory.dmp

Filesize
256KB

Download
memory/812-926-0x00000000070B0000-0x00000000070F0000-memory.dmp

Filesize
256KB

Download
memory/812-927-0x00000000070B0000-0x00000000070F0000-memory.dmp

Filesize
256KB

Download
memory/812-929-0x00000000070B0000-0x00000000070F0000-memory.dmp

Filesize
256KB

Download