167235b3f11374fd766d047e48eaca05587ca6ab1ab4bfab9a39bc8bebd3a8c9

Analysis

max time kernel
257s
max time network
282s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

167235b3f11374fd766d047e48eaca05587ca6ab1ab4bfab9a39bc8bebd3a8c9.exe
Size

1.1MB
MD5

3c6b9ed83ec463ab847261669ddd03cd
SHA1

cfaaf6e983df990e429ed44d8a611ff76d2e9dd8
SHA256

167235b3f11374fd766d047e48eaca05587ca6ab1ab4bfab9a39bc8bebd3a8c9
SHA512

296a7152087340aa7cff26fac6c275f8c5b6e6c8c31886b6fced54c83b21fac05f7958e77109a886442fc41194adc0f1c3ca9a17835f44ae908ddc068a1c6e5c
SSDEEP

24576:Eykus7A+FocLFuis8rkY/nzPGXw6O/ny58J6VMbFJ:TkcTOA98P/zPj6O/nyY6VM

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	118088691.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	118088691.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	118088691.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	118088691.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	218986138.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	218986138.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	218986138.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	118088691.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	118088691.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	218986138.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	218986138.exe

Executes dropped EXE 5 IoCs

pid	Process
872	CD937448.exe
4132	SR606409.exe
1608	mz365556.exe
380	118088691.exe
3876	218986138.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	118088691.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	118088691.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	218986138.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	mz365556.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	mz365556.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	167235b3f11374fd766d047e48eaca05587ca6ab1ab4bfab9a39bc8bebd3a8c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	167235b3f11374fd766d047e48eaca05587ca6ab1ab4bfab9a39bc8bebd3a8c9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	CD937448.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	CD937448.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	SR606409.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	SR606409.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
380	118088691.exe
380	118088691.exe
3876	218986138.exe
3876	218986138.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	380	118088691.exe
Token: SeDebugPrivilege	3876	218986138.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 872	4516	167235b3f11374fd766d047e48eaca05587ca6ab1ab4bfab9a39bc8bebd3a8c9.exe	79
PID 4516 wrote to memory of 872	4516	167235b3f11374fd766d047e48eaca05587ca6ab1ab4bfab9a39bc8bebd3a8c9.exe	79
PID 4516 wrote to memory of 872	4516	167235b3f11374fd766d047e48eaca05587ca6ab1ab4bfab9a39bc8bebd3a8c9.exe	79
PID 872 wrote to memory of 4132	872	CD937448.exe	80
PID 872 wrote to memory of 4132	872	CD937448.exe	80
PID 872 wrote to memory of 4132	872	CD937448.exe	80
PID 4132 wrote to memory of 1608	4132	SR606409.exe	81
PID 4132 wrote to memory of 1608	4132	SR606409.exe	81
PID 4132 wrote to memory of 1608	4132	SR606409.exe	81
PID 1608 wrote to memory of 380	1608	mz365556.exe	82
PID 1608 wrote to memory of 380	1608	mz365556.exe	82
PID 1608 wrote to memory of 380	1608	mz365556.exe	82
PID 1608 wrote to memory of 3876	1608	mz365556.exe	88
PID 1608 wrote to memory of 3876	1608	mz365556.exe	88
PID 1608 wrote to memory of 3876	1608	mz365556.exe	88

C:\Users\Admin\AppData\Local\Temp\167235b3f11374fd766d047e48eaca05587ca6ab1ab4bfab9a39bc8bebd3a8c9.exe
"C:\Users\Admin\AppData\Local\Temp\167235b3f11374fd766d047e48eaca05587ca6ab1ab4bfab9a39bc8bebd3a8c9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CD937448.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CD937448.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SR606409.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SR606409.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mz365556.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mz365556.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1608
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118088691.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118088691.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:380
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\218986138.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\218986138.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CD937448.exe

Filesize
929KB

MD5
87168d0d9efcc1f844e2144fbadae75d

SHA1
78ba007d77db6f924f8ba7c9a57e95e3279914e5

SHA256
aba46f21e9304783abad39e2b487ff24468d9f2d1dfb8c63b60fd3ba05cff296

SHA512
f6837f2dde703ab726829f87b8396a76b80ead2131d855f7859c2e0fe4d25ef4452dc6743bbedb5e8a2e8b6500ab3970c58cc7abcee4e5844b85cb95ece16a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CD937448.exe

Filesize
929KB

MD5
87168d0d9efcc1f844e2144fbadae75d

SHA1
78ba007d77db6f924f8ba7c9a57e95e3279914e5

SHA256
aba46f21e9304783abad39e2b487ff24468d9f2d1dfb8c63b60fd3ba05cff296

SHA512
f6837f2dde703ab726829f87b8396a76b80ead2131d855f7859c2e0fe4d25ef4452dc6743bbedb5e8a2e8b6500ab3970c58cc7abcee4e5844b85cb95ece16a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SR606409.exe

Filesize
577KB

MD5
4738944b57798c560177d03d52749687

SHA1
1f213f060e9cbe3d3ef0d75124e924c575e5c9dd

SHA256
73491698559ea430d3ad06268eb3339a52328ab8ea2bd43b8c99ea2ec74a953d

SHA512
445d84ccf5a210ea02fa5864112ee9f9698a89206b9ea5635697f2d3eac1aac8a470a6ed9bdc2a403cc90929a36602d8fc7c3d7ea0723c10f17467634bfcd592

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SR606409.exe

Filesize
577KB

MD5
4738944b57798c560177d03d52749687

SHA1
1f213f060e9cbe3d3ef0d75124e924c575e5c9dd

SHA256
73491698559ea430d3ad06268eb3339a52328ab8ea2bd43b8c99ea2ec74a953d

SHA512
445d84ccf5a210ea02fa5864112ee9f9698a89206b9ea5635697f2d3eac1aac8a470a6ed9bdc2a403cc90929a36602d8fc7c3d7ea0723c10f17467634bfcd592

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mz365556.exe

Filesize
406KB

MD5
6b6eee5486ed161c0ed6de0ee950203f

SHA1
ad37d343302a78be7477a648f68f7ae0b6461f89

SHA256
8c0608f867eaf083fed4d1e7100c3959e02b0719260ec34ae32fd2b79bf71101

SHA512
dc8d48213581e205fefaf79b8e882dbec72c1a08efbdaca5b9c33e245dbdf95ae343f499158ffe2e4e6359b046177d2439e2942083ade3adac8ee93ff1d9b7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mz365556.exe

Filesize
406KB

MD5
6b6eee5486ed161c0ed6de0ee950203f

SHA1
ad37d343302a78be7477a648f68f7ae0b6461f89

SHA256
8c0608f867eaf083fed4d1e7100c3959e02b0719260ec34ae32fd2b79bf71101

SHA512
dc8d48213581e205fefaf79b8e882dbec72c1a08efbdaca5b9c33e245dbdf95ae343f499158ffe2e4e6359b046177d2439e2942083ade3adac8ee93ff1d9b7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118088691.exe

Filesize
176KB

MD5
2b71f4b18ac8214a2bff547b6ce2f64f

SHA1
b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5

SHA256
f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc

SHA512
33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118088691.exe

Filesize
176KB

MD5
2b71f4b18ac8214a2bff547b6ce2f64f

SHA1
b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5

SHA256
f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc

SHA512
33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\218986138.exe

Filesize
258KB

MD5
365ee535392ffdea909935834ce36119

SHA1
d1a5afadf54f01c507ff6cf28c73f6860dd236b5

SHA256
3ec5e250480bd06c50816db6ff735987532e1f8d20a194591738404939332b03

SHA512
d2f687505efc49d35c620df85f68766f514f4d280da7ded9c6367c7f2aefc632614a6534fa2bb8141e77232e3d07327a2629955aecebe18ab608a3ab2b639ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\218986138.exe

Filesize
258KB

MD5
365ee535392ffdea909935834ce36119

SHA1
d1a5afadf54f01c507ff6cf28c73f6860dd236b5

SHA256
3ec5e250480bd06c50816db6ff735987532e1f8d20a194591738404939332b03

SHA512
d2f687505efc49d35c620df85f68766f514f4d280da7ded9c6367c7f2aefc632614a6534fa2bb8141e77232e3d07327a2629955aecebe18ab608a3ab2b639ed5

Download Submit
memory/380-176-0x0000000004F10000-0x0000000004F23000-memory.dmp

Filesize
76KB

Download
memory/380-190-0x0000000004F10000-0x0000000004F23000-memory.dmp

Filesize
76KB

Download
memory/380-165-0x0000000004F10000-0x0000000004F23000-memory.dmp

Filesize
76KB

Download
memory/380-166-0x0000000004F10000-0x0000000004F23000-memory.dmp

Filesize
76KB

Download
memory/380-168-0x0000000004F10000-0x0000000004F23000-memory.dmp

Filesize
76KB

Download
memory/380-170-0x0000000004F10000-0x0000000004F23000-memory.dmp

Filesize
76KB

Download
memory/380-172-0x0000000004F10000-0x0000000004F23000-memory.dmp

Filesize
76KB

Download
memory/380-174-0x0000000004F10000-0x0000000004F23000-memory.dmp

Filesize
76KB

Download
memory/380-163-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/380-178-0x0000000004F10000-0x0000000004F23000-memory.dmp

Filesize
76KB

Download
memory/380-180-0x0000000004F10000-0x0000000004F23000-memory.dmp

Filesize
76KB

Download
memory/380-182-0x0000000004F10000-0x0000000004F23000-memory.dmp

Filesize
76KB

Download
memory/380-184-0x0000000004F10000-0x0000000004F23000-memory.dmp

Filesize
76KB

Download
memory/380-186-0x0000000004F10000-0x0000000004F23000-memory.dmp

Filesize
76KB

Download
memory/380-188-0x0000000004F10000-0x0000000004F23000-memory.dmp

Filesize
76KB

Download
memory/380-164-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/380-192-0x0000000004F10000-0x0000000004F23000-memory.dmp

Filesize
76KB

Download
memory/380-193-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/380-194-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/380-162-0x0000000004960000-0x0000000004F04000-memory.dmp

Filesize
5.6MB

Download
memory/380-161-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/3876-216-0x00000000071C0000-0x00000000071D0000-memory.dmp

Filesize
64KB

Download
memory/3876-215-0x0000000002BA0000-0x0000000002BCD000-memory.dmp

Filesize
180KB

Download
memory/3876-221-0x00000000071C0000-0x00000000071D0000-memory.dmp

Filesize
64KB

Download
memory/3876-219-0x00000000071C0000-0x00000000071D0000-memory.dmp

Filesize
64KB

Download
memory/3876-232-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/3876-233-0x00000000071C0000-0x00000000071D0000-memory.dmp

Filesize
64KB

Download
memory/3876-234-0x00000000071C0000-0x00000000071D0000-memory.dmp

Filesize
64KB

Download
memory/3876-235-0x00000000071C0000-0x00000000071D0000-memory.dmp

Filesize
64KB

Download