Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-05-2023 20:51

General

  • Target

    1ec6389bd086de5f991ccae10e10477fbcdab3b9069e2beb68ba370cb5d3d50e.exe

  • Size

    690KB

  • MD5

    5c881206fe3f848037cef9f3def76d4f

  • SHA1

    120ca41618bad4346821bf04f5564d3c7abc50cf

  • SHA256

    1ec6389bd086de5f991ccae10e10477fbcdab3b9069e2beb68ba370cb5d3d50e

  • SHA512

    486c56509e30527ac2080829dcf90cd39cd36855ee1a5725d05485008a5fd60424a896183a4f82aa4b367522588d5f756d48c72d21ad9d945a98a540647eac55

  • SSDEEP

    12288:Hy90u3fBtThNO4+y+GYi7ExQBFzZIJbQGQi78brLErEe6VuTz9UyH2M3:HytfzOy97EqzZqqi78b3ErEe6wTBUq

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ec6389bd086de5f991ccae10e10477fbcdab3b9069e2beb68ba370cb5d3d50e.exe
    "C:\Users\Admin\AppData\Local\Temp\1ec6389bd086de5f991ccae10e10477fbcdab3b9069e2beb68ba370cb5d3d50e.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un441615.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un441615.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:908
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\50693545.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\50693545.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:760
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk170223.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk170223.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:1632
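
The tree above (a sample run from the user's Temp directory launching a second stage from IXP000.TMP, which launches two more from IXP001.TMP; IXP000.TMP, IXP001.TMP, ... is the extraction directory naming used by IExpress/wextract self-extracting packages, with the counter increasing for each nested package) and the Signatures listed earlier (Run key persistence, Windows Defender real-time protection modified) are behaviours a host detection should correlate as one incident rather than alert on one at a time. The following is an added example and not part of the sandbox report: four detection rules in Python, run over constructed Sysmon-style events shaped after this process tree. The event field names and the two registry targets are assumptions (the report names the behaviours, not the values written).

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed Sysmon-style events shaped after the report's process tree. They are
# not taken from the sandbox run; the registry targets are assumed, since the report
# names the behaviours but not the values. id 1 = process creation, id 13 = registry set.
EVENTS = [
    {"id": 1, "pid": 1196, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\1ec6389bd086de5f991ccae10e10477fbcdab3b9069e2beb68ba370cb5d3d50e.exe"},
    {"id": 1, "pid": 908, "ppid": 1196,
     "image": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un441615.exe"},
    {"id": 1, "pid": 760, "ppid": 908,
     "image": r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\50693545.exe"},
    {"id": 1, "pid": 1632, "ppid": 908,
     "image": r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk170223.exe"},
    {"id": 13, "pid": 908,   # assumed value name under the Run key
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\un441615"},
    {"id": 13, "pid": 760,   # assumed Defender value
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
]

# IXP000.TMP, IXP001.TMP, ... is the IExpress/wextract extraction directory pattern.
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
IXP_DIR = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
DEFENDER_RTP = re.compile(r"\\Windows Defender\\Real-Time Protection\\", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


def run_rules(events) -> List[Alert]:
    """Apply the four rules to a list of events and return one Alert per hit."""
    alerts = []
    for e in events:
        if e["id"] == 1:
            image = e["image"]
            if IXP_DIR.search(image):
                alerts.append(Alert("exec_from_iexpress_tmp", e["pid"], image))
            elif USER_TEMP.search(image):
                alerts.append(Alert("exec_from_user_temp", e["pid"], image))
        elif e["id"] == 13:
            target = e["target"]
            if RUN_KEY.search(target):
                alerts.append(Alert("run_key_persistence", e["pid"], target))
            if DEFENDER_RTP.search(target):
                alerts.append(Alert("defender_rtp_tamper", e["pid"], target))
    return alerts


def parent_map(events) -> Dict[int, int]:
    return {e["pid"]: e["ppid"] for e in events if e["id"] == 1}


def chain(pid: int, parents: Dict[int, int]) -> List[int]:
    """Ancestry of pid, root first, stopping at the first parent with no creation event."""
    out = [pid]
    while parents.get(pid) in parents:
        pid = parents[pid]
        out.append(pid)
    return out[::-1]


def summarize(events) -> Dict[int, set]:
    """Group alert rules by the root of each process chain, so the dropper, the stages
    it extracts and their registry changes are scored together as one incident."""
    parents = parent_map(events)
    by_root = defaultdict(set)
    for a in run_rules(events):
        by_root[chain(a.pid, parents)[0]].add(a.rule)
    return dict(by_root)


if __name__ == "__main__":
    parents = parent_map(EVENTS)
    for a in run_rules(EVENTS):
        print(f"{a.rule:24} pid={a.pid:<5} {' -> '.join(map(str, chain(a.pid, parents)))}")
    print(summarize(EVENTS))
```

Scoring per root process is the point: each rule alone is noisy (installers run from Temp, legitimate software writes Run keys), but one chain that executes from an IExpress extraction directory, persists via Run, and disables Defender real-time protection is the report's verdict reproduced from host telemetry.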

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un441615.exe

    Filesize

    536KB

    MD5

    97311a8442e750f8eb41c7931dd7c978

    SHA1

    1a182f64b1d8c8aba7ca5ab2c109eb77df999ab4

    SHA256

    26ba3939fcb272a0977f6cac58c40197c24b7d236c60f51f60b81b9e27854060

    SHA512

    693e0db7907cdd07e0de7646f4e9b4418a45264230c35e948c37eaecbf1bae908248f1cb97388a994ee519044217c6da26b04e84f09d65b9a2dab29203bf143e

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\50693545.exe

    Filesize

    259KB

    MD5

    9f4d59e950ebd1e40be74b06def38ff0

    SHA1

    a642199119c22303c60b9a8a6d054e8768af3b4a

    SHA256

    8878b696843233e7d1c24cf8cf4e4de92c2960ce0de06102740915d4543fcff2

    SHA512

    3cda0f396fbc386bb542caae33679136e3ca17f71baddfbdaaddc68cdd4a9310ee230833f729eb01598916c549a614404923f993cb2f2f67acb124302744456b

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk170223.exe

    Filesize

    341KB

    MD5

    738eef2ef0d029376088067187401c4c

    SHA1

    41b7f7026dd752788bd17830712ceef6c0382653

    SHA256

    de66f0ffc53bdcc00f2ea593b9377b4561ccf801e2e1bb1924da9e3a7f531b24

    SHA512

    fc26e58c34e7688af0765c6ef0ed8891543ca37b3cc5b2bd89d7ab4c22a903d0a5d5832f2d456b37cc5d79ef9d5a361bd3686b544851cf7485648c728db227f1

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\un441615.exe

    Filesize

    536KB

    MD5

    97311a8442e750f8eb41c7931dd7c978

    SHA1

    1a182f64b1d8c8aba7ca5ab2c109eb77df999ab4

    SHA256

    26ba3939fcb272a0977f6cac58c40197c24b7d236c60f51f60b81b9e27854060

    SHA512

    693e0db7907cdd07e0de7646f4e9b4418a45264230c35e948c37eaecbf1bae908248f1cb97388a994ee519044217c6da26b04e84f09d65b9a2dab29203bf143e

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\50693545.exe

    Filesize

    259KB

    MD5

    9f4d59e950ebd1e40be74b06def38ff0

    SHA1

    a642199119c22303c60b9a8a6d054e8768af3b4a

    SHA256

    8878b696843233e7d1c24cf8cf4e4de92c2960ce0de06102740915d4543fcff2

    SHA512

    3cda0f396fbc386bb542caae33679136e3ca17f71baddfbdaaddc68cdd4a9310ee230833f729eb01598916c549a614404923f993cb2f2f67acb124302744456b

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\rk170223.exe

    Filesize

    341KB

    MD5

    738eef2ef0d029376088067187401c4c

    SHA1

    41b7f7026dd752788bd17830712ceef6c0382653

    SHA256

    de66f0ffc53bdcc00f2ea593b9377b4561ccf801e2e1bb1924da9e3a7f531b24

    SHA512

    fc26e58c34e7688af0765c6ef0ed8891543ca37b3cc5b2bd89d7ab4c22a903d0a5d5832f2d456b37cc5d79ef9d5a361bd3686b544851cf7485648c728db227f1
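
The Downloads list gives each dropped file with the same MD5, SHA1, SHA256 and SHA512 under both its C:\ and drive-less path. Added example, not from the report: the submitted sample and the three dropped files consolidated into one indicator set keyed by SHA-256, and a matcher that hashes each candidate file once for all four digests. A match on MD5 or SHA-1 alone is reported as weak, since both have practical collision attacks; the SHA-256 is what confirms a hit. The function names and the directory scan helper are my own.

```python
import hashlib
import os
import sys
from typing import Dict, Iterator, Optional

# One entry per file from the report's General and Downloads sections, keyed by SHA-256.
# MD5 and SHA-1 ride along for cross-checking feeds that only publish the weaker digests.
IOCS: Dict[str, dict] = {
    "1ec6389bd086de5f991ccae10e10477fbcdab3b9069e2beb68ba370cb5d3d50e": {
        "name": "1ec6389bd086de5f991ccae10e10477fbcdab3b9069e2beb68ba370cb5d3d50e.exe",
        "size_kb": 690, "md5": "5c881206fe3f848037cef9f3def76d4f",
        "sha1": "120ca41618bad4346821bf04f5564d3c7abc50cf"},
    "26ba3939fcb272a0977f6cac58c40197c24b7d236c60f51f60b81b9e27854060": {
        "name": "un441615.exe", "size_kb": 536, "md5": "97311a8442e750f8eb41c7931dd7c978",
        "sha1": "1a182f64b1d8c8aba7ca5ab2c109eb77df999ab4"},
    "8878b696843233e7d1c24cf8cf4e4de92c2960ce0de06102740915d4543fcff2": {
        "name": "50693545.exe", "size_kb": 259, "md5": "9f4d59e950ebd1e40be74b06def38ff0",
        "sha1": "a642199119c22303c60b9a8a6d054e8768af3b4a"},
    "de66f0ffc53bdcc00f2ea593b9377b4561ccf801e2e1bb1924da9e3a7f531b24": {
        "name": "rk170223.exe", "size_kb": 341, "md5": "738eef2ef0d029376088067187401c4c",
        "sha1": "41b7f7026dd752788bd17830712ceef6c0382653"},
}

CHUNK = 1 << 20


def digest_stream(chunks: Iterator[bytes]) -> Dict[str, object]:
    """One pass over the data, all four digests at once, plus the byte count."""
    hs = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256", "sha512")}
    size = 0
    for chunk in chunks:
        size += len(chunk)
        for h in hs.values():
            h.update(chunk)
    out: Dict[str, object] = {n: h.hexdigest() for n, h in hs.items()}
    out["size"] = size
    return out


def digest_bytes(data: bytes) -> Dict[str, object]:
    return digest_stream(iter([data]))


def digest_file(path: str) -> Dict[str, object]:
    with open(path, "rb") as f:
        return digest_stream(iter(lambda: f.read(CHUNK), b""))


def match_ioc(d: Dict[str, object], iocs: Dict[str, dict] = IOCS) -> Optional[dict]:
    """SHA-256 match is 'strong'; MD5/SHA-1-only match is 'weak-hash-only' (a lead, not a hit)."""
    hit = iocs.get(str(d.get("sha256", "")).lower())
    if hit is not None:
        # A table whose MD5/SHA-1 disagree with its own SHA-256 entry was mistyped: say so.
        for alg in ("md5", "sha1"):
            if d.get(alg) and str(d[alg]).lower() != hit[alg]:
                raise ValueError(f"IOC table inconsistent for {hit['name']}: {alg}")
        return {"confidence": "strong", **hit}
    for entry in iocs.values():
        if str(d.get("md5", "")).lower() == entry["md5"] or str(d.get("sha1", "")).lower() == entry["sha1"]:
            return {"confidence": "weak-hash-only", **entry}
    return None


def validate_table(iocs: Dict[str, dict] = IOCS) -> bool:
    """Every digest must be lowercase hex of the right length (64/32/40)."""
    ok = True
    for sha256, e in iocs.items():
        for val, n in ((sha256, 64), (e["md5"], 32), (e["sha1"], 40)):
            ok &= len(val) == n and all(c in "0123456789abcdef" for c in val)
    return ok


def scan_dir(root: str, iocs: Dict[str, dict] = IOCS):
    """Yield (path, match) for every readable file under root that matches an indicator."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                m = match_ioc(digest_file(path), iocs)
            except OSError:
                continue
            if m:
                yield path, m


if __name__ == "__main__":
    assert validate_table()
    for path, m in scan_dir(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{m['confidence']:15} {m['name']:14} {path}")
```

Size is kept in the table only as a sanity value (the report rounds to KB), so the matcher does not key on it; a padded or appended copy of a dropped file changes every digest anyway, which is why fuzzy matching (the SSDEEP above) exists alongside exact hashes.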

  • Memory dumps, grouped by process and region. Each original entry was named memory/<pid>-<dump index>-<start>-<end>-memory.dmp and its Filesize was end minus start in every case; the same region was dumped repeatedly, so the dump indices are listed together.

    PID 760 (50693545.exe)

    Region                                   Filesize  Dump indices
    0x0000000000260000-0x000000000028D000    180KB     78, 112
    0x0000000000400000-0x0000000000455000    340KB     82, 115
    0x00000000004F0000-0x000000000050A000    104KB     80
    0x0000000000530000-0x0000000000543000     76KB     84, 85, 87, 89, 91, 93, 95, 97, 99, 101, 103, 105, 107, 109, 111
    0x0000000000530000-0x0000000000548000     96KB     83
    0x0000000002170000-0x00000000021B0000    256KB     79, 81, 114

    PID 1632 (rk170223.exe)

    Region                                   Filesize  Dump indices
    0x0000000000240000-0x0000000000286000    280KB     651
    0x0000000002230000-0x000000000226C000    240KB     126
    0x0000000002270000-0x00000000022A5000    212KB     128, 129, 131, 133, 135, 137, 139, 141, 143, 145, 147, 149, 151, 153, 155, 157, 159
    0x0000000002270000-0x00000000022AA000    232KB     127
    0x0000000004B40000-0x0000000004B80000    256KB     653, 655, 657, 924, 926, 927, 929
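
Every dump above is named memory/<pid>-<dump index>-<start>-<end>-memory.dmp, and the sandbox dumps the same region many times (fifteen dumps of 0x530000-0x543000 in PID 760). Added example, not from the report: a parser for that naming that groups dumps by region, recomputes each size from the address range to confirm the Filesize column, and compares the region at the default image base 0x00400000 with the on-disk size of the executable. For PID 760 that region is 340KB against a 259KB file on disk; a PE's mapped size routinely exceeds its raw size, so this alone is not proof of in-memory unpacking, but it is the region to pull first when looking for one. The dump names embedded below are a subset taken from the report; the function names are my own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Subset of the dump names from the report: every distinct region of PID 760,
# two dumps of the repeated 76KB region, and two regions of PID 1632.
DUMPS = [
    "memory/760-78-0x0000000000260000-0x000000000028D000-memory.dmp",
    "memory/760-79-0x0000000002170000-0x00000000021B0000-memory.dmp",
    "memory/760-80-0x00000000004F0000-0x000000000050A000-memory.dmp",
    "memory/760-82-0x0000000000400000-0x0000000000455000-memory.dmp",
    "memory/760-83-0x0000000000530000-0x0000000000548000-memory.dmp",
    "memory/760-84-0x0000000000530000-0x0000000000543000-memory.dmp",
    "memory/760-85-0x0000000000530000-0x0000000000543000-memory.dmp",
    "memory/760-115-0x0000000000400000-0x0000000000455000-memory.dmp",
    "memory/1632-126-0x0000000002230000-0x000000000226C000-memory.dmp",
    "memory/1632-651-0x0000000000240000-0x0000000000286000-memory.dmp",
]
# Filesize values printed in the report for two of those names, for the consistency check.
REPORTED_KB = {
    "memory/760-84-0x0000000000530000-0x0000000000543000-memory.dmp": 76,
    "memory/760-82-0x0000000000400000-0x0000000000455000-memory.dmp": 340,
}
# On-disk sizes of the executables behind each PID, from the Downloads section.
ON_DISK_KB = {760: 259, 1632: 341}

NAME_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump(name: str) -> Tuple[int, int, int, int]:
    """-> (pid, dump index, start address, end address)."""
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name}")
    pid, idx, start, end = m.groups()
    return int(pid), int(idx), int(start, 16), int(end, 16)


def region_kb(start: int, end: int) -> int:
    return (end - start) // 1024


def group_regions(names) -> Dict[Tuple[int, int, int], List[int]]:
    """(pid, start, end) -> sorted indices of every dump taken of that region."""
    groups = defaultdict(list)
    for n in names:
        pid, idx, start, end = parse_dump(n)
        groups[(pid, start, end)].append(idx)
    return {k: sorted(v) for k, v in groups.items()}


def check_sizes(names, reported_kb: Dict[str, int]) -> List[str]:
    """Names whose reported Filesize disagrees with end minus start."""
    bad = []
    for n in names:
        if n in reported_kb:
            _, _, start, end = parse_dump(n)
            if region_kb(start, end) != reported_kb[n]:
                bad.append(n)
    return bad


def image_vs_disk(names, disk_kb: Dict[int, int], base: int = 0x400000) -> Dict[int, Tuple[int, int]]:
    """pid -> (mapped size of the region at the image base, on-disk size) for PIDs with such a region."""
    out = {}
    for (pid, start, end) in group_regions(names):
        if start == base and pid in disk_kb:
            out[pid] = (region_kb(start, end), disk_kb[pid])
    return out


if __name__ == "__main__":
    for (pid, start, end), idxs in sorted(group_regions(DUMPS).items()):
        print(f"pid {pid:<5} {start:#018x}-{end:#018x} {region_kb(start, end):>4}KB dumps {idxs}")
    print("size mismatches:", check_sizes(DUMPS, REPORTED_KB))
    print("image vs disk:", image_vs_disk(DUMPS, ON_DISK_KB))
```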