3211e374b732c8d73f42b7ae20317bc134a05dfead28e6dd8da425df5bd479cf

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3211e374b732c8d73f42b7ae20317bc134a05dfead28e6dd8da425df5bd479cf.exe
Size

747KB
MD5

72a896d421d41c5913d3a2e42fda4717
SHA1

e0bd15b47be605a799862d960a4c31cd0cf953ae
SHA256

3211e374b732c8d73f42b7ae20317bc134a05dfead28e6dd8da425df5bd479cf
SHA512

2bfba1e787411ce37b2cc0ffea1372d9f05e5733bb3babfa7b72730eda8d2ab36005a35514b87767fd02dd42ccb2e9984f963814e63c267150762cab9a3c15af
SSDEEP

12288:+y90foOt5rdmHdqt0UWffvUa5qTpTCSp7Dd3RqUiLW/f2dmFcVvPkwJOB:+yeoOt5JmHYtTWfXUa5qTcYp3tCwGm6q

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	11649037.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	11649037.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	11649037.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	11649037.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	11649037.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	11649037.exe

Executes dropped EXE 3 IoCs

pid	Process
1696	un828097.exe
580	11649037.exe
1628	rk895948.exe

Loads dropped DLL 8 IoCs

pid	Process
1312	3211e374b732c8d73f42b7ae20317bc134a05dfead28e6dd8da425df5bd479cf.exe
1696	un828097.exe
1696	un828097.exe
1696	un828097.exe
580	11649037.exe
1696	un828097.exe
1696	un828097.exe
1628	rk895948.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	11649037.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	11649037.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un828097.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3211e374b732c8d73f42b7ae20317bc134a05dfead28e6dd8da425df5bd479cf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3211e374b732c8d73f42b7ae20317bc134a05dfead28e6dd8da425df5bd479cf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un828097.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
580	11649037.exe
580	11649037.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	580	11649037.exe
Token: SeDebugPrivilege	1628	rk895948.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 1696	1312	3211e374b732c8d73f42b7ae20317bc134a05dfead28e6dd8da425df5bd479cf.exe	28
PID 1312 wrote to memory of 1696	1312	3211e374b732c8d73f42b7ae20317bc134a05dfead28e6dd8da425df5bd479cf.exe	28
PID 1312 wrote to memory of 1696	1312	3211e374b732c8d73f42b7ae20317bc134a05dfead28e6dd8da425df5bd479cf.exe	28
PID 1312 wrote to memory of 1696	1312	3211e374b732c8d73f42b7ae20317bc134a05dfead28e6dd8da425df5bd479cf.exe	28
PID 1312 wrote to memory of 1696	1312	3211e374b732c8d73f42b7ae20317bc134a05dfead28e6dd8da425df5bd479cf.exe	28
PID 1312 wrote to memory of 1696	1312	3211e374b732c8d73f42b7ae20317bc134a05dfead28e6dd8da425df5bd479cf.exe	28
PID 1312 wrote to memory of 1696	1312	3211e374b732c8d73f42b7ae20317bc134a05dfead28e6dd8da425df5bd479cf.exe	28
PID 1696 wrote to memory of 580	1696	un828097.exe	29
PID 1696 wrote to memory of 580	1696	un828097.exe	29
PID 1696 wrote to memory of 580	1696	un828097.exe	29
PID 1696 wrote to memory of 580	1696	un828097.exe	29
PID 1696 wrote to memory of 580	1696	un828097.exe	29
PID 1696 wrote to memory of 580	1696	un828097.exe	29
PID 1696 wrote to memory of 580	1696	un828097.exe	29
PID 1696 wrote to memory of 1628	1696	un828097.exe	30
PID 1696 wrote to memory of 1628	1696	un828097.exe	30
PID 1696 wrote to memory of 1628	1696	un828097.exe	30
PID 1696 wrote to memory of 1628	1696	un828097.exe	30
PID 1696 wrote to memory of 1628	1696	un828097.exe	30
PID 1696 wrote to memory of 1628	1696	un828097.exe	30
PID 1696 wrote to memory of 1628	1696	un828097.exe	30

C:\Users\Admin\AppData\Local\Temp\3211e374b732c8d73f42b7ae20317bc134a05dfead28e6dd8da425df5bd479cf.exe
"C:\Users\Admin\AppData\Local\Temp\3211e374b732c8d73f42b7ae20317bc134a05dfead28e6dd8da425df5bd479cf.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un828097.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un828097.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11649037.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11649037.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:580
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk895948.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk895948.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un828097.exe

Filesize
593KB

MD5
1e7264a9bd5729ba621602292d228771

SHA1
a2a5c96ae0e46a9bb67e51fa3e41ba82f63e7cb9

SHA256
e84473804cc3078208f3470ceee0d2c6bf7a0282cbab723bd67ad5565bc733cd

SHA512
228202418f909fe124f587565cadd2783d5c60f7a5b7ade194ec0b9985d391bd4c6522feebff6b2f185bf7109df2df7e30ad6e5488d1b8b954d6ed216e6331bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un828097.exe

Filesize
593KB

MD5
1e7264a9bd5729ba621602292d228771

SHA1
a2a5c96ae0e46a9bb67e51fa3e41ba82f63e7cb9

SHA256
e84473804cc3078208f3470ceee0d2c6bf7a0282cbab723bd67ad5565bc733cd

SHA512
228202418f909fe124f587565cadd2783d5c60f7a5b7ade194ec0b9985d391bd4c6522feebff6b2f185bf7109df2df7e30ad6e5488d1b8b954d6ed216e6331bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11649037.exe

Filesize
378KB

MD5
735f099981cdec9fcdf3dfc609cadd22

SHA1
2159c822a0501e44669ad1f29b3a9040e99f9d8f

SHA256
65c7572c4e22405c9f5350a7bfb53ef7c12563cfbb50f97d863bf2245e7b89a2

SHA512
8727cf63c86af4cfb5bf1c18bafa459547ce8b9cb704804f2e964fe30811b7bc11d4b8f254fe0f7192cb08eb2cdb2442b21ea820de234074a0c31184485a5306

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11649037.exe

Filesize
378KB

MD5
735f099981cdec9fcdf3dfc609cadd22

SHA1
2159c822a0501e44669ad1f29b3a9040e99f9d8f

SHA256
65c7572c4e22405c9f5350a7bfb53ef7c12563cfbb50f97d863bf2245e7b89a2

SHA512
8727cf63c86af4cfb5bf1c18bafa459547ce8b9cb704804f2e964fe30811b7bc11d4b8f254fe0f7192cb08eb2cdb2442b21ea820de234074a0c31184485a5306

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11649037.exe

Filesize
378KB

MD5
735f099981cdec9fcdf3dfc609cadd22

SHA1
2159c822a0501e44669ad1f29b3a9040e99f9d8f

SHA256
65c7572c4e22405c9f5350a7bfb53ef7c12563cfbb50f97d863bf2245e7b89a2

SHA512
8727cf63c86af4cfb5bf1c18bafa459547ce8b9cb704804f2e964fe30811b7bc11d4b8f254fe0f7192cb08eb2cdb2442b21ea820de234074a0c31184485a5306

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk895948.exe

Filesize
460KB

MD5
afba15ef8e8b2beeef56858a688af452

SHA1
ede5dfa71e16791fade92bffd63a3a894e26c098

SHA256
e615d124c01b3baf40cf50cb6f7af2b1ae57a4b6870a22f2899e5fd80174efef

SHA512
7ce361ddb29bd5bfa77f8ff901dbab6b762e57166f68affd3c34b08fa1468f42491ec143af53ae517bcca5a82ad7ddab784e89f1ffa30f25a9620986e983f540

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk895948.exe

Filesize
460KB

MD5
afba15ef8e8b2beeef56858a688af452

SHA1
ede5dfa71e16791fade92bffd63a3a894e26c098

SHA256
e615d124c01b3baf40cf50cb6f7af2b1ae57a4b6870a22f2899e5fd80174efef

SHA512
7ce361ddb29bd5bfa77f8ff901dbab6b762e57166f68affd3c34b08fa1468f42491ec143af53ae517bcca5a82ad7ddab784e89f1ffa30f25a9620986e983f540

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk895948.exe

Filesize
460KB

MD5
afba15ef8e8b2beeef56858a688af452

SHA1
ede5dfa71e16791fade92bffd63a3a894e26c098

SHA256
e615d124c01b3baf40cf50cb6f7af2b1ae57a4b6870a22f2899e5fd80174efef

SHA512
7ce361ddb29bd5bfa77f8ff901dbab6b762e57166f68affd3c34b08fa1468f42491ec143af53ae517bcca5a82ad7ddab784e89f1ffa30f25a9620986e983f540

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un828097.exe

Filesize
593KB

MD5
1e7264a9bd5729ba621602292d228771

SHA1
a2a5c96ae0e46a9bb67e51fa3e41ba82f63e7cb9

SHA256
e84473804cc3078208f3470ceee0d2c6bf7a0282cbab723bd67ad5565bc733cd

SHA512
228202418f909fe124f587565cadd2783d5c60f7a5b7ade194ec0b9985d391bd4c6522feebff6b2f185bf7109df2df7e30ad6e5488d1b8b954d6ed216e6331bc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un828097.exe

Filesize
593KB

MD5
1e7264a9bd5729ba621602292d228771

SHA1
a2a5c96ae0e46a9bb67e51fa3e41ba82f63e7cb9

SHA256
e84473804cc3078208f3470ceee0d2c6bf7a0282cbab723bd67ad5565bc733cd

SHA512
228202418f909fe124f587565cadd2783d5c60f7a5b7ade194ec0b9985d391bd4c6522feebff6b2f185bf7109df2df7e30ad6e5488d1b8b954d6ed216e6331bc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\11649037.exe

Filesize
378KB

MD5
735f099981cdec9fcdf3dfc609cadd22

SHA1
2159c822a0501e44669ad1f29b3a9040e99f9d8f

SHA256
65c7572c4e22405c9f5350a7bfb53ef7c12563cfbb50f97d863bf2245e7b89a2

SHA512
8727cf63c86af4cfb5bf1c18bafa459547ce8b9cb704804f2e964fe30811b7bc11d4b8f254fe0f7192cb08eb2cdb2442b21ea820de234074a0c31184485a5306

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\11649037.exe

Filesize
378KB

MD5
735f099981cdec9fcdf3dfc609cadd22

SHA1
2159c822a0501e44669ad1f29b3a9040e99f9d8f

SHA256
65c7572c4e22405c9f5350a7bfb53ef7c12563cfbb50f97d863bf2245e7b89a2

SHA512
8727cf63c86af4cfb5bf1c18bafa459547ce8b9cb704804f2e964fe30811b7bc11d4b8f254fe0f7192cb08eb2cdb2442b21ea820de234074a0c31184485a5306

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\11649037.exe

Filesize
378KB

MD5
735f099981cdec9fcdf3dfc609cadd22

SHA1
2159c822a0501e44669ad1f29b3a9040e99f9d8f

SHA256
65c7572c4e22405c9f5350a7bfb53ef7c12563cfbb50f97d863bf2245e7b89a2

SHA512
8727cf63c86af4cfb5bf1c18bafa459547ce8b9cb704804f2e964fe30811b7bc11d4b8f254fe0f7192cb08eb2cdb2442b21ea820de234074a0c31184485a5306

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk895948.exe

Filesize
460KB

MD5
afba15ef8e8b2beeef56858a688af452

SHA1
ede5dfa71e16791fade92bffd63a3a894e26c098

SHA256
e615d124c01b3baf40cf50cb6f7af2b1ae57a4b6870a22f2899e5fd80174efef

SHA512
7ce361ddb29bd5bfa77f8ff901dbab6b762e57166f68affd3c34b08fa1468f42491ec143af53ae517bcca5a82ad7ddab784e89f1ffa30f25a9620986e983f540

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk895948.exe

Filesize
460KB

MD5
afba15ef8e8b2beeef56858a688af452

SHA1
ede5dfa71e16791fade92bffd63a3a894e26c098

SHA256
e615d124c01b3baf40cf50cb6f7af2b1ae57a4b6870a22f2899e5fd80174efef

SHA512
7ce361ddb29bd5bfa77f8ff901dbab6b762e57166f68affd3c34b08fa1468f42491ec143af53ae517bcca5a82ad7ddab784e89f1ffa30f25a9620986e983f540

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk895948.exe

Filesize
460KB

MD5
afba15ef8e8b2beeef56858a688af452

SHA1
ede5dfa71e16791fade92bffd63a3a894e26c098

SHA256
e615d124c01b3baf40cf50cb6f7af2b1ae57a4b6870a22f2899e5fd80174efef

SHA512
7ce361ddb29bd5bfa77f8ff901dbab6b762e57166f68affd3c34b08fa1468f42491ec143af53ae517bcca5a82ad7ddab784e89f1ffa30f25a9620986e983f540

Download Submit
memory/580-113-0x0000000004C30000-0x0000000004C70000-memory.dmp

Filesize
256KB

Download
memory/580-78-0x00000000002E0000-0x000000000030D000-memory.dmp

Filesize
180KB

Download
memory/580-90-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/580-94-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/580-92-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/580-98-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/580-96-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/580-100-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/580-104-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/580-102-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/580-106-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/580-108-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/580-109-0x0000000004C30000-0x0000000004C70000-memory.dmp

Filesize
256KB

Download
memory/580-110-0x0000000004C30000-0x0000000004C70000-memory.dmp

Filesize
256KB

Download
memory/580-111-0x0000000000400000-0x0000000000804000-memory.dmp

Filesize
4.0MB

Download
memory/580-112-0x00000000002E0000-0x000000000030D000-memory.dmp

Filesize
180KB

Download
memory/580-86-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/580-115-0x0000000000400000-0x0000000000804000-memory.dmp

Filesize
4.0MB

Download
memory/580-84-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/580-82-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/580-81-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/580-80-0x00000000024E0000-0x00000000024F8000-memory.dmp

Filesize
96KB

Download
memory/580-79-0x0000000002350000-0x000000000236A000-memory.dmp

Filesize
104KB

Download
memory/580-88-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/1628-147-0x0000000002490000-0x00000000024C5000-memory.dmp

Filesize
212KB

Download
memory/1628-135-0x0000000002490000-0x00000000024C5000-memory.dmp

Filesize
212KB

Download
memory/1628-128-0x0000000002490000-0x00000000024C5000-memory.dmp

Filesize
212KB

Download
memory/1628-129-0x0000000002490000-0x00000000024C5000-memory.dmp

Filesize
212KB

Download
memory/1628-131-0x0000000002490000-0x00000000024C5000-memory.dmp

Filesize
212KB

Download
memory/1628-133-0x0000000002490000-0x00000000024C5000-memory.dmp

Filesize
212KB

Download
memory/1628-145-0x0000000002490000-0x00000000024C5000-memory.dmp

Filesize
212KB

Download
memory/1628-137-0x0000000002490000-0x00000000024C5000-memory.dmp

Filesize
212KB

Download
memory/1628-139-0x0000000002490000-0x00000000024C5000-memory.dmp

Filesize
212KB

Download
memory/1628-141-0x0000000002490000-0x00000000024C5000-memory.dmp

Filesize
212KB

Download
memory/1628-127-0x0000000002490000-0x00000000024CA000-memory.dmp

Filesize
232KB

Download
memory/1628-143-0x0000000002490000-0x00000000024C5000-memory.dmp

Filesize
212KB

Download
memory/1628-155-0x0000000002490000-0x00000000024C5000-memory.dmp

Filesize
212KB

Download
memory/1628-149-0x0000000002490000-0x00000000024C5000-memory.dmp

Filesize
212KB

Download
memory/1628-151-0x0000000002490000-0x00000000024C5000-memory.dmp

Filesize
212KB

Download
memory/1628-153-0x0000000002490000-0x00000000024C5000-memory.dmp

Filesize
212KB

Download
memory/1628-126-0x0000000002450000-0x000000000248C000-memory.dmp

Filesize
240KB

Download
memory/1628-157-0x0000000002490000-0x00000000024C5000-memory.dmp

Filesize
212KB

Download
memory/1628-159-0x0000000002490000-0x00000000024C5000-memory.dmp

Filesize
212KB

Download
memory/1628-472-0x0000000000B70000-0x0000000000BB6000-memory.dmp

Filesize
280KB

Download
memory/1628-474-0x0000000004FC0000-0x0000000005000000-memory.dmp

Filesize
256KB

Download
memory/1628-922-0x0000000004FC0000-0x0000000005000000-memory.dmp

Filesize
256KB

Download
memory/1628-924-0x0000000004FC0000-0x0000000005000000-memory.dmp

Filesize
256KB

Download
memory/1628-926-0x0000000004FC0000-0x0000000005000000-memory.dmp

Filesize
256KB

Download