246315094cc01d004867beda576d7a504fc73fbcff0842b05585ae6906ef0050

Analysis

max time kernel
147s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

246315094cc01d004867beda576d7a504fc73fbcff0842b05585ae6906ef0050.exe
Size

1.1MB
MD5

ebb1c7dc22e548d37d97e13f784e2738
SHA1

eda62e9de88afa3af46e493fb3e0419c064a7d08
SHA256

246315094cc01d004867beda576d7a504fc73fbcff0842b05585ae6906ef0050
SHA512

b86381e5102605c7acc680007f3c7c0b75ea7549b190b5a9bba0b48b6c97c80c5b70ddb787333eeea99f1cb094b7adb975b4cca12b0b110e33efa2ab4c8fbdbe
SSDEEP

24576:myMjyzJJ21fZqiGqFCYPeSH7m6xp82d56Fsm8bhkw:1CyNJ8Eq9Pe8/nBwsL1

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	162725861.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	162725861.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	162725861.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	162725861.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	264053598.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	264053598.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	162725861.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	162725861.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	264053598.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	264053598.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	264053598.exe

Executes dropped EXE 6 IoCs

pid	Process
4496	gW348704.exe
404	hf784976.exe
4216	gc630402.exe
232	162725861.exe
4868	264053598.exe
2772	377761923.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	162725861.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	162725861.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	264053598.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	246315094cc01d004867beda576d7a504fc73fbcff0842b05585ae6906ef0050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	246315094cc01d004867beda576d7a504fc73fbcff0842b05585ae6906ef0050.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	gW348704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	gW348704.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	hf784976.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	hf784976.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	gc630402.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	gc630402.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2672	4868	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
232	162725861.exe
232	162725861.exe
4868	264053598.exe
4868	264053598.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	232	162725861.exe
Token: SeDebugPrivilege	4868	264053598.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 4496	532	246315094cc01d004867beda576d7a504fc73fbcff0842b05585ae6906ef0050.exe	87
PID 532 wrote to memory of 4496	532	246315094cc01d004867beda576d7a504fc73fbcff0842b05585ae6906ef0050.exe	87
PID 532 wrote to memory of 4496	532	246315094cc01d004867beda576d7a504fc73fbcff0842b05585ae6906ef0050.exe	87
PID 4496 wrote to memory of 404	4496	gW348704.exe	88
PID 4496 wrote to memory of 404	4496	gW348704.exe	88
PID 4496 wrote to memory of 404	4496	gW348704.exe	88
PID 404 wrote to memory of 4216	404	hf784976.exe	89
PID 404 wrote to memory of 4216	404	hf784976.exe	89
PID 404 wrote to memory of 4216	404	hf784976.exe	89
PID 4216 wrote to memory of 232	4216	gc630402.exe	91
PID 4216 wrote to memory of 232	4216	gc630402.exe	91
PID 4216 wrote to memory of 232	4216	gc630402.exe	91
PID 4216 wrote to memory of 4868	4216	gc630402.exe	92
PID 4216 wrote to memory of 4868	4216	gc630402.exe	92
PID 4216 wrote to memory of 4868	4216	gc630402.exe	92
PID 404 wrote to memory of 2772	404	hf784976.exe	95
PID 404 wrote to memory of 2772	404	hf784976.exe	95
PID 404 wrote to memory of 2772	404	hf784976.exe	95

C:\Users\Admin\AppData\Local\Temp\246315094cc01d004867beda576d7a504fc73fbcff0842b05585ae6906ef0050.exe
"C:\Users\Admin\AppData\Local\Temp\246315094cc01d004867beda576d7a504fc73fbcff0842b05585ae6906ef0050.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:532
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gW348704.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gW348704.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hf784976.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hf784976.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:404
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gc630402.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gc630402.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4216
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\162725861.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\162725861.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:232
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\264053598.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\264053598.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4868
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1084
        6⤵
        Program crash
        
        PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\377761923.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\377761923.exe
      4⤵
      Executes dropped EXE
      PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4868 -ip 4868
1⤵
PID:728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gW348704.exe

Filesize
929KB

MD5
8e33194acc2e4d409d7c62bf2844b177

SHA1
e37e15c3d9cf859aec45511a8e144a109622325a

SHA256
3008e6eb3d78beff2089010f9a30613dcbc5a3fbf3f4b7cb3eb53c9c67424f3e

SHA512
1e1307de53feb059aeb6b87530a5f41345db14c4fda6015f2aa46c35a9a7b299b3fd759e600c8c825babc2e01a1e5902c88ef9a3b1faa5fead74de24cddc36fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gW348704.exe

Filesize
929KB

MD5
8e33194acc2e4d409d7c62bf2844b177

SHA1
e37e15c3d9cf859aec45511a8e144a109622325a

SHA256
3008e6eb3d78beff2089010f9a30613dcbc5a3fbf3f4b7cb3eb53c9c67424f3e

SHA512
1e1307de53feb059aeb6b87530a5f41345db14c4fda6015f2aa46c35a9a7b299b3fd759e600c8c825babc2e01a1e5902c88ef9a3b1faa5fead74de24cddc36fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hf784976.exe

Filesize
577KB

MD5
e9016250f44d344556c345597a8ee90a

SHA1
04164ffbbaff7b061299cba95d7b463910965225

SHA256
cc200d4116de90f6da6a8b7111fb54d193e472d147c310f4feb922fcf46124cf

SHA512
3100c3373bc62b932493c5a61cde7d23edccbb12fafef9af517eb72be176cd01e5bfb181a88e6f17bacab518ef6ad8b2f0622424e4b75523eedf2fc1995244fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hf784976.exe

Filesize
577KB

MD5
e9016250f44d344556c345597a8ee90a

SHA1
04164ffbbaff7b061299cba95d7b463910965225

SHA256
cc200d4116de90f6da6a8b7111fb54d193e472d147c310f4feb922fcf46124cf

SHA512
3100c3373bc62b932493c5a61cde7d23edccbb12fafef9af517eb72be176cd01e5bfb181a88e6f17bacab518ef6ad8b2f0622424e4b75523eedf2fc1995244fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\377761923.exe

Filesize
204KB

MD5
1304f384653e08ae497008ff13498608

SHA1
d9a76ed63d74d4217c5027757cb9a7a0d0093080

SHA256
2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa

SHA512
4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\377761923.exe

Filesize
204KB

MD5
1304f384653e08ae497008ff13498608

SHA1
d9a76ed63d74d4217c5027757cb9a7a0d0093080

SHA256
2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa

SHA512
4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gc630402.exe

Filesize
405KB

MD5
c7f57f2a558c841b3f89204172c762db

SHA1
3be24e87964ad4f66211ad520cdef30226cc12a5

SHA256
7ee2fbb1012835e7ed2c918cdbed335835df96b2ca1a5403551c68f936c0af68

SHA512
db99395f6aa2a4dd2351c14ffe292ed8c9434f8bbf3b9629145ef2d0bbd687cf7e3f3777065dbc437dbfa957004af253d4c692ee45dd93aa058dcc15385d9903

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gc630402.exe

Filesize
405KB

MD5
c7f57f2a558c841b3f89204172c762db

SHA1
3be24e87964ad4f66211ad520cdef30226cc12a5

SHA256
7ee2fbb1012835e7ed2c918cdbed335835df96b2ca1a5403551c68f936c0af68

SHA512
db99395f6aa2a4dd2351c14ffe292ed8c9434f8bbf3b9629145ef2d0bbd687cf7e3f3777065dbc437dbfa957004af253d4c692ee45dd93aa058dcc15385d9903

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\162725861.exe

Filesize
176KB

MD5
2b71f4b18ac8214a2bff547b6ce2f64f

SHA1
b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5

SHA256
f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc

SHA512
33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\162725861.exe

Filesize
176KB

MD5
2b71f4b18ac8214a2bff547b6ce2f64f

SHA1
b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5

SHA256
f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc

SHA512
33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\264053598.exe

Filesize
258KB

MD5
3c381fa43bbc1dacb07299c47e2193c8

SHA1
4b5168f1dfb2bc166e3002bb78da37ca7a94ff88

SHA256
825e43ad20f870a33dc245c024edac9ecdcfa8d5fbbdeafcccbfb9be701469c7

SHA512
194e94917504d16fb9b671434b04f6a64652a6da0153805722f7ae69103ecfb47a8bbfb4d883778869659086678801d83aab402d7d4787a5327880c3a6b06fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\264053598.exe

Filesize
258KB

MD5
3c381fa43bbc1dacb07299c47e2193c8

SHA1
4b5168f1dfb2bc166e3002bb78da37ca7a94ff88

SHA256
825e43ad20f870a33dc245c024edac9ecdcfa8d5fbbdeafcccbfb9be701469c7

SHA512
194e94917504d16fb9b671434b04f6a64652a6da0153805722f7ae69103ecfb47a8bbfb4d883778869659086678801d83aab402d7d4787a5327880c3a6b06fa6

Download Submit
memory/232-186-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/232-193-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/232-170-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/232-172-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/232-174-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/232-176-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/232-178-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/232-180-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/232-182-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/232-184-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/232-166-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/232-188-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/232-190-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/232-191-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/232-192-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/232-168-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/232-194-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/232-195-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/232-164-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/232-163-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/232-161-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/232-162-0x0000000004A50000-0x0000000004FF4000-memory.dmp

Filesize
5.6MB

Download
memory/4868-231-0x00000000048B0000-0x00000000048C0000-memory.dmp

Filesize
64KB

Download
memory/4868-232-0x00000000048B0000-0x00000000048C0000-memory.dmp

Filesize
64KB

Download
memory/4868-233-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/4868-234-0x0000000002CB0000-0x0000000002CDD000-memory.dmp

Filesize
180KB

Download
memory/4868-235-0x00000000048B0000-0x00000000048C0000-memory.dmp

Filesize
64KB

Download
memory/4868-236-0x00000000048B0000-0x00000000048C0000-memory.dmp

Filesize
64KB

Download
memory/4868-237-0x00000000048B0000-0x00000000048C0000-memory.dmp

Filesize
64KB

Download
memory/4868-239-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/4868-230-0x00000000048B0000-0x00000000048C0000-memory.dmp

Filesize
64KB

Download
memory/4868-201-0x0000000002CB0000-0x0000000002CDD000-memory.dmp

Filesize
180KB

Download