269abe57e67654fa1a97d65396fa841de0481432bb7f18037db3862b4458e232

Analysis

max time kernel
150s
max time network
159s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

269abe57e67654fa1a97d65396fa841de0481432bb7f18037db3862b4458e232.exe
Size

479KB
MD5

2dd3dcc10f7006763fb2751b0fa6f454
SHA1

484bfeb780722165db13052795e2f4422f828707
SHA256

269abe57e67654fa1a97d65396fa841de0481432bb7f18037db3862b4458e232
SHA512

79a78376652972730c83e57444a167953a45d749a1ddb141d4e68ad043fff56f5e1e633d7592c4a4280ce540706059cd007812434a1d50afea1ef9564785da3a
SSDEEP

6144:Kzy+bnr+rp0yN90QETpsOMm2Vn+UwCj0FOUEjCgnbEQ/PIz2QUJ9tVVv3SJV:VMrry90bpMMC0OAgnbE01Qu9rVvAV

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0859051.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0859051.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0859051.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0859051.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0859051.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a0859051.exe

Executes dropped EXE 3 IoCs

pid	Process
1172	v7184437.exe
652	a0859051.exe
924	b8913035.exe

Loads dropped DLL 6 IoCs

pid	Process
1856	269abe57e67654fa1a97d65396fa841de0481432bb7f18037db3862b4458e232.exe
1172	v7184437.exe
1172	v7184437.exe
652	a0859051.exe
1172	v7184437.exe
924	b8913035.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	a0859051.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0859051.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7184437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7184437.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	269abe57e67654fa1a97d65396fa841de0481432bb7f18037db3862b4458e232.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	269abe57e67654fa1a97d65396fa841de0481432bb7f18037db3862b4458e232.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
652	a0859051.exe
652	a0859051.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	652	a0859051.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 1172	1856	269abe57e67654fa1a97d65396fa841de0481432bb7f18037db3862b4458e232.exe	28
PID 1856 wrote to memory of 1172	1856	269abe57e67654fa1a97d65396fa841de0481432bb7f18037db3862b4458e232.exe	28
PID 1856 wrote to memory of 1172	1856	269abe57e67654fa1a97d65396fa841de0481432bb7f18037db3862b4458e232.exe	28
PID 1856 wrote to memory of 1172	1856	269abe57e67654fa1a97d65396fa841de0481432bb7f18037db3862b4458e232.exe	28
PID 1856 wrote to memory of 1172	1856	269abe57e67654fa1a97d65396fa841de0481432bb7f18037db3862b4458e232.exe	28
PID 1856 wrote to memory of 1172	1856	269abe57e67654fa1a97d65396fa841de0481432bb7f18037db3862b4458e232.exe	28
PID 1856 wrote to memory of 1172	1856	269abe57e67654fa1a97d65396fa841de0481432bb7f18037db3862b4458e232.exe	28
PID 1172 wrote to memory of 652	1172	v7184437.exe	29
PID 1172 wrote to memory of 652	1172	v7184437.exe	29
PID 1172 wrote to memory of 652	1172	v7184437.exe	29
PID 1172 wrote to memory of 652	1172	v7184437.exe	29
PID 1172 wrote to memory of 652	1172	v7184437.exe	29
PID 1172 wrote to memory of 652	1172	v7184437.exe	29
PID 1172 wrote to memory of 652	1172	v7184437.exe	29
PID 1172 wrote to memory of 924	1172	v7184437.exe	30
PID 1172 wrote to memory of 924	1172	v7184437.exe	30
PID 1172 wrote to memory of 924	1172	v7184437.exe	30
PID 1172 wrote to memory of 924	1172	v7184437.exe	30
PID 1172 wrote to memory of 924	1172	v7184437.exe	30
PID 1172 wrote to memory of 924	1172	v7184437.exe	30
PID 1172 wrote to memory of 924	1172	v7184437.exe	30

C:\Users\Admin\AppData\Local\Temp\269abe57e67654fa1a97d65396fa841de0481432bb7f18037db3862b4458e232.exe
"C:\Users\Admin\AppData\Local\Temp\269abe57e67654fa1a97d65396fa841de0481432bb7f18037db3862b4458e232.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7184437.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7184437.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0859051.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0859051.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:652
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8913035.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8913035.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7184437.exe

Filesize
307KB

MD5
25d205eb0b4d50be87dea2d3043ee936

SHA1
9d8d1271e22b8f12614db71e18a43ed1a6918b4b

SHA256
2a7ea5826deab8afb1383512f6ee928d5eb7bcf7ce8e0a660816f2b474fac726

SHA512
f14082b9a6ddcc6cedb524cdb4f64feebc97a90fffc8f844932d376324964b7ee3dd8180430221a7bceb1619282e512e564bd8bed41a9f5e5101b2e56e4c3c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7184437.exe

Filesize
307KB

MD5
25d205eb0b4d50be87dea2d3043ee936

SHA1
9d8d1271e22b8f12614db71e18a43ed1a6918b4b

SHA256
2a7ea5826deab8afb1383512f6ee928d5eb7bcf7ce8e0a660816f2b474fac726

SHA512
f14082b9a6ddcc6cedb524cdb4f64feebc97a90fffc8f844932d376324964b7ee3dd8180430221a7bceb1619282e512e564bd8bed41a9f5e5101b2e56e4c3c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0859051.exe

Filesize
175KB

MD5
d59b989253d9bd505567328d127ce588

SHA1
7f2bc6f370f00d2364c50ed6037eff706f64d5c5

SHA256
b5a92e6994f0db8057eaa987df7bf5e1dace2f834d26672ef78b70620f6812cc

SHA512
bcc947bbc66c63da11439aec57b08e7aa6e92c9278d83d523d41a0a13129711d9e609a195526e69b504a9079af880a90cfa4ed01aa920d9295851d8f7ad2d189

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0859051.exe

Filesize
175KB

MD5
d59b989253d9bd505567328d127ce588

SHA1
7f2bc6f370f00d2364c50ed6037eff706f64d5c5

SHA256
b5a92e6994f0db8057eaa987df7bf5e1dace2f834d26672ef78b70620f6812cc

SHA512
bcc947bbc66c63da11439aec57b08e7aa6e92c9278d83d523d41a0a13129711d9e609a195526e69b504a9079af880a90cfa4ed01aa920d9295851d8f7ad2d189

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8913035.exe

Filesize
136KB

MD5
31fc937fffe039390eec038ac8e953d7

SHA1
bad83a487f89adf0daf13140d0f7956e26d81a83

SHA256
da0047fc3c24596e35d37015285c4c6467ab25a7fa17b5d7663e2f8c3b4d7087

SHA512
b4137c7aeb7067d62002ac8dca0ff647a7f25c6f57457ed1a9971b855400718b9388b6a69fd2fecf22cdcb3ebe28ea1fe4da98f848bcc230fa196c8363f42fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8913035.exe

Filesize
136KB

MD5
31fc937fffe039390eec038ac8e953d7

SHA1
bad83a487f89adf0daf13140d0f7956e26d81a83

SHA256
da0047fc3c24596e35d37015285c4c6467ab25a7fa17b5d7663e2f8c3b4d7087

SHA512
b4137c7aeb7067d62002ac8dca0ff647a7f25c6f57457ed1a9971b855400718b9388b6a69fd2fecf22cdcb3ebe28ea1fe4da98f848bcc230fa196c8363f42fd3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7184437.exe

Filesize
307KB

MD5
25d205eb0b4d50be87dea2d3043ee936

SHA1
9d8d1271e22b8f12614db71e18a43ed1a6918b4b

SHA256
2a7ea5826deab8afb1383512f6ee928d5eb7bcf7ce8e0a660816f2b474fac726

SHA512
f14082b9a6ddcc6cedb524cdb4f64feebc97a90fffc8f844932d376324964b7ee3dd8180430221a7bceb1619282e512e564bd8bed41a9f5e5101b2e56e4c3c2d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7184437.exe

Filesize
307KB

MD5
25d205eb0b4d50be87dea2d3043ee936

SHA1
9d8d1271e22b8f12614db71e18a43ed1a6918b4b

SHA256
2a7ea5826deab8afb1383512f6ee928d5eb7bcf7ce8e0a660816f2b474fac726

SHA512
f14082b9a6ddcc6cedb524cdb4f64feebc97a90fffc8f844932d376324964b7ee3dd8180430221a7bceb1619282e512e564bd8bed41a9f5e5101b2e56e4c3c2d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0859051.exe

Filesize
175KB

MD5
d59b989253d9bd505567328d127ce588

SHA1
7f2bc6f370f00d2364c50ed6037eff706f64d5c5

SHA256
b5a92e6994f0db8057eaa987df7bf5e1dace2f834d26672ef78b70620f6812cc

SHA512
bcc947bbc66c63da11439aec57b08e7aa6e92c9278d83d523d41a0a13129711d9e609a195526e69b504a9079af880a90cfa4ed01aa920d9295851d8f7ad2d189

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0859051.exe

Filesize
175KB

MD5
d59b989253d9bd505567328d127ce588

SHA1
7f2bc6f370f00d2364c50ed6037eff706f64d5c5

SHA256
b5a92e6994f0db8057eaa987df7bf5e1dace2f834d26672ef78b70620f6812cc

SHA512
bcc947bbc66c63da11439aec57b08e7aa6e92c9278d83d523d41a0a13129711d9e609a195526e69b504a9079af880a90cfa4ed01aa920d9295851d8f7ad2d189

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8913035.exe

Filesize
136KB

MD5
31fc937fffe039390eec038ac8e953d7

SHA1
bad83a487f89adf0daf13140d0f7956e26d81a83

SHA256
da0047fc3c24596e35d37015285c4c6467ab25a7fa17b5d7663e2f8c3b4d7087

SHA512
b4137c7aeb7067d62002ac8dca0ff647a7f25c6f57457ed1a9971b855400718b9388b6a69fd2fecf22cdcb3ebe28ea1fe4da98f848bcc230fa196c8363f42fd3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8913035.exe

Filesize
136KB

MD5
31fc937fffe039390eec038ac8e953d7

SHA1
bad83a487f89adf0daf13140d0f7956e26d81a83

SHA256
da0047fc3c24596e35d37015285c4c6467ab25a7fa17b5d7663e2f8c3b4d7087

SHA512
b4137c7aeb7067d62002ac8dca0ff647a7f25c6f57457ed1a9971b855400718b9388b6a69fd2fecf22cdcb3ebe28ea1fe4da98f848bcc230fa196c8363f42fd3

Download Submit
memory/652-89-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/652-91-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/652-83-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/652-85-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/652-79-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/652-99-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/652-103-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/652-101-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/652-97-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/652-95-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/652-93-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/652-81-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/652-87-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/652-105-0x0000000004BB0000-0x0000000004BF0000-memory.dmp

Filesize
256KB

Download
memory/652-104-0x0000000004BB0000-0x0000000004BF0000-memory.dmp

Filesize
256KB

Download
memory/652-77-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/652-76-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/652-75-0x0000000002150000-0x0000000002168000-memory.dmp

Filesize
96KB

Download
memory/652-74-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/924-112-0x00000000009B0000-0x00000000009D8000-memory.dmp

Filesize
160KB

Download
memory/924-113-0x0000000006E90000-0x0000000006ED0000-memory.dmp

Filesize
256KB

Download
memory/924-114-0x0000000006E90000-0x0000000006ED0000-memory.dmp

Filesize
256KB

Download