07a482b57b07d95eb183c4637b3b66928b8965727dde9cc1a43a1167166b64d8

Analysis

max time kernel
244s
max time network
326s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27ead757de0b0ca55450c5d8cc53c6fe.exe
Size

1.5MB
MD5

27ead757de0b0ca55450c5d8cc53c6fe
SHA1

bfadc4ff184893938d2a76a69f83f391c778557a
SHA256

07a482b57b07d95eb183c4637b3b66928b8965727dde9cc1a43a1167166b64d8
SHA512

a60c98193f1c6164337b4da77902fe51c47b333296b0442bc0eaef7785c2a2117c26fa69db5b43aa64651d7927f7d3d52573e504fbaac0e2ed01f085313e68c9
SSDEEP

24576:ny0vXuziDrn7/nhNyZUQgyhttJxVDlQklm0ooB8dLaDnvsvkZqT4gkOCFIsFS0x0:yaXLLzzyGjyrt7JlLdL8dLaDngSqc6Uk

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

98863495.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	98863495.exe

Executes dropped EXE 6 IoCs

Processes:

za471003.exeza531389.exeza657525.exe98863495.exe1.exeu97318255.exe

pid process

5092 za471003.exe
2852 za531389.exe
3736 za657525.exe
788 98863495.exe
768 1.exe
2900 u97318255.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

1.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" 1.exe

pid	process
5092	za471003.exe
2852	za531389.exe
3736	za657525.exe
788	98863495.exe
768	1.exe
2900	u97318255.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

za471003.exeza531389.exeza657525.exe27ead757de0b0ca55450c5d8cc53c6fe.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za471003.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za471003.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za531389.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za531389.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za657525.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	za657525.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	27ead757de0b0ca55450c5d8cc53c6fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	27ead757de0b0ca55450c5d8cc53c6fe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1.exe

pid process

768 1.exe
768 1.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

98863495.exeu97318255.exe1.exe

description pid process

Token: SeDebugPrivilege 788 98863495.exe
Token: SeDebugPrivilege 2900 u97318255.exe
Token: SeDebugPrivilege 768 1.exe

pid	process
768	1.exe
768	1.exe

description	pid	process
Token: SeDebugPrivilege	788	98863495.exe
Token: SeDebugPrivilege	2900	u97318255.exe
Token: SeDebugPrivilege	768	1.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

27ead757de0b0ca55450c5d8cc53c6fe.exeza471003.exeza531389.exeza657525.exe98863495.exe

description	pid	process	target process
PID 1160 wrote to memory of 5092	1160	27ead757de0b0ca55450c5d8cc53c6fe.exe	za471003.exe
PID 1160 wrote to memory of 5092	1160	27ead757de0b0ca55450c5d8cc53c6fe.exe	za471003.exe
PID 1160 wrote to memory of 5092	1160	27ead757de0b0ca55450c5d8cc53c6fe.exe	za471003.exe
PID 5092 wrote to memory of 2852	5092	za471003.exe	za531389.exe
PID 5092 wrote to memory of 2852	5092	za471003.exe	za531389.exe
PID 5092 wrote to memory of 2852	5092	za471003.exe	za531389.exe
PID 2852 wrote to memory of 3736	2852	za531389.exe	za657525.exe
PID 2852 wrote to memory of 3736	2852	za531389.exe	za657525.exe
PID 2852 wrote to memory of 3736	2852	za531389.exe	za657525.exe
PID 3736 wrote to memory of 788	3736	za657525.exe	98863495.exe
PID 3736 wrote to memory of 788	3736	za657525.exe	98863495.exe
PID 3736 wrote to memory of 788	3736	za657525.exe	98863495.exe
PID 788 wrote to memory of 768	788	98863495.exe	1.exe
PID 788 wrote to memory of 768	788	98863495.exe	1.exe
PID 3736 wrote to memory of 2900	3736	za657525.exe	u97318255.exe
PID 3736 wrote to memory of 2900	3736	za657525.exe	u97318255.exe
PID 3736 wrote to memory of 2900	3736	za657525.exe	u97318255.exe

C:\Users\Admin\AppData\Local\Temp\27ead757de0b0ca55450c5d8cc53c6fe.exe
"C:\Users\Admin\AppData\Local\Temp\27ead757de0b0ca55450c5d8cc53c6fe.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1160

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za471003.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za471003.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5092

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za531389.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za531389.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2852

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za657525.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za657525.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3736

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\98863495.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\98863495.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u97318255.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u97318255.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za471003.exe
Filesize
1.3MB

MD5
3c7d81316befb256f108af32c01d8df3

SHA1
a7b7259ffdf582405e3fdae11494c97ea5d677b4

SHA256
0fe122d690b4af00b8ac7e9cbe0743bd053fe0ac6a891d0530a1e255573d4a43

SHA512
3f5c1d19acf853e1f3257cbe49401549261b00f6ac558598b2c8795ce3c42632e3306406c4291fe7ab056a8af7b7636898594c2fa6d47440fa467fe947d0ce90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za471003.exe
Filesize
1.3MB

MD5
3c7d81316befb256f108af32c01d8df3

SHA1
a7b7259ffdf582405e3fdae11494c97ea5d677b4

SHA256
0fe122d690b4af00b8ac7e9cbe0743bd053fe0ac6a891d0530a1e255573d4a43

SHA512
3f5c1d19acf853e1f3257cbe49401549261b00f6ac558598b2c8795ce3c42632e3306406c4291fe7ab056a8af7b7636898594c2fa6d47440fa467fe947d0ce90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za531389.exe
Filesize
883KB

MD5
3301379962fbfd052e75670e2092366b

SHA1
0a10938c77e9d3894256fabd76a731d11f9dec2b

SHA256
861832976714a7935f23b4a2cbfdf224cfe3073641ca512a2208317d9ea787de

SHA512
67d4f533b56dfacb84fe806ab8224f1d6224b06f0a4375a0b3538a8a318b22546641a67e7daac537ab08fa13bef2e16f726bdbdc65851847653a41ef9fd31f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za531389.exe
Filesize
883KB

MD5
3301379962fbfd052e75670e2092366b

SHA1
0a10938c77e9d3894256fabd76a731d11f9dec2b

SHA256
861832976714a7935f23b4a2cbfdf224cfe3073641ca512a2208317d9ea787de

SHA512
67d4f533b56dfacb84fe806ab8224f1d6224b06f0a4375a0b3538a8a318b22546641a67e7daac537ab08fa13bef2e16f726bdbdc65851847653a41ef9fd31f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za657525.exe
Filesize
700KB

MD5
da105f0563e15352d05dc6216f850e2b

SHA1
61edfd54290c3b7626b0c4280a59b10abb6e6105

SHA256
cb017c6785939456b220bce20da1d0273e487aff7c1483ad740ccb882d9991e4

SHA512
d48b549e232c6c3fa6967d855471e422d97fff6fdb496be6a3ec695a7bb8c2de5fb86908bbd8118fc4e217773830c616bcb26f042bc2f0369e678004bb260840

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za657525.exe
Filesize
700KB

MD5
da105f0563e15352d05dc6216f850e2b

SHA1
61edfd54290c3b7626b0c4280a59b10abb6e6105

SHA256
cb017c6785939456b220bce20da1d0273e487aff7c1483ad740ccb882d9991e4

SHA512
d48b549e232c6c3fa6967d855471e422d97fff6fdb496be6a3ec695a7bb8c2de5fb86908bbd8118fc4e217773830c616bcb26f042bc2f0369e678004bb260840

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\98863495.exe
Filesize
300KB

MD5
f43927c96977de3a0217738db93255ee

SHA1
9269d4c5db86453bf69896fb6aacb02a9e30b352

SHA256
34036fdb13f40b5a812eedac5c0c7e0607780a5dab0398b598a3e7c186ed2850

SHA512
ec03754641723d02643d691bea2a74957a865c6bedb3e140871fccdf15584c4b63e72e4a8432fc6e449f0db4243d92e90506ec1226b3e604309c2554ab2db568

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\98863495.exe
Filesize
300KB

MD5
f43927c96977de3a0217738db93255ee

SHA1
9269d4c5db86453bf69896fb6aacb02a9e30b352

SHA256
34036fdb13f40b5a812eedac5c0c7e0607780a5dab0398b598a3e7c186ed2850

SHA512
ec03754641723d02643d691bea2a74957a865c6bedb3e140871fccdf15584c4b63e72e4a8432fc6e449f0db4243d92e90506ec1226b3e604309c2554ab2db568

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u97318255.exe
Filesize
479KB

MD5
2111556c59d7c82db20fe15a31971a7b

SHA1
a6df4b66d34fdab6e01d278ba48b17dad10e15bf

SHA256
841de67acd3ebd52ac1409526998f64fc47de66ade6536ffda613ef2426b3218

SHA512
b83a1a66bdfc6b442f89efa7d81a7ee25eff392733de82fde1e0d9d679b7e96391a841f97909da864e48e89b86f5532f8c1f4a62875b8d7b0a2675ebec118770

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u97318255.exe
Filesize
479KB

MD5
2111556c59d7c82db20fe15a31971a7b

SHA1
a6df4b66d34fdab6e01d278ba48b17dad10e15bf

SHA256
841de67acd3ebd52ac1409526998f64fc47de66ade6536ffda613ef2426b3218

SHA512
b83a1a66bdfc6b442f89efa7d81a7ee25eff392733de82fde1e0d9d679b7e96391a841f97909da864e48e89b86f5532f8c1f4a62875b8d7b0a2675ebec118770

Download Submit
C:\Windows\Temp\1.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
memory/768-2311-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

Filesize
40KB

Download
memory/788-190-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-208-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-167-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-169-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-163-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-171-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-173-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-175-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-177-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-178-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/788-181-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/788-180-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/788-182-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-186-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-184-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-188-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-162-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-192-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-194-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-196-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-198-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-200-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-202-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-204-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-206-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-165-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-210-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-212-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-214-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-216-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-218-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-220-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-222-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-224-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-226-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-161-0x0000000004B10000-0x00000000050B4000-memory.dmp

Filesize
5.6MB

Download
memory/788-228-0x00000000050C0000-0x0000000005111000-memory.dmp

Filesize
324KB

Download
memory/788-2294-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/788-2293-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/788-2295-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/788-2297-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/2900-2314-0x0000000000820000-0x000000000086C000-memory.dmp

Filesize
304KB

Download
memory/2900-2316-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/2900-2318-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/2900-4445-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/2900-4448-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/2900-4449-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/2900-4450-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/2900-4453-0x00000000059E0000-0x0000000005A72000-memory.dmp

Filesize
584KB

Download