21a0d9848733e2ff99df508be706d562932695da05186fd52d832e2dc1fb1e84

Analysis

max time kernel
253s
max time network
341s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21a0d9848733e2ff99df508be706d562932695da05186fd52d832e2dc1fb1e84.exe
Size

618KB
MD5

f4e2a3ad55df1a84fa32f2a3a396f75e
SHA1

9e1c4f29d65a68c93599688c0b83de1fefade2b4
SHA256

21a0d9848733e2ff99df508be706d562932695da05186fd52d832e2dc1fb1e84
SHA512

d1667915ee72608e84f21afa33d829c274510e52ea656b75f17ecff70d6ca270083a87bfba90f1b705309a8e4763840ae1b022cac910c06ada3a309744840bee
SSDEEP

12288:Qy90o5UfrRk63dq6vJI7FYfAPYRKhsVPTs2FQe6/qr9wl:QyR5qmCzvO5QKYYhsVPTs2y3

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	15968789.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	15968789.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	15968789.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	15968789.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	15968789.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	15968789.exe

Executes dropped EXE 3 IoCs

pid	Process
620	st935675.exe
988	15968789.exe
1420	kp167459.exe

Loads dropped DLL 6 IoCs

pid	Process
520	21a0d9848733e2ff99df508be706d562932695da05186fd52d832e2dc1fb1e84.exe
620	st935675.exe
620	st935675.exe
620	st935675.exe
620	st935675.exe
1420	kp167459.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	15968789.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	15968789.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	21a0d9848733e2ff99df508be706d562932695da05186fd52d832e2dc1fb1e84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	21a0d9848733e2ff99df508be706d562932695da05186fd52d832e2dc1fb1e84.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	st935675.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st935675.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
988	15968789.exe
988	15968789.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	988	15968789.exe
Token: SeDebugPrivilege	1420	kp167459.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 520 wrote to memory of 620	520	21a0d9848733e2ff99df508be706d562932695da05186fd52d832e2dc1fb1e84.exe	27
PID 520 wrote to memory of 620	520	21a0d9848733e2ff99df508be706d562932695da05186fd52d832e2dc1fb1e84.exe	27
PID 520 wrote to memory of 620	520	21a0d9848733e2ff99df508be706d562932695da05186fd52d832e2dc1fb1e84.exe	27
PID 520 wrote to memory of 620	520	21a0d9848733e2ff99df508be706d562932695da05186fd52d832e2dc1fb1e84.exe	27
PID 520 wrote to memory of 620	520	21a0d9848733e2ff99df508be706d562932695da05186fd52d832e2dc1fb1e84.exe	27
PID 520 wrote to memory of 620	520	21a0d9848733e2ff99df508be706d562932695da05186fd52d832e2dc1fb1e84.exe	27
PID 520 wrote to memory of 620	520	21a0d9848733e2ff99df508be706d562932695da05186fd52d832e2dc1fb1e84.exe	27
PID 620 wrote to memory of 988	620	st935675.exe	28
PID 620 wrote to memory of 988	620	st935675.exe	28
PID 620 wrote to memory of 988	620	st935675.exe	28
PID 620 wrote to memory of 988	620	st935675.exe	28
PID 620 wrote to memory of 988	620	st935675.exe	28
PID 620 wrote to memory of 988	620	st935675.exe	28
PID 620 wrote to memory of 988	620	st935675.exe	28
PID 620 wrote to memory of 1420	620	st935675.exe	29
PID 620 wrote to memory of 1420	620	st935675.exe	29
PID 620 wrote to memory of 1420	620	st935675.exe	29
PID 620 wrote to memory of 1420	620	st935675.exe	29
PID 620 wrote to memory of 1420	620	st935675.exe	29
PID 620 wrote to memory of 1420	620	st935675.exe	29
PID 620 wrote to memory of 1420	620	st935675.exe	29

C:\Users\Admin\AppData\Local\Temp\21a0d9848733e2ff99df508be706d562932695da05186fd52d832e2dc1fb1e84.exe
"C:\Users\Admin\AppData\Local\Temp\21a0d9848733e2ff99df508be706d562932695da05186fd52d832e2dc1fb1e84.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:520
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st935675.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st935675.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\15968789.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\15968789.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:988
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp167459.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp167459.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st935675.exe

Filesize
464KB

MD5
cf80f6dde7471fa66217e09531b0408f

SHA1
2bff57f4a56eb362fd7f85ffdf6ff0630fbee293

SHA256
c92ea110db222121e3a056248d7879de458193374766c1c2c64b54ce5e2e86ad

SHA512
e0102854c4247aedc747fcd6ad7565af4d836357b6e3cd656030c49ff92142986c6859fdd31c06256f11eacd162e88632a9279784e9301f83a95cf247cad86fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st935675.exe

Filesize
464KB

MD5
cf80f6dde7471fa66217e09531b0408f

SHA1
2bff57f4a56eb362fd7f85ffdf6ff0630fbee293

SHA256
c92ea110db222121e3a056248d7879de458193374766c1c2c64b54ce5e2e86ad

SHA512
e0102854c4247aedc747fcd6ad7565af4d836357b6e3cd656030c49ff92142986c6859fdd31c06256f11eacd162e88632a9279784e9301f83a95cf247cad86fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\15968789.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\15968789.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp167459.exe

Filesize
478KB

MD5
53a550c71434300c3c799600c3a90aa0

SHA1
7d3228855e56364adaf0f56c47e2418d3e6b868e

SHA256
8bd1e953ea28869fa796e95ffc8b17b539f97efc87f1cbbbe0843c912b1c23b3

SHA512
aef59bfc54e250bd05541eb1e5aae6e9d02f5d7ec254a1022ea6a869d5e71a9a4d686d25892a4d69e5a36cbbb31d756a498534de06427ee1b9de1475bb08635f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp167459.exe

Filesize
478KB

MD5
53a550c71434300c3c799600c3a90aa0

SHA1
7d3228855e56364adaf0f56c47e2418d3e6b868e

SHA256
8bd1e953ea28869fa796e95ffc8b17b539f97efc87f1cbbbe0843c912b1c23b3

SHA512
aef59bfc54e250bd05541eb1e5aae6e9d02f5d7ec254a1022ea6a869d5e71a9a4d686d25892a4d69e5a36cbbb31d756a498534de06427ee1b9de1475bb08635f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp167459.exe

Filesize
478KB

MD5
53a550c71434300c3c799600c3a90aa0

SHA1
7d3228855e56364adaf0f56c47e2418d3e6b868e

SHA256
8bd1e953ea28869fa796e95ffc8b17b539f97efc87f1cbbbe0843c912b1c23b3

SHA512
aef59bfc54e250bd05541eb1e5aae6e9d02f5d7ec254a1022ea6a869d5e71a9a4d686d25892a4d69e5a36cbbb31d756a498534de06427ee1b9de1475bb08635f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st935675.exe

Filesize
464KB

MD5
cf80f6dde7471fa66217e09531b0408f

SHA1
2bff57f4a56eb362fd7f85ffdf6ff0630fbee293

SHA256
c92ea110db222121e3a056248d7879de458193374766c1c2c64b54ce5e2e86ad

SHA512
e0102854c4247aedc747fcd6ad7565af4d836357b6e3cd656030c49ff92142986c6859fdd31c06256f11eacd162e88632a9279784e9301f83a95cf247cad86fd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st935675.exe

Filesize
464KB

MD5
cf80f6dde7471fa66217e09531b0408f

SHA1
2bff57f4a56eb362fd7f85ffdf6ff0630fbee293

SHA256
c92ea110db222121e3a056248d7879de458193374766c1c2c64b54ce5e2e86ad

SHA512
e0102854c4247aedc747fcd6ad7565af4d836357b6e3cd656030c49ff92142986c6859fdd31c06256f11eacd162e88632a9279784e9301f83a95cf247cad86fd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\15968789.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp167459.exe

Filesize
478KB

MD5
53a550c71434300c3c799600c3a90aa0

SHA1
7d3228855e56364adaf0f56c47e2418d3e6b868e

SHA256
8bd1e953ea28869fa796e95ffc8b17b539f97efc87f1cbbbe0843c912b1c23b3

SHA512
aef59bfc54e250bd05541eb1e5aae6e9d02f5d7ec254a1022ea6a869d5e71a9a4d686d25892a4d69e5a36cbbb31d756a498534de06427ee1b9de1475bb08635f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp167459.exe

Filesize
478KB

MD5
53a550c71434300c3c799600c3a90aa0

SHA1
7d3228855e56364adaf0f56c47e2418d3e6b868e

SHA256
8bd1e953ea28869fa796e95ffc8b17b539f97efc87f1cbbbe0843c912b1c23b3

SHA512
aef59bfc54e250bd05541eb1e5aae6e9d02f5d7ec254a1022ea6a869d5e71a9a4d686d25892a4d69e5a36cbbb31d756a498534de06427ee1b9de1475bb08635f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp167459.exe

Filesize
478KB

MD5
53a550c71434300c3c799600c3a90aa0

SHA1
7d3228855e56364adaf0f56c47e2418d3e6b868e

SHA256
8bd1e953ea28869fa796e95ffc8b17b539f97efc87f1cbbbe0843c912b1c23b3

SHA512
aef59bfc54e250bd05541eb1e5aae6e9d02f5d7ec254a1022ea6a869d5e71a9a4d686d25892a4d69e5a36cbbb31d756a498534de06427ee1b9de1475bb08635f

Download Submit
memory/988-72-0x0000000000D10000-0x0000000000D1A000-memory.dmp

Filesize
40KB

Download
memory/1420-103-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-117-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-85-0x0000000000F60000-0x0000000000F9C000-memory.dmp

Filesize
240KB

Download
memory/1420-86-0x0000000002830000-0x0000000002870000-memory.dmp

Filesize
256KB

Download
memory/1420-87-0x0000000002830000-0x0000000002870000-memory.dmp

Filesize
256KB

Download
memory/1420-88-0x0000000002830000-0x0000000002870000-memory.dmp

Filesize
256KB

Download
memory/1420-89-0x00000000024E0000-0x000000000251A000-memory.dmp

Filesize
232KB

Download
memory/1420-90-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-91-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-93-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-95-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-97-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-99-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-101-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-83-0x0000000000240000-0x0000000000286000-memory.dmp

Filesize
280KB

Download
memory/1420-105-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-107-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-109-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-111-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-113-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-115-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-84-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/1420-119-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-121-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-123-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-125-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-127-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-129-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-131-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-133-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-135-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-137-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-139-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-141-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-143-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-145-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-147-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-149-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-151-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1420-882-0x0000000002830000-0x0000000002870000-memory.dmp

Filesize
256KB

Download
memory/1420-884-0x0000000002830000-0x0000000002870000-memory.dmp

Filesize
256KB

Download
memory/1420-885-0x0000000002830000-0x0000000002870000-memory.dmp

Filesize
256KB

Download
memory/1420-886-0x0000000002830000-0x0000000002870000-memory.dmp

Filesize
256KB

Download
memory/1420-888-0x0000000002830000-0x0000000002870000-memory.dmp

Filesize
256KB

Download