08ad5c39e970dc51f385ea10e0052cf0af55d2a9ab4b0598ebf34256b4bdac4b

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 20:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

08ad5c39e970dc51f385ea10e0052cf0af55d2a9ab4b0598ebf34256b4bdac4b.exe
Size

695KB
MD5

ec03d334f391fd3c47ee497e3cc88dc8
SHA1

34c2363187fe63e3b54ed710519d2d107151f52a
SHA256

08ad5c39e970dc51f385ea10e0052cf0af55d2a9ab4b0598ebf34256b4bdac4b
SHA512

1127904044ff6536d631507f6533f1b3429eb0fd9f3af9287beea07b7ee8b95d54d74fd57b2ae7b402e179f9415e35f4ed4352f6732653f4dcbc146ae8319af8
SSDEEP

12288:ey90n030fDEqDc+/6L/+tZ9CON+i16OzNOc+Wj6Ud18bAKPA+WoxybYlaH6:ey8uADEqQBL/+tXCDsL6Ud18bAYbxyTa

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	76662398.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	76662398.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	76662398.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	76662398.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	76662398.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	76662398.exe

Executes dropped EXE 3 IoCs

pid	Process
2040	un602207.exe
1492	76662398.exe
704	rk064779.exe

Loads dropped DLL 8 IoCs

pid	Process
1252	08ad5c39e970dc51f385ea10e0052cf0af55d2a9ab4b0598ebf34256b4bdac4b.exe
2040	un602207.exe
2040	un602207.exe
2040	un602207.exe
1492	76662398.exe
2040	un602207.exe
2040	un602207.exe
704	rk064779.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	76662398.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	76662398.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	08ad5c39e970dc51f385ea10e0052cf0af55d2a9ab4b0598ebf34256b4bdac4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	08ad5c39e970dc51f385ea10e0052cf0af55d2a9ab4b0598ebf34256b4bdac4b.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un602207.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un602207.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1492	76662398.exe
1492	76662398.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1492	76662398.exe
Token: SeDebugPrivilege	704	rk064779.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 2040	1252	08ad5c39e970dc51f385ea10e0052cf0af55d2a9ab4b0598ebf34256b4bdac4b.exe	28
PID 1252 wrote to memory of 2040	1252	08ad5c39e970dc51f385ea10e0052cf0af55d2a9ab4b0598ebf34256b4bdac4b.exe	28
PID 1252 wrote to memory of 2040	1252	08ad5c39e970dc51f385ea10e0052cf0af55d2a9ab4b0598ebf34256b4bdac4b.exe	28
PID 1252 wrote to memory of 2040	1252	08ad5c39e970dc51f385ea10e0052cf0af55d2a9ab4b0598ebf34256b4bdac4b.exe	28
PID 1252 wrote to memory of 2040	1252	08ad5c39e970dc51f385ea10e0052cf0af55d2a9ab4b0598ebf34256b4bdac4b.exe	28
PID 1252 wrote to memory of 2040	1252	08ad5c39e970dc51f385ea10e0052cf0af55d2a9ab4b0598ebf34256b4bdac4b.exe	28
PID 1252 wrote to memory of 2040	1252	08ad5c39e970dc51f385ea10e0052cf0af55d2a9ab4b0598ebf34256b4bdac4b.exe	28
PID 2040 wrote to memory of 1492	2040	un602207.exe	29
PID 2040 wrote to memory of 1492	2040	un602207.exe	29
PID 2040 wrote to memory of 1492	2040	un602207.exe	29
PID 2040 wrote to memory of 1492	2040	un602207.exe	29
PID 2040 wrote to memory of 1492	2040	un602207.exe	29
PID 2040 wrote to memory of 1492	2040	un602207.exe	29
PID 2040 wrote to memory of 1492	2040	un602207.exe	29
PID 2040 wrote to memory of 704	2040	un602207.exe	30
PID 2040 wrote to memory of 704	2040	un602207.exe	30
PID 2040 wrote to memory of 704	2040	un602207.exe	30
PID 2040 wrote to memory of 704	2040	un602207.exe	30
PID 2040 wrote to memory of 704	2040	un602207.exe	30
PID 2040 wrote to memory of 704	2040	un602207.exe	30
PID 2040 wrote to memory of 704	2040	un602207.exe	30

C:\Users\Admin\AppData\Local\Temp\08ad5c39e970dc51f385ea10e0052cf0af55d2a9ab4b0598ebf34256b4bdac4b.exe
"C:\Users\Admin\AppData\Local\Temp\08ad5c39e970dc51f385ea10e0052cf0af55d2a9ab4b0598ebf34256b4bdac4b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un602207.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un602207.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\76662398.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\76662398.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1492
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk064779.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk064779.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un602207.exe

Filesize
541KB

MD5
73d8e6fa9f2cf6a8a2e482ec15e119e9

SHA1
dce44f9dfb9cd4af3c75526dfb4a458739a68222

SHA256
8fabec85188c6542fc4b1ee3888310f99d3ae1afcb6d989fb908dc498dd84fe6

SHA512
3fd6b815d5f9160773e3189b23e07b322bd83085949a244a35c1299e1ac54edf291cfeb37af58d7a3649567ee272ffe7c9d45bc57af31b29bd638c2c0a4dcf51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un602207.exe

Filesize
541KB

MD5
73d8e6fa9f2cf6a8a2e482ec15e119e9

SHA1
dce44f9dfb9cd4af3c75526dfb4a458739a68222

SHA256
8fabec85188c6542fc4b1ee3888310f99d3ae1afcb6d989fb908dc498dd84fe6

SHA512
3fd6b815d5f9160773e3189b23e07b322bd83085949a244a35c1299e1ac54edf291cfeb37af58d7a3649567ee272ffe7c9d45bc57af31b29bd638c2c0a4dcf51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\76662398.exe

Filesize
258KB

MD5
6affe6cde4ab3f6340db77f3cab4ab0c

SHA1
d44ca145c1885ddb96e4bdad1099452e12b0363e

SHA256
48d63a871cd5b1b20424b12a0c0b0a66fc32a728a43d6410be367bc9824cfb5d

SHA512
3aefe8671a715a776ef75617752c70d14dcaccb4790becc683a37055c91f4ae6f01aeabc39e169fd98299855e180bd791af1f02dca467afbd4e283e3ead546be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\76662398.exe

Filesize
258KB

MD5
6affe6cde4ab3f6340db77f3cab4ab0c

SHA1
d44ca145c1885ddb96e4bdad1099452e12b0363e

SHA256
48d63a871cd5b1b20424b12a0c0b0a66fc32a728a43d6410be367bc9824cfb5d

SHA512
3aefe8671a715a776ef75617752c70d14dcaccb4790becc683a37055c91f4ae6f01aeabc39e169fd98299855e180bd791af1f02dca467afbd4e283e3ead546be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\76662398.exe

Filesize
258KB

MD5
6affe6cde4ab3f6340db77f3cab4ab0c

SHA1
d44ca145c1885ddb96e4bdad1099452e12b0363e

SHA256
48d63a871cd5b1b20424b12a0c0b0a66fc32a728a43d6410be367bc9824cfb5d

SHA512
3aefe8671a715a776ef75617752c70d14dcaccb4790becc683a37055c91f4ae6f01aeabc39e169fd98299855e180bd791af1f02dca467afbd4e283e3ead546be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk064779.exe

Filesize
340KB

MD5
2d48a562c157b48dcb27888bdb426e56

SHA1
d7ee01a321848e82ba1f1f9c36877757c694b4c3

SHA256
d21c4d4e531f8668e5c00229c8b7bd6d552600e7f26911591dc01d0ef06d7f36

SHA512
5df8481716c10f5130d407bef02d102559bf970eb2382ad960c45794cba59178829301363817f2892fde17fb989f8ddd00c0e0d71c68606544687bf4fb22eba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk064779.exe

Filesize
340KB

MD5
2d48a562c157b48dcb27888bdb426e56

SHA1
d7ee01a321848e82ba1f1f9c36877757c694b4c3

SHA256
d21c4d4e531f8668e5c00229c8b7bd6d552600e7f26911591dc01d0ef06d7f36

SHA512
5df8481716c10f5130d407bef02d102559bf970eb2382ad960c45794cba59178829301363817f2892fde17fb989f8ddd00c0e0d71c68606544687bf4fb22eba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk064779.exe

Filesize
340KB

MD5
2d48a562c157b48dcb27888bdb426e56

SHA1
d7ee01a321848e82ba1f1f9c36877757c694b4c3

SHA256
d21c4d4e531f8668e5c00229c8b7bd6d552600e7f26911591dc01d0ef06d7f36

SHA512
5df8481716c10f5130d407bef02d102559bf970eb2382ad960c45794cba59178829301363817f2892fde17fb989f8ddd00c0e0d71c68606544687bf4fb22eba3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un602207.exe

Filesize
541KB

MD5
73d8e6fa9f2cf6a8a2e482ec15e119e9

SHA1
dce44f9dfb9cd4af3c75526dfb4a458739a68222

SHA256
8fabec85188c6542fc4b1ee3888310f99d3ae1afcb6d989fb908dc498dd84fe6

SHA512
3fd6b815d5f9160773e3189b23e07b322bd83085949a244a35c1299e1ac54edf291cfeb37af58d7a3649567ee272ffe7c9d45bc57af31b29bd638c2c0a4dcf51

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un602207.exe

Filesize
541KB

MD5
73d8e6fa9f2cf6a8a2e482ec15e119e9

SHA1
dce44f9dfb9cd4af3c75526dfb4a458739a68222

SHA256
8fabec85188c6542fc4b1ee3888310f99d3ae1afcb6d989fb908dc498dd84fe6

SHA512
3fd6b815d5f9160773e3189b23e07b322bd83085949a244a35c1299e1ac54edf291cfeb37af58d7a3649567ee272ffe7c9d45bc57af31b29bd638c2c0a4dcf51

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\76662398.exe

Filesize
258KB

MD5
6affe6cde4ab3f6340db77f3cab4ab0c

SHA1
d44ca145c1885ddb96e4bdad1099452e12b0363e

SHA256
48d63a871cd5b1b20424b12a0c0b0a66fc32a728a43d6410be367bc9824cfb5d

SHA512
3aefe8671a715a776ef75617752c70d14dcaccb4790becc683a37055c91f4ae6f01aeabc39e169fd98299855e180bd791af1f02dca467afbd4e283e3ead546be

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\76662398.exe

Filesize
258KB

MD5
6affe6cde4ab3f6340db77f3cab4ab0c

SHA1
d44ca145c1885ddb96e4bdad1099452e12b0363e

SHA256
48d63a871cd5b1b20424b12a0c0b0a66fc32a728a43d6410be367bc9824cfb5d

SHA512
3aefe8671a715a776ef75617752c70d14dcaccb4790becc683a37055c91f4ae6f01aeabc39e169fd98299855e180bd791af1f02dca467afbd4e283e3ead546be

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\76662398.exe

Filesize
258KB

MD5
6affe6cde4ab3f6340db77f3cab4ab0c

SHA1
d44ca145c1885ddb96e4bdad1099452e12b0363e

SHA256
48d63a871cd5b1b20424b12a0c0b0a66fc32a728a43d6410be367bc9824cfb5d

SHA512
3aefe8671a715a776ef75617752c70d14dcaccb4790becc683a37055c91f4ae6f01aeabc39e169fd98299855e180bd791af1f02dca467afbd4e283e3ead546be

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk064779.exe

Filesize
340KB

MD5
2d48a562c157b48dcb27888bdb426e56

SHA1
d7ee01a321848e82ba1f1f9c36877757c694b4c3

SHA256
d21c4d4e531f8668e5c00229c8b7bd6d552600e7f26911591dc01d0ef06d7f36

SHA512
5df8481716c10f5130d407bef02d102559bf970eb2382ad960c45794cba59178829301363817f2892fde17fb989f8ddd00c0e0d71c68606544687bf4fb22eba3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk064779.exe

Filesize
340KB

MD5
2d48a562c157b48dcb27888bdb426e56

SHA1
d7ee01a321848e82ba1f1f9c36877757c694b4c3

SHA256
d21c4d4e531f8668e5c00229c8b7bd6d552600e7f26911591dc01d0ef06d7f36

SHA512
5df8481716c10f5130d407bef02d102559bf970eb2382ad960c45794cba59178829301363817f2892fde17fb989f8ddd00c0e0d71c68606544687bf4fb22eba3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk064779.exe

Filesize
340KB

MD5
2d48a562c157b48dcb27888bdb426e56

SHA1
d7ee01a321848e82ba1f1f9c36877757c694b4c3

SHA256
d21c4d4e531f8668e5c00229c8b7bd6d552600e7f26911591dc01d0ef06d7f36

SHA512
5df8481716c10f5130d407bef02d102559bf970eb2382ad960c45794cba59178829301363817f2892fde17fb989f8ddd00c0e0d71c68606544687bf4fb22eba3

Download Submit
memory/704-140-0x0000000004920000-0x0000000004955000-memory.dmp

Filesize
212KB

Download
memory/704-144-0x0000000004920000-0x0000000004955000-memory.dmp

Filesize
212KB

Download
memory/704-924-0x0000000004770000-0x00000000047B0000-memory.dmp

Filesize
256KB

Download
memory/704-922-0x0000000004770000-0x00000000047B0000-memory.dmp

Filesize
256KB

Download
memory/704-920-0x0000000004770000-0x00000000047B0000-memory.dmp

Filesize
256KB

Download
memory/704-161-0x0000000004920000-0x0000000004955000-memory.dmp

Filesize
212KB

Download
memory/704-159-0x0000000004920000-0x0000000004955000-memory.dmp

Filesize
212KB

Download
memory/704-157-0x0000000004920000-0x0000000004955000-memory.dmp

Filesize
212KB

Download
memory/704-155-0x0000000004770000-0x00000000047B0000-memory.dmp

Filesize
256KB

Download
memory/704-153-0x0000000004770000-0x00000000047B0000-memory.dmp

Filesize
256KB

Download
memory/704-154-0x0000000004920000-0x0000000004955000-memory.dmp

Filesize
212KB

Download
memory/704-151-0x0000000000300000-0x0000000000346000-memory.dmp

Filesize
280KB

Download
memory/704-150-0x0000000004920000-0x0000000004955000-memory.dmp

Filesize
212KB

Download
memory/704-148-0x0000000004920000-0x0000000004955000-memory.dmp

Filesize
212KB

Download
memory/704-146-0x0000000004920000-0x0000000004955000-memory.dmp

Filesize
212KB

Download
memory/704-142-0x0000000004920000-0x0000000004955000-memory.dmp

Filesize
212KB

Download
memory/704-138-0x0000000004920000-0x0000000004955000-memory.dmp

Filesize
212KB

Download
memory/704-136-0x0000000004920000-0x0000000004955000-memory.dmp

Filesize
212KB

Download
memory/704-134-0x0000000004920000-0x0000000004955000-memory.dmp

Filesize
212KB

Download
memory/704-132-0x0000000004920000-0x0000000004955000-memory.dmp

Filesize
212KB

Download
memory/704-128-0x0000000004920000-0x0000000004955000-memory.dmp

Filesize
212KB

Download
memory/704-130-0x0000000004920000-0x0000000004955000-memory.dmp

Filesize
212KB

Download
memory/704-123-0x00000000048E0000-0x000000000491C000-memory.dmp

Filesize
240KB

Download
memory/704-124-0x0000000004920000-0x000000000495A000-memory.dmp

Filesize
232KB

Download
memory/704-125-0x0000000004920000-0x0000000004955000-memory.dmp

Filesize
212KB

Download
memory/704-126-0x0000000004920000-0x0000000004955000-memory.dmp

Filesize
212KB

Download
memory/1492-110-0x00000000071B0000-0x00000000071F0000-memory.dmp

Filesize
256KB

Download
memory/1492-109-0x00000000071B0000-0x00000000071F0000-memory.dmp

Filesize
256KB

Download
memory/1492-81-0x00000000047D0000-0x00000000047E3000-memory.dmp

Filesize
76KB

Download
memory/1492-82-0x00000000047D0000-0x00000000047E3000-memory.dmp

Filesize
76KB

Download
memory/1492-84-0x00000000047D0000-0x00000000047E3000-memory.dmp

Filesize
76KB

Download
memory/1492-86-0x00000000047D0000-0x00000000047E3000-memory.dmp

Filesize
76KB

Download
memory/1492-78-0x00000000002A0000-0x00000000002CD000-memory.dmp

Filesize
180KB

Download
memory/1492-112-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/1492-90-0x00000000047D0000-0x00000000047E3000-memory.dmp

Filesize
76KB

Download
memory/1492-108-0x00000000047D0000-0x00000000047E3000-memory.dmp

Filesize
76KB

Download
memory/1492-80-0x00000000047D0000-0x00000000047E8000-memory.dmp

Filesize
96KB

Download
memory/1492-79-0x00000000045C0000-0x00000000045DA000-memory.dmp

Filesize
104KB

Download
memory/1492-111-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/1492-104-0x00000000047D0000-0x00000000047E3000-memory.dmp

Filesize
76KB

Download
memory/1492-106-0x00000000047D0000-0x00000000047E3000-memory.dmp

Filesize
76KB

Download
memory/1492-100-0x00000000047D0000-0x00000000047E3000-memory.dmp

Filesize
76KB

Download
memory/1492-102-0x00000000047D0000-0x00000000047E3000-memory.dmp

Filesize
76KB

Download
memory/1492-96-0x00000000047D0000-0x00000000047E3000-memory.dmp

Filesize
76KB

Download
memory/1492-98-0x00000000047D0000-0x00000000047E3000-memory.dmp

Filesize
76KB

Download
memory/1492-92-0x00000000047D0000-0x00000000047E3000-memory.dmp

Filesize
76KB

Download
memory/1492-94-0x00000000047D0000-0x00000000047E3000-memory.dmp

Filesize
76KB

Download
memory/1492-88-0x00000000047D0000-0x00000000047E3000-memory.dmp

Filesize
76KB

Download