1a00c334a3d4fe9d02bac16c19ff6ce8a6890d5e93a6f9211812acb88c525606

Analysis

max time kernel
150s
max time network
183s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a00c334a3d4fe9d02bac16c19ff6ce8a6890d5e93a6f9211812acb88c525606.exe
Size

697KB
MD5

b1b3e35ade3229a97d14c4ad2d6edbde
SHA1

571fa00ac559ff5ad25f53038463cac543e56da0
SHA256

1a00c334a3d4fe9d02bac16c19ff6ce8a6890d5e93a6f9211812acb88c525606
SHA512

053f6194bd33a3faaad5b30a3de5abce8fb090b78a4937c21cb254cdd8ced9ad7cdc5511cfa346cb6266dbddb06e868ca6ac588689e0bd2cdf6bf2f30a95009e
SSDEEP

12288:Py90S8W5xESQuZ9tSRnEMed8s1VIddBpHyA2od:PyyWjESP9AEMijI5h2od

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	92003122.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	92003122.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	92003122.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	92003122.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	92003122.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	92003122.exe

Executes dropped EXE 3 IoCs

pid	Process
1112	un330171.exe
268	92003122.exe
2040	rk996975.exe

Loads dropped DLL 8 IoCs

pid	Process
932	1a00c334a3d4fe9d02bac16c19ff6ce8a6890d5e93a6f9211812acb88c525606.exe
1112	un330171.exe
1112	un330171.exe
1112	un330171.exe
268	92003122.exe
1112	un330171.exe
1112	un330171.exe
2040	rk996975.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	92003122.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	92003122.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1a00c334a3d4fe9d02bac16c19ff6ce8a6890d5e93a6f9211812acb88c525606.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1a00c334a3d4fe9d02bac16c19ff6ce8a6890d5e93a6f9211812acb88c525606.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un330171.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un330171.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
268	92003122.exe
268	92003122.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	268	92003122.exe
Token: SeDebugPrivilege	2040	rk996975.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 932 wrote to memory of 1112	932	1a00c334a3d4fe9d02bac16c19ff6ce8a6890d5e93a6f9211812acb88c525606.exe	28
PID 932 wrote to memory of 1112	932	1a00c334a3d4fe9d02bac16c19ff6ce8a6890d5e93a6f9211812acb88c525606.exe	28
PID 932 wrote to memory of 1112	932	1a00c334a3d4fe9d02bac16c19ff6ce8a6890d5e93a6f9211812acb88c525606.exe	28
PID 932 wrote to memory of 1112	932	1a00c334a3d4fe9d02bac16c19ff6ce8a6890d5e93a6f9211812acb88c525606.exe	28
PID 932 wrote to memory of 1112	932	1a00c334a3d4fe9d02bac16c19ff6ce8a6890d5e93a6f9211812acb88c525606.exe	28
PID 932 wrote to memory of 1112	932	1a00c334a3d4fe9d02bac16c19ff6ce8a6890d5e93a6f9211812acb88c525606.exe	28
PID 932 wrote to memory of 1112	932	1a00c334a3d4fe9d02bac16c19ff6ce8a6890d5e93a6f9211812acb88c525606.exe	28
PID 1112 wrote to memory of 268	1112	un330171.exe	29
PID 1112 wrote to memory of 268	1112	un330171.exe	29
PID 1112 wrote to memory of 268	1112	un330171.exe	29
PID 1112 wrote to memory of 268	1112	un330171.exe	29
PID 1112 wrote to memory of 268	1112	un330171.exe	29
PID 1112 wrote to memory of 268	1112	un330171.exe	29
PID 1112 wrote to memory of 268	1112	un330171.exe	29
PID 1112 wrote to memory of 2040	1112	un330171.exe	30
PID 1112 wrote to memory of 2040	1112	un330171.exe	30
PID 1112 wrote to memory of 2040	1112	un330171.exe	30
PID 1112 wrote to memory of 2040	1112	un330171.exe	30
PID 1112 wrote to memory of 2040	1112	un330171.exe	30
PID 1112 wrote to memory of 2040	1112	un330171.exe	30
PID 1112 wrote to memory of 2040	1112	un330171.exe	30

C:\Users\Admin\AppData\Local\Temp\1a00c334a3d4fe9d02bac16c19ff6ce8a6890d5e93a6f9211812acb88c525606.exe
"C:\Users\Admin\AppData\Local\Temp\1a00c334a3d4fe9d02bac16c19ff6ce8a6890d5e93a6f9211812acb88c525606.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:932
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un330171.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un330171.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\92003122.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\92003122.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:268
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk996975.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk996975.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un330171.exe

Filesize
543KB

MD5
8899780cbc72e50d91eacf094f923196

SHA1
d36bdeaf7b3a18c199037ea57d61ef40d7f39d62

SHA256
36acef713d5f8e229f365f56355014dd272239c8bc5182f225cec6f83071ccce

SHA512
b6cb6c8f4f68da65d49fdfe9c29c712b85006bf126774c87e2503c06ad9406ab0e02b5f6bc4ff700f842bf87b7a034862e257c634cd0eed3d92e5820889c9190

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un330171.exe

Filesize
543KB

MD5
8899780cbc72e50d91eacf094f923196

SHA1
d36bdeaf7b3a18c199037ea57d61ef40d7f39d62

SHA256
36acef713d5f8e229f365f56355014dd272239c8bc5182f225cec6f83071ccce

SHA512
b6cb6c8f4f68da65d49fdfe9c29c712b85006bf126774c87e2503c06ad9406ab0e02b5f6bc4ff700f842bf87b7a034862e257c634cd0eed3d92e5820889c9190

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\92003122.exe

Filesize
263KB

MD5
8aec28541db80ee920ed0d2438c6e9f4

SHA1
6c6808593af20eb9dbc7e8929b00d9531f24b1e5

SHA256
133bee8d541f219b50c7b81b16af2c20337f10f64d80b25e8fb515fc80087850

SHA512
89fc90aeed01c5be75295e3132d0cae0f1565025754956da3ec163e908228e1ebf14614b7761a6912f00412ac6ab0dc13083bd35c568e4891af16a231324a682

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\92003122.exe

Filesize
263KB

MD5
8aec28541db80ee920ed0d2438c6e9f4

SHA1
6c6808593af20eb9dbc7e8929b00d9531f24b1e5

SHA256
133bee8d541f219b50c7b81b16af2c20337f10f64d80b25e8fb515fc80087850

SHA512
89fc90aeed01c5be75295e3132d0cae0f1565025754956da3ec163e908228e1ebf14614b7761a6912f00412ac6ab0dc13083bd35c568e4891af16a231324a682

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\92003122.exe

Filesize
263KB

MD5
8aec28541db80ee920ed0d2438c6e9f4

SHA1
6c6808593af20eb9dbc7e8929b00d9531f24b1e5

SHA256
133bee8d541f219b50c7b81b16af2c20337f10f64d80b25e8fb515fc80087850

SHA512
89fc90aeed01c5be75295e3132d0cae0f1565025754956da3ec163e908228e1ebf14614b7761a6912f00412ac6ab0dc13083bd35c568e4891af16a231324a682

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk996975.exe

Filesize
328KB

MD5
228758d29cd11c89abfe2fc3fd376d1c

SHA1
94f55fa3402a7e2011c0454a9e9ca0971a8d8084

SHA256
6b0b460b98e4e3ba0a1f804ee8aa61ef29bf12fb97d589bf3d3a765ed71482d9

SHA512
c1047385aef5c34395937be44f1cf46f7adc72714d862154e21b9dbbfcfbcf139d6ae532ec59ce7b89ff5326d8d08553c5be10a20a1543a007e0a180a1af0a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk996975.exe

Filesize
328KB

MD5
228758d29cd11c89abfe2fc3fd376d1c

SHA1
94f55fa3402a7e2011c0454a9e9ca0971a8d8084

SHA256
6b0b460b98e4e3ba0a1f804ee8aa61ef29bf12fb97d589bf3d3a765ed71482d9

SHA512
c1047385aef5c34395937be44f1cf46f7adc72714d862154e21b9dbbfcfbcf139d6ae532ec59ce7b89ff5326d8d08553c5be10a20a1543a007e0a180a1af0a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk996975.exe

Filesize
328KB

MD5
228758d29cd11c89abfe2fc3fd376d1c

SHA1
94f55fa3402a7e2011c0454a9e9ca0971a8d8084

SHA256
6b0b460b98e4e3ba0a1f804ee8aa61ef29bf12fb97d589bf3d3a765ed71482d9

SHA512
c1047385aef5c34395937be44f1cf46f7adc72714d862154e21b9dbbfcfbcf139d6ae532ec59ce7b89ff5326d8d08553c5be10a20a1543a007e0a180a1af0a84

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un330171.exe

Filesize
543KB

MD5
8899780cbc72e50d91eacf094f923196

SHA1
d36bdeaf7b3a18c199037ea57d61ef40d7f39d62

SHA256
36acef713d5f8e229f365f56355014dd272239c8bc5182f225cec6f83071ccce

SHA512
b6cb6c8f4f68da65d49fdfe9c29c712b85006bf126774c87e2503c06ad9406ab0e02b5f6bc4ff700f842bf87b7a034862e257c634cd0eed3d92e5820889c9190

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un330171.exe

Filesize
543KB

MD5
8899780cbc72e50d91eacf094f923196

SHA1
d36bdeaf7b3a18c199037ea57d61ef40d7f39d62

SHA256
36acef713d5f8e229f365f56355014dd272239c8bc5182f225cec6f83071ccce

SHA512
b6cb6c8f4f68da65d49fdfe9c29c712b85006bf126774c87e2503c06ad9406ab0e02b5f6bc4ff700f842bf87b7a034862e257c634cd0eed3d92e5820889c9190

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\92003122.exe

Filesize
263KB

MD5
8aec28541db80ee920ed0d2438c6e9f4

SHA1
6c6808593af20eb9dbc7e8929b00d9531f24b1e5

SHA256
133bee8d541f219b50c7b81b16af2c20337f10f64d80b25e8fb515fc80087850

SHA512
89fc90aeed01c5be75295e3132d0cae0f1565025754956da3ec163e908228e1ebf14614b7761a6912f00412ac6ab0dc13083bd35c568e4891af16a231324a682

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\92003122.exe

Filesize
263KB

MD5
8aec28541db80ee920ed0d2438c6e9f4

SHA1
6c6808593af20eb9dbc7e8929b00d9531f24b1e5

SHA256
133bee8d541f219b50c7b81b16af2c20337f10f64d80b25e8fb515fc80087850

SHA512
89fc90aeed01c5be75295e3132d0cae0f1565025754956da3ec163e908228e1ebf14614b7761a6912f00412ac6ab0dc13083bd35c568e4891af16a231324a682

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\92003122.exe

Filesize
263KB

MD5
8aec28541db80ee920ed0d2438c6e9f4

SHA1
6c6808593af20eb9dbc7e8929b00d9531f24b1e5

SHA256
133bee8d541f219b50c7b81b16af2c20337f10f64d80b25e8fb515fc80087850

SHA512
89fc90aeed01c5be75295e3132d0cae0f1565025754956da3ec163e908228e1ebf14614b7761a6912f00412ac6ab0dc13083bd35c568e4891af16a231324a682

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk996975.exe

Filesize
328KB

MD5
228758d29cd11c89abfe2fc3fd376d1c

SHA1
94f55fa3402a7e2011c0454a9e9ca0971a8d8084

SHA256
6b0b460b98e4e3ba0a1f804ee8aa61ef29bf12fb97d589bf3d3a765ed71482d9

SHA512
c1047385aef5c34395937be44f1cf46f7adc72714d862154e21b9dbbfcfbcf139d6ae532ec59ce7b89ff5326d8d08553c5be10a20a1543a007e0a180a1af0a84

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk996975.exe

Filesize
328KB

MD5
228758d29cd11c89abfe2fc3fd376d1c

SHA1
94f55fa3402a7e2011c0454a9e9ca0971a8d8084

SHA256
6b0b460b98e4e3ba0a1f804ee8aa61ef29bf12fb97d589bf3d3a765ed71482d9

SHA512
c1047385aef5c34395937be44f1cf46f7adc72714d862154e21b9dbbfcfbcf139d6ae532ec59ce7b89ff5326d8d08553c5be10a20a1543a007e0a180a1af0a84

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk996975.exe

Filesize
328KB

MD5
228758d29cd11c89abfe2fc3fd376d1c

SHA1
94f55fa3402a7e2011c0454a9e9ca0971a8d8084

SHA256
6b0b460b98e4e3ba0a1f804ee8aa61ef29bf12fb97d589bf3d3a765ed71482d9

SHA512
c1047385aef5c34395937be44f1cf46f7adc72714d862154e21b9dbbfcfbcf139d6ae532ec59ce7b89ff5326d8d08553c5be10a20a1543a007e0a180a1af0a84

Download Submit
memory/268-111-0x0000000003080000-0x0000000003093000-memory.dmp

Filesize
76KB

Download
memory/268-116-0x0000000000400000-0x0000000002B99000-memory.dmp

Filesize
39.6MB

Download
memory/268-84-0x0000000007120000-0x0000000007160000-memory.dmp

Filesize
256KB

Download
memory/268-86-0x0000000003080000-0x0000000003093000-memory.dmp

Filesize
76KB

Download
memory/268-87-0x0000000003080000-0x0000000003093000-memory.dmp

Filesize
76KB

Download
memory/268-89-0x0000000003080000-0x0000000003093000-memory.dmp

Filesize
76KB

Download
memory/268-91-0x0000000003080000-0x0000000003093000-memory.dmp

Filesize
76KB

Download
memory/268-93-0x0000000003080000-0x0000000003093000-memory.dmp

Filesize
76KB

Download
memory/268-95-0x0000000003080000-0x0000000003093000-memory.dmp

Filesize
76KB

Download
memory/268-97-0x0000000003080000-0x0000000003093000-memory.dmp

Filesize
76KB

Download
memory/268-99-0x0000000003080000-0x0000000003093000-memory.dmp

Filesize
76KB

Download
memory/268-101-0x0000000003080000-0x0000000003093000-memory.dmp

Filesize
76KB

Download
memory/268-103-0x0000000003080000-0x0000000003093000-memory.dmp

Filesize
76KB

Download
memory/268-105-0x0000000003080000-0x0000000003093000-memory.dmp

Filesize
76KB

Download
memory/268-107-0x0000000003080000-0x0000000003093000-memory.dmp

Filesize
76KB

Download
memory/268-109-0x0000000003080000-0x0000000003093000-memory.dmp

Filesize
76KB

Download
memory/268-83-0x0000000000270000-0x000000000029D000-memory.dmp

Filesize
180KB

Download
memory/268-113-0x0000000003080000-0x0000000003093000-memory.dmp

Filesize
76KB

Download
memory/268-82-0x0000000003080000-0x0000000003098000-memory.dmp

Filesize
96KB

Download
memory/268-81-0x0000000003040000-0x000000000305A000-memory.dmp

Filesize
104KB

Download
memory/268-80-0x0000000000400000-0x0000000002B99000-memory.dmp

Filesize
39.6MB

Download
memory/268-79-0x0000000000400000-0x0000000002B99000-memory.dmp

Filesize
39.6MB

Download
memory/268-78-0x0000000000270000-0x000000000029D000-memory.dmp

Filesize
180KB

Download
memory/268-85-0x0000000007120000-0x0000000007160000-memory.dmp

Filesize
256KB

Download
memory/2040-145-0x0000000004830000-0x0000000004865000-memory.dmp

Filesize
212KB

Download
memory/2040-133-0x0000000004830000-0x0000000004865000-memory.dmp

Filesize
212KB

Download
memory/2040-129-0x0000000000350000-0x0000000000396000-memory.dmp

Filesize
280KB

Download
memory/2040-130-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download
memory/2040-131-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download
memory/2040-132-0x0000000004830000-0x0000000004865000-memory.dmp

Filesize
212KB

Download
memory/2040-143-0x0000000004830000-0x0000000004865000-memory.dmp

Filesize
212KB

Download
memory/2040-135-0x0000000004830000-0x0000000004865000-memory.dmp

Filesize
212KB

Download
memory/2040-137-0x0000000004830000-0x0000000004865000-memory.dmp

Filesize
212KB

Download
memory/2040-139-0x0000000004830000-0x0000000004865000-memory.dmp

Filesize
212KB

Download
memory/2040-128-0x0000000004830000-0x000000000486A000-memory.dmp

Filesize
232KB

Download
memory/2040-141-0x0000000004830000-0x0000000004865000-memory.dmp

Filesize
212KB

Download
memory/2040-153-0x0000000004830000-0x0000000004865000-memory.dmp

Filesize
212KB

Download
memory/2040-147-0x0000000004830000-0x0000000004865000-memory.dmp

Filesize
212KB

Download
memory/2040-149-0x0000000004830000-0x0000000004865000-memory.dmp

Filesize
212KB

Download
memory/2040-151-0x0000000004830000-0x0000000004865000-memory.dmp

Filesize
212KB

Download
memory/2040-127-0x00000000047F0000-0x000000000482C000-memory.dmp

Filesize
240KB

Download
memory/2040-155-0x0000000004830000-0x0000000004865000-memory.dmp

Filesize
212KB

Download
memory/2040-157-0x0000000004830000-0x0000000004865000-memory.dmp

Filesize
212KB

Download
memory/2040-159-0x0000000004830000-0x0000000004865000-memory.dmp

Filesize
212KB

Download
memory/2040-161-0x0000000004830000-0x0000000004865000-memory.dmp

Filesize
212KB

Download
memory/2040-925-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download
memory/2040-927-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download
memory/2040-929-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download