2701bced7c4d45041dbd68d1df03673cec5d5eca730fd680868ef34b351896a5

Analysis

max time kernel
253s
max time network
312s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2701bced7c4d45041dbd68d1df03673cec5d5eca730fd680868ef34b351896a5.exe
Size

1.1MB
MD5

cb431f6d4b89d7236818d4192d7689e2
SHA1

996ad8579e1b45ca8071ac76f6ce19a65261eb56
SHA256

2701bced7c4d45041dbd68d1df03673cec5d5eca730fd680868ef34b351896a5
SHA512

e7b558a6d429f384c97ff1ba1bd63b7eddd568e1edc54b6a26c35edc25777736f812658ed1b01712cff610bb85ec50ebc73ecce4b244908f55a2994b77e1d3d1
SSDEEP

24576:my1eixKfaWffBH4ntyIo2G2g2GR2vJItyE:1oiQfaWfJEfNGR2Ity

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	191716642.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	191716642.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	264435407.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	264435407.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	264435407.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	191716642.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	191716642.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	264435407.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	264435407.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	191716642.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	191716642.exe

Executes dropped EXE 5 IoCs

pid	Process
1516	aX906535.exe
224	sY926001.exe
3640	Sg945151.exe
3616	191716642.exe
2100	264435407.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	191716642.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	191716642.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	264435407.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	sY926001.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	sY926001.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Sg945151.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Sg945151.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2701bced7c4d45041dbd68d1df03673cec5d5eca730fd680868ef34b351896a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2701bced7c4d45041dbd68d1df03673cec5d5eca730fd680868ef34b351896a5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	aX906535.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	aX906535.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4464	2100	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3616	191716642.exe
3616	191716642.exe
2100	264435407.exe
2100	264435407.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3616	191716642.exe
Token: SeDebugPrivilege	2100	264435407.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 1516	3536	2701bced7c4d45041dbd68d1df03673cec5d5eca730fd680868ef34b351896a5.exe	79
PID 3536 wrote to memory of 1516	3536	2701bced7c4d45041dbd68d1df03673cec5d5eca730fd680868ef34b351896a5.exe	79
PID 3536 wrote to memory of 1516	3536	2701bced7c4d45041dbd68d1df03673cec5d5eca730fd680868ef34b351896a5.exe	79
PID 1516 wrote to memory of 224	1516	aX906535.exe	80
PID 1516 wrote to memory of 224	1516	aX906535.exe	80
PID 1516 wrote to memory of 224	1516	aX906535.exe	80
PID 224 wrote to memory of 3640	224	sY926001.exe	81
PID 224 wrote to memory of 3640	224	sY926001.exe	81
PID 224 wrote to memory of 3640	224	sY926001.exe	81
PID 3640 wrote to memory of 3616	3640	Sg945151.exe	82
PID 3640 wrote to memory of 3616	3640	Sg945151.exe	82
PID 3640 wrote to memory of 3616	3640	Sg945151.exe	82
PID 3640 wrote to memory of 2100	3640	Sg945151.exe	84
PID 3640 wrote to memory of 2100	3640	Sg945151.exe	84
PID 3640 wrote to memory of 2100	3640	Sg945151.exe	84

C:\Users\Admin\AppData\Local\Temp\2701bced7c4d45041dbd68d1df03673cec5d5eca730fd680868ef34b351896a5.exe
"C:\Users\Admin\AppData\Local\Temp\2701bced7c4d45041dbd68d1df03673cec5d5eca730fd680868ef34b351896a5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aX906535.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aX906535.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sY926001.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sY926001.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:224
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sg945151.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sg945151.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3640
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\191716642.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\191716642.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3616
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\264435407.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\264435407.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1076
        6⤵
        Program crash
        
        PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2100 -ip 2100
1⤵
PID:1868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aX906535.exe

Filesize
940KB

MD5
dc4a381a0064d3913248e3260f27471c

SHA1
31eefa39c2de16327df93fafcfb4cbda4aaace56

SHA256
5028896be79d593129112c444ddc37b182a9c8f26cee55a6b65809e5f56c4ffe

SHA512
c64cd2995b81243c544a68981b0f7579131f1a18a768cfb424f79d99038b75a24af1a421e8834fa684bbc9f2dd3f885f072976e3ea388667f9d8ad4355eec064

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aX906535.exe

Filesize
940KB

MD5
dc4a381a0064d3913248e3260f27471c

SHA1
31eefa39c2de16327df93fafcfb4cbda4aaace56

SHA256
5028896be79d593129112c444ddc37b182a9c8f26cee55a6b65809e5f56c4ffe

SHA512
c64cd2995b81243c544a68981b0f7579131f1a18a768cfb424f79d99038b75a24af1a421e8834fa684bbc9f2dd3f885f072976e3ea388667f9d8ad4355eec064

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sY926001.exe

Filesize
586KB

MD5
98cfbe9dcec948c77713ec365059007e

SHA1
93db57f605fdcbf01ad7bf3f9779ab84679dc896

SHA256
b85696f390b0904c0a52169660674580c29f4997a174c9f214e73a4b80fb0f50

SHA512
50809ff8a589f07232b9b16a6c5e0275ab1df333689b5e4caf584aba792a0936e86f56bbc0ca47743f254c97eb2c31634a2993fa84b55a466c2262eea9ee6a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sY926001.exe

Filesize
586KB

MD5
98cfbe9dcec948c77713ec365059007e

SHA1
93db57f605fdcbf01ad7bf3f9779ab84679dc896

SHA256
b85696f390b0904c0a52169660674580c29f4997a174c9f214e73a4b80fb0f50

SHA512
50809ff8a589f07232b9b16a6c5e0275ab1df333689b5e4caf584aba792a0936e86f56bbc0ca47743f254c97eb2c31634a2993fa84b55a466c2262eea9ee6a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sg945151.exe

Filesize
414KB

MD5
419d5992ee441078e38c97c35529fd9a

SHA1
b60e13bfeed0414c1ad462fddb21d036af12d027

SHA256
26efac9e6c66a6a6fd63b0e68d5abd32076bcb6ce7e430dcd6cd2a4e83f08188

SHA512
ba949cb623d0c4952a517a28498e9d8f2bb19c8f0e891dcdd0cdbd727d4bc0c881596b3c8c4a65d493ca8a09f4b6d69b1528dd8fb5317f46151f50910e8aca88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sg945151.exe

Filesize
414KB

MD5
419d5992ee441078e38c97c35529fd9a

SHA1
b60e13bfeed0414c1ad462fddb21d036af12d027

SHA256
26efac9e6c66a6a6fd63b0e68d5abd32076bcb6ce7e430dcd6cd2a4e83f08188

SHA512
ba949cb623d0c4952a517a28498e9d8f2bb19c8f0e891dcdd0cdbd727d4bc0c881596b3c8c4a65d493ca8a09f4b6d69b1528dd8fb5317f46151f50910e8aca88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\191716642.exe

Filesize
175KB

MD5
a165b5f6b0a4bdf808b71de57bf9347d

SHA1
39a7b301e819e386c162a47e046fa384bb5ab437

SHA256
68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a

SHA512
3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\191716642.exe

Filesize
175KB

MD5
a165b5f6b0a4bdf808b71de57bf9347d

SHA1
39a7b301e819e386c162a47e046fa384bb5ab437

SHA256
68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a

SHA512
3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\264435407.exe

Filesize
259KB

MD5
6ad8b1c0397ebcc4d6c71585f8e4587c

SHA1
c2b02b844eb61f224e2564a0b630072be6811504

SHA256
c6244e5dc5c3aa79a46ef6bcc119dd75f3492ac37e475cafd8f6984d6cd4bdab

SHA512
30f2ed107672bbfa2a773ded99d5e12a7779f85f61b00c1146c15e4c7b2bbb46c3b480fc4ca4c56ff5fca4b584fe4cb5fe915bf7e611644048a6820901060362

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\264435407.exe

Filesize
259KB

MD5
6ad8b1c0397ebcc4d6c71585f8e4587c

SHA1
c2b02b844eb61f224e2564a0b630072be6811504

SHA256
c6244e5dc5c3aa79a46ef6bcc119dd75f3492ac37e475cafd8f6984d6cd4bdab

SHA512
30f2ed107672bbfa2a773ded99d5e12a7779f85f61b00c1146c15e4c7b2bbb46c3b480fc4ca4c56ff5fca4b584fe4cb5fe915bf7e611644048a6820901060362

Download Submit
memory/2100-235-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/2100-236-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/2100-237-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/2100-234-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2100-233-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/2100-232-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/2100-231-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/2100-202-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2100-201-0x00000000004E0000-0x000000000050D000-memory.dmp

Filesize
180KB

Download
memory/2100-238-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3616-163-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/3616-176-0x0000000002510000-0x0000000002523000-memory.dmp

Filesize
76KB

Download
memory/3616-184-0x0000000002510000-0x0000000002523000-memory.dmp

Filesize
76KB

Download
memory/3616-186-0x0000000002510000-0x0000000002523000-memory.dmp

Filesize
76KB

Download
memory/3616-188-0x0000000002510000-0x0000000002523000-memory.dmp

Filesize
76KB

Download
memory/3616-190-0x0000000002510000-0x0000000002523000-memory.dmp

Filesize
76KB

Download
memory/3616-192-0x0000000002510000-0x0000000002523000-memory.dmp

Filesize
76KB

Download
memory/3616-193-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/3616-194-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/3616-195-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/3616-180-0x0000000002510000-0x0000000002523000-memory.dmp

Filesize
76KB

Download
memory/3616-182-0x0000000002510000-0x0000000002523000-memory.dmp

Filesize
76KB

Download
memory/3616-178-0x0000000002510000-0x0000000002523000-memory.dmp

Filesize
76KB

Download
memory/3616-174-0x0000000002510000-0x0000000002523000-memory.dmp

Filesize
76KB

Download
memory/3616-172-0x0000000002510000-0x0000000002523000-memory.dmp

Filesize
76KB

Download
memory/3616-170-0x0000000002510000-0x0000000002523000-memory.dmp

Filesize
76KB

Download
memory/3616-168-0x0000000002510000-0x0000000002523000-memory.dmp

Filesize
76KB

Download
memory/3616-166-0x0000000002510000-0x0000000002523000-memory.dmp

Filesize
76KB

Download
memory/3616-165-0x0000000002510000-0x0000000002523000-memory.dmp

Filesize
76KB

Download
memory/3616-164-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/3616-162-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/3616-161-0x00000000049A0000-0x0000000004F44000-memory.dmp

Filesize
5.6MB

Download