1f271567be6e1d3ef6edb068a3afb6f3de43076b906d28cb9466e55e400ab54f

Analysis

max time kernel
150s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f271567be6e1d3ef6edb068a3afb6f3de43076b906d28cb9466e55e400ab54f.exe
Size

685KB
MD5

a535488d1208eb430fef9fa3ccf1f6e8
SHA1

ee7607dd58e4655c4a33eb1b1cf3eb31fd7a2fdf
SHA256

1f271567be6e1d3ef6edb068a3afb6f3de43076b906d28cb9466e55e400ab54f
SHA512

b6161d268bd6038dd2791b8c573dd2620e35ba42e6f0969e4e9c3266d648a3f1cfd73907691e4d1cc2c9798779bfe705ea998505573d4531d2d0caf315b6cbe0
SSDEEP

12288:py902dT4IOxGBG+RVVlMFWyCSKVx5mKZbkNDWYmXZ5Sy8r/3A6Hyd7h:pybdEIOQdMoSy3mLWrXPSbwmWh

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	42094843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	42094843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	42094843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	42094843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	42094843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	42094843.exe

Executes dropped EXE 3 IoCs

pid	Process
1984	un880540.exe
568	42094843.exe
324	rk731241.exe

Loads dropped DLL 8 IoCs

pid	Process
1988	1f271567be6e1d3ef6edb068a3afb6f3de43076b906d28cb9466e55e400ab54f.exe
1984	un880540.exe
1984	un880540.exe
1984	un880540.exe
568	42094843.exe
1984	un880540.exe
1984	un880540.exe
324	rk731241.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	42094843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	42094843.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1f271567be6e1d3ef6edb068a3afb6f3de43076b906d28cb9466e55e400ab54f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un880540.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un880540.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1f271567be6e1d3ef6edb068a3afb6f3de43076b906d28cb9466e55e400ab54f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
568	42094843.exe
568	42094843.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	568	42094843.exe
Token: SeDebugPrivilege	324	rk731241.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1984	1988	1f271567be6e1d3ef6edb068a3afb6f3de43076b906d28cb9466e55e400ab54f.exe	27
PID 1988 wrote to memory of 1984	1988	1f271567be6e1d3ef6edb068a3afb6f3de43076b906d28cb9466e55e400ab54f.exe	27
PID 1988 wrote to memory of 1984	1988	1f271567be6e1d3ef6edb068a3afb6f3de43076b906d28cb9466e55e400ab54f.exe	27
PID 1988 wrote to memory of 1984	1988	1f271567be6e1d3ef6edb068a3afb6f3de43076b906d28cb9466e55e400ab54f.exe	27
PID 1988 wrote to memory of 1984	1988	1f271567be6e1d3ef6edb068a3afb6f3de43076b906d28cb9466e55e400ab54f.exe	27
PID 1988 wrote to memory of 1984	1988	1f271567be6e1d3ef6edb068a3afb6f3de43076b906d28cb9466e55e400ab54f.exe	27
PID 1988 wrote to memory of 1984	1988	1f271567be6e1d3ef6edb068a3afb6f3de43076b906d28cb9466e55e400ab54f.exe	27
PID 1984 wrote to memory of 568	1984	un880540.exe	28
PID 1984 wrote to memory of 568	1984	un880540.exe	28
PID 1984 wrote to memory of 568	1984	un880540.exe	28
PID 1984 wrote to memory of 568	1984	un880540.exe	28
PID 1984 wrote to memory of 568	1984	un880540.exe	28
PID 1984 wrote to memory of 568	1984	un880540.exe	28
PID 1984 wrote to memory of 568	1984	un880540.exe	28
PID 1984 wrote to memory of 324	1984	un880540.exe	29
PID 1984 wrote to memory of 324	1984	un880540.exe	29
PID 1984 wrote to memory of 324	1984	un880540.exe	29
PID 1984 wrote to memory of 324	1984	un880540.exe	29
PID 1984 wrote to memory of 324	1984	un880540.exe	29
PID 1984 wrote to memory of 324	1984	un880540.exe	29
PID 1984 wrote to memory of 324	1984	un880540.exe	29

C:\Users\Admin\AppData\Local\Temp\1f271567be6e1d3ef6edb068a3afb6f3de43076b906d28cb9466e55e400ab54f.exe
"C:\Users\Admin\AppData\Local\Temp\1f271567be6e1d3ef6edb068a3afb6f3de43076b906d28cb9466e55e400ab54f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un880540.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un880540.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42094843.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42094843.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:568
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk731241.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk731241.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un880540.exe

Filesize
531KB

MD5
dd47cee50a17e1022ee2398f113a6c22

SHA1
a4a5824780f2477257dc68b0dc5d43b1c148ca32

SHA256
b0632fed1accbb14070c0191fbbbcc36b0f981f61e403d5c38e9a6f8357c9dd9

SHA512
80be477a45cea718c99f16105a6d191bde25d56d03b50ba8887c7402b76298710fd696f46df6d0b66ca3c47ca991e74841b91712b8418ec492c5560275bef219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un880540.exe

Filesize
531KB

MD5
dd47cee50a17e1022ee2398f113a6c22

SHA1
a4a5824780f2477257dc68b0dc5d43b1c148ca32

SHA256
b0632fed1accbb14070c0191fbbbcc36b0f981f61e403d5c38e9a6f8357c9dd9

SHA512
80be477a45cea718c99f16105a6d191bde25d56d03b50ba8887c7402b76298710fd696f46df6d0b66ca3c47ca991e74841b91712b8418ec492c5560275bef219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42094843.exe

Filesize
249KB

MD5
68cf4b598154c0f8202208bfc69c983a

SHA1
7eb1b010ee6aabbc3f5c367e4844d29a9dad4c14

SHA256
f9f2d7be6fdff3a2989ec9a86e5ea0cb1d23afb298a4b14cd56d5ec94685f347

SHA512
b53da746cd4fecb856116c37869274d6c43993e34f218ec28b45b094f87017717925bc4f09bbadbf05d0c40a2918798a82b35ea255edfd71b671cfc579f83c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42094843.exe

Filesize
249KB

MD5
68cf4b598154c0f8202208bfc69c983a

SHA1
7eb1b010ee6aabbc3f5c367e4844d29a9dad4c14

SHA256
f9f2d7be6fdff3a2989ec9a86e5ea0cb1d23afb298a4b14cd56d5ec94685f347

SHA512
b53da746cd4fecb856116c37869274d6c43993e34f218ec28b45b094f87017717925bc4f09bbadbf05d0c40a2918798a82b35ea255edfd71b671cfc579f83c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42094843.exe

Filesize
249KB

MD5
68cf4b598154c0f8202208bfc69c983a

SHA1
7eb1b010ee6aabbc3f5c367e4844d29a9dad4c14

SHA256
f9f2d7be6fdff3a2989ec9a86e5ea0cb1d23afb298a4b14cd56d5ec94685f347

SHA512
b53da746cd4fecb856116c37869274d6c43993e34f218ec28b45b094f87017717925bc4f09bbadbf05d0c40a2918798a82b35ea255edfd71b671cfc579f83c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk731241.exe

Filesize
332KB

MD5
5b43d5c5f3670cbb7b9065cde42aa509

SHA1
31e574bfb5439d0f8f39407dda555b2c7e5c21e6

SHA256
01b97fe861bb19bcf3680a56a04f3b382d87d4d032bafc5f5d4e1e1b26e51679

SHA512
154a1880da5e3b667e30243ac0a4c73b35cbac526ab650140340119089194c187d7dd9133035c988599438db742c61ebc80cac4173d303fd5ec4b57ec14e4239

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk731241.exe

Filesize
332KB

MD5
5b43d5c5f3670cbb7b9065cde42aa509

SHA1
31e574bfb5439d0f8f39407dda555b2c7e5c21e6

SHA256
01b97fe861bb19bcf3680a56a04f3b382d87d4d032bafc5f5d4e1e1b26e51679

SHA512
154a1880da5e3b667e30243ac0a4c73b35cbac526ab650140340119089194c187d7dd9133035c988599438db742c61ebc80cac4173d303fd5ec4b57ec14e4239

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk731241.exe

Filesize
332KB

MD5
5b43d5c5f3670cbb7b9065cde42aa509

SHA1
31e574bfb5439d0f8f39407dda555b2c7e5c21e6

SHA256
01b97fe861bb19bcf3680a56a04f3b382d87d4d032bafc5f5d4e1e1b26e51679

SHA512
154a1880da5e3b667e30243ac0a4c73b35cbac526ab650140340119089194c187d7dd9133035c988599438db742c61ebc80cac4173d303fd5ec4b57ec14e4239

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un880540.exe

Filesize
531KB

MD5
dd47cee50a17e1022ee2398f113a6c22

SHA1
a4a5824780f2477257dc68b0dc5d43b1c148ca32

SHA256
b0632fed1accbb14070c0191fbbbcc36b0f981f61e403d5c38e9a6f8357c9dd9

SHA512
80be477a45cea718c99f16105a6d191bde25d56d03b50ba8887c7402b76298710fd696f46df6d0b66ca3c47ca991e74841b91712b8418ec492c5560275bef219

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un880540.exe

Filesize
531KB

MD5
dd47cee50a17e1022ee2398f113a6c22

SHA1
a4a5824780f2477257dc68b0dc5d43b1c148ca32

SHA256
b0632fed1accbb14070c0191fbbbcc36b0f981f61e403d5c38e9a6f8357c9dd9

SHA512
80be477a45cea718c99f16105a6d191bde25d56d03b50ba8887c7402b76298710fd696f46df6d0b66ca3c47ca991e74841b91712b8418ec492c5560275bef219

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\42094843.exe

Filesize
249KB

MD5
68cf4b598154c0f8202208bfc69c983a

SHA1
7eb1b010ee6aabbc3f5c367e4844d29a9dad4c14

SHA256
f9f2d7be6fdff3a2989ec9a86e5ea0cb1d23afb298a4b14cd56d5ec94685f347

SHA512
b53da746cd4fecb856116c37869274d6c43993e34f218ec28b45b094f87017717925bc4f09bbadbf05d0c40a2918798a82b35ea255edfd71b671cfc579f83c30

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\42094843.exe

Filesize
249KB

MD5
68cf4b598154c0f8202208bfc69c983a

SHA1
7eb1b010ee6aabbc3f5c367e4844d29a9dad4c14

SHA256
f9f2d7be6fdff3a2989ec9a86e5ea0cb1d23afb298a4b14cd56d5ec94685f347

SHA512
b53da746cd4fecb856116c37869274d6c43993e34f218ec28b45b094f87017717925bc4f09bbadbf05d0c40a2918798a82b35ea255edfd71b671cfc579f83c30

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\42094843.exe

Filesize
249KB

MD5
68cf4b598154c0f8202208bfc69c983a

SHA1
7eb1b010ee6aabbc3f5c367e4844d29a9dad4c14

SHA256
f9f2d7be6fdff3a2989ec9a86e5ea0cb1d23afb298a4b14cd56d5ec94685f347

SHA512
b53da746cd4fecb856116c37869274d6c43993e34f218ec28b45b094f87017717925bc4f09bbadbf05d0c40a2918798a82b35ea255edfd71b671cfc579f83c30

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk731241.exe

Filesize
332KB

MD5
5b43d5c5f3670cbb7b9065cde42aa509

SHA1
31e574bfb5439d0f8f39407dda555b2c7e5c21e6

SHA256
01b97fe861bb19bcf3680a56a04f3b382d87d4d032bafc5f5d4e1e1b26e51679

SHA512
154a1880da5e3b667e30243ac0a4c73b35cbac526ab650140340119089194c187d7dd9133035c988599438db742c61ebc80cac4173d303fd5ec4b57ec14e4239

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk731241.exe

Filesize
332KB

MD5
5b43d5c5f3670cbb7b9065cde42aa509

SHA1
31e574bfb5439d0f8f39407dda555b2c7e5c21e6

SHA256
01b97fe861bb19bcf3680a56a04f3b382d87d4d032bafc5f5d4e1e1b26e51679

SHA512
154a1880da5e3b667e30243ac0a4c73b35cbac526ab650140340119089194c187d7dd9133035c988599438db742c61ebc80cac4173d303fd5ec4b57ec14e4239

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk731241.exe

Filesize
332KB

MD5
5b43d5c5f3670cbb7b9065cde42aa509

SHA1
31e574bfb5439d0f8f39407dda555b2c7e5c21e6

SHA256
01b97fe861bb19bcf3680a56a04f3b382d87d4d032bafc5f5d4e1e1b26e51679

SHA512
154a1880da5e3b667e30243ac0a4c73b35cbac526ab650140340119089194c187d7dd9133035c988599438db742c61ebc80cac4173d303fd5ec4b57ec14e4239

Download Submit
memory/324-148-0x0000000003640000-0x0000000003675000-memory.dmp

Filesize
212KB

Download
memory/324-134-0x0000000003640000-0x0000000003675000-memory.dmp

Filesize
212KB

Download
memory/324-152-0x0000000003640000-0x0000000003675000-memory.dmp

Filesize
212KB

Download
memory/324-150-0x0000000003640000-0x0000000003675000-memory.dmp

Filesize
212KB

Download
memory/324-125-0x0000000003640000-0x0000000003675000-memory.dmp

Filesize
212KB

Download
memory/324-146-0x0000000003640000-0x0000000003675000-memory.dmp

Filesize
212KB

Download
memory/324-144-0x0000000003640000-0x0000000003675000-memory.dmp

Filesize
212KB

Download
memory/324-142-0x0000000003640000-0x0000000003675000-memory.dmp

Filesize
212KB

Download
memory/324-138-0x0000000003640000-0x0000000003675000-memory.dmp

Filesize
212KB

Download
memory/324-140-0x0000000003640000-0x0000000003675000-memory.dmp

Filesize
212KB

Download
memory/324-136-0x0000000003640000-0x0000000003675000-memory.dmp

Filesize
212KB

Download
memory/324-154-0x0000000003640000-0x0000000003675000-memory.dmp

Filesize
212KB

Download
memory/324-132-0x0000000003640000-0x0000000003675000-memory.dmp

Filesize
212KB

Download
memory/324-130-0x0000000003640000-0x0000000003675000-memory.dmp

Filesize
212KB

Download
memory/324-128-0x0000000003640000-0x0000000003675000-memory.dmp

Filesize
212KB

Download
memory/324-126-0x0000000003640000-0x0000000003675000-memory.dmp

Filesize
212KB

Download
memory/324-156-0x0000000003640000-0x0000000003675000-memory.dmp

Filesize
212KB

Download
memory/324-158-0x0000000003640000-0x0000000003675000-memory.dmp

Filesize
212KB

Download
memory/324-203-0x0000000000390000-0x00000000003D6000-memory.dmp

Filesize
280KB

Download
memory/324-205-0x0000000007150000-0x0000000007190000-memory.dmp

Filesize
256KB

Download
memory/324-207-0x0000000007150000-0x0000000007190000-memory.dmp

Filesize
256KB

Download
memory/324-211-0x0000000007150000-0x0000000007190000-memory.dmp

Filesize
256KB

Download
memory/324-123-0x0000000003540000-0x000000000357C000-memory.dmp

Filesize
240KB

Download
memory/324-124-0x0000000003640000-0x000000000367A000-memory.dmp

Filesize
232KB

Download
memory/568-92-0x0000000006F70000-0x0000000006F83000-memory.dmp

Filesize
76KB

Download
memory/568-112-0x0000000000400000-0x0000000002B9A000-memory.dmp

Filesize
39.6MB

Download
memory/568-111-0x0000000000400000-0x0000000002B9A000-memory.dmp

Filesize
39.6MB

Download
memory/568-110-0x0000000006F30000-0x0000000006F70000-memory.dmp

Filesize
256KB

Download
memory/568-109-0x0000000006F30000-0x0000000006F70000-memory.dmp

Filesize
256KB

Download
memory/568-84-0x0000000006F70000-0x0000000006F83000-memory.dmp

Filesize
76KB

Download
memory/568-86-0x0000000006F70000-0x0000000006F83000-memory.dmp

Filesize
76KB

Download
memory/568-88-0x0000000006F70000-0x0000000006F83000-memory.dmp

Filesize
76KB

Download
memory/568-90-0x0000000006F70000-0x0000000006F83000-memory.dmp

Filesize
76KB

Download
memory/568-94-0x0000000006F70000-0x0000000006F83000-memory.dmp

Filesize
76KB

Download
memory/568-96-0x0000000006F70000-0x0000000006F83000-memory.dmp

Filesize
76KB

Download
memory/568-98-0x0000000006F70000-0x0000000006F83000-memory.dmp

Filesize
76KB

Download
memory/568-102-0x0000000006F70000-0x0000000006F83000-memory.dmp

Filesize
76KB

Download
memory/568-104-0x0000000006F70000-0x0000000006F83000-memory.dmp

Filesize
76KB

Download
memory/568-106-0x0000000006F70000-0x0000000006F83000-memory.dmp

Filesize
76KB

Download
memory/568-108-0x0000000006F70000-0x0000000006F83000-memory.dmp

Filesize
76KB

Download
memory/568-100-0x0000000006F70000-0x0000000006F83000-memory.dmp

Filesize
76KB

Download
memory/568-81-0x0000000006F70000-0x0000000006F83000-memory.dmp

Filesize
76KB

Download
memory/568-82-0x0000000006F70000-0x0000000006F83000-memory.dmp

Filesize
76KB

Download
memory/568-80-0x0000000006F70000-0x0000000006F88000-memory.dmp

Filesize
96KB

Download
memory/568-79-0x00000000047B0000-0x00000000047CA000-memory.dmp

Filesize
104KB

Download
memory/568-78-0x0000000000270000-0x000000000029D000-memory.dmp

Filesize
180KB

Download