299e05f9a3bb7c1105efa8579d1d6a777b63f8331027f13de002da1d920dcc41

Analysis

max time kernel
238s
max time network
263s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

299e05f9a3bb7c1105efa8579d1d6a777b63f8331027f13de002da1d920dcc41.exe
Size

1.1MB
MD5

48b334ded86513b0a362f596b7f86054
SHA1

94a2c507696057bee5d32fccb5565e3059ea7f03
SHA256

299e05f9a3bb7c1105efa8579d1d6a777b63f8331027f13de002da1d920dcc41
SHA512

851c42e2eb5d2e25cd9033c9025b48bd5eed5fa8db2d9b30f7142cff798dda26eb7b6f62e5c9fc8d8451fe8a6951d0a739f0b4b75c1c749c5948ee9f8fa838ff
SSDEEP

24576:uy7usvgqGC5DrO2ij4kPhljmXzLoPlZHb736WfAkYN93IM3:9iIR51rCUoljAzkPHHb736hr93

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	103383285.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	103383285.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	103383285.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	230305402.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	230305402.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	230305402.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	103383285.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	103383285.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	103383285.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	230305402.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	230305402.exe

Executes dropped EXE 5 IoCs

pid	Process
652	AM494895.exe
3408	Yd884767.exe
1288	mO570783.exe
4352	103383285.exe
1100	230305402.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	103383285.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	103383285.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	230305402.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	AM494895.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	AM494895.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Yd884767.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Yd884767.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	mO570783.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	mO570783.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	299e05f9a3bb7c1105efa8579d1d6a777b63f8331027f13de002da1d920dcc41.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	299e05f9a3bb7c1105efa8579d1d6a777b63f8331027f13de002da1d920dcc41.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4352	103383285.exe
4352	103383285.exe
1100	230305402.exe
1100	230305402.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4352	103383285.exe
Token: SeDebugPrivilege	1100	230305402.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 652	860	299e05f9a3bb7c1105efa8579d1d6a777b63f8331027f13de002da1d920dcc41.exe	79
PID 860 wrote to memory of 652	860	299e05f9a3bb7c1105efa8579d1d6a777b63f8331027f13de002da1d920dcc41.exe	79
PID 860 wrote to memory of 652	860	299e05f9a3bb7c1105efa8579d1d6a777b63f8331027f13de002da1d920dcc41.exe	79
PID 652 wrote to memory of 3408	652	AM494895.exe	80
PID 652 wrote to memory of 3408	652	AM494895.exe	80
PID 652 wrote to memory of 3408	652	AM494895.exe	80
PID 3408 wrote to memory of 1288	3408	Yd884767.exe	81
PID 3408 wrote to memory of 1288	3408	Yd884767.exe	81
PID 3408 wrote to memory of 1288	3408	Yd884767.exe	81
PID 1288 wrote to memory of 4352	1288	mO570783.exe	82
PID 1288 wrote to memory of 4352	1288	mO570783.exe	82
PID 1288 wrote to memory of 4352	1288	mO570783.exe	82
PID 1288 wrote to memory of 1100	1288	mO570783.exe	86
PID 1288 wrote to memory of 1100	1288	mO570783.exe	86
PID 1288 wrote to memory of 1100	1288	mO570783.exe	86

C:\Users\Admin\AppData\Local\Temp\299e05f9a3bb7c1105efa8579d1d6a777b63f8331027f13de002da1d920dcc41.exe
"C:\Users\Admin\AppData\Local\Temp\299e05f9a3bb7c1105efa8579d1d6a777b63f8331027f13de002da1d920dcc41.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:860
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AM494895.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AM494895.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yd884767.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yd884767.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mO570783.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mO570783.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1288
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\103383285.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\103383285.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4352
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\230305402.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\230305402.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AM494895.exe

Filesize
925KB

MD5
a8d2f33d3f9eb127edbe4bd53ec6df0f

SHA1
1226274d65a9727a3af0065b5dad850cb368c450

SHA256
e31da68c614bae91aeaee4ff3d90b7518e518038686d56873fe469fb2f002047

SHA512
6fc22f82ba2947b34e6011200b30580073a64ba7662993dbaea65983da9ea7c5b650f2385bbabb462409880467848907ae193bb0c3ab6a576d1f2a1fbf07f365

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AM494895.exe

Filesize
925KB

MD5
a8d2f33d3f9eb127edbe4bd53ec6df0f

SHA1
1226274d65a9727a3af0065b5dad850cb368c450

SHA256
e31da68c614bae91aeaee4ff3d90b7518e518038686d56873fe469fb2f002047

SHA512
6fc22f82ba2947b34e6011200b30580073a64ba7662993dbaea65983da9ea7c5b650f2385bbabb462409880467848907ae193bb0c3ab6a576d1f2a1fbf07f365

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yd884767.exe

Filesize
582KB

MD5
16ff14aa560b3f5579aa024fb2e85d5c

SHA1
53b87af3c8a0ccdfb71395ff19ef0454027f44d1

SHA256
e7651f868ef37c1b5bc2d4b63934de3e5f4ccbc422acc44be5c27e28b981bdb7

SHA512
65207c1ca8ca2cb35a83dfc8aab83aa116ea478962ac9a734a21581e15d7d8d1dd3223fda612bb239d7b9e2a1900264a6679077420f05bca7bcc7ee48b2ab401

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yd884767.exe

Filesize
582KB

MD5
16ff14aa560b3f5579aa024fb2e85d5c

SHA1
53b87af3c8a0ccdfb71395ff19ef0454027f44d1

SHA256
e7651f868ef37c1b5bc2d4b63934de3e5f4ccbc422acc44be5c27e28b981bdb7

SHA512
65207c1ca8ca2cb35a83dfc8aab83aa116ea478962ac9a734a21581e15d7d8d1dd3223fda612bb239d7b9e2a1900264a6679077420f05bca7bcc7ee48b2ab401

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mO570783.exe

Filesize
411KB

MD5
1d4536cd4f5d5c6eb5302c12bd1bd894

SHA1
fb06bc4307a262a024c9f2292cc4962620213683

SHA256
815900d640350036a4db5acdd0eb4d9d5888ba8ec3d56e68a039e16e74c2e044

SHA512
fc902d78937bf0ee35d0c69c0c5c992fae30566a4647b012212d52a756585cbb70f10b907a90bfc12b94d89bbddd91a79eb66358accf85454097c20ca29d65b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mO570783.exe

Filesize
411KB

MD5
1d4536cd4f5d5c6eb5302c12bd1bd894

SHA1
fb06bc4307a262a024c9f2292cc4962620213683

SHA256
815900d640350036a4db5acdd0eb4d9d5888ba8ec3d56e68a039e16e74c2e044

SHA512
fc902d78937bf0ee35d0c69c0c5c992fae30566a4647b012212d52a756585cbb70f10b907a90bfc12b94d89bbddd91a79eb66358accf85454097c20ca29d65b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\103383285.exe

Filesize
175KB

MD5
3d10b67208452d7a91d7bd7066067676

SHA1
e6c3ab7b6da65c8cc7dd95351f118caf3a50248d

SHA256
5c8ae96739bd9454a59e92b5eb6965647030e87453f7c417dbd7d53ebd837302

SHA512
b86d5ff4f55c90922a890401ae4301da7e71eb5e546a82536073cc58780ce55585214cff39ec9b52f70704580ad36c1fa95ebee1515dd2e7ea313cb670f2b4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\103383285.exe

Filesize
175KB

MD5
3d10b67208452d7a91d7bd7066067676

SHA1
e6c3ab7b6da65c8cc7dd95351f118caf3a50248d

SHA256
5c8ae96739bd9454a59e92b5eb6965647030e87453f7c417dbd7d53ebd837302

SHA512
b86d5ff4f55c90922a890401ae4301da7e71eb5e546a82536073cc58780ce55585214cff39ec9b52f70704580ad36c1fa95ebee1515dd2e7ea313cb670f2b4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\230305402.exe

Filesize
263KB

MD5
8e1b11f8c38caa4575d4e53979c9cb16

SHA1
d8002f4667b6671448895a38fc05eefe4ba4bc0d

SHA256
dd069279366f23239db4884ca1bd03295476c3062611fd5e3991140302607abd

SHA512
cd203f591221960cb6e579eddcd4dc95a5b890896f6958876c441b75172c29cc8f48d93e950698c73b8e697d019ed90485b1719551f0f54c5f3e064b58aa9c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\230305402.exe

Filesize
263KB

MD5
8e1b11f8c38caa4575d4e53979c9cb16

SHA1
d8002f4667b6671448895a38fc05eefe4ba4bc0d

SHA256
dd069279366f23239db4884ca1bd03295476c3062611fd5e3991140302607abd

SHA512
cd203f591221960cb6e579eddcd4dc95a5b890896f6958876c441b75172c29cc8f48d93e950698c73b8e697d019ed90485b1719551f0f54c5f3e064b58aa9c4b

Download Submit
memory/1100-238-0x0000000000400000-0x0000000002B99000-memory.dmp

Filesize
39.6MB

Download
memory/1100-235-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/1100-234-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/1100-233-0x0000000000400000-0x0000000002B99000-memory.dmp

Filesize
39.6MB

Download
memory/1100-232-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/1100-203-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/1100-202-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/1100-201-0x0000000002D20000-0x0000000002D4D000-memory.dmp

Filesize
180KB

Download
memory/1100-237-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/4352-164-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/4352-175-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/4352-179-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/4352-181-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/4352-183-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/4352-185-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/4352-187-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/4352-189-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/4352-191-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/4352-193-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/4352-195-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/4352-177-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/4352-173-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/4352-171-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/4352-169-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/4352-168-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/4352-167-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/4352-166-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/4352-165-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/4352-163-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/4352-162-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/4352-161-0x00000000049F0000-0x0000000004F94000-memory.dmp

Filesize
5.6MB

Download