0f71f1fbff25966bcd29e3fc27071d5b9b0679665359c83082ae0ff5df1cf9c6

Analysis

max time kernel
142s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-05-2023 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f71f1fbff25966bcd29e3fc27071d5b9b0679665359c83082ae0ff5df1cf9c6.exe
Size

693KB
MD5

fc98537ded941c673d8addb2aacb0f68
SHA1

31ab080a9cd3ce47c9cff7733a0d7d00a1d1c72d
SHA256

0f71f1fbff25966bcd29e3fc27071d5b9b0679665359c83082ae0ff5df1cf9c6
SHA512

7c320285104852d3910f641b7ba7c0ff4fa6a7bdad33b6074e6e59cc4aea86a8c448192e4c329630611db2e8650520dea03c347156a38d86e1009adc55dd99a1
SSDEEP

12288:3y90RjZF+dOBLTe7pBQxSuU+vqYUPmlY2Ez7wzvpQ052:3yiNgdOMFBIhH5K2s77p

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	43088963.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	43088963.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	43088963.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	43088963.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	43088963.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	43088963.exe

Executes dropped EXE 3 IoCs

pid	Process
1604	un823471.exe
1072	43088963.exe
656	rk432718.exe

Loads dropped DLL 8 IoCs

pid	Process
1512	0f71f1fbff25966bcd29e3fc27071d5b9b0679665359c83082ae0ff5df1cf9c6.exe
1604	un823471.exe
1604	un823471.exe
1604	un823471.exe
1072	43088963.exe
1604	un823471.exe
1604	un823471.exe
656	rk432718.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	43088963.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	43088963.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0f71f1fbff25966bcd29e3fc27071d5b9b0679665359c83082ae0ff5df1cf9c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0f71f1fbff25966bcd29e3fc27071d5b9b0679665359c83082ae0ff5df1cf9c6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un823471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un823471.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1072	43088963.exe
1072	43088963.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1072	43088963.exe
Token: SeDebugPrivilege	656	rk432718.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 1604	1512	0f71f1fbff25966bcd29e3fc27071d5b9b0679665359c83082ae0ff5df1cf9c6.exe	27
PID 1512 wrote to memory of 1604	1512	0f71f1fbff25966bcd29e3fc27071d5b9b0679665359c83082ae0ff5df1cf9c6.exe	27
PID 1512 wrote to memory of 1604	1512	0f71f1fbff25966bcd29e3fc27071d5b9b0679665359c83082ae0ff5df1cf9c6.exe	27
PID 1512 wrote to memory of 1604	1512	0f71f1fbff25966bcd29e3fc27071d5b9b0679665359c83082ae0ff5df1cf9c6.exe	27
PID 1512 wrote to memory of 1604	1512	0f71f1fbff25966bcd29e3fc27071d5b9b0679665359c83082ae0ff5df1cf9c6.exe	27
PID 1512 wrote to memory of 1604	1512	0f71f1fbff25966bcd29e3fc27071d5b9b0679665359c83082ae0ff5df1cf9c6.exe	27
PID 1512 wrote to memory of 1604	1512	0f71f1fbff25966bcd29e3fc27071d5b9b0679665359c83082ae0ff5df1cf9c6.exe	27
PID 1604 wrote to memory of 1072	1604	un823471.exe	28
PID 1604 wrote to memory of 1072	1604	un823471.exe	28
PID 1604 wrote to memory of 1072	1604	un823471.exe	28
PID 1604 wrote to memory of 1072	1604	un823471.exe	28
PID 1604 wrote to memory of 1072	1604	un823471.exe	28
PID 1604 wrote to memory of 1072	1604	un823471.exe	28
PID 1604 wrote to memory of 1072	1604	un823471.exe	28
PID 1604 wrote to memory of 656	1604	un823471.exe	29
PID 1604 wrote to memory of 656	1604	un823471.exe	29
PID 1604 wrote to memory of 656	1604	un823471.exe	29
PID 1604 wrote to memory of 656	1604	un823471.exe	29
PID 1604 wrote to memory of 656	1604	un823471.exe	29
PID 1604 wrote to memory of 656	1604	un823471.exe	29
PID 1604 wrote to memory of 656	1604	un823471.exe	29

C:\Users\Admin\AppData\Local\Temp\0f71f1fbff25966bcd29e3fc27071d5b9b0679665359c83082ae0ff5df1cf9c6.exe
"C:\Users\Admin\AppData\Local\Temp\0f71f1fbff25966bcd29e3fc27071d5b9b0679665359c83082ae0ff5df1cf9c6.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un823471.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un823471.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\43088963.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\43088963.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1072
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk432718.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk432718.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un823471.exe

Filesize
540KB

MD5
e56766e180cec517ddf8dc2c8d175794

SHA1
6d0898277dd19c4ebcc2752d348571871d9644e3

SHA256
2167ba86330d4ded3d532dbde8bbc70ea0e85ef8976a504035e7830f1359866e

SHA512
da71a1e3f5038ae687b35d0348bf00c0d3186b993a19cc9c5328ee66f23b0767fcffcec5b6c5768bb85ed7bd99dd4c029d871670c48353783822e2e5e646486b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un823471.exe

Filesize
540KB

MD5
e56766e180cec517ddf8dc2c8d175794

SHA1
6d0898277dd19c4ebcc2752d348571871d9644e3

SHA256
2167ba86330d4ded3d532dbde8bbc70ea0e85ef8976a504035e7830f1359866e

SHA512
da71a1e3f5038ae687b35d0348bf00c0d3186b993a19cc9c5328ee66f23b0767fcffcec5b6c5768bb85ed7bd99dd4c029d871670c48353783822e2e5e646486b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\43088963.exe

Filesize
258KB

MD5
94fdc24b94079bd02b5326100592b2f0

SHA1
032df1abdbbee6f60e85ca9f6532ecacd05069ff

SHA256
55527a22e2f77751beca120cd08d77ef558d8a28e002a32ae72a94525d895087

SHA512
7e87fd8e519be8601392ae172908af9784951e6f90e33bf0feba6073fab9a9ff2066ee43c5f0ff2d03c7f0bbe26440fd23e5ea89896f9a3837904ec6d5af088c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\43088963.exe

Filesize
258KB

MD5
94fdc24b94079bd02b5326100592b2f0

SHA1
032df1abdbbee6f60e85ca9f6532ecacd05069ff

SHA256
55527a22e2f77751beca120cd08d77ef558d8a28e002a32ae72a94525d895087

SHA512
7e87fd8e519be8601392ae172908af9784951e6f90e33bf0feba6073fab9a9ff2066ee43c5f0ff2d03c7f0bbe26440fd23e5ea89896f9a3837904ec6d5af088c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\43088963.exe

Filesize
258KB

MD5
94fdc24b94079bd02b5326100592b2f0

SHA1
032df1abdbbee6f60e85ca9f6532ecacd05069ff

SHA256
55527a22e2f77751beca120cd08d77ef558d8a28e002a32ae72a94525d895087

SHA512
7e87fd8e519be8601392ae172908af9784951e6f90e33bf0feba6073fab9a9ff2066ee43c5f0ff2d03c7f0bbe26440fd23e5ea89896f9a3837904ec6d5af088c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk432718.exe

Filesize
340KB

MD5
f2aef3c641925385e8ee555d369e3bbe

SHA1
988b45cbb47a1f248accc3da058a6f9a7827c0d4

SHA256
e3308623e2e070a63fb80fe374271cd4517848e8a12ed31bc1e32a4789f2de06

SHA512
db52edbc1a38ee701dfafc1a7a3870d93f5f5de4a5eefe2ecacd4a624170e3109dbabd1b8f5b15676f828b0b3a8c2ab6204d894b7fc95049c55919196de929ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk432718.exe

Filesize
340KB

MD5
f2aef3c641925385e8ee555d369e3bbe

SHA1
988b45cbb47a1f248accc3da058a6f9a7827c0d4

SHA256
e3308623e2e070a63fb80fe374271cd4517848e8a12ed31bc1e32a4789f2de06

SHA512
db52edbc1a38ee701dfafc1a7a3870d93f5f5de4a5eefe2ecacd4a624170e3109dbabd1b8f5b15676f828b0b3a8c2ab6204d894b7fc95049c55919196de929ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk432718.exe

Filesize
340KB

MD5
f2aef3c641925385e8ee555d369e3bbe

SHA1
988b45cbb47a1f248accc3da058a6f9a7827c0d4

SHA256
e3308623e2e070a63fb80fe374271cd4517848e8a12ed31bc1e32a4789f2de06

SHA512
db52edbc1a38ee701dfafc1a7a3870d93f5f5de4a5eefe2ecacd4a624170e3109dbabd1b8f5b15676f828b0b3a8c2ab6204d894b7fc95049c55919196de929ee

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un823471.exe

Filesize
540KB

MD5
e56766e180cec517ddf8dc2c8d175794

SHA1
6d0898277dd19c4ebcc2752d348571871d9644e3

SHA256
2167ba86330d4ded3d532dbde8bbc70ea0e85ef8976a504035e7830f1359866e

SHA512
da71a1e3f5038ae687b35d0348bf00c0d3186b993a19cc9c5328ee66f23b0767fcffcec5b6c5768bb85ed7bd99dd4c029d871670c48353783822e2e5e646486b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un823471.exe

Filesize
540KB

MD5
e56766e180cec517ddf8dc2c8d175794

SHA1
6d0898277dd19c4ebcc2752d348571871d9644e3

SHA256
2167ba86330d4ded3d532dbde8bbc70ea0e85ef8976a504035e7830f1359866e

SHA512
da71a1e3f5038ae687b35d0348bf00c0d3186b993a19cc9c5328ee66f23b0767fcffcec5b6c5768bb85ed7bd99dd4c029d871670c48353783822e2e5e646486b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\43088963.exe

Filesize
258KB

MD5
94fdc24b94079bd02b5326100592b2f0

SHA1
032df1abdbbee6f60e85ca9f6532ecacd05069ff

SHA256
55527a22e2f77751beca120cd08d77ef558d8a28e002a32ae72a94525d895087

SHA512
7e87fd8e519be8601392ae172908af9784951e6f90e33bf0feba6073fab9a9ff2066ee43c5f0ff2d03c7f0bbe26440fd23e5ea89896f9a3837904ec6d5af088c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\43088963.exe

Filesize
258KB

MD5
94fdc24b94079bd02b5326100592b2f0

SHA1
032df1abdbbee6f60e85ca9f6532ecacd05069ff

SHA256
55527a22e2f77751beca120cd08d77ef558d8a28e002a32ae72a94525d895087

SHA512
7e87fd8e519be8601392ae172908af9784951e6f90e33bf0feba6073fab9a9ff2066ee43c5f0ff2d03c7f0bbe26440fd23e5ea89896f9a3837904ec6d5af088c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\43088963.exe

Filesize
258KB

MD5
94fdc24b94079bd02b5326100592b2f0

SHA1
032df1abdbbee6f60e85ca9f6532ecacd05069ff

SHA256
55527a22e2f77751beca120cd08d77ef558d8a28e002a32ae72a94525d895087

SHA512
7e87fd8e519be8601392ae172908af9784951e6f90e33bf0feba6073fab9a9ff2066ee43c5f0ff2d03c7f0bbe26440fd23e5ea89896f9a3837904ec6d5af088c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk432718.exe

Filesize
340KB

MD5
f2aef3c641925385e8ee555d369e3bbe

SHA1
988b45cbb47a1f248accc3da058a6f9a7827c0d4

SHA256
e3308623e2e070a63fb80fe374271cd4517848e8a12ed31bc1e32a4789f2de06

SHA512
db52edbc1a38ee701dfafc1a7a3870d93f5f5de4a5eefe2ecacd4a624170e3109dbabd1b8f5b15676f828b0b3a8c2ab6204d894b7fc95049c55919196de929ee

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk432718.exe

Filesize
340KB

MD5
f2aef3c641925385e8ee555d369e3bbe

SHA1
988b45cbb47a1f248accc3da058a6f9a7827c0d4

SHA256
e3308623e2e070a63fb80fe374271cd4517848e8a12ed31bc1e32a4789f2de06

SHA512
db52edbc1a38ee701dfafc1a7a3870d93f5f5de4a5eefe2ecacd4a624170e3109dbabd1b8f5b15676f828b0b3a8c2ab6204d894b7fc95049c55919196de929ee

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk432718.exe

Filesize
340KB

MD5
f2aef3c641925385e8ee555d369e3bbe

SHA1
988b45cbb47a1f248accc3da058a6f9a7827c0d4

SHA256
e3308623e2e070a63fb80fe374271cd4517848e8a12ed31bc1e32a4789f2de06

SHA512
db52edbc1a38ee701dfafc1a7a3870d93f5f5de4a5eefe2ecacd4a624170e3109dbabd1b8f5b15676f828b0b3a8c2ab6204d894b7fc95049c55919196de929ee

Download Submit
memory/656-139-0x00000000048F0000-0x0000000004925000-memory.dmp

Filesize
212KB

Download
memory/656-147-0x00000000048F0000-0x0000000004925000-memory.dmp

Filesize
212KB

Download
memory/656-925-0x0000000007310000-0x0000000007350000-memory.dmp

Filesize
256KB

Download
memory/656-924-0x0000000007310000-0x0000000007350000-memory.dmp

Filesize
256KB

Download
memory/656-921-0x0000000007310000-0x0000000007350000-memory.dmp

Filesize
256KB

Download
memory/656-433-0x0000000007310000-0x0000000007350000-memory.dmp

Filesize
256KB

Download
memory/656-431-0x0000000007310000-0x0000000007350000-memory.dmp

Filesize
256KB

Download
memory/656-429-0x00000000002B0000-0x00000000002F6000-memory.dmp

Filesize
280KB

Download
memory/656-159-0x00000000048F0000-0x0000000004925000-memory.dmp

Filesize
212KB

Download
memory/656-157-0x00000000048F0000-0x0000000004925000-memory.dmp

Filesize
212KB

Download
memory/656-155-0x00000000048F0000-0x0000000004925000-memory.dmp

Filesize
212KB

Download
memory/656-153-0x00000000048F0000-0x0000000004925000-memory.dmp

Filesize
212KB

Download
memory/656-151-0x00000000048F0000-0x0000000004925000-memory.dmp

Filesize
212KB

Download
memory/656-149-0x00000000048F0000-0x0000000004925000-memory.dmp

Filesize
212KB

Download
memory/656-145-0x00000000048F0000-0x0000000004925000-memory.dmp

Filesize
212KB

Download
memory/656-143-0x00000000048F0000-0x0000000004925000-memory.dmp

Filesize
212KB

Download
memory/656-141-0x00000000048F0000-0x0000000004925000-memory.dmp

Filesize
212KB

Download
memory/656-137-0x00000000048F0000-0x0000000004925000-memory.dmp

Filesize
212KB

Download
memory/656-135-0x00000000048F0000-0x0000000004925000-memory.dmp

Filesize
212KB

Download
memory/656-133-0x00000000048F0000-0x0000000004925000-memory.dmp

Filesize
212KB

Download
memory/656-126-0x00000000048F0000-0x0000000004925000-memory.dmp

Filesize
212KB

Download
memory/656-127-0x00000000048F0000-0x0000000004925000-memory.dmp

Filesize
212KB

Download
memory/656-131-0x00000000048F0000-0x0000000004925000-memory.dmp

Filesize
212KB

Download
memory/656-124-0x0000000003380000-0x00000000033BC000-memory.dmp

Filesize
240KB

Download
memory/656-125-0x00000000048F0000-0x000000000492A000-memory.dmp

Filesize
232KB

Download
memory/656-129-0x00000000048F0000-0x0000000004925000-memory.dmp

Filesize
212KB

Download
memory/1072-109-0x0000000007270000-0x00000000072B0000-memory.dmp

Filesize
256KB

Download
memory/1072-86-0x00000000031D0000-0x00000000031E3000-memory.dmp

Filesize
76KB

Download
memory/1072-79-0x00000000003D0000-0x00000000003EA000-memory.dmp

Filesize
104KB

Download
memory/1072-81-0x00000000031D0000-0x00000000031E3000-memory.dmp

Filesize
76KB

Download
memory/1072-84-0x00000000031D0000-0x00000000031E3000-memory.dmp

Filesize
76KB

Download
memory/1072-82-0x00000000031D0000-0x00000000031E3000-memory.dmp

Filesize
76KB

Download
memory/1072-78-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/1072-88-0x00000000031D0000-0x00000000031E3000-memory.dmp

Filesize
76KB

Download
memory/1072-112-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/1072-110-0x0000000007270000-0x00000000072B0000-memory.dmp

Filesize
256KB

Download
memory/1072-113-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/1072-80-0x00000000031D0000-0x00000000031E8000-memory.dmp

Filesize
96KB

Download
memory/1072-111-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/1072-108-0x00000000031D0000-0x00000000031E3000-memory.dmp

Filesize
76KB

Download
memory/1072-106-0x00000000031D0000-0x00000000031E3000-memory.dmp

Filesize
76KB

Download
memory/1072-104-0x00000000031D0000-0x00000000031E3000-memory.dmp

Filesize
76KB

Download
memory/1072-102-0x00000000031D0000-0x00000000031E3000-memory.dmp

Filesize
76KB

Download
memory/1072-100-0x00000000031D0000-0x00000000031E3000-memory.dmp

Filesize
76KB

Download
memory/1072-98-0x00000000031D0000-0x00000000031E3000-memory.dmp

Filesize
76KB

Download
memory/1072-96-0x00000000031D0000-0x00000000031E3000-memory.dmp

Filesize
76KB

Download
memory/1072-94-0x00000000031D0000-0x00000000031E3000-memory.dmp

Filesize
76KB

Download
memory/1072-92-0x00000000031D0000-0x00000000031E3000-memory.dmp

Filesize
76KB

Download
memory/1072-90-0x00000000031D0000-0x00000000031E3000-memory.dmp

Filesize
76KB

Download