0eda81f5fc744303ed307a010e3502ac1091660b910cced4e184c119d906bad5

General

Target

0eda81f5fc744303ed307a010e3502ac1091660b910cced4e184c119d906bad5.exe
Size

940KB
MD5

2c47261c8ce5ab695f52845407dc317b
SHA1

95ff9e1d123e35ccb36b4c6287f038a909ead797
SHA256

0eda81f5fc744303ed307a010e3502ac1091660b910cced4e184c119d906bad5
SHA512

cfa58c334e945d98ae4d3897e099a9a64747821d1a50f15e7dbec2c0581029625c7db6a7962972d0dc6ad065b2214222d126f6f7be8d427e3403493d467e711a
SSDEEP

24576:PysTIoSu9668yN3K4HeDxdOeQMaDg9DdPQFY18juPtKC:asMa6zA3ZHKlQdgFOYKCV

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	83486999.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	83486999.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	83486999.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	w52Gr17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	w52Gr17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	83486999.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	83486999.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	83486999.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	w52Gr17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	w52Gr17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	w52Gr17.exe

Executes dropped EXE 4 IoCs

pid	Process
3176	za705661.exe
5052	za538065.exe
4996	83486999.exe
4792	w52Gr17.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	83486999.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	83486999.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	w52Gr17.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0eda81f5fc744303ed307a010e3502ac1091660b910cced4e184c119d906bad5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za705661.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za705661.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za538065.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za538065.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0eda81f5fc744303ed307a010e3502ac1091660b910cced4e184c119d906bad5.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4996	83486999.exe
4996	83486999.exe
4792	w52Gr17.exe
4792	w52Gr17.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4996	83486999.exe
Token: SeDebugPrivilege	4792	w52Gr17.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 3176	5100	0eda81f5fc744303ed307a010e3502ac1091660b910cced4e184c119d906bad5.exe	80
PID 5100 wrote to memory of 3176	5100	0eda81f5fc744303ed307a010e3502ac1091660b910cced4e184c119d906bad5.exe	80
PID 5100 wrote to memory of 3176	5100	0eda81f5fc744303ed307a010e3502ac1091660b910cced4e184c119d906bad5.exe	80
PID 3176 wrote to memory of 5052	3176	za705661.exe	81
PID 3176 wrote to memory of 5052	3176	za705661.exe	81
PID 3176 wrote to memory of 5052	3176	za705661.exe	81
PID 5052 wrote to memory of 4996	5052	za538065.exe	82
PID 5052 wrote to memory of 4996	5052	za538065.exe	82
PID 5052 wrote to memory of 4996	5052	za538065.exe	82
PID 5052 wrote to memory of 4792	5052	za538065.exe	85
PID 5052 wrote to memory of 4792	5052	za538065.exe	85
PID 5052 wrote to memory of 4792	5052	za538065.exe	85

C:\Users\Admin\AppData\Local\Temp\0eda81f5fc744303ed307a010e3502ac1091660b910cced4e184c119d906bad5.exe
"C:\Users\Admin\AppData\Local\Temp\0eda81f5fc744303ed307a010e3502ac1091660b910cced4e184c119d906bad5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za705661.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za705661.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za538065.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za538065.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5052
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\83486999.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\83486999.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4996
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w52Gr17.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w52Gr17.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4792 -ip 4792
1⤵
PID:4932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za705661.exe

Filesize
588KB

MD5
0d50e7f89307fdacc317d26c90da1efc

SHA1
c8550ef8c4583acacabc7a8be2df950bd610d91f

SHA256
17088650ae697ecba4e2c8588364a698002dc99dccd2d92c6fe694169cdea314

SHA512
299d322367d8dbca3b8c43be24777ae59acc194031315f4af9c4a14a1a7dc0fdd363173f1d446be34b4d3da76aece5a6b7a0cd8efa3b6859106bbc2161e4c0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za705661.exe

Filesize
588KB

MD5
0d50e7f89307fdacc317d26c90da1efc

SHA1
c8550ef8c4583acacabc7a8be2df950bd610d91f

SHA256
17088650ae697ecba4e2c8588364a698002dc99dccd2d92c6fe694169cdea314

SHA512
299d322367d8dbca3b8c43be24777ae59acc194031315f4af9c4a14a1a7dc0fdd363173f1d446be34b4d3da76aece5a6b7a0cd8efa3b6859106bbc2161e4c0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za538065.exe

Filesize
405KB

MD5
893d40775b3f86296cd6f1196f4cdc28

SHA1
9435c8d6c40d028a349d15b2c5e680cfeb8bf987

SHA256
3d90395c983c479febb07aa98a9f71c90d2497373584e2a5dfbe0015faae0f7e

SHA512
d14ff434e7691d3ea72782f240bf313a036cf76afb1806d2db053b7ba76abd3c7d2e605f12ae7fa064b1a66f60762f7804e3cd6074a279d40ebec78402b624c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za538065.exe

Filesize
405KB

MD5
893d40775b3f86296cd6f1196f4cdc28

SHA1
9435c8d6c40d028a349d15b2c5e680cfeb8bf987

SHA256
3d90395c983c479febb07aa98a9f71c90d2497373584e2a5dfbe0015faae0f7e

SHA512
d14ff434e7691d3ea72782f240bf313a036cf76afb1806d2db053b7ba76abd3c7d2e605f12ae7fa064b1a66f60762f7804e3cd6074a279d40ebec78402b624c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\83486999.exe

Filesize
176KB

MD5
2b71f4b18ac8214a2bff547b6ce2f64f

SHA1
b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5

SHA256
f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc

SHA512
33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\83486999.exe

Filesize
176KB

MD5
2b71f4b18ac8214a2bff547b6ce2f64f

SHA1
b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5

SHA256
f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc

SHA512
33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w52Gr17.exe

Filesize
258KB

MD5
d2bba98b0b9056fdfb6feb7d2361e686

SHA1
fe6188c0da12a41db6ae33e80bc32161923c4a9e

SHA256
5a843652d7d214c8e8d9e2f98f5c9d4eabdd2b7b9810596d31c9795d450cd929

SHA512
5c6c4dd653cec43dd8d6fc8a29b0f397c2a642cf7a8bcdef7d65efc1f8845d87a2f05683ea4771301b928eb9de217dcf9c42b15dee78fe824cb0592c77d06e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w52Gr17.exe

Filesize
258KB

MD5
d2bba98b0b9056fdfb6feb7d2361e686

SHA1
fe6188c0da12a41db6ae33e80bc32161923c4a9e

SHA256
5a843652d7d214c8e8d9e2f98f5c9d4eabdd2b7b9810596d31c9795d450cd929

SHA512
5c6c4dd653cec43dd8d6fc8a29b0f397c2a642cf7a8bcdef7d65efc1f8845d87a2f05683ea4771301b928eb9de217dcf9c42b15dee78fe824cb0592c77d06e90

Download Submit
memory/4792-229-0x0000000007400000-0x0000000007410000-memory.dmp

Filesize
64KB

Download
memory/4792-227-0x0000000007400000-0x0000000007410000-memory.dmp

Filesize
64KB

Download
memory/4792-226-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/4792-225-0x0000000007400000-0x0000000007410000-memory.dmp

Filesize
64KB

Download
memory/4792-224-0x0000000007400000-0x0000000007410000-memory.dmp

Filesize
64KB

Download
memory/4792-223-0x0000000007400000-0x0000000007410000-memory.dmp

Filesize
64KB

Download
memory/4792-222-0x0000000002CD0000-0x0000000002CFD000-memory.dmp

Filesize
180KB

Download
memory/4792-228-0x0000000007400000-0x0000000007410000-memory.dmp

Filesize
64KB

Download
memory/4792-231-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/4996-173-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/4996-169-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/4996-175-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/4996-177-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/4996-179-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/4996-181-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/4996-183-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/4996-185-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/4996-186-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/4996-187-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/4996-188-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/4996-171-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/4996-167-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/4996-165-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/4996-163-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/4996-161-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/4996-159-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/4996-158-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/4996-157-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/4996-156-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/4996-155-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/4996-154-0x0000000004C20000-0x00000000051C4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads