0b7b42fd42728db6d0409004e3bd74d73d313b7920288eff065d0fde7b7eb22a

Analysis

max time kernel
165s
max time network
167s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b7b42fd42728db6d0409004e3bd74d73d313b7920288eff065d0fde7b7eb22a.exe
Size

674KB
MD5

9e8fd0830e1265b764437ac139e3b085
SHA1

c5b70f6ed15bac86b686f4ed1a71a47c8347c872
SHA256

0b7b42fd42728db6d0409004e3bd74d73d313b7920288eff065d0fde7b7eb22a
SHA512

b0d1eadc5de3d79847ec45843e6725bd4f66add3909d4383acf66a9dd9b1259561718a480b316692e60e667b1fb5b40a8e30f2d1e8f5c4f4b532e894a53edfd8
SSDEEP

12288:Py90/QVglLHBnvP48yTtJaPj3IMogFiluZUfxjGzTXMiJIm:PyA0glbB48yTtJaPd3muZyxjGzHr

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	19172331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	19172331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	19172331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	19172331.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	19172331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	19172331.exe

Executes dropped EXE 3 IoCs

pid	Process
1956	st978037.exe
296	19172331.exe
1748	kp218586.exe

Loads dropped DLL 7 IoCs

pid	Process
2012	0b7b42fd42728db6d0409004e3bd74d73d313b7920288eff065d0fde7b7eb22a.exe
1956	st978037.exe
1956	st978037.exe
296	19172331.exe
1956	st978037.exe
1956	st978037.exe
1748	kp218586.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	19172331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	19172331.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0b7b42fd42728db6d0409004e3bd74d73d313b7920288eff065d0fde7b7eb22a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0b7b42fd42728db6d0409004e3bd74d73d313b7920288eff065d0fde7b7eb22a.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	st978037.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st978037.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
296	19172331.exe
296	19172331.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	296	19172331.exe
Token: SeDebugPrivilege	1748	kp218586.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1956	2012	0b7b42fd42728db6d0409004e3bd74d73d313b7920288eff065d0fde7b7eb22a.exe	28
PID 2012 wrote to memory of 1956	2012	0b7b42fd42728db6d0409004e3bd74d73d313b7920288eff065d0fde7b7eb22a.exe	28
PID 2012 wrote to memory of 1956	2012	0b7b42fd42728db6d0409004e3bd74d73d313b7920288eff065d0fde7b7eb22a.exe	28
PID 2012 wrote to memory of 1956	2012	0b7b42fd42728db6d0409004e3bd74d73d313b7920288eff065d0fde7b7eb22a.exe	28
PID 2012 wrote to memory of 1956	2012	0b7b42fd42728db6d0409004e3bd74d73d313b7920288eff065d0fde7b7eb22a.exe	28
PID 2012 wrote to memory of 1956	2012	0b7b42fd42728db6d0409004e3bd74d73d313b7920288eff065d0fde7b7eb22a.exe	28
PID 2012 wrote to memory of 1956	2012	0b7b42fd42728db6d0409004e3bd74d73d313b7920288eff065d0fde7b7eb22a.exe	28
PID 1956 wrote to memory of 296	1956	st978037.exe	29
PID 1956 wrote to memory of 296	1956	st978037.exe	29
PID 1956 wrote to memory of 296	1956	st978037.exe	29
PID 1956 wrote to memory of 296	1956	st978037.exe	29
PID 1956 wrote to memory of 296	1956	st978037.exe	29
PID 1956 wrote to memory of 296	1956	st978037.exe	29
PID 1956 wrote to memory of 296	1956	st978037.exe	29
PID 1956 wrote to memory of 1748	1956	st978037.exe	30
PID 1956 wrote to memory of 1748	1956	st978037.exe	30
PID 1956 wrote to memory of 1748	1956	st978037.exe	30
PID 1956 wrote to memory of 1748	1956	st978037.exe	30
PID 1956 wrote to memory of 1748	1956	st978037.exe	30
PID 1956 wrote to memory of 1748	1956	st978037.exe	30
PID 1956 wrote to memory of 1748	1956	st978037.exe	30

C:\Users\Admin\AppData\Local\Temp\0b7b42fd42728db6d0409004e3bd74d73d313b7920288eff065d0fde7b7eb22a.exe
"C:\Users\Admin\AppData\Local\Temp\0b7b42fd42728db6d0409004e3bd74d73d313b7920288eff065d0fde7b7eb22a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st978037.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st978037.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\19172331.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\19172331.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:296
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp218586.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp218586.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st978037.exe

Filesize
519KB

MD5
b1f815a16ef1eca6e5fb06d88d4c84ed

SHA1
b45f5daf9dca7c7f3b3b456b811abdcc5f8cac34

SHA256
b9de376dee820dd8863fcfdfdf69fe43d620cc1b4ecb8e199fcda706d94b407b

SHA512
eecc5ea2c807ca8dfe70928fe241436fb261e6d28966feafdecf1625703d0389c96d356e007d2bc8356430d0f06324af4e60117f1caf033f7ce3f9a5c43368c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st978037.exe

Filesize
519KB

MD5
b1f815a16ef1eca6e5fb06d88d4c84ed

SHA1
b45f5daf9dca7c7f3b3b456b811abdcc5f8cac34

SHA256
b9de376dee820dd8863fcfdfdf69fe43d620cc1b4ecb8e199fcda706d94b407b

SHA512
eecc5ea2c807ca8dfe70928fe241436fb261e6d28966feafdecf1625703d0389c96d356e007d2bc8356430d0f06324af4e60117f1caf033f7ce3f9a5c43368c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\19172331.exe

Filesize
175KB

MD5
9d4add875dfead77dafad6ba1baf12a6

SHA1
5185346becfe09c40b232ea61ffe49969040d6cb

SHA256
1e2fe5bfba401cee4b289110a6d9c1574eca2c30b3d65864a70fde5f707c8a52

SHA512
c0d73b8778be0965c5989056e5fcc0cbcf068ea509211756854ab259d819e6aaf3438389653a7b5377e9d51fcde83d4c2ea63a8abd37886d92e99837a1c48196

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\19172331.exe

Filesize
175KB

MD5
9d4add875dfead77dafad6ba1baf12a6

SHA1
5185346becfe09c40b232ea61ffe49969040d6cb

SHA256
1e2fe5bfba401cee4b289110a6d9c1574eca2c30b3d65864a70fde5f707c8a52

SHA512
c0d73b8778be0965c5989056e5fcc0cbcf068ea509211756854ab259d819e6aaf3438389653a7b5377e9d51fcde83d4c2ea63a8abd37886d92e99837a1c48196

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp218586.exe

Filesize
415KB

MD5
d4ca4bb60b473c572aef4d22ef27905d

SHA1
32a7cde5c6dde42abab8ca25f9859465f7e1e1a1

SHA256
07b0d28b82d7d5f9b61db1dd9439728da1aed0913f50b6fcdbb55d9aa6084f8f

SHA512
af42c21b0d6753033bfb85fc64ffdadc2919711dc4ffafd97291a580af41f9d31c7de93d4642c93a7a07996402c5eb237795f8fc1b8d6566d4a716303bfe0b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp218586.exe

Filesize
415KB

MD5
d4ca4bb60b473c572aef4d22ef27905d

SHA1
32a7cde5c6dde42abab8ca25f9859465f7e1e1a1

SHA256
07b0d28b82d7d5f9b61db1dd9439728da1aed0913f50b6fcdbb55d9aa6084f8f

SHA512
af42c21b0d6753033bfb85fc64ffdadc2919711dc4ffafd97291a580af41f9d31c7de93d4642c93a7a07996402c5eb237795f8fc1b8d6566d4a716303bfe0b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp218586.exe

Filesize
415KB

MD5
d4ca4bb60b473c572aef4d22ef27905d

SHA1
32a7cde5c6dde42abab8ca25f9859465f7e1e1a1

SHA256
07b0d28b82d7d5f9b61db1dd9439728da1aed0913f50b6fcdbb55d9aa6084f8f

SHA512
af42c21b0d6753033bfb85fc64ffdadc2919711dc4ffafd97291a580af41f9d31c7de93d4642c93a7a07996402c5eb237795f8fc1b8d6566d4a716303bfe0b05

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st978037.exe

Filesize
519KB

MD5
b1f815a16ef1eca6e5fb06d88d4c84ed

SHA1
b45f5daf9dca7c7f3b3b456b811abdcc5f8cac34

SHA256
b9de376dee820dd8863fcfdfdf69fe43d620cc1b4ecb8e199fcda706d94b407b

SHA512
eecc5ea2c807ca8dfe70928fe241436fb261e6d28966feafdecf1625703d0389c96d356e007d2bc8356430d0f06324af4e60117f1caf033f7ce3f9a5c43368c2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st978037.exe

Filesize
519KB

MD5
b1f815a16ef1eca6e5fb06d88d4c84ed

SHA1
b45f5daf9dca7c7f3b3b456b811abdcc5f8cac34

SHA256
b9de376dee820dd8863fcfdfdf69fe43d620cc1b4ecb8e199fcda706d94b407b

SHA512
eecc5ea2c807ca8dfe70928fe241436fb261e6d28966feafdecf1625703d0389c96d356e007d2bc8356430d0f06324af4e60117f1caf033f7ce3f9a5c43368c2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\19172331.exe

Filesize
175KB

MD5
9d4add875dfead77dafad6ba1baf12a6

SHA1
5185346becfe09c40b232ea61ffe49969040d6cb

SHA256
1e2fe5bfba401cee4b289110a6d9c1574eca2c30b3d65864a70fde5f707c8a52

SHA512
c0d73b8778be0965c5989056e5fcc0cbcf068ea509211756854ab259d819e6aaf3438389653a7b5377e9d51fcde83d4c2ea63a8abd37886d92e99837a1c48196

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\19172331.exe

Filesize
175KB

MD5
9d4add875dfead77dafad6ba1baf12a6

SHA1
5185346becfe09c40b232ea61ffe49969040d6cb

SHA256
1e2fe5bfba401cee4b289110a6d9c1574eca2c30b3d65864a70fde5f707c8a52

SHA512
c0d73b8778be0965c5989056e5fcc0cbcf068ea509211756854ab259d819e6aaf3438389653a7b5377e9d51fcde83d4c2ea63a8abd37886d92e99837a1c48196

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp218586.exe

Filesize
415KB

MD5
d4ca4bb60b473c572aef4d22ef27905d

SHA1
32a7cde5c6dde42abab8ca25f9859465f7e1e1a1

SHA256
07b0d28b82d7d5f9b61db1dd9439728da1aed0913f50b6fcdbb55d9aa6084f8f

SHA512
af42c21b0d6753033bfb85fc64ffdadc2919711dc4ffafd97291a580af41f9d31c7de93d4642c93a7a07996402c5eb237795f8fc1b8d6566d4a716303bfe0b05

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp218586.exe

Filesize
415KB

MD5
d4ca4bb60b473c572aef4d22ef27905d

SHA1
32a7cde5c6dde42abab8ca25f9859465f7e1e1a1

SHA256
07b0d28b82d7d5f9b61db1dd9439728da1aed0913f50b6fcdbb55d9aa6084f8f

SHA512
af42c21b0d6753033bfb85fc64ffdadc2919711dc4ffafd97291a580af41f9d31c7de93d4642c93a7a07996402c5eb237795f8fc1b8d6566d4a716303bfe0b05

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp218586.exe

Filesize
415KB

MD5
d4ca4bb60b473c572aef4d22ef27905d

SHA1
32a7cde5c6dde42abab8ca25f9859465f7e1e1a1

SHA256
07b0d28b82d7d5f9b61db1dd9439728da1aed0913f50b6fcdbb55d9aa6084f8f

SHA512
af42c21b0d6753033bfb85fc64ffdadc2919711dc4ffafd97291a580af41f9d31c7de93d4642c93a7a07996402c5eb237795f8fc1b8d6566d4a716303bfe0b05

Download Submit
memory/296-85-0x0000000000AF0000-0x0000000000B03000-memory.dmp

Filesize
76KB

Download
memory/296-83-0x0000000000AF0000-0x0000000000B03000-memory.dmp

Filesize
76KB

Download
memory/296-87-0x0000000000AF0000-0x0000000000B03000-memory.dmp

Filesize
76KB

Download
memory/296-89-0x0000000000AF0000-0x0000000000B03000-memory.dmp

Filesize
76KB

Download
memory/296-91-0x0000000000AF0000-0x0000000000B03000-memory.dmp

Filesize
76KB

Download
memory/296-93-0x0000000000AF0000-0x0000000000B03000-memory.dmp

Filesize
76KB

Download
memory/296-95-0x0000000000AF0000-0x0000000000B03000-memory.dmp

Filesize
76KB

Download
memory/296-97-0x0000000000AF0000-0x0000000000B03000-memory.dmp

Filesize
76KB

Download
memory/296-99-0x0000000000AF0000-0x0000000000B03000-memory.dmp

Filesize
76KB

Download
memory/296-101-0x0000000000AF0000-0x0000000000B03000-memory.dmp

Filesize
76KB

Download
memory/296-103-0x0000000000AF0000-0x0000000000B03000-memory.dmp

Filesize
76KB

Download
memory/296-105-0x00000000049D0000-0x0000000004A10000-memory.dmp

Filesize
256KB

Download
memory/296-104-0x00000000049D0000-0x0000000004A10000-memory.dmp

Filesize
256KB

Download
memory/296-106-0x00000000049D0000-0x0000000004A10000-memory.dmp

Filesize
256KB

Download
memory/296-81-0x0000000000AF0000-0x0000000000B03000-memory.dmp

Filesize
76KB

Download
memory/296-79-0x0000000000AF0000-0x0000000000B03000-memory.dmp

Filesize
76KB

Download
memory/296-77-0x0000000000AF0000-0x0000000000B03000-memory.dmp

Filesize
76KB

Download
memory/296-76-0x0000000000AF0000-0x0000000000B03000-memory.dmp

Filesize
76KB

Download
memory/296-75-0x0000000000AF0000-0x0000000000B08000-memory.dmp

Filesize
96KB

Download
memory/296-74-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/1748-120-0x0000000000C80000-0x0000000000CB5000-memory.dmp

Filesize
212KB

Download
memory/1748-140-0x0000000000C80000-0x0000000000CB5000-memory.dmp

Filesize
212KB

Download
memory/1748-119-0x0000000000C80000-0x0000000000CB5000-memory.dmp

Filesize
212KB

Download
memory/1748-117-0x0000000000C10000-0x0000000000C4C000-memory.dmp

Filesize
240KB

Download
memory/1748-122-0x0000000000C80000-0x0000000000CB5000-memory.dmp

Filesize
212KB

Download
memory/1748-124-0x0000000000C80000-0x0000000000CB5000-memory.dmp

Filesize
212KB

Download
memory/1748-126-0x0000000000C80000-0x0000000000CB5000-memory.dmp

Filesize
212KB

Download
memory/1748-128-0x0000000000C80000-0x0000000000CB5000-memory.dmp

Filesize
212KB

Download
memory/1748-130-0x0000000000C80000-0x0000000000CB5000-memory.dmp

Filesize
212KB

Download
memory/1748-132-0x0000000000C80000-0x0000000000CB5000-memory.dmp

Filesize
212KB

Download
memory/1748-134-0x0000000000C80000-0x0000000000CB5000-memory.dmp

Filesize
212KB

Download
memory/1748-136-0x0000000000C80000-0x0000000000CB5000-memory.dmp

Filesize
212KB

Download
memory/1748-138-0x0000000000C80000-0x0000000000CB5000-memory.dmp

Filesize
212KB

Download
memory/1748-118-0x0000000000C80000-0x0000000000CBA000-memory.dmp

Filesize
232KB

Download
memory/1748-142-0x0000000000C80000-0x0000000000CB5000-memory.dmp

Filesize
212KB

Download
memory/1748-144-0x0000000000C80000-0x0000000000CB5000-memory.dmp

Filesize
212KB

Download
memory/1748-146-0x0000000000C80000-0x0000000000CB5000-memory.dmp

Filesize
212KB

Download
memory/1748-148-0x0000000000C80000-0x0000000000CB5000-memory.dmp

Filesize
212KB

Download
memory/1748-150-0x0000000000C80000-0x0000000000CB5000-memory.dmp

Filesize
212KB

Download
memory/1748-152-0x0000000000C80000-0x0000000000CB5000-memory.dmp

Filesize
212KB

Download
memory/1748-154-0x0000000000C80000-0x0000000000CB5000-memory.dmp

Filesize
212KB

Download
memory/1748-397-0x0000000000290000-0x00000000002D6000-memory.dmp

Filesize
280KB

Download
memory/1748-399-0x0000000002250000-0x0000000002290000-memory.dmp

Filesize
256KB

Download
memory/1748-913-0x0000000002250000-0x0000000002290000-memory.dmp

Filesize
256KB

Download
memory/1748-915-0x0000000002250000-0x0000000002290000-memory.dmp

Filesize
256KB

Download
memory/1748-917-0x0000000002250000-0x0000000002290000-memory.dmp

Filesize
256KB

Download