33f38a17cb2bca07f67cdabed30c8ef264bfbf5a73e5c7ead9882de42c2e489a

Analysis

max time kernel
148s
max time network
158s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33f38a17cb2bca07f67cdabed30c8ef264bfbf5a73e5c7ead9882de42c2e489a.exe
Size

701KB
MD5

243456c830cbe264025309d40192fdfd
SHA1

0211a08db62e814a81ae6000e6d106e93371335e
SHA256

33f38a17cb2bca07f67cdabed30c8ef264bfbf5a73e5c7ead9882de42c2e489a
SHA512

5303d2d6629704b9eea961b43ce92a2da3a191055d510dc93fcba251dabf461b71c6f8383f01cf81fd25e666774aa3046545d84cfee3c53980dd2ca0fa9ebaa6
SSDEEP

12288:iy909Vl56+rkrV/jriBpr3FDDjiDD+m5boAwXthlGiArHzPRiBCf5sPY:iyiTdgVuBpZDuDD+m5EAwoJzPRiBCRsg

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	31151928.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	31151928.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	31151928.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	31151928.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	31151928.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	31151928.exe

Executes dropped EXE 3 IoCs

pid	Process
1836	un611357.exe
976	31151928.exe
1624	rk613042.exe

Loads dropped DLL 8 IoCs

pid	Process
1704	33f38a17cb2bca07f67cdabed30c8ef264bfbf5a73e5c7ead9882de42c2e489a.exe
1836	un611357.exe
1836	un611357.exe
1836	un611357.exe
976	31151928.exe
1836	un611357.exe
1836	un611357.exe
1624	rk613042.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	31151928.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	31151928.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	33f38a17cb2bca07f67cdabed30c8ef264bfbf5a73e5c7ead9882de42c2e489a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	33f38a17cb2bca07f67cdabed30c8ef264bfbf5a73e5c7ead9882de42c2e489a.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un611357.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un611357.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
976	31151928.exe
976	31151928.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	976	31151928.exe
Token: SeDebugPrivilege	1624	rk613042.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1836	1704	33f38a17cb2bca07f67cdabed30c8ef264bfbf5a73e5c7ead9882de42c2e489a.exe	28
PID 1704 wrote to memory of 1836	1704	33f38a17cb2bca07f67cdabed30c8ef264bfbf5a73e5c7ead9882de42c2e489a.exe	28
PID 1704 wrote to memory of 1836	1704	33f38a17cb2bca07f67cdabed30c8ef264bfbf5a73e5c7ead9882de42c2e489a.exe	28
PID 1704 wrote to memory of 1836	1704	33f38a17cb2bca07f67cdabed30c8ef264bfbf5a73e5c7ead9882de42c2e489a.exe	28
PID 1704 wrote to memory of 1836	1704	33f38a17cb2bca07f67cdabed30c8ef264bfbf5a73e5c7ead9882de42c2e489a.exe	28
PID 1704 wrote to memory of 1836	1704	33f38a17cb2bca07f67cdabed30c8ef264bfbf5a73e5c7ead9882de42c2e489a.exe	28
PID 1704 wrote to memory of 1836	1704	33f38a17cb2bca07f67cdabed30c8ef264bfbf5a73e5c7ead9882de42c2e489a.exe	28
PID 1836 wrote to memory of 976	1836	un611357.exe	29
PID 1836 wrote to memory of 976	1836	un611357.exe	29
PID 1836 wrote to memory of 976	1836	un611357.exe	29
PID 1836 wrote to memory of 976	1836	un611357.exe	29
PID 1836 wrote to memory of 976	1836	un611357.exe	29
PID 1836 wrote to memory of 976	1836	un611357.exe	29
PID 1836 wrote to memory of 976	1836	un611357.exe	29
PID 1836 wrote to memory of 1624	1836	un611357.exe	30
PID 1836 wrote to memory of 1624	1836	un611357.exe	30
PID 1836 wrote to memory of 1624	1836	un611357.exe	30
PID 1836 wrote to memory of 1624	1836	un611357.exe	30
PID 1836 wrote to memory of 1624	1836	un611357.exe	30
PID 1836 wrote to memory of 1624	1836	un611357.exe	30
PID 1836 wrote to memory of 1624	1836	un611357.exe	30

C:\Users\Admin\AppData\Local\Temp\33f38a17cb2bca07f67cdabed30c8ef264bfbf5a73e5c7ead9882de42c2e489a.exe
"C:\Users\Admin\AppData\Local\Temp\33f38a17cb2bca07f67cdabed30c8ef264bfbf5a73e5c7ead9882de42c2e489a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un611357.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un611357.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\31151928.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\31151928.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:976
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk613042.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk613042.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un611357.exe

Filesize
547KB

MD5
8dc485b769c5e0680d72419d2b568f19

SHA1
2c51522b756d0f4a5a93427c4701314682d34a34

SHA256
3342ad3abb0a858f8edeed019594bb3b05d6829439b4e9ecf8e3567c51629e87

SHA512
0d600949ff6a02c51d48e0b5ce02dfca66c3cfeeb11575987be3461bde682a01dce7d8a2f62b2618fc6b1683fae4d08cc82bc909f3c0d1a05147a5553a00f5b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un611357.exe

Filesize
547KB

MD5
8dc485b769c5e0680d72419d2b568f19

SHA1
2c51522b756d0f4a5a93427c4701314682d34a34

SHA256
3342ad3abb0a858f8edeed019594bb3b05d6829439b4e9ecf8e3567c51629e87

SHA512
0d600949ff6a02c51d48e0b5ce02dfca66c3cfeeb11575987be3461bde682a01dce7d8a2f62b2618fc6b1683fae4d08cc82bc909f3c0d1a05147a5553a00f5b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\31151928.exe

Filesize
269KB

MD5
1654ae14cb472a918c89e1501fa4fff6

SHA1
2b0a6dbee5fc721b601428f45820c9dbb04b583d

SHA256
76dbce94cd332414cb9f7acd36ad001fd73f630bdcc52705ee1c31d80ec4ecbb

SHA512
65d00d17ca4249cca70ac64e3861817a6970fd2aec11180f57bc2cf09f0f4848d967d56e25f74b289099393978d2cbe92b00fbeb84d1951af13fa50bb9c60674

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\31151928.exe

Filesize
269KB

MD5
1654ae14cb472a918c89e1501fa4fff6

SHA1
2b0a6dbee5fc721b601428f45820c9dbb04b583d

SHA256
76dbce94cd332414cb9f7acd36ad001fd73f630bdcc52705ee1c31d80ec4ecbb

SHA512
65d00d17ca4249cca70ac64e3861817a6970fd2aec11180f57bc2cf09f0f4848d967d56e25f74b289099393978d2cbe92b00fbeb84d1951af13fa50bb9c60674

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\31151928.exe

Filesize
269KB

MD5
1654ae14cb472a918c89e1501fa4fff6

SHA1
2b0a6dbee5fc721b601428f45820c9dbb04b583d

SHA256
76dbce94cd332414cb9f7acd36ad001fd73f630bdcc52705ee1c31d80ec4ecbb

SHA512
65d00d17ca4249cca70ac64e3861817a6970fd2aec11180f57bc2cf09f0f4848d967d56e25f74b289099393978d2cbe92b00fbeb84d1951af13fa50bb9c60674

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk613042.exe

Filesize
353KB

MD5
c8aa4148478bd90aa2efd94ac27b46be

SHA1
bc4f4ed76b9500261e46244f3f530480c8e172c1

SHA256
cf6fcc0f32a9ea206c72a17a98a9c6b3835090dd35c65b9755c7d863473cb05b

SHA512
da54b393a687c43829c847040fa17284c39b5e4dfca8f4062bfa2a2dc5870cffdb9201fee67c03ff7b630e04fca5894bae4f5625815c649bb85e14f21bbc1cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk613042.exe

Filesize
353KB

MD5
c8aa4148478bd90aa2efd94ac27b46be

SHA1
bc4f4ed76b9500261e46244f3f530480c8e172c1

SHA256
cf6fcc0f32a9ea206c72a17a98a9c6b3835090dd35c65b9755c7d863473cb05b

SHA512
da54b393a687c43829c847040fa17284c39b5e4dfca8f4062bfa2a2dc5870cffdb9201fee67c03ff7b630e04fca5894bae4f5625815c649bb85e14f21bbc1cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk613042.exe

Filesize
353KB

MD5
c8aa4148478bd90aa2efd94ac27b46be

SHA1
bc4f4ed76b9500261e46244f3f530480c8e172c1

SHA256
cf6fcc0f32a9ea206c72a17a98a9c6b3835090dd35c65b9755c7d863473cb05b

SHA512
da54b393a687c43829c847040fa17284c39b5e4dfca8f4062bfa2a2dc5870cffdb9201fee67c03ff7b630e04fca5894bae4f5625815c649bb85e14f21bbc1cc2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un611357.exe

Filesize
547KB

MD5
8dc485b769c5e0680d72419d2b568f19

SHA1
2c51522b756d0f4a5a93427c4701314682d34a34

SHA256
3342ad3abb0a858f8edeed019594bb3b05d6829439b4e9ecf8e3567c51629e87

SHA512
0d600949ff6a02c51d48e0b5ce02dfca66c3cfeeb11575987be3461bde682a01dce7d8a2f62b2618fc6b1683fae4d08cc82bc909f3c0d1a05147a5553a00f5b5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un611357.exe

Filesize
547KB

MD5
8dc485b769c5e0680d72419d2b568f19

SHA1
2c51522b756d0f4a5a93427c4701314682d34a34

SHA256
3342ad3abb0a858f8edeed019594bb3b05d6829439b4e9ecf8e3567c51629e87

SHA512
0d600949ff6a02c51d48e0b5ce02dfca66c3cfeeb11575987be3461bde682a01dce7d8a2f62b2618fc6b1683fae4d08cc82bc909f3c0d1a05147a5553a00f5b5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\31151928.exe

Filesize
269KB

MD5
1654ae14cb472a918c89e1501fa4fff6

SHA1
2b0a6dbee5fc721b601428f45820c9dbb04b583d

SHA256
76dbce94cd332414cb9f7acd36ad001fd73f630bdcc52705ee1c31d80ec4ecbb

SHA512
65d00d17ca4249cca70ac64e3861817a6970fd2aec11180f57bc2cf09f0f4848d967d56e25f74b289099393978d2cbe92b00fbeb84d1951af13fa50bb9c60674

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\31151928.exe

Filesize
269KB

MD5
1654ae14cb472a918c89e1501fa4fff6

SHA1
2b0a6dbee5fc721b601428f45820c9dbb04b583d

SHA256
76dbce94cd332414cb9f7acd36ad001fd73f630bdcc52705ee1c31d80ec4ecbb

SHA512
65d00d17ca4249cca70ac64e3861817a6970fd2aec11180f57bc2cf09f0f4848d967d56e25f74b289099393978d2cbe92b00fbeb84d1951af13fa50bb9c60674

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\31151928.exe

Filesize
269KB

MD5
1654ae14cb472a918c89e1501fa4fff6

SHA1
2b0a6dbee5fc721b601428f45820c9dbb04b583d

SHA256
76dbce94cd332414cb9f7acd36ad001fd73f630bdcc52705ee1c31d80ec4ecbb

SHA512
65d00d17ca4249cca70ac64e3861817a6970fd2aec11180f57bc2cf09f0f4848d967d56e25f74b289099393978d2cbe92b00fbeb84d1951af13fa50bb9c60674

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk613042.exe

Filesize
353KB

MD5
c8aa4148478bd90aa2efd94ac27b46be

SHA1
bc4f4ed76b9500261e46244f3f530480c8e172c1

SHA256
cf6fcc0f32a9ea206c72a17a98a9c6b3835090dd35c65b9755c7d863473cb05b

SHA512
da54b393a687c43829c847040fa17284c39b5e4dfca8f4062bfa2a2dc5870cffdb9201fee67c03ff7b630e04fca5894bae4f5625815c649bb85e14f21bbc1cc2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk613042.exe

Filesize
353KB

MD5
c8aa4148478bd90aa2efd94ac27b46be

SHA1
bc4f4ed76b9500261e46244f3f530480c8e172c1

SHA256
cf6fcc0f32a9ea206c72a17a98a9c6b3835090dd35c65b9755c7d863473cb05b

SHA512
da54b393a687c43829c847040fa17284c39b5e4dfca8f4062bfa2a2dc5870cffdb9201fee67c03ff7b630e04fca5894bae4f5625815c649bb85e14f21bbc1cc2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk613042.exe

Filesize
353KB

MD5
c8aa4148478bd90aa2efd94ac27b46be

SHA1
bc4f4ed76b9500261e46244f3f530480c8e172c1

SHA256
cf6fcc0f32a9ea206c72a17a98a9c6b3835090dd35c65b9755c7d863473cb05b

SHA512
da54b393a687c43829c847040fa17284c39b5e4dfca8f4062bfa2a2dc5870cffdb9201fee67c03ff7b630e04fca5894bae4f5625815c649bb85e14f21bbc1cc2

Download Submit
memory/976-110-0x0000000000400000-0x0000000002B9E000-memory.dmp

Filesize
39.6MB

Download
memory/976-87-0x0000000002CA0000-0x0000000002CB2000-memory.dmp

Filesize
72KB

Download
memory/976-93-0x0000000002CA0000-0x0000000002CB2000-memory.dmp

Filesize
72KB

Download
memory/976-91-0x0000000002CA0000-0x0000000002CB2000-memory.dmp

Filesize
72KB

Download
memory/976-97-0x0000000002CA0000-0x0000000002CB2000-memory.dmp

Filesize
72KB

Download
memory/976-95-0x0000000002CA0000-0x0000000002CB2000-memory.dmp

Filesize
72KB

Download
memory/976-101-0x0000000002CA0000-0x0000000002CB2000-memory.dmp

Filesize
72KB

Download
memory/976-99-0x0000000002CA0000-0x0000000002CB2000-memory.dmp

Filesize
72KB

Download
memory/976-105-0x0000000002CA0000-0x0000000002CB2000-memory.dmp

Filesize
72KB

Download
memory/976-103-0x0000000002CA0000-0x0000000002CB2000-memory.dmp

Filesize
72KB

Download
memory/976-107-0x0000000002CA0000-0x0000000002CB2000-memory.dmp

Filesize
72KB

Download
memory/976-108-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/976-109-0x0000000007310000-0x0000000007350000-memory.dmp

Filesize
256KB

Download
memory/976-89-0x0000000002CA0000-0x0000000002CB2000-memory.dmp

Filesize
72KB

Download
memory/976-113-0x0000000000400000-0x0000000002B9E000-memory.dmp

Filesize
39.6MB

Download
memory/976-83-0x0000000002CA0000-0x0000000002CB2000-memory.dmp

Filesize
72KB

Download
memory/976-85-0x0000000002CA0000-0x0000000002CB2000-memory.dmp

Filesize
72KB

Download
memory/976-81-0x0000000002CA0000-0x0000000002CB2000-memory.dmp

Filesize
72KB

Download
memory/976-80-0x0000000002CA0000-0x0000000002CB2000-memory.dmp

Filesize
72KB

Download
memory/976-79-0x0000000002CA0000-0x0000000002CB8000-memory.dmp

Filesize
96KB

Download
memory/976-78-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/1624-126-0x0000000004A00000-0x0000000004A3A000-memory.dmp

Filesize
232KB

Download
memory/1624-143-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/1624-124-0x0000000000290000-0x00000000002D6000-memory.dmp

Filesize
280KB

Download
memory/1624-127-0x0000000007230000-0x0000000007270000-memory.dmp

Filesize
256KB

Download
memory/1624-128-0x0000000007230000-0x0000000007270000-memory.dmp

Filesize
256KB

Download
memory/1624-129-0x0000000007230000-0x0000000007270000-memory.dmp

Filesize
256KB

Download
memory/1624-130-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/1624-131-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/1624-133-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/1624-135-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/1624-137-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/1624-139-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/1624-141-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/1624-125-0x00000000048F0000-0x000000000492C000-memory.dmp

Filesize
240KB

Download
memory/1624-147-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/1624-145-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/1624-149-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/1624-151-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/1624-153-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/1624-155-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/1624-161-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/1624-159-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/1624-157-0x0000000004A00000-0x0000000004A35000-memory.dmp

Filesize
212KB

Download
memory/1624-922-0x0000000007230000-0x0000000007270000-memory.dmp

Filesize
256KB

Download
memory/1624-924-0x0000000007230000-0x0000000007270000-memory.dmp

Filesize
256KB

Download
memory/1624-926-0x0000000007230000-0x0000000007270000-memory.dmp

Filesize
256KB

Download