226205b1b51edba084f586c5bf32715597a2692ac73256eabba2a21e453fca43

Analysis

max time kernel
147s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

226205b1b51edba084f586c5bf32715597a2692ac73256eabba2a21e453fca43.exe
Size

1.1MB
MD5

804d436b388f5038bb4dd7d00242c29f
SHA1

7ef599cfb5ed3a7a7a9be53f1564eac79ddef6a3
SHA256

226205b1b51edba084f586c5bf32715597a2692ac73256eabba2a21e453fca43
SHA512

27d5f2b5ad6c9b8a6da520b11a144269b751078c4dc1db2d4bce4725ebf4b1c2207a4a6beba4a9c8b22fe0ea8b9c3d0db13df8de161f348af3df9ed01e2d24a2
SSDEEP

24576:4yOyhE63YTrmkrShjpj1XKVNZ1ESqt6FpJ8bHX7/Ob9:/CJbkjN1X+FpezL

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	190624236.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	190624236.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	267147961.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	267147961.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	190624236.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	190624236.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	267147961.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	267147961.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	267147961.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	190624236.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	190624236.exe

Executes dropped EXE 5 IoCs

pid	Process
3204	yQ753100.exe
1308	GQ908144.exe
3780	gB940256.exe
3496	190624236.exe
3436	267147961.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	190624236.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	190624236.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	267147961.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	gB940256.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	gB940256.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	226205b1b51edba084f586c5bf32715597a2692ac73256eabba2a21e453fca43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	226205b1b51edba084f586c5bf32715597a2692ac73256eabba2a21e453fca43.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	yQ753100.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	yQ753100.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	GQ908144.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	GQ908144.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
940	3436	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3496	190624236.exe
3496	190624236.exe
3436	267147961.exe
3436	267147961.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3496	190624236.exe
Token: SeDebugPrivilege	3436	267147961.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3772 wrote to memory of 3204	3772	226205b1b51edba084f586c5bf32715597a2692ac73256eabba2a21e453fca43.exe	84
PID 3772 wrote to memory of 3204	3772	226205b1b51edba084f586c5bf32715597a2692ac73256eabba2a21e453fca43.exe	84
PID 3772 wrote to memory of 3204	3772	226205b1b51edba084f586c5bf32715597a2692ac73256eabba2a21e453fca43.exe	84
PID 3204 wrote to memory of 1308	3204	yQ753100.exe	85
PID 3204 wrote to memory of 1308	3204	yQ753100.exe	85
PID 3204 wrote to memory of 1308	3204	yQ753100.exe	85
PID 1308 wrote to memory of 3780	1308	GQ908144.exe	86
PID 1308 wrote to memory of 3780	1308	GQ908144.exe	86
PID 1308 wrote to memory of 3780	1308	GQ908144.exe	86
PID 3780 wrote to memory of 3496	3780	gB940256.exe	88
PID 3780 wrote to memory of 3496	3780	gB940256.exe	88
PID 3780 wrote to memory of 3496	3780	gB940256.exe	88
PID 3780 wrote to memory of 3436	3780	gB940256.exe	89
PID 3780 wrote to memory of 3436	3780	gB940256.exe	89
PID 3780 wrote to memory of 3436	3780	gB940256.exe	89

C:\Users\Admin\AppData\Local\Temp\226205b1b51edba084f586c5bf32715597a2692ac73256eabba2a21e453fca43.exe
"C:\Users\Admin\AppData\Local\Temp\226205b1b51edba084f586c5bf32715597a2692ac73256eabba2a21e453fca43.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3772
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yQ753100.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yQ753100.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GQ908144.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GQ908144.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1308
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gB940256.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gB940256.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3780
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\190624236.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\190624236.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3496
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\267147961.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\267147961.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3436
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1076
        6⤵
        Program crash
        
        PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3436 -ip 3436
1⤵
PID:4868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yQ753100.exe

Filesize
929KB

MD5
eefbd3f0029930ec7a2f9fb25a1f87f3

SHA1
6a1fa6bbcbbf0730ce9d51a42ca322005d17c278

SHA256
259a433145309e9becdc9f1084f02940d28391eb7ec7eb9a378ac899a0715d40

SHA512
9b4aa7925a75b25eccd809eff3ada0f7e045d844d2822c60dc961f0dad4329f51f28145d6928319d6dbbf66e66e2bcf821e6d75a1ecbe998c696da128fb2be24

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yQ753100.exe

Filesize
929KB

MD5
eefbd3f0029930ec7a2f9fb25a1f87f3

SHA1
6a1fa6bbcbbf0730ce9d51a42ca322005d17c278

SHA256
259a433145309e9becdc9f1084f02940d28391eb7ec7eb9a378ac899a0715d40

SHA512
9b4aa7925a75b25eccd809eff3ada0f7e045d844d2822c60dc961f0dad4329f51f28145d6928319d6dbbf66e66e2bcf821e6d75a1ecbe998c696da128fb2be24

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GQ908144.exe

Filesize
577KB

MD5
c98e184ae653ea33b412bde0a4341698

SHA1
ba6227b1065dcab1a54c97210940264abf7d1f99

SHA256
78544b0d6477cef1000aff34cf85acf9766a7b5bd6cc97856e27046b5daa2ee4

SHA512
7257f178964e8a74f9a69e759d5f4bb21acc0207d8c41b0b74ca3a3786b9d6dfc1382f61442d73d19027c64df7244608d0cf970381e4489006fb7ca544438d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GQ908144.exe

Filesize
577KB

MD5
c98e184ae653ea33b412bde0a4341698

SHA1
ba6227b1065dcab1a54c97210940264abf7d1f99

SHA256
78544b0d6477cef1000aff34cf85acf9766a7b5bd6cc97856e27046b5daa2ee4

SHA512
7257f178964e8a74f9a69e759d5f4bb21acc0207d8c41b0b74ca3a3786b9d6dfc1382f61442d73d19027c64df7244608d0cf970381e4489006fb7ca544438d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gB940256.exe

Filesize
405KB

MD5
41231628f75e141616b2b03457efa657

SHA1
1021aa26603dcd257bb475a4809b06dc1f934d4e

SHA256
72d9fef7b908caebadec70c2a89983e7f83b248876a8ba28a89d963b36cd72fa

SHA512
388ffe5d61c86025fd65c42f0c091fbb3dc677e862465f06b2877a894225816503d26cf6fff5577b4a334e7bf913a280b3fc761a59223ca8ef063818fa0a67cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gB940256.exe

Filesize
405KB

MD5
41231628f75e141616b2b03457efa657

SHA1
1021aa26603dcd257bb475a4809b06dc1f934d4e

SHA256
72d9fef7b908caebadec70c2a89983e7f83b248876a8ba28a89d963b36cd72fa

SHA512
388ffe5d61c86025fd65c42f0c091fbb3dc677e862465f06b2877a894225816503d26cf6fff5577b4a334e7bf913a280b3fc761a59223ca8ef063818fa0a67cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\190624236.exe

Filesize
176KB

MD5
2b71f4b18ac8214a2bff547b6ce2f64f

SHA1
b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5

SHA256
f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc

SHA512
33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\190624236.exe

Filesize
176KB

MD5
2b71f4b18ac8214a2bff547b6ce2f64f

SHA1
b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5

SHA256
f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc

SHA512
33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\267147961.exe

Filesize
258KB

MD5
783116fc1a6a20b89c4d7e8100558299

SHA1
f1c63af919bb946b643dac8b4230c6341ad31ee5

SHA256
8d4a55ce735e8df8ca0a637ad0bec2c0b5d0cdf3dcdccff4cb1039c5d6988f65

SHA512
46ab1f216363480d4db80520f66846fd7a3841878ff68d3e6feb3735c683e350e606039ea46e1525db6e438674aaa2c22b24ed047890a5b852628df0c899c0fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\267147961.exe

Filesize
258KB

MD5
783116fc1a6a20b89c4d7e8100558299

SHA1
f1c63af919bb946b643dac8b4230c6341ad31ee5

SHA256
8d4a55ce735e8df8ca0a637ad0bec2c0b5d0cdf3dcdccff4cb1039c5d6988f65

SHA512
46ab1f216363480d4db80520f66846fd7a3841878ff68d3e6feb3735c683e350e606039ea46e1525db6e438674aaa2c22b24ed047890a5b852628df0c899c0fc

Download Submit
memory/3436-237-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/3436-234-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/3436-233-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/3436-232-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/3436-231-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/3436-230-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/3436-229-0x0000000002CC0000-0x0000000002CED000-memory.dmp

Filesize
180KB

Download
memory/3436-235-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/3496-163-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/3496-195-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/3496-174-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3496-184-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3496-182-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3496-186-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3496-188-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3496-190-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3496-192-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3496-193-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/3496-194-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/3496-176-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3496-180-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3496-178-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3496-172-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3496-170-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3496-168-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3496-166-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3496-165-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/3496-164-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/3496-162-0x0000000004980000-0x0000000004F24000-memory.dmp

Filesize
5.6MB

Download
memory/3496-161-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download