1abcef69b34388c12a3ad59d193e5d17b6c3ed94cd4491affc5986272324b9d4

Analysis

max time kernel
151s
max time network
182s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1abcef69b34388c12a3ad59d193e5d17b6c3ed94cd4491affc5986272324b9d4.exe
Size

766KB
MD5

6fbb2e12ddec8b4a865a8404bf98c69c
SHA1

8fa8dfebc50df0f6431a973695e882e8745c6186
SHA256

1abcef69b34388c12a3ad59d193e5d17b6c3ed94cd4491affc5986272324b9d4
SHA512

a5f67603a83a269b91560c9baa34ecf5ef14dc19f780ca46056263e06fbb7c7b9ca02ef0fe736450b267c311249ae4ea57321283dbe10c1a828aad36a97791d2
SSDEEP

12288:lMrcy90OtFEH422ARICDXyvYMDrYke9MCWzrEVNs1mHo0+9KMKzYSvHw:Ry7tg3IGXQYyYCPErs1mHoWnQ

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a9494448.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9494448.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9494448.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9494448.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9494448.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9494448.exe

Executes dropped EXE 4 IoCs

pid	Process
2032	v2268163.exe
1412	v9629166.exe
432	a9494448.exe
1244	b6092337.exe

Loads dropped DLL 7 IoCs

pid	Process
1156	1abcef69b34388c12a3ad59d193e5d17b6c3ed94cd4491affc5986272324b9d4.exe
2032	v2268163.exe
2032	v2268163.exe
1412	v9629166.exe
1412	v9629166.exe
1412	v9629166.exe
1244	b6092337.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9494448.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	a9494448.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v9629166.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9629166.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1abcef69b34388c12a3ad59d193e5d17b6c3ed94cd4491affc5986272324b9d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1abcef69b34388c12a3ad59d193e5d17b6c3ed94cd4491affc5986272324b9d4.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2268163.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2268163.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
432	a9494448.exe
432	a9494448.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	432	a9494448.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 2032	1156	1abcef69b34388c12a3ad59d193e5d17b6c3ed94cd4491affc5986272324b9d4.exe	27
PID 1156 wrote to memory of 2032	1156	1abcef69b34388c12a3ad59d193e5d17b6c3ed94cd4491affc5986272324b9d4.exe	27
PID 1156 wrote to memory of 2032	1156	1abcef69b34388c12a3ad59d193e5d17b6c3ed94cd4491affc5986272324b9d4.exe	27
PID 1156 wrote to memory of 2032	1156	1abcef69b34388c12a3ad59d193e5d17b6c3ed94cd4491affc5986272324b9d4.exe	27
PID 1156 wrote to memory of 2032	1156	1abcef69b34388c12a3ad59d193e5d17b6c3ed94cd4491affc5986272324b9d4.exe	27
PID 1156 wrote to memory of 2032	1156	1abcef69b34388c12a3ad59d193e5d17b6c3ed94cd4491affc5986272324b9d4.exe	27
PID 1156 wrote to memory of 2032	1156	1abcef69b34388c12a3ad59d193e5d17b6c3ed94cd4491affc5986272324b9d4.exe	27
PID 2032 wrote to memory of 1412	2032	v2268163.exe	28
PID 2032 wrote to memory of 1412	2032	v2268163.exe	28
PID 2032 wrote to memory of 1412	2032	v2268163.exe	28
PID 2032 wrote to memory of 1412	2032	v2268163.exe	28
PID 2032 wrote to memory of 1412	2032	v2268163.exe	28
PID 2032 wrote to memory of 1412	2032	v2268163.exe	28
PID 2032 wrote to memory of 1412	2032	v2268163.exe	28
PID 1412 wrote to memory of 432	1412	v9629166.exe	29
PID 1412 wrote to memory of 432	1412	v9629166.exe	29
PID 1412 wrote to memory of 432	1412	v9629166.exe	29
PID 1412 wrote to memory of 432	1412	v9629166.exe	29
PID 1412 wrote to memory of 432	1412	v9629166.exe	29
PID 1412 wrote to memory of 432	1412	v9629166.exe	29
PID 1412 wrote to memory of 432	1412	v9629166.exe	29
PID 1412 wrote to memory of 1244	1412	v9629166.exe	30
PID 1412 wrote to memory of 1244	1412	v9629166.exe	30
PID 1412 wrote to memory of 1244	1412	v9629166.exe	30
PID 1412 wrote to memory of 1244	1412	v9629166.exe	30
PID 1412 wrote to memory of 1244	1412	v9629166.exe	30
PID 1412 wrote to memory of 1244	1412	v9629166.exe	30
PID 1412 wrote to memory of 1244	1412	v9629166.exe	30

C:\Users\Admin\AppData\Local\Temp\1abcef69b34388c12a3ad59d193e5d17b6c3ed94cd4491affc5986272324b9d4.exe
"C:\Users\Admin\AppData\Local\Temp\1abcef69b34388c12a3ad59d193e5d17b6c3ed94cd4491affc5986272324b9d4.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2268163.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2268163.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9629166.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9629166.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9494448.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9494448.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:432
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6092337.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6092337.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2268163.exe

Filesize
376KB

MD5
bb6c79c6e676ee45e56944fd91a7abf4

SHA1
df41f28990dad82d28a15c0a94b21302afdbc916

SHA256
2a99a46e6fd41e4418afc66f9138e9fdec10133cc237fa54697f7d0c95f89ac0

SHA512
d4b4e621d2f021b524c60100e0aa051c01fdad92a097059fa26443b1b248b95b48ae52f0dae8f09db514c573c3c257dbf730e74c81644c6cb2faec791b92ea12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2268163.exe

Filesize
376KB

MD5
bb6c79c6e676ee45e56944fd91a7abf4

SHA1
df41f28990dad82d28a15c0a94b21302afdbc916

SHA256
2a99a46e6fd41e4418afc66f9138e9fdec10133cc237fa54697f7d0c95f89ac0

SHA512
d4b4e621d2f021b524c60100e0aa051c01fdad92a097059fa26443b1b248b95b48ae52f0dae8f09db514c573c3c257dbf730e74c81644c6cb2faec791b92ea12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9629166.exe

Filesize
204KB

MD5
fd5e3bbc3b0bebd190db9b28f7daf991

SHA1
0a473b6c4cf1757ddee9ff73c16283fc37075cfa

SHA256
dd03e44a5bc269e9e2e789fc57e444aec6d0b9108d31d63ee513dc04e68e6b7a

SHA512
135a76dc0d9938747379b0c0ae310dbb857aa28409e0255204a9950c28030de0225e046fc901a0c36600cd59a67d22ce645c0a187d33a33bb4e9a0b1c1566105

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9629166.exe

Filesize
204KB

MD5
fd5e3bbc3b0bebd190db9b28f7daf991

SHA1
0a473b6c4cf1757ddee9ff73c16283fc37075cfa

SHA256
dd03e44a5bc269e9e2e789fc57e444aec6d0b9108d31d63ee513dc04e68e6b7a

SHA512
135a76dc0d9938747379b0c0ae310dbb857aa28409e0255204a9950c28030de0225e046fc901a0c36600cd59a67d22ce645c0a187d33a33bb4e9a0b1c1566105

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9494448.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9494448.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6092337.exe

Filesize
136KB

MD5
30d0ee0947be55272def37f502e40d83

SHA1
67dec087565870ddbba362f33bc909491d56f0d7

SHA256
876c00366d8cdda682030628307cbcbd8a90ffc831cb0176173207b36bf28514

SHA512
0b98ba7648398642441894a970d889d0d4769317531473def2decb847bdb9472b0b3671f96126ad7ad023d4a434cbcef8da7c8663df718dcf6ee3557874ad284

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6092337.exe

Filesize
136KB

MD5
30d0ee0947be55272def37f502e40d83

SHA1
67dec087565870ddbba362f33bc909491d56f0d7

SHA256
876c00366d8cdda682030628307cbcbd8a90ffc831cb0176173207b36bf28514

SHA512
0b98ba7648398642441894a970d889d0d4769317531473def2decb847bdb9472b0b3671f96126ad7ad023d4a434cbcef8da7c8663df718dcf6ee3557874ad284

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2268163.exe

Filesize
376KB

MD5
bb6c79c6e676ee45e56944fd91a7abf4

SHA1
df41f28990dad82d28a15c0a94b21302afdbc916

SHA256
2a99a46e6fd41e4418afc66f9138e9fdec10133cc237fa54697f7d0c95f89ac0

SHA512
d4b4e621d2f021b524c60100e0aa051c01fdad92a097059fa26443b1b248b95b48ae52f0dae8f09db514c573c3c257dbf730e74c81644c6cb2faec791b92ea12

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2268163.exe

Filesize
376KB

MD5
bb6c79c6e676ee45e56944fd91a7abf4

SHA1
df41f28990dad82d28a15c0a94b21302afdbc916

SHA256
2a99a46e6fd41e4418afc66f9138e9fdec10133cc237fa54697f7d0c95f89ac0

SHA512
d4b4e621d2f021b524c60100e0aa051c01fdad92a097059fa26443b1b248b95b48ae52f0dae8f09db514c573c3c257dbf730e74c81644c6cb2faec791b92ea12

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9629166.exe

Filesize
204KB

MD5
fd5e3bbc3b0bebd190db9b28f7daf991

SHA1
0a473b6c4cf1757ddee9ff73c16283fc37075cfa

SHA256
dd03e44a5bc269e9e2e789fc57e444aec6d0b9108d31d63ee513dc04e68e6b7a

SHA512
135a76dc0d9938747379b0c0ae310dbb857aa28409e0255204a9950c28030de0225e046fc901a0c36600cd59a67d22ce645c0a187d33a33bb4e9a0b1c1566105

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9629166.exe

Filesize
204KB

MD5
fd5e3bbc3b0bebd190db9b28f7daf991

SHA1
0a473b6c4cf1757ddee9ff73c16283fc37075cfa

SHA256
dd03e44a5bc269e9e2e789fc57e444aec6d0b9108d31d63ee513dc04e68e6b7a

SHA512
135a76dc0d9938747379b0c0ae310dbb857aa28409e0255204a9950c28030de0225e046fc901a0c36600cd59a67d22ce645c0a187d33a33bb4e9a0b1c1566105

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9494448.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6092337.exe

Filesize
136KB

MD5
30d0ee0947be55272def37f502e40d83

SHA1
67dec087565870ddbba362f33bc909491d56f0d7

SHA256
876c00366d8cdda682030628307cbcbd8a90ffc831cb0176173207b36bf28514

SHA512
0b98ba7648398642441894a970d889d0d4769317531473def2decb847bdb9472b0b3671f96126ad7ad023d4a434cbcef8da7c8663df718dcf6ee3557874ad284

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6092337.exe

Filesize
136KB

MD5
30d0ee0947be55272def37f502e40d83

SHA1
67dec087565870ddbba362f33bc909491d56f0d7

SHA256
876c00366d8cdda682030628307cbcbd8a90ffc831cb0176173207b36bf28514

SHA512
0b98ba7648398642441894a970d889d0d4769317531473def2decb847bdb9472b0b3671f96126ad7ad023d4a434cbcef8da7c8663df718dcf6ee3557874ad284

Download Submit
memory/432-82-0x0000000000980000-0x000000000098A000-memory.dmp

Filesize
40KB

Download
memory/1244-89-0x0000000000DC0000-0x0000000000DE8000-memory.dmp

Filesize
160KB

Download
memory/1244-90-0x0000000007130000-0x0000000007170000-memory.dmp

Filesize
256KB

Download
memory/1244-91-0x0000000007130000-0x0000000007170000-memory.dmp

Filesize
256KB

Download