39755ae8c632c5b46f0a5f1ed5c40508d13594889387e246302f3ef6576552cb

Analysis

max time kernel
147s
max time network
175s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39755ae8c632c5b46f0a5f1ed5c40508d13594889387e246302f3ef6576552cb.exe
Size

747KB
MD5

8dd5da27707c53b6acf8484d46dd4d92
SHA1

6ed443bd9a356033531cb51d10e4bcc28763a06f
SHA256

39755ae8c632c5b46f0a5f1ed5c40508d13594889387e246302f3ef6576552cb
SHA512

aad2f44870ef31f528fff29f386a8ce4ae80b50621f5568b20d1ad4f27a88cca9a7eabf5860f5ec9dfec38e2347330b632eb9994768759e06657ea9f46f43850
SSDEEP

12288:hy90Hh6UtNuE8UtcKmHwGvvyrUGayqmG+MBYaTqbL4wr2fLCo7HPxsc:hyu48oakQGCrfapYaGbLZseC7

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	41690106.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	41690106.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	41690106.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	41690106.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	41690106.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	41690106.exe

Executes dropped EXE 3 IoCs

pid	Process
1244	un295215.exe
884	41690106.exe
1972	rk973565.exe

Loads dropped DLL 8 IoCs

pid	Process
1236	39755ae8c632c5b46f0a5f1ed5c40508d13594889387e246302f3ef6576552cb.exe
1244	un295215.exe
1244	un295215.exe
1244	un295215.exe
884	41690106.exe
1244	un295215.exe
1244	un295215.exe
1972	rk973565.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	41690106.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	41690106.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	39755ae8c632c5b46f0a5f1ed5c40508d13594889387e246302f3ef6576552cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	39755ae8c632c5b46f0a5f1ed5c40508d13594889387e246302f3ef6576552cb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un295215.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un295215.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
884	41690106.exe
884	41690106.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	884	41690106.exe
Token: SeDebugPrivilege	1972	rk973565.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 1244	1236	39755ae8c632c5b46f0a5f1ed5c40508d13594889387e246302f3ef6576552cb.exe	28
PID 1236 wrote to memory of 1244	1236	39755ae8c632c5b46f0a5f1ed5c40508d13594889387e246302f3ef6576552cb.exe	28
PID 1236 wrote to memory of 1244	1236	39755ae8c632c5b46f0a5f1ed5c40508d13594889387e246302f3ef6576552cb.exe	28
PID 1236 wrote to memory of 1244	1236	39755ae8c632c5b46f0a5f1ed5c40508d13594889387e246302f3ef6576552cb.exe	28
PID 1236 wrote to memory of 1244	1236	39755ae8c632c5b46f0a5f1ed5c40508d13594889387e246302f3ef6576552cb.exe	28
PID 1236 wrote to memory of 1244	1236	39755ae8c632c5b46f0a5f1ed5c40508d13594889387e246302f3ef6576552cb.exe	28
PID 1236 wrote to memory of 1244	1236	39755ae8c632c5b46f0a5f1ed5c40508d13594889387e246302f3ef6576552cb.exe	28
PID 1244 wrote to memory of 884	1244	un295215.exe	29
PID 1244 wrote to memory of 884	1244	un295215.exe	29
PID 1244 wrote to memory of 884	1244	un295215.exe	29
PID 1244 wrote to memory of 884	1244	un295215.exe	29
PID 1244 wrote to memory of 884	1244	un295215.exe	29
PID 1244 wrote to memory of 884	1244	un295215.exe	29
PID 1244 wrote to memory of 884	1244	un295215.exe	29
PID 1244 wrote to memory of 1972	1244	un295215.exe	30
PID 1244 wrote to memory of 1972	1244	un295215.exe	30
PID 1244 wrote to memory of 1972	1244	un295215.exe	30
PID 1244 wrote to memory of 1972	1244	un295215.exe	30
PID 1244 wrote to memory of 1972	1244	un295215.exe	30
PID 1244 wrote to memory of 1972	1244	un295215.exe	30
PID 1244 wrote to memory of 1972	1244	un295215.exe	30

C:\Users\Admin\AppData\Local\Temp\39755ae8c632c5b46f0a5f1ed5c40508d13594889387e246302f3ef6576552cb.exe
"C:\Users\Admin\AppData\Local\Temp\39755ae8c632c5b46f0a5f1ed5c40508d13594889387e246302f3ef6576552cb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un295215.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un295215.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\41690106.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\41690106.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:884
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk973565.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk973565.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un295215.exe

Filesize
593KB

MD5
3ce352927ea202aa6dcf98ba784f41a5

SHA1
36b7014a702f5f2bf12824503f60440a407f65a7

SHA256
d31c7f72aec8e294d6c1438d3d84740b467ad114c82847338f59b4d2483ee37b

SHA512
b3ae38d89d90682d44add2058e0a6a79beb1abb6983911bc3956dd8cbb66f9774951199434d6b80471af4705b8f4e17179449c4cf29eb245beef0c0e6f82f58d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un295215.exe

Filesize
593KB

MD5
3ce352927ea202aa6dcf98ba784f41a5

SHA1
36b7014a702f5f2bf12824503f60440a407f65a7

SHA256
d31c7f72aec8e294d6c1438d3d84740b467ad114c82847338f59b4d2483ee37b

SHA512
b3ae38d89d90682d44add2058e0a6a79beb1abb6983911bc3956dd8cbb66f9774951199434d6b80471af4705b8f4e17179449c4cf29eb245beef0c0e6f82f58d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\41690106.exe

Filesize
377KB

MD5
8a7efdcc89765019e90a2d9589b178fa

SHA1
decc7fdb89c1a1fe43e9ec1162c3e6d677073f84

SHA256
053651850faf52d04b1d1a97f85467bdc6ef2ade256ac772027fe9e38c9a097d

SHA512
77b03127a0ddaac8d7691fd291aa9342d1d741412b8d388f52d6845a5cc9c15fa80d89d659d93b11274e0d448a1acac89b688ce6384ec00db197a161640ad224

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\41690106.exe

Filesize
377KB

MD5
8a7efdcc89765019e90a2d9589b178fa

SHA1
decc7fdb89c1a1fe43e9ec1162c3e6d677073f84

SHA256
053651850faf52d04b1d1a97f85467bdc6ef2ade256ac772027fe9e38c9a097d

SHA512
77b03127a0ddaac8d7691fd291aa9342d1d741412b8d388f52d6845a5cc9c15fa80d89d659d93b11274e0d448a1acac89b688ce6384ec00db197a161640ad224

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\41690106.exe

Filesize
377KB

MD5
8a7efdcc89765019e90a2d9589b178fa

SHA1
decc7fdb89c1a1fe43e9ec1162c3e6d677073f84

SHA256
053651850faf52d04b1d1a97f85467bdc6ef2ade256ac772027fe9e38c9a097d

SHA512
77b03127a0ddaac8d7691fd291aa9342d1d741412b8d388f52d6845a5cc9c15fa80d89d659d93b11274e0d448a1acac89b688ce6384ec00db197a161640ad224

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk973565.exe

Filesize
459KB

MD5
388ee03e27f4533505002b9374ba9db4

SHA1
2d16cd8e276b7c65e351bc77e36342682c689de0

SHA256
3a8a50052cbdaf62a62bf66d7f8346b50a92234f95d6f6a6bc3537ed70879a97

SHA512
fc52581a21e5cec95eacc13ada46a68649440b3c409ef587e29c97154d1615d1a66ec8fd357ef2a046f7365603e78c4195282bbae9b39e13a461826c8466a29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk973565.exe

Filesize
459KB

MD5
388ee03e27f4533505002b9374ba9db4

SHA1
2d16cd8e276b7c65e351bc77e36342682c689de0

SHA256
3a8a50052cbdaf62a62bf66d7f8346b50a92234f95d6f6a6bc3537ed70879a97

SHA512
fc52581a21e5cec95eacc13ada46a68649440b3c409ef587e29c97154d1615d1a66ec8fd357ef2a046f7365603e78c4195282bbae9b39e13a461826c8466a29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk973565.exe

Filesize
459KB

MD5
388ee03e27f4533505002b9374ba9db4

SHA1
2d16cd8e276b7c65e351bc77e36342682c689de0

SHA256
3a8a50052cbdaf62a62bf66d7f8346b50a92234f95d6f6a6bc3537ed70879a97

SHA512
fc52581a21e5cec95eacc13ada46a68649440b3c409ef587e29c97154d1615d1a66ec8fd357ef2a046f7365603e78c4195282bbae9b39e13a461826c8466a29f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un295215.exe

Filesize
593KB

MD5
3ce352927ea202aa6dcf98ba784f41a5

SHA1
36b7014a702f5f2bf12824503f60440a407f65a7

SHA256
d31c7f72aec8e294d6c1438d3d84740b467ad114c82847338f59b4d2483ee37b

SHA512
b3ae38d89d90682d44add2058e0a6a79beb1abb6983911bc3956dd8cbb66f9774951199434d6b80471af4705b8f4e17179449c4cf29eb245beef0c0e6f82f58d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un295215.exe

Filesize
593KB

MD5
3ce352927ea202aa6dcf98ba784f41a5

SHA1
36b7014a702f5f2bf12824503f60440a407f65a7

SHA256
d31c7f72aec8e294d6c1438d3d84740b467ad114c82847338f59b4d2483ee37b

SHA512
b3ae38d89d90682d44add2058e0a6a79beb1abb6983911bc3956dd8cbb66f9774951199434d6b80471af4705b8f4e17179449c4cf29eb245beef0c0e6f82f58d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\41690106.exe

Filesize
377KB

MD5
8a7efdcc89765019e90a2d9589b178fa

SHA1
decc7fdb89c1a1fe43e9ec1162c3e6d677073f84

SHA256
053651850faf52d04b1d1a97f85467bdc6ef2ade256ac772027fe9e38c9a097d

SHA512
77b03127a0ddaac8d7691fd291aa9342d1d741412b8d388f52d6845a5cc9c15fa80d89d659d93b11274e0d448a1acac89b688ce6384ec00db197a161640ad224

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\41690106.exe

Filesize
377KB

MD5
8a7efdcc89765019e90a2d9589b178fa

SHA1
decc7fdb89c1a1fe43e9ec1162c3e6d677073f84

SHA256
053651850faf52d04b1d1a97f85467bdc6ef2ade256ac772027fe9e38c9a097d

SHA512
77b03127a0ddaac8d7691fd291aa9342d1d741412b8d388f52d6845a5cc9c15fa80d89d659d93b11274e0d448a1acac89b688ce6384ec00db197a161640ad224

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\41690106.exe

Filesize
377KB

MD5
8a7efdcc89765019e90a2d9589b178fa

SHA1
decc7fdb89c1a1fe43e9ec1162c3e6d677073f84

SHA256
053651850faf52d04b1d1a97f85467bdc6ef2ade256ac772027fe9e38c9a097d

SHA512
77b03127a0ddaac8d7691fd291aa9342d1d741412b8d388f52d6845a5cc9c15fa80d89d659d93b11274e0d448a1acac89b688ce6384ec00db197a161640ad224

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk973565.exe

Filesize
459KB

MD5
388ee03e27f4533505002b9374ba9db4

SHA1
2d16cd8e276b7c65e351bc77e36342682c689de0

SHA256
3a8a50052cbdaf62a62bf66d7f8346b50a92234f95d6f6a6bc3537ed70879a97

SHA512
fc52581a21e5cec95eacc13ada46a68649440b3c409ef587e29c97154d1615d1a66ec8fd357ef2a046f7365603e78c4195282bbae9b39e13a461826c8466a29f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk973565.exe

Filesize
459KB

MD5
388ee03e27f4533505002b9374ba9db4

SHA1
2d16cd8e276b7c65e351bc77e36342682c689de0

SHA256
3a8a50052cbdaf62a62bf66d7f8346b50a92234f95d6f6a6bc3537ed70879a97

SHA512
fc52581a21e5cec95eacc13ada46a68649440b3c409ef587e29c97154d1615d1a66ec8fd357ef2a046f7365603e78c4195282bbae9b39e13a461826c8466a29f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk973565.exe

Filesize
459KB

MD5
388ee03e27f4533505002b9374ba9db4

SHA1
2d16cd8e276b7c65e351bc77e36342682c689de0

SHA256
3a8a50052cbdaf62a62bf66d7f8346b50a92234f95d6f6a6bc3537ed70879a97

SHA512
fc52581a21e5cec95eacc13ada46a68649440b3c409ef587e29c97154d1615d1a66ec8fd357ef2a046f7365603e78c4195282bbae9b39e13a461826c8466a29f

Download Submit
memory/884-111-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/884-89-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/884-91-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/884-93-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/884-95-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/884-97-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/884-99-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/884-101-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/884-103-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/884-105-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/884-107-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/884-109-0x00000000025C0000-0x0000000002600000-memory.dmp

Filesize
256KB

Download
memory/884-110-0x00000000025C0000-0x0000000002600000-memory.dmp

Filesize
256KB

Download
memory/884-108-0x0000000000B70000-0x0000000000B9D000-memory.dmp

Filesize
180KB

Download
memory/884-87-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/884-112-0x00000000025C0000-0x0000000002600000-memory.dmp

Filesize
256KB

Download
memory/884-114-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/884-85-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/884-83-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/884-81-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/884-80-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/884-79-0x00000000025A0000-0x00000000025B8000-memory.dmp

Filesize
96KB

Download
memory/884-78-0x0000000002320000-0x000000000233A000-memory.dmp

Filesize
104KB

Download
memory/1972-125-0x0000000002450000-0x000000000248C000-memory.dmp

Filesize
240KB

Download
memory/1972-126-0x00000000024B0000-0x00000000024EA000-memory.dmp

Filesize
232KB

Download
memory/1972-127-0x0000000000290000-0x00000000002D6000-memory.dmp

Filesize
280KB

Download
memory/1972-129-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/1972-128-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/1972-131-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/1972-133-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/1972-135-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/1972-137-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/1972-139-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/1972-141-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/1972-143-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/1972-145-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/1972-147-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/1972-149-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/1972-151-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/1972-153-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/1972-155-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/1972-157-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/1972-159-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/1972-921-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/1972-924-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download