Analysis
max time kernel: 149s
max time network: 152s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 06-05-2023 20:51
Static task: static1
Behavioral task: behavioral1
  Sample: 1ec6389bd086de5f991ccae10e10477fbcdab3b9069e2beb68ba370cb5d3d50e.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 1ec6389bd086de5f991ccae10e10477fbcdab3b9069e2beb68ba370cb5d3d50e.exe
  Resource: win10v2004-20230220-en
General
Target: 1ec6389bd086de5f991ccae10e10477fbcdab3b9069e2beb68ba370cb5d3d50e.exe
Size: 690KB
MD5: 5c881206fe3f848037cef9f3def76d4f
SHA1: 120ca41618bad4346821bf04f5564d3c7abc50cf
SHA256: 1ec6389bd086de5f991ccae10e10477fbcdab3b9069e2beb68ba370cb5d3d50e
SHA512: 486c56509e30527ac2080829dcf90cd39cd36855ee1a5725d05485008a5fd60424a896183a4f82aa4b367522588d5f756d48c72d21ad9d945a98a540647eac55
SSDEEP: 12288:Hy90u3fBtThNO4+y+GYi7ExQBFzZIJbQGQi78brLErEe6VuTz9UyH2M3:HytfzOy97EqzZqqi78b3ErEe6wTBUq
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | 50693545.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 50693545.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 50693545.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 50693545.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 50693545.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 50693545.exe

Executes dropped EXE 3 IoCs
pid | Process
908 | un441615.exe
760 | 50693545.exe
1632 | rk170223.exe

Loads dropped DLL 8 IoCs
pid | Process
1196 | 1ec6389bd086de5f991ccae10e10477fbcdab3b9069e2beb68ba370cb5d3d50e.exe
908 | un441615.exe
908 | un441615.exe
908 | un441615.exe
760 | 50693545.exe
908 | un441615.exe
908 | un441615.exe
1632 | rk170223.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | 50693545.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 50693545.exe

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 1ec6389bd086de5f991ccae10e10477fbcdab3b9069e2beb68ba370cb5d3d50e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 1ec6389bd086de5f991ccae10e10477fbcdab3b9069e2beb68ba370cb5d3d50e.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un441615.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un441615.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
760 | 50693545.exe
760 | 50693545.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 760 | 50693545.exe
Token: SeDebugPrivilege | 1632 | rk170223.exe

Suspicious use of WriteProcessMemory 21 IoCs
description | pid | Process | procid_target
PID 1196 wrote to memory of 908 | 1196 | 1ec6389bd086de5f991ccae10e10477fbcdab3b9069e2beb68ba370cb5d3d50e.exe | 27
PID 1196 wrote to memory of 908 | 1196 | 1ec6389bd086de5f991ccae10e10477fbcdab3b9069e2beb68ba370cb5d3d50e.exe | 27
PID 1196 wrote to memory of 908 | 1196 | 1ec6389bd086de5f991ccae10e10477fbcdab3b9069e2beb68ba370cb5d3d50e.exe | 27
PID 1196 wrote to memory of 908 | 1196 | 1ec6389bd086de5f991ccae10e10477fbcdab3b9069e2beb68ba370cb5d3d50e.exe | 27
PID 1196 wrote to memory of 908 | 1196 | 1ec6389bd086de5f991ccae10e10477fbcdab3b9069e2beb68ba370cb5d3d50e.exe | 27
PID 1196 wrote to memory of 908 | 1196 | 1ec6389bd086de5f991ccae10e10477fbcdab3b9069e2beb68ba370cb5d3d50e.exe | 27
PID 1196 wrote to memory of 908 | 1196 | 1ec6389bd086de5f991ccae10e10477fbcdab3b9069e2beb68ba370cb5d3d50e.exe | 27
PID 908 wrote to memory of 760 | 908 | un441615.exe | 28
PID 908 wrote to memory of 760 | 908 | un441615.exe | 28
PID 908 wrote to memory of 760 | 908 | un441615.exe | 28
PID 908 wrote to memory of 760 | 908 | un441615.exe | 28
PID 908 wrote to memory of 760 | 908 | un441615.exe | 28
PID 908 wrote to memory of 760 | 908 | un441615.exe | 28
PID 908 wrote to memory of 760 | 908 | un441615.exe | 28
PID 908 wrote to memory of 1632 | 908 | un441615.exe | 29
PID 908 wrote to memory of 1632 | 908 | un441615.exe | 29
PID 908 wrote to memory of 1632 | 908 | un441615.exe | 29
PID 908 wrote to memory of 1632 | 908 | un441615.exe | 29
PID 908 wrote to memory of 1632 | 908 | un441615.exe | 29
PID 908 wrote to memory of 1632 | 908 | un441615.exe | 29
PID 908 wrote to memory of 1632 | 908 | un441615.exe | 29
Processes
C:\Users\Admin\AppData\Local\Temp\1ec6389bd086de5f991ccae10e10477fbcdab3b9069e2beb68ba370cb5d3d50e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1ec6389bd086de5f991ccae10e10477fbcdab3b9069e2beb68ba370cb5d3d50e.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 1196

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un441615.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un441615.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 908

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\50693545.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\50693545.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 760

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk170223.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk170223.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      PID: 1632
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 536KB (this entry appears 4 times in the report)
MD5: 97311a8442e750f8eb41c7931dd7c978
SHA1: 1a182f64b1d8c8aba7ca5ab2c109eb77df999ab4
SHA256: 26ba3939fcb272a0977f6cac58c40197c24b7d236c60f51f60b81b9e27854060
SHA512: 693e0db7907cdd07e0de7646f4e9b4418a45264230c35e948c37eaecbf1bae908248f1cb97388a994ee519044217c6da26b04e84f09d65b9a2dab29203bf143e

Filesize: 259KB (this entry appears 6 times in the report)
MD5: 9f4d59e950ebd1e40be74b06def38ff0
SHA1: a642199119c22303c60b9a8a6d054e8768af3b4a
SHA256: 8878b696843233e7d1c24cf8cf4e4de92c2960ce0de06102740915d4543fcff2
SHA512: 3cda0f396fbc386bb542caae33679136e3ca17f71baddfbdaaddc68cdd4a9310ee230833f729eb01598916c549a614404923f993cb2f2f67acb124302744456b

Filesize: 341KB (this entry appears 6 times in the report)
MD5: 738eef2ef0d029376088067187401c4c
SHA1: 41b7f7026dd752788bd17830712ceef6c0382653
SHA256: de66f0ffc53bdcc00f2ea593b9377b4561ccf801e2e1bb1924da9e3a7f531b24
SHA512: fc26e58c34e7688af0765c6ef0ed8891543ca37b3cc5b2bd89d7ab4c22a903d0a5d5832f2d456b37cc5d79ef9d5a361bd3686b544851cf7485648c728db227f1